model checking of action based concurrent systems
play

Model Checking of Action-Based Concurrent Systems Radu Mateescu - PowerPoint PPT Presentation

Oct 09, 2023 •11 likes •1.16k views

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY http://www.inrialpes.fr/vasy Why formal verification? Therac-25 radiotherapy Ariane-5 launch Mars climate orbiter accidents (1985-1987) failure

  1. Internal and external choice External choice (the environment decides which branch of the choice will be executed) the environment can force the execution of a and b a b by synchronizing on that action Internal choice (the system decides) a a the environment may synchronize on a, but this will not remove the nondeterminism VTSA'08 - Max Planck Institute, Saarbrücken 22

  2. Example of modeling with communicating automata Mutual exclusion problem: Given two parallel processes P 0 and P 1 competing for a shared resource, guarantee that at most one process accesses the resource at a given time. Several solutions were proposed at software level : – In centralized setting (Peterson, Dekker, Knuth, ...) – In distributed setting (Lamport, ...) � M. Raynal. Algorithmique du parallélisme: le problème de l’exclusion mutuelle . Dunod Informatique, 1984. VTSA'08 - Max Planck Institute, Saarbrücken 23

  3. Peterson’s algorithm [1968] var d0 : bool := false { read by P1, written by P0 } var d1 : bool := false { read by P0, written by P1 } t ∈ var {0, 1} := 0 { read/written by P0 and P1 } loop forever { P0 } loop forever { P1 } 1 : { ncs0 } 1 : { ncs1 } 2 : d0 := true 2 : d1 := true 3 : t := 0 3 : t := 1 4 : wait (d1 = false or t = 1) 4 : wait (d0 = false or t = 0) 5 : { b_cs0 } 5 : { b_cs1 } 6 : { e_cs0 } 6 : { e_cs1 } 7 : d0 := false 7 : d1 := false endloop endloop VTSA'08 - Max Planck Institute, Saarbrücken 24

  4. Automata of P 0 and P 1 P 0 P 1 1 1 ncs0 ncs1 “d0 := false” “d1 := false” 7 2 7 2 “d0 := true” “d1 := true” e_cs0 e_cs1 6 3 6 3 b_cs0 “t := 0” b_cs1 “t := 1” “d1 = false ?” “d0 = false ?” 5 4 5 4 “t = 1 ?” “t = 0 ?” VTSA'08 - Max Planck Institute, Saarbrücken 25

  5. Automata of d 0 , d 1 , and t d 0 d 1 “d0 = false ?” “d1 = false ?” false false “d0 := false” “d1 := false” “d0 := true” “d1 := true” true true t “t := 1” “t = 0 ?” 0 1 “t = 1 ?” “t := 0” VTSA'08 - Max Planck Institute, Saarbrücken 26

  6. Architecture of the system (graphical) d0 “d0 := false” “d0 = false ?” “d0 := true” ncs0 ncs1 “t := 1” b_cs0 “t = 1 ?” b_cs1 t P0 P1 “t = 0 ?” e_cs0 e_cs1 “t := 0” “d1 := true” “d1 = false ?” “d1 := false” d1 Synchronized actions: «d0:=false», «d0:=true», ... Non synchronized actions: ncs0, b_cs0, e_cs0, ... VTSA'08 - Max Planck Institute, Saarbrücken 27

  7. Architecture of the system (textual) Using binary parallel composition: (P0 ||| P1) |[ “d0:=false”, “d0:=true”, ... ]| (d0 ||| d1 ||| t) Using general parallel composition: par “d0:=false”, “d0:=true”, ... � P0 || “d1:=false”, “d1:=true”, ... � P1 || “d0:=false”, “d0:=true”, “d0=false?” � d0 || “d1:=false”, “d1:=true”, “d1=false?” � d1 || “t:=0”, “t:=1”, “t=0?”, “t=1?” � t end par VTSA'08 - Max Planck Institute, Saarbrücken 28

  8. Construction of the LTS (“product automaton”) Explicit-state method: – LTS construction by exploring forward the transition relation, starting at the initial state – Transitions are generated by using the R 1 , R 2 , R 3 rules – Detect already visited states in order to avoid cycling Several possible exploration strategies: – Breadth-first, depth-first – Guided by a criterion / property, ... Several types of algorithms: – Sequential, parallel, distributed, ... VTSA'08 - Max Planck Institute, Saarbrücken 29

  9. Construction of the LTS S = { F,V } × { F,V } × { 0,1 } × { 1..7 } × { 1..7 } A = { ncs0, ncs1, ..., “d0:=true”, ... } = 〈 F, F, 0, 1, 1 〉 s 0 = FF011 T = FF011 ncs0 ncs1 FF021 FF012 d0:=true ncs1 ncs0 d1:=true VF031 FF022 FV013 t:=0 ncs1 d0:=true d1:=true ncs0 t:=1 VF041 VF032 FV023 FF114 ………………………………………………………………... VTSA'08 - Max Planck Institute, Saarbrücken 30

  10. Remarks The LTS of Peterson’s algorithm is finite: | S | ≅ 50 ≤ 2 × 2 × 2 × 7 × 7 = 392 In the presence of synchronizations, the number of reachable states is (much) smaller than the size of the cartesian product of the variable domains Some tools of CADP for LTS manipulation: – OCIS (step-by-step and guided simulation) – Executor (random exploration) – Exhibitor (search for regular sequences) – Terminator (search for deadlocks) � can be used in conjunction with Exp.Open VTSA'08 - Max Planck Institute, Saarbrücken 31

