T Parallel and Distributed Systems (4 ECTS)

Similar documents
Network Protocol Design and Evaluation

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

The Spin Model Checker : Part I. Moonzoo Kim KAIST

CS477 Formal Software Development Methods / 39

T Parallel and Distributed Systems (4 ECTS)

Lecture 3 SPIN and Promela

Spin: Overview of PROMELA

Multi-Threaded System int x, y, r; int *p, *q, *z; int **a; EEC 421/521: Software Engineering. Thread Interleaving SPIN. Model Checking using SPIN

A Tutorial on Model Checker SPIN

Spin: Overview of PROMELA

Computer Aided Verification 2015 The SPIN model checker

Design of Internet Protocols:

The Spin Model Checker : Part I/II

Software Engineering using Formal Methods

Software Engineering using Formal Methods

SPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University

Formal Specification and Verification

What is SPIN(Simple Promela Interpreter) Elements of Promela. Material About SPIN. Basic Variables and Types. Typical Structure of Promela Model

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

What is SPIN(Simple Promela Interpreter) Material About SPIN. Elements of Promela. Basic Variables and Types. Typical Structure of Promela Model

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Design and Analysis of Distributed Interacting Systems

CS477 Formal Software Development Methods / 32

The SPIN Model Checker

Tool demonstration: Spin

Distributed Systems Programming F29NM1 2. Promela I. Andrew Ireland. School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh

Hello World. Slides mostly a reproduction of Theo C. Ruys SPIN Beginners Tutorial April 23, Hello() print "Hello"

Applications of Formal Verification

Applications of Formal Verification

Applications of Formal Verification

Logic Model Checking

Patrick Trentin Formal Methods Lab Class, Feb 26, 2016

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Patrick Trentin Formal Methods Lab Class, March 03, 2017

SPIN: Introduction and Examples

EMBEDDED C CODE 17. SPIN Version 4 supports the inclusion of embedded C code into PROMELA models through the following fiv e new primitives:

SPIN. Carla Ferreira.

Introduction to Model Checking

The SPIN Model Checker

Distributed Systems Programming (F21DS1) SPIN: Simple Promela INterpreter

THE MODEL CHECKER SPIN

Chapter 8. Statement-Level Control Structures

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

SWEN-220 Mathematical Models of Software. Concurrency in SPIN Interleaving

Iterative Statements. Iterative Statements: Examples. Counter-Controlled Loops. ICOM 4036 Programming Languages Statement-Level Control Structure

Control Structures. Outline. In Text: Chapter 8. Control structures Selection. Iteration. Gotos Guarded statements. One-way Two-way Multi-way

Ch 9: Control flow. Sequencers. Jumps. Jumps

Chapter 7. - FORTRAN I control statements were based directly on IBM 704 hardware


Network Protocol Design and Evaluation

Blocking Non-blocking Caveat:

Flow Control. CSC215 Lecture

Statement level control structures

Using Model Checking with Symbolic Execution for the Verification of Data-Dependent Properties of MPI-Based Parallel Scientific Software

Automated Reasoning. Model Checking with SPIN (II)

Ch. 7: Control Structures

Cisco IOS Shell. Finding Feature Information. Prerequisites for Cisco IOS.sh. Last Updated: December 14, 2012

MP 6 Modeling in Promela and SPIN

Chapter 8. Statement-Level Control Structures

Proving Dekker with SPIN and PROMELA

SPIN, PETERSON AND BAKERY LOCKS

Concurrency. Lecture 14: Concurrency & exceptions. Why concurrent subprograms? Processes and threads. Design Issues for Concurrency.

TRIAL-EXAM Software Engineering using Formal Methods TDA293 (TDA292) / DIT270. Only dictionaries may be used. Other aids are not allowed!

Formal Methods for Software Development

Chapter 8. Statement-Level Control Structures

Formal Verification by Model Checking

COMP-520 GoLite Tutorial

Mapping of UML Diagrams to Extended Petri Nets for Formal Verification

Chapter 7 Control I Expressions and Statements

transformation of PROMELA models into Channel Systems,

Language Design COMS W4115. Prof. Stephen A. Edwards Spring 2003 Columbia University Department of Computer Science

Part Two - Process Management. Chapter 3: Processes

TRIAL-EXAM Software Engineering using Formal Methods TDA293 (TDA292) / DIT270. Only dictionaries may be used. Other aids are not allowed!

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

Shared Channels etc.

