Self- -Verifying Verifying Self Self-Verifying * * Dining - - PowerPoint PPT Presentation
Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers Dining Philosophers Peter Welch and Neil Brown Peter Welch and Neil Brown School of Computing, University of Kent, UK School of Computing,
15-Oct-11
Copyleft (GPL) P.H.Welch and J.B.Pedersen 1
* About 10 of them * About 10 of them … …
2000 2000
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 2
http://www.cs.utexas.edu/users/EWD/ewd03xx/EWD310.PDF http://www.cs.utexas.edu/users/EWD/ewd03xx/EWD310.PDF http://www.cs.utexas.edu/users/EWD/ewd03xx/EWD310.PDF Historical document Historical document
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 3
College College
thinking thinking eating eating
F F F F F F F F F F P P P P P P P P P P
A new, really A new, really really really neat, solution (Neil Brown / PHW) neat, solution (Neil Brown / PHW)
eatBar eatBar
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 4
PROC PROC Phil Phil ( (CHAN INT CHAN INT thinking! thinking!, , eating! eating!, , BARRIER BARRIER eatBar eatBar) ) WHILE TRUE WHILE TRUE SEQ SEQ thinking ! 0 thinking ! 0 SYNC SYNC eatBar eatBar eating ! 0 eating ! 0 SYNC SYNC eatBar eatBar : :
thinking thinking eating eating eatBar eatBar
P P
Phil Phil ( (thinking thinking, , eating eating, , eatBar eatBar) = ) = let let Phil_0_ Phil_0_ = = thinking thinking -
> eatBar eatBar -
> eating eating -
> eatBar eatBar -
> Phil_0_ Phil_0_ within within Phil_0_ Phil_0_ : :
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 5
College College
F F F F F F F F F F P P P P P P P P P P
thinking thinking eating eating eatBar eatBar
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 6
PROC PROC Fork Fork ( (BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) WHILE TRUE WHILE TRUE ALT ALT SYNC SYNC eatBarRight eatBarRight SYNC SYNC eatBarRight eatBarRight SYNC SYNC eatBarLeft eatBarLeft SYNC SYNC eatBarLeft eatBarLeft : :
F F
eatBarRight eatBarRight eatBarLeft eatBarLeft
Fork Fork ( (eatBarRight eatBarRight, , eatBarLeft eatBarLeft) = ) = let let Fork_0_ Fork_0_ = = eatBarRight eatBarRight -
> eatBarRight eatBarRight -
> Fork_0_ Fork_0_ [] [] eatBarLeft eatBarLeft -
> eatBarLeft eatBarLeft -
> Fork_0_ Fork_0_ within within Fork_0_ Fork_0_ : :
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 7
1 1 2 2 3 3 4 4
VAL INT VAL INT nPhils nPhils IS 5: IS 5: nPhils nPhils = 5 = 5 PROC PROC Philosophers Philosophers ( ([ [nPhils]CHAN nPhils]CHAN INT INT thinking! thinking!, , eating! eating!, , [ [nPhils]BARRIER nPhils]BARRIER eatBar eatBar) ) PAR id = 0 FOR PAR id = 0 FOR nPhils nPhils Phil ( Phil (thinking[id thinking[id]! ]!, , eating[id eating[id]! ]!, , eatBar[id eatBar[id] ]) ) : : Philosophers Philosophers ( (thinking thinking, , eating eating, , eatBar eatBar) = ) = ||| ||| id id : : {0..(nPhils {0..(nPhils – – 1)} @ 1)} @ Phil ( Phil (thinking.id thinking.id, , eating.id eating.id, , eatBar.id eatBar.id) )
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 8
1 1 2 2 3 3 4 4
VAL INT VAL INT nPhils nPhils IS 5: IS 5: nPhils nPhils = 5 = 5
… except that FDR2 uses much less memory and time if replicated (or merely repeated) processes take no parameters, but instead use event renaming to wire up the different instances. … … except that except that FDR2 FDR2 uses uses much much less memory and time less memory and time if replicated if replicated (or merely repeated) processes (or merely repeated) processes take take no parameters no parameters, , but instead but instead use use event renaming event renaming to wire up the to wire up the different instances. different instances.
VERIFY PROC VERIFY PROC Philosophers Philosophers ( ([ [nPhils]CHAN nPhils]CHAN INT INT thinking! thinking!, , eating! eating!, , [ [nPhils]BARRIER nPhils]BARRIER eatBar eatBar) ) PAR id = 0 FOR PAR id = 0 FOR nPhils nPhils Phil ( Phil (thinking[id thinking[id]! ]!, , eating[id eating[id]! ]!, , eatBar[id eatBar[id] ]) ) : : Philosophers Philosophers ( (thinking thinking, , eating eating, , eatBar eatBar) = ) = ||| ||| id id : : {0..(nPhils {0..(nPhils – – 1)} @ 1)} @ Phil ( Phil (thinking.id thinking.id, , eating.id eating.id, , eatBar.id eatBar.id) ) channel channel thinking_r0_ thinking_r0_, , eating_r0_ eating_r0_, , eatBar_r0_ eatBar_r0_ Philosophers Philosophers ( (thinking thinking, , eating eating, , eatBar eatBar) = ) = let let Philosophers_0 = Phil Philosophers_0 = Phil ( (thinking_r0_ thinking_r0_, , eating_r0_ eating_r0_, , eatBar_r0_ eatBar_r0_) ) within within ||| ||| id id : : {0..(nPhils {0..(nPhils – – 1)} @ 1)} @ Philosophers_0 Philosophers_0 [[ [[ thinking_r0_ thinking_r0_ < <-
thinking.id, , eating_r0_ eating_r0_ < <-
eating.id, , eatBar_r0_ eatBar_r0_ < <-
eatBar.id) ) ]] ]] Note: Note: the three the three declared channels are declared channels are not actually used !! not actually used !!