  11. Verification Once the LTS is generated, one can formulate and verify automatically the desired properties of the system For Peterson’s algorithm: – Deadlock freedom: each state has at least one successor – Mutual exclusion: at most one process can be in the critical section at a given time – Liveness: no process can indefinitely overtake the other when accessing its critical section [see the chapter on temporal logics] VTSA'08 - Max Planck Institute, Saarbrücken 32

  12. Limitations of binary parallel composition Several ways of modeling a process network: – Absence of canonical form – Difficult to determine whether two composition expressions denote the same process network – Difficult to retrieve the process network from a composition expression The semantics of “|[G 1 , ..., G n ]|” (rule R 3 ) does not prevent that other processes P1 synchronize on G 1 , ..., G n binary synchro- ( maximal cooperation ) G G nization on G Some networks cannot be G modeled using “|[]|”: P2 P3 VTSA'08 - Max Planck Institute, Saarbrücken 33

  13. Example (ring network [Garavel-Sighireanu-99]) P1 G1 G5 P2 P5 Description using binary G2 G4 parallel composition: G3 P3 P4 (P 1 |[G 1 ]| P 2 |[G 2 ]| P 3 |[G 3 ]| P 4 ) |[G 4 , G 5 ]| the composition expression P 5 does not reflect the symmetry of the process network VTSA'08 - Max Planck Institute, Saarbrücken 34

  14. General parallel composition [Garavel-Sighireanu-99] “Graphical” parallel composition operator allowing the composition of several automata and their m among n synchronization: par [ g 1 #m 1 , ..., g p #m p in ] G 1 � B 1 gates with their associated || G 2 � B 2 synchronization degrees . . . automata (processes) || G n � B n end par communication interfaces (gate lists) VTSA'08 - Max Planck Institute, Saarbrücken 35

  15. General parallel composition (semantics – rules without synchronization degrees) ∃ – a � B i ’ ∧ a ∉ G i ∧ ∀ j ≠ i . B j ’ = B j a , i . B i (GR1) par G 1 � B 1 , …, G n � B n – a � par G 1 � B 1 ’, …, G n � B n ’ mandatory interleaved execution of non-synchronized actions ∃ a . ∀ ∈ i . if a G i then B i – a � B i ’ else B j ’ = B j (GR2) par G 1 � B 1 , …, G n � B n – a � par G 1 � B 1 ’, …, G n � B n ’ execution in maximal cooperation of synchronized actions VTSA'08 - Max Planck Institute, Saarbrücken 36

  16. Example (1/3) Process network unexpressible using “|[]|”: Description using general P1 parallel composition: G G par G#2 in G G � P 1 P2 P3 || G � P 2 || G � P 3 maximal cooperation avoided by means of synchronization degrees end par VTSA'08 - Max Planck Institute, Saarbrücken 37

  17. Example (2/3) (ring network [Garavel-Sighireanu-99]) Description using general P1 parallel composition: G1 G5 par P2 P5 G 1 , G 5 � P 1 || G 2 , G 1 � P 2 G2 G4 || G 3 , G 2 � P 3 G3 || G 4 , G 3 � P 4 P3 P4 || G 5 , G 4 � P 5 end par the symmetry of the process network is also present in the composition expression VTSA'08 - Max Planck Institute, Saarbrücken 38

  18. Example (3/3) Definition of “|[]|” in terms of “ par ”: B 1 |[G 1 , ..., G n ]| B 2 = par G 1 , ..., G n � B 1 || G 1 , ..., G n � B 2 end par CREW (Concurrent Read / Exclusive Write): par W#2 in R, W � P 1 P1 P2 P3 || R, W � P 2 || R, W � P 3 W R W R W R || R, W � VAR VAR end par VTSA'08 - Max Planck Institute, Saarbrücken 39

  19. Parallel composition using synchronization vectors Primitive form of n-ary parallel composition Proposed in various networks of automata: MEC [Arnold-Nivat], FC2 [deSimone-Bouali-Madelaine] Synchronizations are made explicit by means of synchronization vectors Syntax in the EXP language [Lang-05]: par V 1 , ..., V m in B 1 || ... || B n synchronization vectors end par V ::= (G 1 | _) * ... * (G n | _) � G 0 wildcard VTSA'08 - Max Planck Institute, Saarbrücken 40

  20. Example (client-server with gate multiplexing) req Client1 res binary synchronization Server on gates req and res req Client2 res Description using synchronization vectors: par req * _ * req � req, rep * _ * rep � rep, _ * req * req � req, _ * rep * rep � rep in Client 1 || Client 2 || Server end par VTSA'08 - Max Planck Institute, Saarbrücken 41

  21. Behavioural equivalence Useful for determining whether two LTSs denote the same behaviour Allows to: – Understand the semantics of languages (communicating automata, process algebras) having LTS models – Define and assess translations between languages – Refine specifications whilst preserving the equivalence of their corresponding LTSs – Replace certain system components by other, equivalent ones (maintenance) – Exploit identities between behaviour expressions (e.g., B 1 |[G]| B 2 = B 2 |[G]| B 1 ) in analysis tools VTSA'08 - Max Planck Institute, Saarbrücken 42

  22. Equivalence relations between LTSs a a a equivalent? b c b c A large spectrum of equivalence relations proposed: equivalence ( ≅ – Trace language equivalence) – Strong bisimulation [Park-81] – Weak bisimulation [Milner-89] – Branching bisimulation [Bergstra-Klop-84] – Safety equivalence [Bouajjani-et-al-90] – ... VTSA'08 - Max Planck Institute, Saarbrücken 43

