Week-1: Introduction to model checking B. Srivathsan Chennai - - PowerPoint PPT Presentation

Week-1: Introduction to model checking

• B. Srivathsan

Chennai Mathematical Institute

NPTEL-course July - November 2015

1/30

Module 4: Modeling concurrent systems

2/30

Concurrent systems

Independent Shared variables Shared actions

3/30

red green

TrLight1

red green

TrLight2

4/30

red green

TrLight1

red green

TrLight2

What is the transition system for the joint behaviour?

4/30

red green TrLight1 red green TrLight2

5/30

red green TrLight1 red green TrLight2

red, red

5/30

red green TrLight1 red green TrLight2

red, red green, red red, green

5/30

red green TrLight1 red green TrLight2

red, red green, red red, green green, green

5/30

red green TrLight1 red green TrLight2

red, red green, red red, green green, green

5/30

red green TrLight1 red green TrLight2

red, red green, red red, green green, green

5/30

red green TrLight1 red green TrLight2

red, red green, red red, green green, green

TrLight1 ||| TrLight2

5/30

red green TrLight1 red green TrLight2

red, red green, red red, green green, green

TrLight1 ||| TrLight2 ||| : Interleaving operator

5/30

x := x+1

...

l1 l2 x:= x+1

PG1 y := y-2

...

q1 q2 y:= y-2

PG2

6/30

x := x+1

...

l1 l2 x:= x+1

PG1 y := y-2

...

q1 q2 y:= y-2

PG2

l1: x=0 l2: x=1 q1: y=7 q2: y=5

α β TS1

(initially x=0)

TS2

(initially y=7)

α β

6/30

x := x+1

...

l1 l2 x:= x+1

PG1 y := y-2

...

q1 q2 y:= y-2

PG2

l1: x=0 l2: x=1 q1: y=7 q2: y=5 x=0, y=7 x=1, y=7 x=1, y=5 x=0, y=5

α β

α β β α

TS1

(initially x=0)

TS2

(initially y=7)

TS1 ||| TS2 α β

6/30

l1 l2 l3 q1 q2

a b a a b

|||

7/30

l1 l2 l3 q1 q2

a b a a b

|||

l1,q1 l2,q1 l3,q1 l1,q2 l2,q2 l3,q2

7/30

l1 l2 l3 q1 q2

a b a a b

|||

l1,q1 l2,q1 l3,q1 l1,q2 l2,q2 l3,q2

a a

7/30

l1 l2 l3 q1 q2

a b a a b

|||

l1,q1 l2,q1 l3,q1 l1,q2 l2,q2 l3,q2

a a b

7/30

l1 l2 l3 q1 q2

a b a a b

|||

l1,q1 l2,q1 l3,q1 l1,q2 l2,q2 l3,q2

a a b a a

7/30

l1 l2 l3 q1 q2

a b a a b

|||

l1,q1 l2,q1 l3,q1 l1,q2 l2,q2 l3,q2

a a b a a a

7/30

l1 l2 l3 q1 q2

a b a a b

|||

l1,q1 l2,q1 l3,q1 l1,q2 l2,q2 l3,q2

a a b a a a b a b a b b

7/30

Multiple systems

TS1 ||| TS2 ||| ... ||| TSn

8/30

Multiple systems

TS1 ||| TS2 ||| ... ||| TSn

Exercise: Try out an example of interleaving three systems

8/30

Concurrent systems

Independent

Interleaving TS1 ||| TS2 ||| ... ||| TSn

Shared variables Shared actions

9/30

x:= 2·x

...

l1 l2 x := 2·x

PG1 x:= x+1

...

q1 q2 x:= x+1

PG2

10/30

x:= 2·x

...

l1 l2 x := 2·x

PG1 x:= x+1

...

q1 q2 x:= x+1

PG2

l1: x=3 l2: x=6 q1: x=3 q2: x=4

α β TS1

(initially x=3)

TS2

(initially x=3)

α β

10/30

x:= 2·x

...

l1 l2 x := 2·x

PG1 x:= x+1

...

q1 q2 x:= x+1

PG2

l1: x=3 l2: x=6 q1: x=3 q2: x=4 x=3, x=3 x=6, x=3 x=6, x=4 x=3, x=4

α β

α β β α

TS1

(initially x=3)

TS2

(initially x=3)

