Specifying and Verifying Event-based Fairness Enhanced Systems 1 ICFEM 2008 Specifying and Verifying...

Specifying and Verifying Event-based Fairness Enhanced Systems

1ICFEM 2008


Jun SUN, Yang LIU, Jin Song DONG and Hai H. WANG


2ICFEM 2008

Outline

•Why do we need fairness?•Event-based systems•Fair events annotations•Verification

–On-the-fly verification algorithm–Partial order reduction

•Process Analysis Toolkit (PAT)•Experiments•Conclusion and Future Works


3ICFEM 2008

Why do we need fairness?

•Critical systems requires safety and liveness properties–Safety: bad things never happen–Liveness: good things eventually happen

•Fairness is important–It is important in the system specification

•Something is enabled sufficiently often, it must eventually happen

–No liveness property is true without fairness!•the default fairness: a system must always eventually make some progress•enabled processes/choices can not be infinitely ignored.


4ICFEM 2008

Weak Fairness vs. Strong Fairness

•Weak fairness –The weak fairness wf(e) asserts that if an event e eventually becomes enabled forever, infinitely many occurrences of the event must be observed.

•Strong fairness–The strong fairness sf(e) asserts that if e is infinitely often enabled (or in other words, repeatedly enabled), infinitely many occurrences of the event must be observed.

•Strong fairness Weak fairness


5ICFEM 2008

How to verify fair systems?

•Current approaches–State fairness assumptions as premises of the liveness properties.

• Experiments using SPIN 4.6

-Weak fairness option in SPIN.

-Model fairness using global accepting states (or in the form of justice/compassion condition).


6ICFEM 2008

Event-based systems

• Syntax

–where b is a Boolean expression,

–X is a set of events and e is an event. Note that e could be an abstract event (single or compound) or an assignment (e.g., x := x + 1).

–Variables

–Process parameters

•Example: dining philosopher


7ICFEM 2008

•Naïve Approach

–C1 states that each philosopher must always eventually get his first fork.–C2 states that one of the philosopher (in this case, the1st) must eventually put down a fork.

College(5) |= [] <>eat.0?

•3 Possible Counterexamples


8ICFEM 2008

How to verify fair systems?

•Current approaches–State fairness assumptions as premises of the liveness properties.

• Experiments using SPIN 4.6

-Weak fairness option in SPIN.

-Model fairness using global accepting states (or in the form of justice/compassion condition).


9ICFEM 2008

Event-based Fairness Annotations


10ICFEM 2008

Enabledness and Readiness


11ICFEM 2008

Weak fair example


12ICFEM 2008

Weak live example

•Model checking []<>eat.0 against lCollege(5) returns true. –Initially, wl (get.i.(i + 1)%N) is ready and therefore by definition, it must be engaged (since it is not possible to make it not ready).

–Once get.i.(i+1)%N is engaged, wl (put.i.(i+1)%N) becomes ready and thus the system is forced to execute until it is engaged. For the same reason, wl (put.i.i) must be engaged afterwards.

–Once put.i.i is engaged, wl (get.i.(i+1)%N) becomes ready again. Therefore, the system is forced to execute infinitely and fairly.


13ICFEM 2008

Verification

•Verification under fairness

= fair loop searching

= fair Strongly Connected Components (SCC) searching


14ICFEM 2008

Verification: Algorithm

•On-the-fly model checking based on Tarjan’s algorithm (1972) for identifying SCC.

–Iterative version–Keep searching until it is not SCC anymore.

•A counterexample is a fair loop which fails the property.


15ICFEM 2008

Partial Order Reduction

•The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily.

•Allowing all possible orderings is a potential cause of the state explosion problem.

•We incorporate the partial order reduction into model checking algorithms

– Only expend a subset of enabled events– Taking care of properties, shared variables and fairness

annotations.


Process-level Fairness

• Event annotation is to difficult!

• Process-level weak fairness–Each process must make infinite progress if always possible.–e.g., supported by SPIN

• Process-level strong local fairness–Each process must make infinite progress if repeated possible. –e.g., supported by CHESS

• Process-level strong global fairness–If a step is infinitely often enabled, it must be taken infinitely.

•[]<> (s –a s’ is enabled) => []<> (s –a-> s’) is engaged


17ICFEM 2008

Process Analysis Toolkit

•PAT: a toolkit for automatically analyzing event-based concurrent systems, possibly under fairness.

–System Modeling (CSP with variables)–Visualized simulation with animations–Model checking

•Deadlock•Reachability •LTL (with fairness assumptions)•Refinement checking (vs. FDR)

•Website: http://pat.comp.nus.edu.sg/


18ICFEM 2008

Process Analysis Toolkit (GUI)


19ICFEM 2008

Experiments 1


Experiments 2: vs SPIN


Experiments 3: vs FDR


22ICFEM 2008

Conclusion

•Embed the different fairness into events of system

•Develop an on-the-fly model checking algorithm with effective reduction techniques

•Develop a toolset to realize the algorithms–PAT: Modeling, Simulation and Verification


23ICFEM 2008

On-going and future works

•Refinement under fairness•Multi-threads model checking•Timing•Other domains and languages: web services•Applications

–Leader election algorithms–Security protocols


24ICFEM 2008

Thank You

Specifying and Verifying Event-based Fairness Enhanced Systems 1 ICFEM 2008 Specifying and Verifying...

Documents

Transcript of Specifying and Verifying Event-based Fairness Enhanced Systems 1 ICFEM 2008 Specifying and Verifying...