  23. Trace equivalence Trace: sequence of visible actions (e.g., σ = req 1 res 1 req 2 res 2 ) Notations ( a = visible action): – s = a =>: there exists a transition sequence s –i � s 1 –i � s 2 ... – a � s k – s = σ =>: there exists a transition sequence s = a 1 => s 1 ... = a n => s n such that σ = a 1 ... a n Two state are trace equivalents iff they are the source of the same traces: s ≈ tr ∀ σ s’ iff . (s = σ => iff s = σ =>) VTSA'08 - Max Planck Institute, Saarbrücken 44

  24. Example (coffee machine) The two LTSs below are trace equivalent: money money money ≈ tr coffee coffee tea tea M 2 M 1 Traces ( M 1 ) = Traces ( M 2 ) = { ε , money , money coffee , money tea } � have the two coffee machines the same behaviour w.r.t. a user? M 1 : risk of deadlock VTSA'08 - Max Planck Institute, Saarbrücken 45

  25. Bisimulation Trace equivalence is not sufficiently precise to characterize the behaviour of a system w.r.t. its interaction with its environment � stronger relations (bisimulations) are necessary Two states s 1 et s 2 are bisimilar iff they are the origin of the same behaviour (execution tree): ∀ – a � s 1 ’ . ∃ s 2 – a � s 2 ’ . s 1 ’ ≈ s 2 ’ s 1 ∀ – a � s 2 ’ . ∃ s 1 – a � s 1 ’ . s 2 ’ ≈ s 1 ’ s 2 Bisimulation is an equivalence relation (reflexive, symmetric, and transitive) on states ≈ Two LTSs are bisimilar iff s 01 s 02 VTSA'08 - Max Planck Institute, Saarbrücken 46

  26. Strong bisimulation a a a d b c b c d ≈ st M 1 M 2 Strong bisimulation: the largest bisimulation � to show that two LTSs are strongly bisimilar, it is sufficient to find a bisimulation between them VTSA'08 - Max Planck Institute, Saarbrücken 47

  27. Is strong bisimulation sufficient? Trace equivalence ignores internal actions ( i ) and does not capture the branching of transitions � does not distinguish the LTSs below money money money coffee tea coffee tea Strong bisimulation captures the branching, but handles internal and visible actions in the same way � does not abstract away the internal behaviour VTSA'08 - Max Planck Institute, Saarbrücken 48

  28. Weak bisimulation (or observational equivalence ) In practice, it is necessary to compare LTSs – By abstracting away internal actions τ τ τ – By distinguishing the a branching . . . Weak bisimulation . . . [Milner-89]: a τ every a-transition corresponds to an . . . every τ -transition a-transition preceded and corresponds to 0 or τ followed by 0 or more more τ -transitions τ -transitions VTSA'08 - Max Planck Institute, Saarbrücken 49

  29. Weak bisimulation (formal definition) Let M 1 = < S 1 , A , T 1 , s 01 > and M 2 = < S 2 , A , T 2 , s 02 > is a relation ≈ ⊆ S 1 × A weak bisimulation S 2 such ≈ that s 1 s 2 iff: ∀ – a � s 1 ’ . ∃ s 2 – τ *. a . τ * � s 2 ’ . s 1 ’ eq s 2 ’ s 1 ∀ – τ � s 1 ’ . ∃ s 2 – τ * � s 2 ’ . s 1 ’ eq s 2 ’ s 1 and ∀ – a � s 2 ’ . ∃ s 1 – τ *. a . τ * � s 1 ’ . s 1 ’ eq s 2 ’ s 2 ∀ – τ � s 2 ’ . ∃ s 1 – τ * � s 1 ’ . s 1 ’ eq s 2 ’ s 2 ≈ obs is the largest weak bisimulation ≈ obs ≈ obs M 1 M 2 iff s 01 s 02 VTSA'08 - Max Planck Institute, Saarbrücken 50

  30. Example To show that two LTSs are weakly bisimilar, it is sufficient to find a weak bisimulation between them put τ get put τ put put get VTSA'08 - Max Planck Institute, Saarbrücken 51

  31. Communicating automata (summary) Advantages: – Simple model for describing concurrency – Powerful tools for manipulation � MEC (University of Bordeaux) � Auto/Autograph/FC2 (INRIA, Sophia-Antipolis) � CADP (INRIA, Grenoble) – Some industrial applications Shortcomings: – Limited expressiveness � No dynamic creation and destruction of automata � Impossible to express: A then (B || C) then D � No handling of data (each variable = an automaton), unacceptable for complex types (numbers, lists, structures, ...) – Maintenance difficult and error-prone (large automata) VTSA'08 - Max Planck Institute, Saarbrücken 52

  32. Process algebraic languages Basic notions Parallel composition and hiding Sequential composition and choice Value-passing and guards Process definition and instantiation VTSA'08 - Max Planck Institute, Saarbrücken 53

  33. Process algebras PAs: theoretical formalisms for describing and studying concurrency and communication Examples of PAs for asynchronous systems: – CCS ( Calculus of Communicating Systems ) [Milner-89] – CSP ( Communicating Sequential Processes ) [Hoare-85] – ACP ( Algebra of Communicating Processes ) [Bergstra-Klop-84] Basic idea of PAs: – Provide a small number of operators – Construct behaviours by freely combining operators (lego) Standardized specification languages: – LOTOS [ISO-1988], E-LOTOS [ISO-2001] VTSA'08 - Max Planck Institute, Saarbrücken 54