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 9
1 1 2 2 3 3 4 4
VAL INT VAL INT nPhils nPhils IS 5: IS 5: nPhils nPhils = 5 = 5 PROC PROC Forks Forks ( ([ [nPhils]BARRIER nPhils]BARRIER eatBar eatBar) ) PAR id = 0 FOR PAR id = 0 FOR nPhils nPhils VAL INT right IS id: VAL INT right IS id: VAL INT left IS (id + 1) VAL INT left IS (id + 1)\ \nPhils: nPhils: Fork Fork ( (eatBar[right eatBar[right] ], , eatBar[left eatBar[left] ]) ) : : Forks Forks ( (eatBar eatBar) = ) = || || id id : : {0..(nPhils {0..(nPhils – – 1)} @ 1)} @ [{ [{ eatBar.id eatBar.id, , eatBar.((id eatBar.((id + 1)%nPhils) + 1)%nPhils) }] }] Fork Fork ( (eatBar.id eatBar.id, , eatBar.((id eatBar.((id + 1)%nPhils) + 1)%nPhils)) )
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 10
1 1 2 2 3 3 4 4
VAL INT VAL INT nPhils nPhils IS 5: IS 5: nPhils nPhils = 5 = 5
… except that FDR2 uses much less memory and time if replicated (or merely repeated) processes take no parameters, but instead use event renaming to wire up the different instances. … … except that except that FDR2 FDR2 uses uses much much less memory and time less memory and time if replicated if replicated (or merely repeated) processes (or merely repeated) processes take take no parameters no parameters, , but instead but instead use use event renaming event renaming to wire up the to wire up the different instances. different instances.
VERIFY PROC VERIFY PROC Forks Forks ( ([ [nPhils]BARRIER nPhils]BARRIER eatBar eatBar) ) PAR id = 0 FOR PAR id = 0 FOR nPhils nPhils VAL INT right IS id: VAL INT right IS id: VAL INT left IS (id + 1) VAL INT left IS (id + 1)\ \nPhils: nPhils: Fork Fork ( (eatBar[right eatBar[right] ], , eatBar[left eatBar[left] ]) ) : : Forks Forks ( (eatBar eatBar) = ) = || || id id : : {0..(nPhils {0..(nPhils – – 1)} @ 1)} @ [{ [{ eatBar.id eatBar.id, , eatBar.((id eatBar.((id + 1)%nPhils) + 1)%nPhils) }] }] Fork Fork ( (eatBar.id eatBar.id, , eatBar.((id eatBar.((id + 1)%nPhils) + 1)%nPhils)) ) channel channel eatBarRight_r2_ eatBarRight_r2_, , eatBarLeft_r2_ eatBarLeft_r2_ Forks Forks ( (eatBar eatBar) = ) = let let Forks_0 = Fork Forks_0 = Fork ( (eatBarRight_r2_ eatBarRight_r2_, , eatBarLeft_r2_ eatBarLeft_r2_) ) within within || || id id : : {0..(nPhils {0..(nPhils – – 1)} @ 1)} @ [{ [{ eatBar.id eatBar.id, , eatBar.((id eatBar.((id + 1)%nPhils) + 1)%nPhils) }] }] Forks_0 Forks_0 [[ [[ eatBarRight_r2_ eatBarRight_r2_ < <-
eatBar.id, , eatBarLeft_r2_ eatBarLeft_r2_ < <-
eatBar.((id + 1)%nPhils) + 1)%nPhils) ]] ]] Note: Note: the two the two declared channels are declared channels are not actually used !! not actually used !!