C Language Part 2 Digital Computer Concept and Practice Copyright 2012 by Jaejin Lee

SWEN-220 Mathematical Models of Software. Process Synchronization Critical Section & Semaphores

Using Spin to Help Teach Concurrent Programming

COP 4610: Introduction to Operating Systems (Spring 2016) Chapter 3: Process. Zhi Wang Florida State University

Introduction. C provides two styles of flow control:

Chapter 8. Statement-Level Control Structures ISBN

Lecture 02 C FUNDAMENTALS

Principles of Programming Languages

Dept. of CSE, IIT KGP

LECTURE 5 Control Structures Part 2

A Fast Review of C Essentials Part I

3. Logical Values. Boolean Functions; the Type bool; logical and relational operators; shortcut evaluation

4. Logical Values. Our Goal. Boolean Values in Mathematics. The Type bool in C++

Model Requirements and JAVA Programs MVP 2 1

C Programming Class I

3. Logical Values. Our Goal. Boolean Values in Mathematics. The Type bool in C++

3. Logical Values. Our Goal. Boolean Values in Mathematics. The Type bool in C++

Building Graphical Promela Models using UPPAAL GUI

Flow of Control Execution Sequence

Recap. ANSI C Reserved Words C++ Multimedia Programming Lecture 2. Erwin M. Bakker Joachim Rijsdam

CIS 4930/6930: Principles of Cyber-Physical Systems

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

COMP 110/L Lecture 10. Kyle Dewey

Variables Data types Variable I/O. C introduction. Variables. Variables 1 / 14

GNU ccscript Scripting Guide IV

Transcription:

T 79.4301 Parallel and Distributed Systems (4 ECTS) T 79.4301 Rinnakkaiset ja hajautetut järjestelmät (4 op) Lecture 3 4th of February 2008 Keijo Heljanko Keijo.Heljanko@tkk.fi T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 1/46

Spin and XSpin Installed The spin and xspin binaries are installed to the computing centre Linux workstations: http://www.tkk.fi/atk/luokat/computernames.html Basically you need to add the directory: /p/edu/t-79.4301/bin to your executable search path See the course homepage for more detailed instructions for different shells: http://www.tcs.tkk.fi/studies/t-79.4301/ T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 2/46

Installing Yourself Optionally, installing Spin to your own machine is also pretty straightforward, just follow the instructions for (Unix(Linux)/Windows/Mac) at: http://spinroot.com/spin/man/readme.html Hint for Linux users: The first three line of the xspin script need for Linux to be replaced with: #!/usr/bin/wish -f # the next line restarts using wish \ #exec wish c:/cygwin/bin/xspin -- $* T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 3/46

Arrays and Records Array indices start at 0. No multidimensional arrays. Records (C style structs) are available through the typedef keyword: typedef foo { } short f1; byte f2; foo rr; /* variable declaration */ rr.f1 = 0; rr.f2 = 200; T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 4/46

Variables and Types Variables need to be declared Variables can be given value by: Assignment Argument passing (input parameters to processes) Message passing Variables have exactly two scopes: global and process local variables T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 5/46

Data Manipulation Most of C language arithmetic, relational, and logical operations on variables are supported in Spin with the same syntax (including comparison operators, bitshifts, masking etc.) When in doubt, try the C way of doing things and you will probably be right. T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 6/46

Data Manipulation, Example active[1] proctype foo() { int c,d; printf("c:%d d:%d\n", c, d); c++; c++; d = c+1; d = d<<1; c = c*d; printf("c:%d d:%d\n", c, d); c = c&3; d = d/5; printf("c:%d d:%d\n", c, d); } T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 7/46

Data Manipulation, Example Running the example we get: $ spin ex4.pml c:0 d:0 c:12 d:6 c:0 d:1 1 process created T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 8/46

Conditional Expressions C-style conditional expressions have to be replaced: active[1] proctype foo() { int a,b,c,d; b=1;c=2;d=3; #if 0 a = b? c : d; /* not valid in Promela! */ a = b -> c : d; /* not valid in Promela! */ #endif a = (b -> c : d); /* valid in Promela */ printf("a:%d\n", a); } T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 9/46

Conditional Expressions (cnt.) The parenthesis in "(foo -> bar : The expression "foo -> bar : syntax error! $ spin ex5.pml a:2 1 process created baz)" are vital! baz" will generate a T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 10/46

Promela Statements The body of a process consists of a sequence of statements A statement can in current global state of the model either be: Executable: the statement can be executed in the current global state Blocked: the statement cannot be executed in the current global state Assignments are always executable An expression is executable if it evaluates to non-zero (true) T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 11/46

Executable Statements 0<1; /* Always executable */ x<5; /* Executable only when x is smaller than 5 */ 3+x; /* Executable if x is not -3 */ (x > 0 && y > x); /* Executable if x > 0 and y > x */ /* Note: This is a single, atomic statement! */ T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 12/46

Statements The skip statement is always executable. It does nothing but changes the value of the program counter The run statement is executable if a new process can be created (recall the 255 process limit) The printf statement is always executable (it is used only for simulations, not in model checking) T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 13/46