  34. LOTOS (Language Of Temporal Ordering Specification) International standard [ISO 8807] for the formal specification of telecommunication protocols and distributed systems http://www.inrialpes.fr/vasy/cadp/tutorial Enhanced LOTOS (E-LOTOS): revised standard [2001] LOTOS contains two “orthogonal” sublanguages: – data part (for data structures) – process part (for behaviours) Handling data is necessary for describing realistic systems. “Basic LOTOS” (the dataless fragment of LOTOS) is useful only for small examples. VTSA'08 - Max Planck Institute, Saarbrücken 55

  35. LOTOS – data part Based on algebraic abstract data types (ActOne): type Natural is sorts Nat opns 0 : -> Nat succ : Nat -> Nat + : Nat, Nat -> Nat eqns forall M, N : Nat ofsort Nat 0 + N = N; succ(M) + N = succ(M + N); endtype Caesar.Adt compiler of CADP [Garavel-Turlier-92] ADTs tend to become cumbersome for complex data manipulations (removed in E-LOTOS). VTSA'08 - Max Planck Institute, Saarbrücken 56

  36. LOTOS – process part Combines the best features of the process algebras CCS [Milner-89] and CSP [Hoare-85] Terminal symbols (identifiers): – Variables: X 1 , …, X n – Gates: G 1 , …, G n – Processes: P 1 , …, P n Sorts ( ≈ – types): S 1 , …, S n – Functions: F 1 , …, F n – Comments: (* … *) Caesar compiler of CADP [Garavel-Sifakis-90] VTSA'08 - Max Planck Institute, Saarbrücken 57

  37. Value expressions and offers Value expressions: V 1 , …, V n V ::= X | F ( V 1 , …, V n ) | V 1 F V 2 Offers: O 1 , …, O n O ::= ! V emission of a value V | ? X : S reception of a value to be stored in a variable X of sort S VTSA'08 - Max Planck Institute, Saarbrücken 58

  38. Behaviour expressions ( L ots O f T erribly O bscure S ymbols :-) Behaviours: B 1 , …, B n B ::= stop inaction | G 0 O 1 ... O n [ V ] ; B 0 action prefix | B 1 [] B 2 choice | B 1 |[ G 1 , ..., G n ]| B 2 parallel with synchroni- zation on G 1 , ..., G n | B 1 ||| B 2 interleaving | hide G 1 , ..., G n in B 0 hiding | [ V ] -> B 0 guard | let X : S = V in B 0 variable definition | choice X : S [] B 0 choice over values | P [ G 1 , ..., G n ] ( V 1 , ..., V n ) process call VTSA'08 - Max Planck Institute, Saarbrücken 59

  39. Process definitions process P [ G 1 , …, G n ] ( X 1 : S 1 , …, X n : S n ) := B endproc where: P = process name G 1 , …, G n = formal gate parameters of P X 1 , …, X n = formal value parameters of P , of sorts S 1 , …, S n B = body (behaviour) of P VTSA'08 - Max Planck Institute, Saarbrücken 60

  40. Remarks LOTOS process: “black box” equipped with communication points (gates) with the outside process P [ G 1 , G 2 , G 3 ] (...) := G 1 P G 3 ... G 2 endproc Each process has its own local (private) variables, which are not accessible from the outside � communication by rendezvous and not by shared variables Parallel composition and encapsulation of boxes: described using the |[…]|, |||, and hide operators VTSA'08 - Max Planck Institute, Saarbrücken 61

  41. Example A B Medium1 PUT GET Sender Receiver Medium2 D C (Sender [PUT, A, D] ||| Receiver [GET, B, C]) |[A, B, C, D]| (Medium1 [A, B] ||| Medium2 [C, D]) or (Sender [PUT, A, D] |[A]| Medium1 [A, B]) |[B, D]| (Receiver [GET, B, C] |[C]| Medium2 [C, D]) VTSA'08 - Max Planck Institute, Saarbrücken 62

  42. Multiple rendezvous LOTOS parallel operators allow to specify the ≥ synchronization of n 2 processes on the same gate Example (client-server): C1 C2 C3 C1 [A] |[A]| C2 [A] |[A]| C3 [A] A |[A]| S [A] S the three client processes synchronize with the server on gate A (4-way rendezvous) VTSA'08 - Max Planck Institute, Saarbrücken 63

  43. Binary rendezvous The ||| operator allows to specify binary rendezvous (2 among n ) on the same gate Example (client-server) : C1 C2 C3 (C1 [A] ||| C2 [A] ||| C3 [A]) A |[A]| S [A] A A S the three client processes are competing to access the server on gate A but only one can get access at a given moment VTSA'08 - Max Planck Institute, Saarbrücken 64

  44. Abstraction (hiding) In LOTOS, when a synchronization takes place on a gate G between two processes, another one can also synchronize on G ( maximal cooperation ) If this is undesirable, it can be forbidden by hiding the gate (renaming it into i ) using the hide operator: hide G 1 , …, G n in B which means that all actions performed by B on gates G 1 , …, G n are hidden The gates G 1 , …, G n are “abstracted away” (hidden from the outside world) VTSA'08 - Max Planck Institute, Saarbrücken 65

  45. Example A B Medium1 PUT GET Sender Receiver Medium2 D C process Network [PUT, GET] := hide A, B, C, D in (Sender [PUT, A, D] ||| Receiver [GET, B, C]) |[A, B, C, D]| (Medium1 [A, B] ||| Medium2 [C, D]) endproc VTSA'08 - Max Planck Institute, Saarbrücken 66