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 11
VAL INT VAL INT nPhils nPhils IS 5: IS 5: nPhils nPhils = 5 = 5 PROC PROC College College ( ([ [nPhils]CHAN nPhils]CHAN INT INT thinking! thinking!, , eating! eating!) ) [ [nPhils]BARRIER nPhils]BARRIER eatBar eatBar: : PAR PAR Philosophers ( Philosophers (thinking! thinking!, , eating! eating!, , eatBar eatBar) ) Forks ( Forks (eatBar eatBar) ) : : channel channel eatBar_99_ : eatBar_99_ : {0..(nPhils {0..(nPhils – – 1)} 1)} College College ( (thinking thinking, , eating eating) = ) = ( (Philosophers ( Philosophers (thinking thinking, , eating eating, , eatBar_99_ eatBar_99_) ) [| [| {| {| eatBar_99_ eatBar_99_ |} |} |] |] Forks ( Forks (eatBar_99_ eatBar_99_) )) ) \ \ {| {| eatBar_99_ eatBar_99_ |} |} : :
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 12
PROC PROC College College ( ([ [nPhils]CHAN nPhils]CHAN INT INT thinking! thinking!, , eating! eating!) ) [ [nPhils]BARRIER nPhils]BARRIER eatBar eatBar: : PAR PAR Philosophers ( Philosophers (thinking! thinking!, , eating! eating!, , eatBar eatBar) ) Forks ( Forks (eatBar eatBar) ) : :
VERIFY VERIFY DEADLOCK.FREE.FD DEADLOCK.FREE.FD College College
VERIFY VERIFY LIVELOCK.FREE LIVELOCK.FREE College College
VERIFY VERIFY NOT NOT DETERMINISTIC.FD DETERMINISTIC.FD College College
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 13
FDR2 model check is
FDR2 manual, Bill Roscoe explains how to verify a
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 14
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 15
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 16
PROC PROC Phil Phil ( (CHAN INT CHAN INT thinking! thinking!, , eating! eating!, , BARRIER BARRIER eatBar eatBar) ) WHILE TRUE WHILE TRUE SEQ SEQ thinking ! 0 thinking ! 0 SYNC SYNC eatBar eatBar eating ! 0 eating ! 0 SYNC SYNC eatBar eatBar : :
thinking thinking eating eating eatBar eatBar
P P
Phil Phil’ ’ ( (thinking thinking, , eating eating, , eatBar eatBar) = ) = let let Phil_0_ Phil_0_ = = thinking thinking -
> eatBar eatBar -
> eating eating -
> eatBar eatBar -
> Phil_0_ Phil_0_ within within Phil_0_ Phil_0_ : :
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 17
VERIFY PROC VERIFY PROC Phil.
(BARRIER BARRIER eatBar eatBar) ) CHAN INT CHAN INT thinking! thinking!, , eating! eating!: : --
channel *ends* only Phil ( Phil (thinking! thinking!, , eating! eating!, , eatBar eatBar) ) : :
eatBar eatBar
P P’ ’
channel channel thinking_h0_ thinking_h0_, , eating_h0_ eating_h0_ Phil Phil’ ’ ( (eatBar eatBar) = ) = Phil Phil ( (thinking_h0_ thinking_h0_, , eating_h0_ eating_h0_, , eatBar eatBar) ) \ \ {| {| thinking_h0_ thinking_h0_, , eating_h0_ eating_h0_ |} |}
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 18
VERIFY PROC VERIFY PROC Phil.
(BARRIER BARRIER eatBar eatBar) ) WHILE TRUE WHILE TRUE SEQ SEQ SYNC SYNC eatBar eatBar SYNC SYNC eatBar eatBar : :
eatBar eatBar
P P’ ’
Phil Phil’ ’ ( (eatBar eatBar) = ) = let let Phil_0_ Phil_0_ = = eatBar eatBar -
> eatBar eatBar -
> Phil_0_ Phil_0_ within within Phil_0_ Phil_0_ : :
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 19
VERIFY PROC VERIFY PROC Phil.
(BARRIER BARRIER eatBar eatBar) ) CHAN INT CHAN INT thinking! thinking!, , eating! eating!: : --
channel *ends* only Phil ( Phil (thinking! thinking!, , eating! eating!, , eatBar eatBar) ) : : VERIFY SIZE VERIFY SIZE Phil Phil VERIFY SIZE VERIFY SIZE Phil. Phil.
eatBar eatBar
P P’ ’
* By default, these are computed in the (stable) failures model of CSP * By default, these are computed in the (stable) failures model * By default, these are computed in the (stable) failures model of CSP
* *
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 20
VERIFY PROC VERIFY PROC Phil.. Phil.. ( (BARRIER BARRIER eatBar eatBar) ) NORMALISE NORMALISE
reduce state machine to normal form
eatBar) ) : : VERIFY SIZE VERIFY SIZE Phil.. Phil..
eatBar eatBar
P P’’ ’’
Phil Phil’’ ’’ ( (eatBar eatBar) = ) = normalise normalise ( (Phil Phil’ ’ ( (eatBar eatBar)) ))
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 21
VERIFY PROC VERIFY PROC Phil.. Phil.. ( (BARRIER BARRIER eatBar eatBar) ) WHILE TRUE WHILE TRUE SYNC SYNC eatBar eatBar : :
eatBar eatBar
P P’’ ’’
Phil Phil’’ ’’ ( (eatBar eatBar) = ) = let let Phil_0_ Phil_0_ = = eatBar eatBar -
> Phil_0_ Phil_0_ within within Phil_0_ Phil_0_ : :
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 22
College College
F F F F F F F F F F P P P P P P P P P P
thinking thinking eating eating eatBar eatBar
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 23
PROC PROC Fork Fork ( (BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) WHILE TRUE WHILE TRUE ALT ALT SYNC SYNC eatBarRight eatBarRight SYNC SYNC eatBarRight eatBarRight SYNC SYNC eatBarLeft eatBarLeft SYNC SYNC eatBarLeft eatBarLeft : : VERIFY SIZE VERIFY SIZE Fork Fork
F F
eatBarRight eatBarRight eatBarLeft eatBarLeft
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 24
VERIFY PROC VERIFY PROC PhilFork PhilFork ( (CHAN INT CHAN INT thinking! thinking!, , eating! eating!, , BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) PAR PAR Phil Phil ( (thinking! thinking!, , eating! eating!, , eatBarRight eatBarRight) ) Fork Fork ( (eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) : : VERIFY SIZE VERIFY SIZE PhilFork PhilFork
eatBarRight eatBarRight eatBarLeft eatBarLeft thinking thinking eating eating
F F P P
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 25
VERIFY PROC VERIFY PROC PhilFork PhilFork. . ( (BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) PAR PAR Phil.. Phil.. ( (eatBarRight eatBarRight) ) Fork Fork ( (eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) : : VERIFY SIZE VERIFY SIZE PhilFork PhilFork. . VERIFY PROC VERIFY PROC PhilFork PhilFork. . ( (BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) PAR PAR Phil.. Phil.. ( (eatBarRight eatBarRight) ) Fork Fork ( (eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) : : VERIFY SIZE VERIFY SIZE PhilFork PhilFork. . VERIFY VERIFY PhilFork PhilFork. . EQUIVALENT.FD EQUIVALENT.FD Fork Fork
eatBarRight eatBarRight eatBarLeft eatBarLeft
F F P P’’ ’’
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 26
VERIFY PROC VERIFY PROC Chain Chain ( (VAL VERIFY VAL VERIFY INT INT length length, , --
assume >= 1 BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) IF IF length = 1 length = 1 PhilFork PhilFork. . ( (eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) TRUE TRUE NORMALISE NORMALISE BARRIER BARRIER eatBarMiddle eatBarMiddle: : PAR PAR Chain Chain ( (length length – – 1 1, , eatBarRight eatBarRight, , eatBarMiddle eatBarMiddle) ) PhilFork PhilFork. . ( (eatBarMiddle eatBarMiddle, , eatBarLeft eatBarLeft) ) : :
Generating the CSPM code for this requires an extra care … (because FDR2 does something it shouldn’t – claim!) Generating the Generating the CSP
CSPM
M code for this requires an extra care
code for this requires an extra care … … (because (because FDR2
FDR2 does something it shouldn
does something it shouldn’ ’t t – – claim!) claim!) The following does not work correctly … The following does not work correctly The following does not work correctly … …
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 27
channel channel eatBarMiddle eatBarMiddle Chain Chain ( (length length, , eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) if if length == 1 length == 1 then then PhilFork PhilFork’ ’ ( (eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) else else normalise normalise ( ( ( ( Chain Chain ( (length length – – 1 1, , eatBarRight eatBarRight, , eatBarMiddle eatBarMiddle) ) [| { [| {eatBarMiddle eatBarMiddle} |] } |] PhilFork PhilFork’ ’ ( (eatBarMiddle eatBarMiddle, , eatBarLeft eatBarLeft) ) ) ) \ \ { {eatBarMiddle eatBarMiddle} } ) ) : :
An eatBarMiddle event “hidden” inside each recursive instance of Chain gets confused with the eatBarMiddle connecting that instance with PhilFork’. An An eatBarMiddle
eatBarMiddle event
event “ “hidden hidden” ” inside each recursive inside each recursive instance of instance of Chain Chain gets confused with the gets confused with the eatBarMiddle
eatBarMiddle
connecting that instance with connecting that instance with PhilFork
PhilFork’ ’.
.
We have to declare lots of We have to declare lots of eatBarMiddle
eatBarMiddle events
events … …
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 28
channel channel eatBarMiddle eatBarMiddle : : Int Int Chain Chain ( (length length, , eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) if if length == 1 length == 1 then then PhilFork PhilFork’ ’ ( (eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) else else normalise normalise ( ( ( ( Chain Chain ( (length length – – 1 1, , eatBarRight eatBarRight, , eatBarMiddle eatBarMiddle.length .length) ) [| { [| {eatBarMiddle eatBarMiddle.length .length} |] } |] PhilFork PhilFork’ ’ ( (eatBarMiddle eatBarMiddle.length .length, , eatBarLeft eatBarLeft) ) ) ) \ \ { {eatBarMiddle eatBarMiddle.length .length} } ) ) : :
… and use a different one for each length. Now we are OK! ☺ ☺ ☺ … … and use a different one for each and use a different one for each length
. Now we are OK! ☺ ☺ ☺ ☺ ☺ ☺ But it really should not be up to us to declare and use this infinite set of hidden events. Why doesn’t FDR2 just rename hidden events to unique names that cannot be expressed in the CSPM code? Not doing so seems to break the semantics of hiding … ??? But it really should not be up to us to declare and use this inf But it really should not be up to us to declare and use this infinite set of inite set of hidden events. Why doesn hidden events. Why doesn’ ’t t FDR2 FDR2 just rename hidden events to unique just rename hidden events to unique names that cannot be expressed in the names that cannot be expressed in the CSP CSPM
M code
code?
? Not doing so Not doing so seems to break the semantics of hiding seems to break the semantics of hiding … … ??? ???
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 29
VERIFY PROC VERIFY PROC Chain Chain ( (VAL VERIFY VAL VERIFY INT INT length length, ,
assume >= 1 BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) IF IF length = 1 length = 1 PhilFork PhilFork. . ( (eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) TRUE TRUE NORMALISE NORMALISE BARRIER BARRIER eatBarMiddle eatBarMiddle: : PAR PAR Chain Chain ( (length length – – 1 1, , eatBarRight eatBarRight, , eatBarMiddle eatBarMiddle) ) PhilFork PhilFork. . ( (eatBarMiddle eatBarMiddle, , eatBarLeft eatBarLeft) ) : : VERIFY SIZE VERIFY SIZE Chain Chain ( (1 1, , _ _, , _ _) ) VERIFY SIZE VERIFY SIZE Chain Chain ( (2 2, , _ _, , _ _) ) VERIFY SIZE VERIFY SIZE Chain Chain ( (3 3, , _ _, , _ _) ) VERIFY SIZE VERIFY SIZE Chain Chain ( (4 4, , _ _, , _ _) ) VERIFY SIZE VERIFY SIZE Chain Chain ( (5 5, , _ _, , _ _) ) VERIFY PROC VERIFY PROC Chain Chain ( (VAL VERIFY VAL VERIFY INT INT length length, ,
assume >= 1 BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) IF IF length = 1 length = 1 PhilFork PhilFork. . ( (eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) TRUE TRUE NORMALISE NORMALISE BARRIER BARRIER eatBarMiddle eatBarMiddle: : PAR PAR Chain Chain ( (length length – – 1 1, , eatBarRight eatBarRight, , eatBarMiddle eatBarMiddle) ) PhilFork PhilFork. . ( (eatBarMiddle eatBarMiddle, , eatBarLeft eatBarLeft) ) : : VERIFY SIZE VERIFY SIZE Chain Chain ( (1 1, , _ _, , _ _) ) --
> 3 states, 4 transitions VERIFY SIZE VERIFY SIZE Chain Chain ( (2 2, , _ _, , _ _) ) --
> 4 states, 8 transitions VERIFY SIZE VERIFY SIZE Chain Chain ( (3 3, , _ _, , _ _) ) --
> 4 states, 8 transitions VERIFY SIZE VERIFY SIZE Chain Chain ( (4 4, , _ _, , _ _) ) --
> 1 state, 2 transitions VERIFY SIZE VERIFY SIZE Chain Chain ( (5 5, , _ _, , _ _) ) --
> 1 state, 2 transitions
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 30
VERIFY PROC VERIFY PROC Chain Chain ( (VAL VERIFY VAL VERIFY INT INT length length, , --
assume >= 1 BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) IF IF length = 1 length = 1 PhilFork PhilFork. . ( (eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) TRUE TRUE NORMALISE NORMALISE BARRIER BARRIER eatBarMiddle eatBarMiddle: : PAR PAR Chain Chain ( (length length – – 1 1, , eatBarRight eatBarRight, , eatBarMiddle eatBarMiddle) ) PhilFork PhilFork. . ( (eatBarMiddle eatBarMiddle, , eatBarLeft eatBarLeft) ) : :
From Chain (2, _, _) upwards, they can certainly livelock – infinite sequences of eatBarMiddle events! From From Chain (2, _, _)
Chain (2, _, _) upwards, they can certainly
upwards, they can certainly livelock livelock – – infinite sequences of infinite sequences of eatBarMiddle
eatBarMiddle events
events! ! So, deadlock and refinement checking must only be done with the failures model (not failures-divergences). We will deal with livelock later! So, deadlock and refinement checking must only be done with So, deadlock and refinement checking must only be done with the the failures failures model (not model (not failures failures-
divergences). We will deal with ). We will deal with livelock later! livelock later!
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 31
VERIFY PROC VERIFY PROC Chain Chain ( (VAL VERIFY VAL VERIFY INT INT length length, , --
assume >= 1 BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) ... ... : : VERIFY PROC VERIFY PROC Chain Chain ( (VAL VERIFY VAL VERIFY INT INT length length, , --
assume >= 1 BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) ... ... : : VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F Chain Chain ( (1 1, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F Chain Chain ( (2 2, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F Chain Chain ( (3 3, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F Chain Chain ( (4 4, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F Chain Chain ( (5 5, , _ _, , _ _) ) VERIFY VERIFY Chain Chain ( (1 1, , _ _, , _ _) ) EQUIVALENT.F EQUIVALENT.F Chain Chain ( (2 2, , _ _, , _ _) ) VERIFY VERIFY Chain Chain ( (2 2, , _ _, , _ _) ) EQUIVALENT.F EQUIVALENT.F Chain Chain ( (3 3, , _ _, , _ _) ) VERIFY VERIFY Chain Chain ( (3 3, , _ _, , _ _) ) EQUIVALENT.F EQUIVALENT.F Chain Chain ( (4 4, , _ _, , _ _) ) VERIFY VERIFY Chain Chain ( (4 4, , _ _, , _ _) ) EQUIVALENT.F EQUIVALENT.F Chain Chain ( (5 5, , _ _, , _ _) )
Let Let H(i H(i) ) be the hypothesis that: be the hypothesis that:
Chain Chain ( (4 4, , _ _, , _ _) ) EQUIVALENT.F EQUIVALENT.F Chain Chain ( (i i, , _ _, , _ _) )
Clearly Clearly H(4) H(4) and, by model checking, and, by model checking, H(5) H(5). .
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 32
Chain Chain ( (4 4, , _ _, , _ _) ) EQUIVALENT.F EQUIVALENT.F Chain Chain ( (i i, , _ _, , _ _) )
H(i H(i) ) is: We have We have H(4) H(4) and and H(5) H(5). Suppose . Suppose H(i H(i) ) for any for any i >= 4 i >= 4. Consider: is: We have We have H(4) H(4) and and H(5) H(5) . Consider: . .
Chain Chain ( (i+1 i+1, , eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) BARRIER BARRIER eatBarMiddle eatBarMiddle: : PAR PAR Chain Chain ( (i i, , eatBarRight eatBarRight, , eatBarMiddle eatBarMiddle) ) PhilFork PhilFork. . ( (eatBarMiddle eatBarMiddle, , eatBarLeft eatBarLeft) )
This reduces to: This reduces to: By By H(i H(i) ), this is , this is EQUIVALENT.F
EQUIVALENT.F to to:
:
BARRIER BARRIER eatBarMiddle eatBarMiddle: : PAR PAR Chain Chain ( (4 4, , eatBarRight eatBarRight, , eatBarMiddle eatBarMiddle) ) PhilFork PhilFork. . ( (eatBarMiddle eatBarMiddle, , eatBarLeft eatBarLeft) )
But this is the same as: But this is the same as:
Chain Chain ( (5 5, , eatBarRight eatBarRight, , eatBarLeft eatBarLeft) )
H(i+1) H(i+1) Which, by Which, by H(5) H(5), is , is EQUIVALENT.F
EQUIVALENT.F to: to: Chain Chain ( (4 4, , eatBarRight eatBarRight, , eatBarLeft eatBarLeft) )
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 33
Chain Chain ( (4 4, , _ _, , _ _) ) EQUIVALENT.F EQUIVALENT.F Chain Chain ( (i i, , _ _, , _ _) )
H(i H(i) ) is: is: Clearly Clearly H(4) H(4) and, by model checking, and, by model checking, H(5) H(5). . We have just shown that, for any We have just shown that, for any i >= 4 i >= 4, , H(i H(i) ) implies implies H(i+1) H(i+1). . By induction therefore, for all By induction therefore, for all i >= 4 i >= 4, we have , we have H(i H(i) ). . All chains of (non All chains of (non-
reporting) philosopher philosopher-
fork pairs with lengths pairs with lengths equal to or greater than equal to or greater than 4 4 are are failures equivalent failures equivalent. Further, all such . Further, all such chains are chains are deadlock free deadlock free (since model checking gave us that directly (since model checking gave us that directly for chains of lengths for chains of lengths 1 1 through through 4 4). ).
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 34
VERIFY PROC VERIFY PROC CollegeChain CollegeChain ( (VAL VERIFY VAL VERIFY INT INT size size) ) --
assume >= 2 NORMALISE NORMALISE [2]BARRIER [2]BARRIER eatBar eatBar: : PAR PAR PhilFork PhilFork. . ( (eatBar[0] eatBar[0], , eatBar[1] eatBar[1]) ) Chain Chain ( (size size – – 1 1, , eatBar[1] eatBar[1], , eatBar[0] eatBar[0]) ) : :
cycle cycle complete complete We can immediately deduce that all We can immediately deduce that all CollegeChain
CollegeChains
s with size equal to or with size equal to or greater than greater than 5 5 are are failures equivalent failures equivalent (since their (since their Chain
Chain sub
sub-
components have lengths equal to or greater than have lengths equal to or greater than 4 4 and are and are failures equivalent failures equivalent). ).
VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F CollegeChain CollegeChain ( (2 2, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F CollegeChain CollegeChain ( (3 3, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F CollegeChain CollegeChain ( (4 4, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F CollegeChain CollegeChain ( (5 5, , _ _, , _ _) )
Hence, all Hence, all CollegeChain
CollegeChains
s with size equal to or greater than with size equal to or greater than 2 2 are are deadlock deadlock free
. Of course, with no reporting, they are hopelessly livelocked livelocked ! !
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 35
An earlier argument showed that a An earlier argument showed that a deadlock free deadlock free result for a college with result for a college with external reports hidden external reports hidden implies a implies a deadlock free deadlock free result for a college with result for a college with external reports external reports (since the external reporting cannot cause internal (since the external reporting cannot cause internal blocking). blocking). So all reporting colleges of any size are deadlock So all reporting colleges of any size are deadlock-
free. The following argument shows that a college with external report The following argument shows that a college with external reports is also s is also livelock free livelock free … …
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 36
From simple code inspection, a From simple code inspection, a Phil
Phil
process cannot engage in two process cannot engage in two eatBar
eatBar
events (internal) without an (external) events (internal) without an (external) intervening report. intervening report. This could be model This could be model-
checked, using techniques discussed earlier, if it was techniques discussed earlier, if it was felt necessary! felt necessary!
VERIFY PROC VERIFY PROC Phil Phil ( (CHAN INT CHAN INT thinking! thinking!, , eating! eating!, , BARRIER BARRIER eatBar eatBar) ) WHILE TRUE WHILE TRUE SEQ SEQ thinking ! 0 thinking ! 0 SYNC SYNC eatBar eatBar eating ! 0 eating ! 0 SYNC SYNC eatBar eatBar : :
thinking thinking eating eating eatBar eatBar
P P
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 37
From simple code inspection, a From simple code inspection, a Phil
Phil
process cannot engage in two process cannot engage in two eatBar
eatBar
events (internal) without an (external) events (internal) without an (external) intervening report. intervening report. This could be model This could be model-
checked, using techniques discussed earlier, if it was techniques discussed earlier, if it was felt necessary! felt necessary! For the college not to be For the college not to be livelock free livelock free … … it must be possible for it to it must be possible for it to engage in an engage in an infinite infinite sequence of internal events sequence of internal events … … and the only internal and the only internal events are events are eatBar eatBars
. Suppose that this happens! If the college has size If the college has size n n, it has only , it has only n n eatBar eatBars
. After at most (n+1) (n+1) eatBar eatBar events, at least one must have occurred at least twice. But th events, at least one must have occurred at least twice. But the e
Phil Phil process engaging with that
process engaging with that eatBar
eatBar must (by the above) have
must (by the above) have made an external report made an external report … … so the college is so the college is not not livelocked livelocked. . This is a contradiction! So the supposition is false This is a contradiction! So the supposition is false – – and the and the college is college is livelock free livelock free. .
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 38
In Roscoe In Roscoe’ ’s book, chains are not built up s book, chains are not built up one
at-
a-
time like this like this (possibly (possibly because the standard dining philosophers solution analysed does because the standard dining philosophers solution analysed does not not collapse as nicely as this one, when reporting is hidden?) collapse as nicely as this one, when reporting is hidden?). Instead, they . Instead, they are built up in powers of 10. We can do this too: are built up in powers of 10. We can do this too:
* A chain of ( A chain of (length^level length^level) ) philospher philospher-
fork pairs. VERIFY PROC VERIFY PROC Chain2 Chain2 ( (VAL VERIFY VAL VERIFY INT INT level level, , length length, , BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) IF IF level = 0 level = 0 PhilFork PhilFork. . ( (eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) TRUE TRUE NORMALISE NORMALISE [length [length-
1]BARRIER eatBar eatBar: : PAR PAR Chain2 Chain2 ( (level level – – 1 1, , length length, , eatBarRight eatBarRight, , eatBar[ eatBar[0 0] ]) ) PAR PAR id = 1 id = 1 FOR FOR length length -
2 Chain2 Chain2 ( (level level – – 1 1, , length length, , eatBar[ eatBar[id id -
1] ], , eatBar[ eatBar[id id] ]) ) Chain2 Chain2 ( (level level – – 1 1, , length length, , eatBar[ eatBar[length length -
2] ], , eatBarLeft eatBarLeft) ) : :
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 39
* A chain of ( A chain of (length^level length^level) ) philospher philospher-
fork pairs. VERIFY PROC VERIFY PROC Chain2 Chain2 ( (VAL VERIFY VAL VERIFY INT INT level level, , length length, , BARRIER BARRIER eatBarRight eatBarRight, , eatBarLeft eatBarLeft) ) ... ... : : VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F Chain2 Chain2 ( (0 0, , 10 10, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F Chain2 Chain2 ( (1 1, , 10 10, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F Chain2 Chain2 ( (10 10, , 10 10, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F Chain2 Chain2 ( (100 100, , 10 10, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F Chain2 Chain2 ( (1000 1000, , 10 10, , _ _, , _ _) ) VERIFY VERIFY Chain2 Chain2 ( (1 1, , 2 2, , _ _, , _ _) ) EQUIVALENT.F EQUIVALENT.F Chain2 Chain2 ( (2 2, , 2 2, , _ _, , _ _) ) VERIFY VERIFY Chain2 Chain2 ( (2 2, , 2 2, , _ _, , _ _) ) EQUIVALENT.F EQUIVALENT.F Chain2 Chain2 ( (3 3, , 2 2, , _ _, , _ _) ) VERIFY VERIFY Chain2 Chain2 ( (1 1, , 10 10, , _ _, , _ _) ) EQUIVALENT.F EQUIVALENT.F Chain2 Chain2 ( (2 2, , 10 10, ,_ _, , _ _) )
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 40
* A college of size ( A college of size (length^level length^level) + 1. ) + 1. VERIFY PROC VERIFY PROC CollegeChain2 CollegeChain2 ( (VAL VERIFY VAL VERIFY INT INT level level, , length length) ) NORMALISE NORMALISE [2]BARRIER [2]BARRIER eatBar eatBar: : PAR PAR PhilFork PhilFork. . ( (eatBar[0] eatBar[0], , eatBar[1] eatBar[1]) ) Chain2 Chain2 ( (level level, , length length, , eatBar[1] eatBar[1], , eatBar[0] eatBar[0]) ) : :
* A college of size ( A college of size (length^level length^level) + 1. ) + 1. VERIFY PROC VERIFY PROC CollegeChain2 CollegeChain2 ( (VAL VERIFY VAL VERIFY INT INT level level, , length length) ) NORMALISE NORMALISE [2]BARRIER [2]BARRIER eatBar eatBar: : PAR PAR PhilFork PhilFork. . ( (eatBar[0] eatBar[0], , eatBar[1] eatBar[1]) ) Chain2 Chain2 ( (level level, , length length, , eatBar[1] eatBar[1], , eatBar[0] eatBar[0]) ) : : VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F CollegeChain2 CollegeChain2 ( (0 0, , 10 10, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F CollegeChain2 CollegeChain2 ( (1 1, , 10 10, , _ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F CollegeChain2 CollegeChain2 ( (10 10, , 10 10, ,_ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F CollegeChain2 CollegeChain2 ( (100 100, , 10 10, ,_ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F CollegeChain2 CollegeChain2 ( (1000 1000, , 10 10, ,_ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F CollegeChain2 CollegeChain2 ( (2000 2000, , 10 10, ,_ _, , _ _) ) VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F CollegeChain2 CollegeChain2 ( (2500 2500, , 10 10, ,_ _, , _ _) )
FDR2 FDR2 verifies the first four above almost instantly. The college of verifies the first four above almost instantly. The college of size size (10^1000 + 1) (10^1000 + 1) takes around takes around 5 5 seconds and seconds and (10^2000 + 1) (10^2000 + 1) around around 10 10
(10^2500 + 1) crashes crashes FDR2 FDR2: : “ “broken pipe broken pipe” ” on
the terminal launch window. the terminal launch window.
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 41
* A college of size ( A college of size (length^level length^level) + 1. ) + 1. VERIFY PROC VERIFY PROC CollegeChain2 CollegeChain2 ( (VAL VERIFY VAL VERIFY INT INT level level, , length length) ) NORMALISE NORMALISE [2]BARRIER [2]BARRIER eatBar eatBar: : PAR PAR PhilFork PhilFork. . ( (eatBar[0] eatBar[0], , eatBar[1] eatBar[1]) ) Chain2 Chain2 ( (level level, , length length, , eatBar[1] eatBar[1], , eatBar[0] eatBar[0]) ) : : VERIFY DEADLOCK.FREE.F VERIFY DEADLOCK.FREE.F CollegeChain2 CollegeChain2 ( (2000 2000, , 10 10, , _ _, , _ _) ) ✔
The same arguments as before reveal that removing the The same arguments as before reveal that removing the report hiding report hiding from these colleges leaves them from these colleges leaves them deadlock deadlock and and livelock free livelock free. . For the college with For the college with (10^2000 + 1) (10^2000 + 1) philosophers, all we need is a universe philosophers, all we need is a universe large enough to contain the computer on which to run it. large enough to contain the computer on which to run it. We may actually need We may actually need several several parallel universes. Establishing the barrier parallel universes. Establishing the barrier syncs and channel communications between them is an open questio syncs and channel communications between them is an open question. n.
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 42
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 43
π has has … …
a dynamic concurrency model built into its core design … with full denotational semantics (based on the CSP traces/failures/divergences model) … a a dynamic concurrency model dynamic concurrency model built into its core design built into its core design … … with full denotational with full denotational semantics (based on the semantics (based on the CSP traces/failures/divergences model CSP traces/failures/divergences model) ) … … no data race hazards (eliminated by compiler aliasing analysis) … no no data race hazards data race hazards (eliminated by compiler aliasing analysis) (eliminated by compiler aliasing analysis) … … deterministic concurrency by default. Non-determinism is introduced only by explicit use of special features (e.g. choice, shared channels) … deterministic concurrency deterministic concurrency by default. Non by default. Non-
determinism is introduced only
by explicit use of special features (e.g. choice, shared channels) explicit use of special features (e.g. choice, shared channels) … … the fastest and most effective multicore scheduler on the planet (maybe) … the the fastest and most effective fastest and most effective multicore scheduler on the planet ( multicore scheduler on the planet (maybe maybe) ) … … program verification by programming (and a little thinking) … program verification by programming program verification by programming (and a little thinking) (and a little thinking) … … simple to learn, simple to use (e.g. 90 min Lego Robots occam workshop) … simple to learn, simple to use simple to learn, simple to use (e.g. 90 min Lego Robots occam workshop) (e.g. 90 min Lego Robots occam workshop) … … a tiny user base … to be fixed (???) … how (???) … when (???) … a tiny user base a tiny user base … … to be fixed (???) to be fixed (???) … … how (???) how (???) … … when (???) when (???) … …
15-Oct-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen 44
a dynamic concurrency model built into its core design … with full denotational semantics (based on the CSP traces/failures/divergences model) … a a dynamic concurrency model dynamic concurrency model built into its core design built into its core design … … with full denotational with full denotational semantics (based on the semantics (based on the CSP traces/failures/divergences model CSP traces/failures/divergences model) ) … … no data race hazards (eliminated by compiler aliasing analysis) … no no data race hazards data race hazards (eliminated by compiler aliasing analysis) (eliminated by compiler aliasing analysis) … … the fastest and most effective multicore scheduler on the planet (maybe) … the the fastest and most effective fastest and most effective multicore scheduler on the planet ( multicore scheduler on the planet (maybe maybe) ) … … program verification by programming (and a little thinking) … program verification by programming program verification by programming (and a little thinking) (and a little thinking) … … deterministic concurrency by default. Non-determinism is introduced only by explicit use of special features (e.g. choice, shared channels) … deterministic concurrency deterministic concurrency by default. Non by default. Non-
determinism is introduced only
by explicit use of special features (e.g. choice, shared channels) explicit use of special features (e.g. choice, shared channels) … …
π has has … …
simple to learn, simple to use (e.g. 90 min Lego Robots occam workshop) … simple to learn, simple to use simple to learn, simple to use (e.g. 90 min Lego Robots occam workshop) (e.g. 90 min Lego Robots occam workshop) … … a tiny user base … to be fixed (???) … how (???) … when (???) … a tiny user base a tiny user base … … to be fixed (???) to be fixed (???) … … how (???) how (???) … … when (???) when (???) … …