Statements (cnt.) assert(<expr>); The assert statement is always executable If <expr> evaluates to zero, Spin will exit with an error The assert statements are handy for checking whether certain properties hold in the current global state of the model T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 14/46

Intuition of the Promela Semantics Promela processes execute in parallel Non-deterministic scheduling of the processes Processes are interleaved - statements of concurrently running processes cannot occur simultaneously All statements are atomic - each statement is executed without interleaving of other processes Each process can be non-deterministic - have several executable statements enabled. Only one statement is selected for execution nondeterministically T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 15/46

The if-statement Now we proceed to non-atomic compound statements. The if statement is also called the selection statement and has gotten its syntax from Dijkstra s guarded command language. Example: chan STDIN; active[1] proctype foo() { int c; STDIN?c; /* Read a char from standard input */ if :: (c == -1) -> skip; /* EOF */ :: ((c % 2) == 0) -> printf("even\n"); :: ((c % 2) == 1) -> printf("odd\n"); fi } T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 16/46

Example: if-statement $ spin ex6.pml a Odd 1 process created $ spin ex6.pml b Even 1 process created $ spin ex6.pml 1 process created T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 17/46

The if-statement (cnt.) The if-statement has the general form: if :: (choice_1) -> statement_1_1; statement_1_2;... :: (choice_2) -> statement_2_1; statement_2_2;... ::... :: (choice_n) -> statement_n_1; statement_n_2;... fi T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 18/46

The if-statement (cnt.) The if-statement is executable if there is a choice_i statement which is executable. Otherwise i is blocked. If several choice_i statements are executable, Spin non-deterministically chooses one to be executed. If choice_i is executed, the execution then proceeds to executing statement_i_1; statement_i_2;... statement_i_m; After this the program continues from the next statement after the fi T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 19/46

Example 2: if-statement An else branch is taken only if none of choice_i is executable active[10] proctype foo() { } pid p = _pid; if fi; :: (p > 2) -> p++; :: (p > 3) -> p--; :: else -> p = 0; printf("pid:%d, p:%d\n", _pid, p) T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 20/46

Example 2: if-statement (cnt.) $ spin -T ex7.pml Pid:7, p:8 Pid:0, p:0 Pid:3, p:4 Pid:9, p:8 Pid:6, p:7 Pid:4, p:3 Pid:1, p:0 Pid:5, p:6 Pid:2, p:0 Pid:8, p:9 10 processes created T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 21/46

The do-statement The way of doing loops in Promela With respect to choices, a do statement behaves same way as an if-statement However, after one selection has been made the do-statement repeats the choice selection The (always executable) break statement can be used to exit the loop and continue from the next statement after the od T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 22/46

The do-statement (cnt.) The do-statement has the general form: do :: (choice_1) -> statement1_1; statement1_2;... :: (choice_2) -> statement2_1; statement2_2;... ::... :: (choice_n) -> statementn_1; statementn_2;... od T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 23/46

Example: For loop active[1] proctype foo() { int i = 0; do :: (i < 10) -> printf("i: %d\n",i); i++; :: else -> break od } T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 24/46

Example: For loop (cnt.) $ spin ex8.pml i: 0 i: 1 i: 2 i: 3 i: 4 i: 5 i: 6 i: 7 i: 8 i: 9 1 process created T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 25/46

Example: Euclid proctype Euclid(int x, y) { do :: (x > y) -> x = x - y :: (x < y) -> y = y - x :: (x == y) -> break od; printf("answer: %d\n", x) } init { run Euclid(38, 14) } T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 26/46

Example: Euclid (cnt.) Running the algorithm we get: $ spin euclid.pml answer: 2 2 processes created T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 27/46

Example: Infamous goto-statement proctype Euclid(int x, y) { do :: (x > y) -> x = x - y :: (x < y) -> y = y - x :: (x == y) -> goto done od; done: printf("answer: %d\n", x) } init { run Euclid(38, 14) } T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 28/46

Communication Message passing through message channels (first-in first-out (FIFO) queues) Rendezvous synchronization (handshake). Syntactically appears as communication over a channel with capacity zero Both are defined by channels: chan <chan_name> = [<capacity>] of {<t_1>, <t_1>,..., <t_n>}; where t_i are the types of the elements transmitted over the channel. T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 29/46

Sending Messages Consider the case where ch is a channel with capacity 1 The send-statement: ch! <expr_1>, <expr_2>,..., <expr_n>; Is executable only if the channel is not full Puts a message at the end of the message channel ch The message consists of a tuple of the values of the expressions <expr_i> - the types should match the channel declaration T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 30/46

Receiving Messages Consider the case where ch is a channel with capacity 1 The receive-statement: ch? <var_1>, <var_2>,..., <var_n>; Is executable only if the channel is not empty Receives the first message of the message channel ch and fetches the individual fields of the vars into variables <var_i> - the types should match the channel declaration An of the <var_i> can be replaced by a constant. In that case the statement is executable only if the first message matches the constants. T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 31/46