  46. Operational semantics Notations: – G : gate list (or set) – L : action (transition label), of the form G V 1 , …, V n where G is a gate and V 1 , …, V n is the list of values exchanged on G during the rendezvous – gate ( L ) = G – B [ v / X ]: syntactic substitution of all free occurrences of X inside B by a value v (having the same sort as X ) – V [ v / X ]: idem, substitution of X by v in V VTSA'08 - Max Planck Institute, Saarbrücken 67

  47. Semantics of “|[...]|” → L ∧ ( L ) ∉ B 1 B 1 ’ gate G B 1 evolves → L B 1 |[ G ]| B 2 B 1 ’ |[ G ]| B 2 → L ∧ ( L ) ∉ B 2 B 2 ’ gate G B 2 evolves → L B 1 |[ G ]| B 2 B 1 |[ G ]| B 2 ’ → L ∧ → L ∧ ( L ) ∈ B 1 B 1 ’ B 2 B 2 ’ gate G B 1 and B 2 → L B 1 |[ G ]| B 2 B 1 ’ |[ G ]| B 2 ’ evolve Gates have no direction of communication VTSA'08 - Max Planck Institute, Saarbrücken 68

  48. Semantics of “hide” → L ∧ ( L ) ∉ B B’ gate G normal gate → L hide G in B hide G in B’ → L ∧ ( L ) ∈ B B’ gate G hidden gate → i hide G in B hide G in B’ In LOTOS, i is a keyword: use with care VTSA'08 - Max Planck Institute, Saarbrücken 69

  49. Sequential behaviours LOTOS allows to encode sequential automata by means of the choice (“[]”) and sequence operators (“;” and “ stop” ), and recursive processes process P [A, B, C, D, E] : noexit := A; ( B; stop A [] E C; ( B C D ; stop [] E ; P [A, B, C, D, E] D ) ) endproc VTSA'08 - Max Planck Institute, Saarbrücken 70

  50. Remarks The description of automata in LOTOS is not far from regular expressions (operators “.”, “|”, “*”), except that: ( ≠ – The “;” operator of LOTOS is asymmetric from “.”) G O 1 … O n ; B but not B 1 ; B 2 – There is no iteration operator “*”, one must use a recursive process call instead LOTOS allows to describe automata with data values ( ≈ functions in sequential languages) by using processes with value parameters VTSA'08 - Max Planck Institute, Saarbrücken 71

  51. Semantics of “stop” The “ stop” operator (inaction) has no associated semantic rule, because no transition can be derived from it A call of a “pathological” recursive process like process P [A] : noexit := P [A] endproc has a behaviour equivalent to stop (unguarded recursion) VTSA'08 - Max Planck Institute, Saarbrücken 72

  52. Prefix operator (“;”) Allows to describe: – Sequential composition of actions – Communication (emission / reception) of data values Simplest variant: actions on gates, without value- passing (basic LOTOS) a ; b ; c ; d ; stop a b c d VTSA'08 - Max Planck Institute, Saarbrücken 73

  53. Semantics of “;” Case 1: action without reception offers (? X : S ) ( ∀ 1 ≤ ≤ ≡ ) ∧ i n . O i ! V i V = true → G V1 … G O 1 … O n [ V ] ; B B Vn The boolean guard and the offers are optional If the guard V is false, the rendezvous does not happen (deadlock): ] ; B ≈ G O 1 … O n [ V stop VTSA'08 - Max Planck Institute, Saarbrücken 74

  54. Example (1/2) Sequential composition: A !true; B !4; stop A !true; B !4; stop A !true B !4; stop B !4 stop VTSA'08 - Max Planck Institute, Saarbrücken 75

  55. Example (2/2) Synchronization by value matching : two processes send to each other the same values on a gate G !1; B 1 |[ G ]| G !1; B 2 G 1 RdV OK G !1; B 1 |[ G ]| G !2; B 2 deadlock (different values) G !1; B 1 |[ G ]| G !true; B 2 deadlock (different types) VTSA'08 - Max Planck Institute, Saarbrücken 76

  56. Semantics of “;” Case 2: action containing reception offer(s) (? X : S ) ∈ S ) ∧ ( v ( V [ v / X ] = true) → G v G ? X : S [ V ] ; B B [ v / X ] The variables defined in the offers ?X:S are visible in the boolean guard V and inside B An action can freely mix emission and reception offers VTSA'08 - Max Planck Institute, Saarbrücken 77

  57. Example (1/3) G ? X :Bool; G false G true stop G 0 G 1 G 2 G 3 G ? X :Nat [ X < 4]; H ! X; H 0 H 1 H 2 H 3 stop The semantics handles the reception by branching on all possible values that can be received VTSA'08 - Max Planck Institute, Saarbrücken 78

  58. Example (2/3) Emission of a value = guarded reception: ≡ G ! V G ? X : S [ X = V ] G V where S = type ( V ) Synchronization by value generation : two processes receive values of the same type on a gate G ? n 1 : Nat [ n 1 <= 5 ]; B 1 |[ G ]| G 3 G 5 G 4 G ? n 2 : Nat [ n 2 > 2]; B 2 VTSA'08 - Max Planck Institute, Saarbrücken 79

  59. Example (3/3) Synchronization by value-passing : G ? X :Bool ; stop |[ G ]| G !true ; stop G true G ? X :Bool ; stop |[ G ]| G !3 ; stop G false G true |[ G ]| G 3 deadlock: the semantics of the “|[...]|” operator requires that the two labels be identical (same type for the emitted value and the reception offer) VTSA'08 - Max Planck Institute, Saarbrücken 80

  60. Rendezvous (summary) General form: G O 1 … O m [ V 1 ]; B 1 |[ G ]| G ’ O 1 ’ … O n ’[ V 2 ]; B 2 Conditions for the rendezvous: ∈ – G = G ’ and G G – m = n – V 1 and V 2 are true in the context of O 1 , ..., O n ’ ∀ 1 ≤ ≤ – i n . type ( O i ) = type ( O i ’) ∀ 1 ≤ ≤ ) ∩ ’) ≠ ∅ – i n . prop ( O i prop ( O i where prop ( O ) = set of values accepted by offer O – prop (! V ) = { V } – prop (? X : S ) = S VTSA'08 - Max Planck Institute, Saarbrücken 81

  61. Choice operator (“[]”) ”[]”: notation inherited from the programs with guarded commands [Dijkstra] Allows to specify the choice between several alternatives: ( B 1 [] B 2 [] B 3 ) can execute either B 1 , or B 2 , or B 3 Example: a ; a ( b ; stop b c [] c ; stop ) VTSA'08 - Max Planck Institute, Saarbrücken 82

  62. Semantics of “[]” → L B 1 B 1 ’ execution of B 1 → L B 1 [] B 2 B 1 ’ → L B 2 B 2 ’ execution of B 2 → L B 1 [] B 2 B 2 ’ After the choice, one of the two behaviours disappears (the execution was engaged on a branch of the choice and the other one is abandoned) VTSA'08 - Max Planck Institute, Saarbrücken 83

  63. Internal / external choice ( G 1 ; B 1 [] G 2 ; B 2 ) – External choice: the environment can decide which branch will be executed – Internal choice: the program decides Example (coffee machine): money money money coffee tea coffee tea external choice (user) internal choice (machine) VTSA'08 - Max Planck Institute, Saarbrücken 84

  64. Internal action (“i”) In LOTOS, the special gate i denotes an internal event on which the environment cannot act: ( i ; G 1 ; stop i i [] internal choice i ; G 2 ; stop ) G 1 G 2 ( G 1 ; stop G 1 i still internal choice [] G 2 i ; G 2 ; stop ) VTSA'08 - Max Planck Institute, Saarbrücken 85

  65. - > ”) Guard operator (“[…] LOTOS does not possess an “if-then-else” construct Guards (boolean conditions) can be used instead Informal semantics: ] - > ≈ [ V B if V then B else stop Frequent usage in conjunction with “[]”: READ ?m,n:Nat ; ( [ m >= n ] -> PRINT !m; stop emission of max (m,n) [] on gate PRINT [ m < n ] -> PRINT !n; stop ) VTSA'08 - Max Planck Institute, Saarbrücken 86

  66. - > ” Semantics of “[…] = true) ∧ → L ( V B B’ ] - > → L [ V B B’ If the boolean expression V evaluates to false, no semantic rule applies (deadlock): [ false ] - > ≈ B stop VTSA'08 - Max Planck Institute, Saarbrücken 87

  67. Examples “if-then-else”: “case”: ] - > < 0 ] - > [ V B 1 [ X B 1 [] [] [ not ( V ) ] - > = 0 ] - > B 2 [ X B 2 [] > 0 ] - > [ X B 3 Beware of overlapping guards: [ X ≤ 0 ] - > B 1 if X = 0 then this is equivalent [] to an unguarded choice B 1 [] B 2 [ X ≥ 0 ] - > B 2 VTSA'08 - Max Planck Institute, Saarbrücken 88

  68. Operator “let” LOTOS allows to define variables for storing the results of expressions Variable definition: let X : S = V in B declares variable X and initializes it with the value of V . X is visible in B. Write-once variables (no multiple assignments): let X : Bool = true in G ! X ; (* first X *) let X : Bool = false in G ! X ; (* second X *) stop VTSA'08 - Max Planck Institute, Saarbrücken 89

  69. Semantics of “let” ] → L B [ V / X B’ → L let X : S = V in B B’ Example: let X :NatList = cons (0, nil) in G ! X ; H !cons (1, X ); stop VTSA'08 - Max Planck Institute, Saarbrücken 90

  70. Remarks LOTOS is a functional language: No uninitialized variable (forbidden by the syntax) No assignment operator (“:=”), the value of a variable does not change after its initialization No “global” or “shared” variables between functions or processes Each process has its own local variables Communication by rendezvous only No side-effects VTSA'08 - Max Planck Institute, Saarbrücken 91

  71. Operator “choice” Operator “ choice” : similar to “ let” , except that variable X takes a nondeterministic value in the domain of its sort S Semantics: ( v ∈ ∧ ] → L S ) B [ v / X B’ → L choice X : S [] B B’ Example: choice X :Bool [] G false G true G ! X ; stop VTSA'08 - Max Planck Institute, Saarbrücken 92

  72. Examples Reception of a value = particular case of “ choice” : G ? X : S ; B = choice X : S [] B Iteration over the values of an enumerated type: choice A : Addr [] SEND ! m ! A ; stop Generation of a random value: choice rand : Nat [] [ rand <= 10 ] -> PRINT ! rand ; stop VTSA'08 - Max Planck Institute, Saarbrücken 93

  73. Operator “exit” LOTOS allows to express normal termination of a behaviour, possibly with the return of one or several values: exit ( V 1 , …, V n ) denotes a behaviour that terminates and produces the values V 1 , …, V n Example: REC 0 REC 1 REC ? x :Nat [ x < 2 ] ; exit 1 exit 2 exit ( x + 1) VTSA'08 - Max Planck Institute, Saarbrücken 94

  74. Semantics of “exit” true ) → exit V1 … exit ( V 1 , …, V n stop Vn exit = special gate, synchronized by the “|[…]|” operator (see later) The values V 1 , …, V n are optional (“ exit ” means normal termination without producing any value) VTSA'08 - Max Planck Institute, Saarbrücken 95

  75. Operator “>>” LOTOS allows to express the sequential composition between a behaviour B 1 that terminates and a behaviour B 2 that begins: B 1 >> accept X 1 : S 1 ,…, X n : S n in B 2 means that when B 1 terminates by producing values V 1 ,…, V n , the execution continues with B 2 in which X 1 ,…, X n are replaced by the values V 1 ,…, V n Example: exit (1) >> accept n:Nat in i PRINT 1 PRINT !n ; stop VTSA'08 - Max Planck Institute, Saarbrücken 96

  76. Semantics of “>>” → L ) ∧ ( L ) ≠ ( B 1 B 1 ’ ( gate exit ) → L ( B 1 >> accept X : S in B 2 ) ( B 1 ’ >> accept X : S in B 2 ) → exit V B 1 B 1 ’ → i ( B 1 >> accept X : S in B 2 ) B 2 [ V / X ] The V values must belong pairwise to the S sorts The exit gate is hidden (renamed into i ) when sequential composition takes place The “>>” operator is also called enabling ( B 2 ’s execution is made possible by B 1 ’s termination) VTSA'08 - Max Planck Institute, Saarbrücken 97

  77. Example (1/4) Sequential composition without value-passing: (In1; In2; exit In1 In2 [] In2 In1 In2; In1; exit) i i >> (Access; exit) Access >> i (Out1; Out2; stop Out1 Out2 [] Out2 Out1 Out2; Out1; stop) VTSA'08 - Max Planck Institute, Saarbrücken 98

  78. Example (2/4) Sequential composition with value-passing: READ ?m,n:Nat ; READ 0 1 READ 0 2 ( [ m >= n ] -> exit (m) [] . . . i i [ m < n ] -> exit (n) ) >> PRINT 1 PRINT 2 accept max:Nat in PRINT !max ; stop VTSA'08 - Max Planck Institute, Saarbrücken 99

  79. Example (3/4) Definition of terminating process: process Login [LogReq, LogConf, LogAbort] : exit := LogReq; ( i ; LogConf ; exit [] i ; LogAbort ; Login [LogReq, LogConf, LogAbort]) endproc Example of call: Login [Req,Conf,Abort] >> Transfer ; Logout ; stop VTSA'08 - Max Planck Institute, Saarbrücken 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY http://www.inrialpes.fr/vasy Action-based temporal logics Introduction Modal logics Branching-time logics Regular logics Fixed point logics VTSA'08

1.7k views • 148 slides
Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is Model Checking? Model checking is an automated technique that, given a finite-state model of a system and a logical property , systematically

484 views • 36 slides
Model Checking Concurrent Systems with Unboundedly Many Processes Using Data Logics Ahmet Kara

Model Checking Concurrent Systems with Unboundedly Many Processes Using Data Logics Ahmet Kara

Model Checking Concurrent Systems with Unboundedly Many Processes Using Data Logics Ahmet Kara MOVEP 2012, Marseille Interaction of Unboundedly Many Processes n m o 1 2 3 p 4 Ahmet Kara Model Checking Concurrent Systems with

852 views • 59 slides
Week-1: Introduction to model checking B. Srivathsan Chennai Mathematical Institute NPTEL-course

Week-1: Introduction to model checking B. Srivathsan Chennai Mathematical Institute NPTEL-course

Week-1: Introduction to model checking B. Srivathsan Chennai Mathematical Institute NPTEL-course July - November 2015 1 / 30 Module 4: Modeling concurrent systems 2 / 30 Concurrent systems Independent Shared variables Shared actions 3 / 30

844 views • 67 slides
Dynamic Reductions for Model Checking Concurrent Software Alfons Laarman alfons@laarman.com

Dynamic Reductions for Model Checking Concurrent Software Alfons Laarman alfons@laarman.com

Introduction Transactions Dynamic Experiments Conclusion Dynamic Reductions for Model Checking Concurrent Software Alfons Laarman alfons@laarman.com Henning G unther , Ana Sokolova and Georg Weissenbacher Formal Methods in Systems

905 views • 51 slides
Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree Logic Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge

402 views • 25 slides
Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL

Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL

Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL Other interesting books: Model Checking by Clarke, Grumberg, and Peled Principles of Model Checking by Baier and Katoen 3 Course

636 views • 11 slides
SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl Joint work with Dirk Beyer University of Passau, Germany SMT-based Software Model Checking Bounded Model Checking ( Cbmc , CPAchecker , Esbmc ,

496 views • 26 slides
Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model checking historically not the first symbolic model checking approach scales better than original BDD based techniques mostly incomplete in

521 views • 28 slides
Model Checking in Systems Biology s Brim and Milan ska and David Lubo Ce Safr

Model Checking in Systems Biology s Brim and Milan ska and David Lubo Ce Safr

Model Checking in Systems Biology s Brim and Milan ska and David Lubo Ce Safr anek Masaryk University Czech Republic SFM 2013 1/150 Outline Introduction 1 LTL Model Checking 2 Parallel LTL Model Checking 3 Discrete

2.18k views • 199 slides
Model Checking Finite State Finite State Model Checking Finite State Systems

Model Checking Finite State Finite State Model Checking Finite State Systems

Model Checking Finite State Finite State Model Checking Finite State Systems Informationsteknologi System Description A No! Debugging Information TOOL TOOL Yes, Requirement F Prototypes C T L Executable Code Test sequences Tools:

637 views • 34 slides
Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking Checking Checking for Timed Automata Timed Automata Coll C l C ll b llabora orators: t ors: Peter Bulychev, Alexandre David Axel Legay, Marius

725 views • 59 slides
Framework for Model Checking Concurrent Programs in Maude Gorka Surez-Garca Departamento de

Framework for Model Checking Concurrent Programs in Maude Gorka Surez-Garca Departamento de

Framework for Model Checking Concurrent Programs in Maude Gorka Surez-Garca Departamento de Sistemas Informticos y Computacin Universidad Complutense de Madrid gorka.suarez@ucm.es Table of Contents 1. Introduction 2. The Maude

512 views • 22 slides
Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze concurrent systems? How are concurrent systems modeled? How are concurrent systems analyzed? What tools are available for modeling and

1.13k views • 85 slides
Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group, University of Cambridge Academic year

972 views • 41 slides
Directed Model Checking (not only) for Timed Automata Sebastian Kupferschmid March, 2010 Model

Directed Model Checking (not only) for Timed Automata Sebastian Kupferschmid March, 2010 Model

Directed Model Checking (not only) for Timed Automata Sebastian Kupferschmid March, 2010 Model Checking Motivation Embedded Systems Omnipresent Safety relevant systems Pentium bug Ariane 5 Errors can be extremely harmful Correct

837 views • 67 slides
Graph searching with advice Nicolas Nisse David Soguet LRI, Universit e Paris-Sud, France.

Graph searching with advice Nicolas Nisse David Soguet LRI, Universit e Paris-Sud, France.

Graph searching with advice Nicolas Nisse David Soguet LRI, Universit e Paris-Sud, France. SIROCCO, June 2007 1/16 Nicolas Nisse, David Soguet Graph searching with advice Graph searching problem Goal In an undirected simple graph, in

770 views • 41 slides
Automated Connected - Mobile Strategies &amp; Actions towards Automated &amp; Connected

Automated Connected - Mobile Strategies &amp; Actions towards Automated &amp; Connected

Automated Connected - Mobile Strategies &amp; Actions towards Automated &amp; Connected Driving in Austria Outline National Action Plan Automated Driving International 5G Relevant Activities and Priorities Projects National C-ITS

500 views • 31 slides
Unified Model for Assessing Checkpointing Protocols at Extreme-Scale George Bosilca 1 , Aur

Unified Model for Assessing Checkpointing Protocols at Extreme-Scale George Bosilca 1 , Aur

Unified Model for Assessing Checkpointing Protocols at Extreme-Scale George Bosilca 1 , Aur elien Bouteiller 1 , Elisabeth Brunet 2 , Franck Cappello 3 , Jack Dongarra 1 , Amina Guermouche 4 , erault 1 , Yves Robert 1 , 4 , Thomas H eric Vivien

732 views • 71 slides
1 Digression: local procedure calls Digression: local procedure calls j = f( i, mystring ,

1 Digression: local procedure calls Digression: local procedure calls j = f( i, mystring ,

Problems with sockets Sockets interface is straightforward [ connect] read/ write [ disconnect] Forces read/ write mechanism Remote Procedure Calls Not how we generally program We usually use a procedure call To make

315 views • 8 slides
PUBLISHING SIMULATIONS IN THE VO AND ELSEWHERE Gerard Lemson MPA Garching, Germany 1 ISSAC

PUBLISHING SIMULATIONS IN THE VO AND ELSEWHERE Gerard Lemson MPA Garching, Germany 1 ISSAC

PUBLISHING SIMULATIONS IN THE VO AND ELSEWHERE Gerard Lemson MPA Garching, Germany 1 ISSAC 2012 SDSC, San Diego, USA FOF groups and Subhalos Raw data: Particles Mock images Density fields Subhalo merger trees Synthetic galaxies (SAM)

926 views • 61 slides
I: Performance metrics (contd) II: Parallel programming models and mechanics Prof. Richard

I: Performance metrics (contd) II: Parallel programming models and mechanics Prof. Richard

I: Performance metrics (contd) II: Parallel programming models and mechanics Prof. Richard Vuduc Georgia Institute of Technology CSE/CS 8803 PNA, Spring 2008 [L.05] Tuesday, January 22, 2008 1 Algorithms for 2-D (3-D) Poisson, N=n 2 (=n 3

961 views • 68 slides
Overview of automated reasoning and ordering-based strategies Maria Paola Bonacina Visiting:

Overview of automated reasoning and ordering-based strategies Maria Paola Bonacina Visiting:

Outline Automated reasoning Some building blocks for reasoning The theorem-proving problem Inference mechanisms Theorem-proving strategies Overview of automated reasoning and ordering-based strategies Maria Paola Bonacina Visiting: Computer

1.27k views • 90 slides
Final Exam Review INFO/CSE 100, Spring 2006 Fluency in Information Technology

Final Exam Review INFO/CSE 100, Spring 2006 Fluency in Information Technology

The Information School of the University of Washington Final Exam Review INFO/CSE 100, Spring 2006 Fluency in Information Technology http://www.cs.washington.edu/100 5/31/06 fit100-26-review 1 The Information School of the University of

994 views • 81 slides

More recommend