TS1 ||| TS2 α β

10/30

l1 l2 x := 2·x

PG1

q1 q2 x := x+1

PG2

11/30

l1 l2 x := 2·x

PG1

q1 q2 x := x+1

PG2

l1,q1 l2,q2 l2,q1 l1,q2 x:=2·x x:=x+1 x:=x+1 x:=2·x

||| =

PG1 ||| PG2

11/30

l1 l2 x := 2·x

PG1 α

q1 q2 x := x+1

PG2 β

l1,q1 l2,q2 l2,q1 l1,q2 x:=2·x x:=x+1 x:=x+1 x:=2·x

||| =

PG1 ||| PG2

l1,q1: x=3 l2,q1: x=6 l1,q2: x=4 l2,q2: x=7 l2,q2: x=8 α β β α

TS( PG1 ||| PG2 ):

11/30

Concurrent systems

Independent

Interleaving TS1 ||| TS2 ||| ... ||| TSn

Shared variables

TS( PG1 ||| PG2 ||| ... ||| PGn )

Shared actions

12/30

Coming next: Another example

13/30

while x < 200 x := x+1 while x>0 x := x-1 while x=200 x := 0

14/30

while x < 200 x := x+1 while x>0 x := x-1 while x=200 x := 0 Is the value of x always between 0 and 200?

14/30

while x < 200 x := x+1

l1 l2 x < 200 x := x+1

while x>0 x := x-1

m1 m2 x > 0 x:=x-1

while x=200 x := 0

n1 n2 x = 200 x:=0

Is the value of x always between 0 and 200?

14/30

l1,m1,n1 l2,m1,n1 l1,m2,n1 l1,m1,n2 l2,m2,n1 l2,m1,n2 l1,m2,n2 l2,m2,n2

x<200 x>0 x=200 x:=x+1 x:=x-1 x:=0 x>0 x:=x-1 x=200 x:=0 x<200 x:=x+1 x=200 x:=0 x<200 x:=x+1 x>0 x:=x-1 x=200 x:=0 x>0 x:=x-1 x<200 x:=x+1 15/30

l1,m1,n1 l2,m1,n1 l1,m2,n1 l1,m1,n2 l2,m2,n1 l2,m1,n2 l1,m2,n2 l2,m2,n2

x<200 x>0 x=200 x:=x+1 x:=x-1 x:=0 x>0 x:=x-1 x=200 x:=0 x<200 x:=x+1 x=200 x:=0 x<200 x:=x+1 x>0 x:=x-1 x=200 x:=0 x>0 x:=x-1 x<200 x:=x+1 15/30

l1,m1,n1 l2,m1,n1 l1,m2,n1 l1,m1,n2 l2,m2,n1 l2,m1,n2 l1,m2,n2 l2,m2,n2

x<200 x>0 x=200 x:=x+1 x:=x-1 x:=0 x>0 x:=x-1 x=200 x:=0 x<200 x:=x+1 x=200 x:=0 x<200 x:=x+1 x>0 x:=x-1 x=200 x:=0 x>0 x:=x-1 x<200 x:=x+1

Is the value of x always between 0 and 200? No

15/30

Coming next: Mutual exclusion

16/30

SHARED RESOURCE

P1 P2 Pn

...

(variable, printer, ...) Mutual Exclusion: No two processes can access the resource simultaneously

17/30

Goal: Modeling the protocols used for mutual exclusion

18/30

loop forever

. . .

request critical section release

. . .

end loop *non-critical actions* *non-critical actions*

P1

loop forever

. . .

request critical section release

. . .

end loop *non-critical actions* *non-critical actions*

P2

19/30

loop forever

. . .

request critical section release

. . .

end loop *non-critical actions* *non-critical actions*

P1 PG1

noncrit1 wait1 crit1 loop forever

. . .

request critical section release

. . .

end loop *non-critical actions* *non-critical actions*

P2 PG2

noncrit2 wait2 crit2

19/30

loop forever

. . .

critical section

. . .

end loop *non-critical actions* *non-critical actions*

*request* *release*

〈 if y>0: y:=y-1 〉 y:=y+1

P1 PG1

noncrit1 wait1 crit1 y>0:y:=y-1 y:= y+1 loop forever

. . .

critical section

. . .

end loop *non-critical actions* *non-critical actions*

*request* *release*

〈 if y>0: y:=y-1 〉 y:=y+1

P2 PG2

noncrit2 wait2 crit2 y>0:y:=y-1 y:= y+1

19/30

loop forever

. . .