Example: Alternating Bit Protocol mtype = { msg0, msg1, ack0, ack1 }; chan to_sndr = [2] of { mtype }; chan to_rcvr = [2] of { mtype }; active proctype Sender() { again: to_rcvr!msg1; to_sndr?ack1; to_rcvr!msg0; to_sndr?ack0; goto again } T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 32/46

Example: Alternating Bit Protocol active proctype Receiver() { again: to_rcvr?msg1; to_sndr!ack1; to_rcvr?msg0; to_sndr!ack0; goto again } T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 33/46

Example: Alternating Bit Protocol $ spin -c -u10 alternatingbit.pml proc 0 = Sender proc 1 = Receiver q\p 0 1 1 to_rcvr!msg1 1. to_rcvr?msg1 2. to_sndr!ack1 2 to_sndr?ack1 1 to_rcvr!msg0 1. to_rcvr?msg0 2. to_sndr!ack0 2 to_sndr?ack0 ------------- depth-limit (-u10 steps) reached ------------- T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 34/46

Advanced Promela Promela is somewhat like the C language - very powerful but at the same time hard to fully master In the following we discuss more advanced modelling features of Promela T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 35/46

Alternative Send/Receive Syntax Alternative syntax for the send-statement: ch! <expr_1> (<expr_2>,..., <expr_n>); Alternative syntax for the receive-statement: ch? <var_1> (<var_2>,..., <var_n>); T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 36/46

More Promela Message Passing Peeking at the message channel can be implemented in Promela with: ch? [<var_1>, <var_2>,..., <var_n>]; It is executable iff the message receive would be but does not actually remove the message from the channel. Moreover, the contents of the variables <var_i> remain unchanged. To do the same except that this time the variables <var_i> are changed, use: ch? <<var_1>, <var_2>,..., <var_n>>; For example, ch? <x,y> puts the contents of the first message in the channel ch to vars x and y without removing the message from the channel. T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 37/46

Other Channel Operations len(ch) - returns the number of messages in channel ch empty(ch) - returns true if ch is empty, otherwise returns false nempty(ch) - returns true if ch is not empty, otherwise returns false full(ch) - returns true if ch is full, otherwise returns false nfull(ch) - returns true if ch is not full, otherwise returns false T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 38/46

Rendezvous Communication In Promela the synchronization between two processes (rendezvous) is syntactically implemented as message passing over a channel of capacity 0. In this case the channel cannot store messages, only pass immediately from the sender to the receiver. T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 39/46

Rendezvous Example mtype = { msgtype }; chan name = [0] of { mtype, byte }; active proctype A() { name!msgtype(124); /* Alternative syntax */ name!msgtype(121) /* used here */ } active proctype B() { byte state; name?msgtype(state) /* And here */ } T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 40/46

Rendezvous Example (cnt.) The processes A and B in the example synchronize: The execution of both the send and the receive is blocked until a matching send/receive pair becomes enabled. When a matching send/receive pair is enabled, they can execute and communicate in an atomic step the sent message from the sender to the receiver. Note that if the channel had a capacity of 2 in the example, the process A could already terminate before the process B starts executing. T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 41/46

Executability of Statements (recap) skip - always executable assert(<expr>) - always executable <expression> - executable if not zero <assignment> - always executable if - executable if at least one guard is do - executable if at least one guard is break - always executable send ch! msg - executable if channel ch is not full receive ch? var - executable if channel ch is not empty T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 42/46

Advanced Promela - atomic In Promela a sequence of statements can be grouped together to execute atomically by using the atomic compound statement: atomic { /* Swap values of a and b */ tmp = b; b = a; a = tmp } T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 43/46

Atomic Sequences (cnt.) The sequence of statements inside an atomic sequence execute together in an uninterrupted manner In other words no other process can be scheduled until the atomic sequence has been completed In the example that means that no other process can be run to see the state where both a and b contains the old value of a T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 44/46

Atomic - Examples The following Promela statement sequences are not atomic: nfull(ch) -> ch!msg0; /* Not atomic! */ ch?[msg0] -> ch?msg0; /* Not atomic! */ They can be replaced by: atomic { nfull(ch) -> ch!msg0 };/* Atomic! */ ch?msg0; /* Trivially atomic! */ T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 45/46

Atomic Sequences - Details The atomic sequences are also allowed to contain branching and non-determinism If any statement inside an atomic sequence is found to be unexecutable (i.e., it blocks the execution), other processes are allowed to run The states reached inside an atomic sequence still exists in the statespace of the system, not only the last state reached by the execution T 79.4301 Parallel and Distributed Systems, Keijo Heljanko, Spring 2008 46/46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback