PAT Advanced Tutorial

Outline

• Alphabet calculation and declaration

• Global Variables– Var, array, size

• Tips

• Examples– Dining Philosophers– Peterson’s Algorithm

Alphabet calculation and declaration

• PAT automatically calculates the alphabet of the expression.VM() = insertcoin -> coffee -> VM();

VM() = insertcoin -> Inserted(); Inserted() = coffee -> VM();

• User can explicitly specify the alphabet for a particular processClock(i) = tick.i -> Clock(i+1);System = Clock(0) || Skip;#alphabet Clock {tick};#alphabet Clock {tick.i};

Global Variables

• Variable declaration (No type)– Simple variable

• var x;• var y = 0;• var z = false;

– Array• var array = [0, 1, 3, 5];• var floor[5]; • var floor[N];

– Channel• channel c 5;

• Scope: Global

Process Parameters vs. Global Variables

• Used in event expressions– GV can (supported from v1.3.0)– PP can

• Used as parameter for process– GV can (supported from v1.3.0)– PP can

• LHS of event assignment– GV can– PP can NOT

• RHS of event assignment– Both can

var x = 0;P(i) = a.x -> P(i); P(i) = a.i -> P(i);

var x = 0;P(i) = a -> P(x); P(i) = a -> P(i+2);

var x = 0;P(i) = a{x=9;} -> P(i); P(i) = a{i=9;} -> P(i); (wrong)

var x = 0;P(i) = a{x=x+1;} -> P(x); P(i) = a{x=i+1;} -> P(i);

Finite Model

• # of different process needs to be finite– P(i) = a.i -> P(i); – P(i) = a.i -> P(i+1); (infinite)

• Value range of global variables needs to be finite– var x = 0;– P(i) = a{x=x+1;} -> P(i); (infinite)

• Out of memory exception will be thrown• Check for infinite model

– System = P(0);– #define out x > 100;– #assert System reaches out;

Data Race!

• var x = 0;

• P = a{x=1;} -> P;

• Q = a{x=2;} -> Q;

• S = P || Q;

Fairness

• PAT supports two ways of adding fairness into the systems– Event annotation: wf, sf, wl, sl

• wl(pick.i.i)– Process level option: weak fairness, strong local

fairness, strong global fairness• When do we need fairness?

– Counterexamples with loop. • Leader election in ring example.

• How to add fairness?– Try process level option first.– Ask us.

What properties to test?

• Deadlock free

• Safety properties: bad things never happen– #define badthing …– #assert System reaches badthing

• Liveness properties: good things eventually happen– #assert System |= []<> goodthing

Dining Philosophers

Peterson's algorithm

PAT Model of Peterson’s Algorithm• var flag[2];• var turn = 0;

• var counter = 0;

• P0 = set0.1{flag[0] = 1;} -> set0.2{turn=1;} -> LoopTest(1); cs.0{counter = counter +1;} -> exit.0{flag[0] = 0;counter = counter -1;} -> P0;

• LoopTest(i) = if(flag[i] == 1 && turn == i)• {• loop -> LoopTest(i)• }• else• {• Skip• };

• P1 = set1.1{flag[1] = 1;} -> set1.2{turn=0;} -> LoopTest(0); cs.1{counter = counter +1;} -> exit.1{flag[1] = 0;counter = counter -1;} -> P1;

• Peterson() = P0() ||| P1();

• #define goal counter > 1;• #assert Peterson() reaches goal;• #assert Peterson() |= []<> cs.0;