critical section

. . .

end loop *non-critical actions* *non-critical actions*

*request* *release*

〈 if y>0: y:=y-1 〉 y:=y+1

P1 PG1

noncrit1 wait1 crit1 y>0:y:=y-1 y:= y+1 loop forever

. . .

critical section

. . .

end loop *non-critical actions* *non-critical actions*

*request* *release*

〈 if y>0: y:=y-1 〉 y:=y+1

P2 PG2

noncrit2 wait2 crit2 y>0:y:=y-1 y:= y+1

atomic

19/30

noncrit1, noncrit2 wait1, noncrit2 noncrit1, wait2 crit1, noncrit2 wait1, wait2 noncrit1, crit2 crit1, wait2 wait1, crit2 crit1, crit2 y:=y+1 y:=y+1 y:=y+1 y:=y+1 y:=y+1 y>0: y:=y-1 y>0: y:=y-1 y>0: y:=y-1

PG1 ||| PG2

20/30

n1, n2, y=1 w1, n2, y=1 n1, w2, y=1 c1, n2, y=0 w1, w2, y=1 n1, c2, y=0 c1, w2, y=0 w1, c2, y=0

TS( PG1 ||| PG2 )

21/30

n1, n2, y=1 w1, n2, y=1 n1, w2, y=1 c1, n2, y=0 w1, w2, y=1 n1, c2, y=0 c1, w2, y=0 w1, c2, y=0

TS( PG1 ||| PG2 ) Both processes cannot be in critical section simultaneously

21/30

Concurrent systems

Independent

Interleaving TS1 ||| TS2 ||| ... ||| TSn

Shared variables

TS( PG1 ||| PG2 ||| ... ||| PGn )

Mutual Exclusion

Shared actions

22/30

Coming next: Book-keeping system in a supermarket

23/30

1 1 1 scan check_price check_price print_cmd print_cmd print Bar-Code Reader (BCR) Booking Program (BP) Printer (P)

24/30

1 1 1 scan check_price check_price print_cmd print_cmd print Bar-Code Reader (BCR) Booking Program (BP) Printer (P) 000

24/30

1 1 1 scan check_price check_price print_cmd print_cmd print Bar-Code Reader (BCR) Booking Program (BP) Printer (P) 100 000 scan

24/30

1 1 1 scan check_price check_price print_cmd print_cmd print Bar-Code Reader (BCR) Booking Program (BP) Printer (P) 100 000 010 scan check_price

24/30

1 1 1 scan check_price check_price print_cmd print_cmd print Bar-Code Reader (BCR) Booking Program (BP) Printer (P) 100 000 001 010 scan check_price prt_cmd

24/30

1 1 1 scan check_price check_price print_cmd print_cmd print Bar-Code Reader (BCR) Booking Program (BP) Printer (P) 100 000 001 110 111 011 101 010 print scan scan print print scan prt_cmd check_price check_price prt_cmd scan print

24/30

1 1 1 scan check_price check_price print_cmd print_cmd print Bar-Code Reader (BCR) Booking Program (BP) Printer (P) 100 000 001 110 111 011 101 010 print scan scan print print scan prt_cmd check_price check_price prt_cmd scan print BCR || BP || P

24/30

1 1 1 scan check_price check_price print_cmd print_cmd print Bar-Code Reader (BCR) Booking Program (BP) Printer (P) 100 000 001 110 111 011 101 010 print scan scan print print scan prt_cmd check_price check_price prt_cmd scan print BCR || BP || P check_price, print_cmd: Shared actions (also called handshaking actions)

24/30

Next example: Train-Gate-Controller

25/30

TRAIN GATE

26/30

TRAIN GATE far near in 1 2 3 up down approach enter exit approach lower exit raise lower raise

Train Controller Gate

26/30

far near in 1 2 3 up down approach enter exit approach lower exit raise lower raise

Train Controller Gate

far, 0, up near, 1, up near, 2, down in, 1, up in, 2, down far, 3, down approach lower enter enter exit lower raise Train || Controller || Gate

27/30

|| : Handshake operator

28/30

Independent

Interleaving TS1 ||| TS2 ||| ... ||| TSn

Shared variables

TS( PG1 ||| PG2 ||| ... ||| PGn )

Mutual Exclusion

Shared actions

TS1 || TS2

29/30

Reference: Principles of Model Checking, Baier and Katoen, MIT Press (2008) Pages 35 - 53

30/30