Specifying and Verifying Event-based Fairness Enhanced Systems 1 ICFEM 2008 Specifying and Verifying...
-
Upload
allen-todd -
Category
Documents
-
view
215 -
download
1
Transcript of Specifying and Verifying Event-based Fairness Enhanced Systems 1 ICFEM 2008 Specifying and Verifying...
Specifying and Verifying Event-based Fairness Enhanced Systems
1ICFEM 2008
Specifying and Verifying Event-based Fairness Enhanced Systems
Jun SUN, Yang LIU, Jin Song DONG and Hai H. WANG
Specifying and Verifying Event-based Fairness Enhanced Systems
2ICFEM 2008
Outline
•Why do we need fairness?•Event-based systems•Fair events annotations•Verification
–On-the-fly verification algorithm–Partial order reduction
•Process Analysis Toolkit (PAT)•Experiments•Conclusion and Future Works
Specifying and Verifying Event-based Fairness Enhanced Systems
3ICFEM 2008
Why do we need fairness?
•Critical systems requires safety and liveness properties–Safety: bad things never happen–Liveness: good things eventually happen
•Fairness is important–It is important in the system specification
•Something is enabled sufficiently often, it must eventually happen
–No liveness property is true without fairness!•the default fairness: a system must always eventually make some progress•enabled processes/choices can not be infinitely ignored.
Specifying and Verifying Event-based Fairness Enhanced Systems
4ICFEM 2008
Weak Fairness vs. Strong Fairness
•Weak fairness –The weak fairness wf(e) asserts that if an event e eventually becomes enabled forever, infinitely many occurrences of the event must be observed.
•Strong fairness–The strong fairness sf(e) asserts that if e is infinitely often enabled (or in other words, repeatedly enabled), infinitely many occurrences of the event must be observed.
•Strong fairness Weak fairness
Specifying and Verifying Event-based Fairness Enhanced Systems
5ICFEM 2008
How to verify fair systems?
•Current approaches–State fairness assumptions as premises of the liveness properties.
• Experiments using SPIN 4.6
-Weak fairness option in SPIN.
-Model fairness using global accepting states (or in the form of justice/compassion condition).
Specifying and Verifying Event-based Fairness Enhanced Systems
6ICFEM 2008
Event-based systems
• Syntax
–where b is a Boolean expression,
–X is a set of events and e is an event. Note that e could be an abstract event (single or compound) or an assignment (e.g., x := x + 1).
–Variables
–Process parameters
•Example: dining philosopher
Specifying and Verifying Event-based Fairness Enhanced Systems
7ICFEM 2008
•Naïve Approach
–C1 states that each philosopher must always eventually get his first fork.–C2 states that one of the philosopher (in this case, the1st) must eventually put down a fork.
College(5) |= [] <>eat.0?
•3 Possible Counterexamples
Specifying and Verifying Event-based Fairness Enhanced Systems
8ICFEM 2008
How to verify fair systems?
•Current approaches–State fairness assumptions as premises of the liveness properties.
• Experiments using SPIN 4.6
-Weak fairness option in SPIN.
-Model fairness using global accepting states (or in the form of justice/compassion condition).
Specifying and Verifying Event-based Fairness Enhanced Systems
9ICFEM 2008
Event-based Fairness Annotations
Specifying and Verifying Event-based Fairness Enhanced Systems
10ICFEM 2008
Enabledness and Readiness
Specifying and Verifying Event-based Fairness Enhanced Systems
11ICFEM 2008
Weak fair example
Specifying and Verifying Event-based Fairness Enhanced Systems
12ICFEM 2008
Weak live example
•Model checking []<>eat.0 against lCollege(5) returns true. –Initially, wl (get.i.(i + 1)%N) is ready and therefore by definition, it must be engaged (since it is not possible to make it not ready).
–Once get.i.(i+1)%N is engaged, wl (put.i.(i+1)%N) becomes ready and thus the system is forced to execute until it is engaged. For the same reason, wl (put.i.i) must be engaged afterwards.
–Once put.i.i is engaged, wl (get.i.(i+1)%N) becomes ready again. Therefore, the system is forced to execute infinitely and fairly.
Specifying and Verifying Event-based Fairness Enhanced Systems
13ICFEM 2008
Verification
•Verification under fairness
= fair loop searching
= fair Strongly Connected Components (SCC) searching
Specifying and Verifying Event-based Fairness Enhanced Systems
14ICFEM 2008
Verification: Algorithm
•On-the-fly model checking based on Tarjan’s algorithm (1972) for identifying SCC.
–Iterative version–Keep searching until it is not SCC anymore.
•A counterexample is a fair loop which fails the property.
Specifying and Verifying Event-based Fairness Enhanced Systems
15ICFEM 2008
Partial Order Reduction
•The interleaving model for asynchronous systems allows concurrent events to be ordered arbitrarily.
•Allowing all possible orderings is a potential cause of the state explosion problem.
•We incorporate the partial order reduction into model checking algorithms
– Only expend a subset of enabled events– Taking care of properties, shared variables and fairness
annotations.
Specifying and Verifying Event-based Fairness Enhanced Systems
Process-level Fairness
• Event annotation is to difficult!
• Process-level weak fairness–Each process must make infinite progress if always possible.–e.g., supported by SPIN
• Process-level strong local fairness–Each process must make infinite progress if repeated possible. –e.g., supported by CHESS
• Process-level strong global fairness–If a step is infinitely often enabled, it must be taken infinitely.
•[]<> (s –a s’ is enabled) => []<> (s –a-> s’) is engaged
Specifying and Verifying Event-based Fairness Enhanced Systems
17ICFEM 2008
Process Analysis Toolkit
•PAT: a toolkit for automatically analyzing event-based concurrent systems, possibly under fairness.
–System Modeling (CSP with variables)–Visualized simulation with animations–Model checking
•Deadlock•Reachability •LTL (with fairness assumptions)•Refinement checking (vs. FDR)
•Website: http://pat.comp.nus.edu.sg/
Specifying and Verifying Event-based Fairness Enhanced Systems
18ICFEM 2008
Process Analysis Toolkit (GUI)
Specifying and Verifying Event-based Fairness Enhanced Systems
19ICFEM 2008
Experiments 1
Specifying and Verifying Event-based Fairness Enhanced Systems
Experiments 2: vs SPIN
Specifying and Verifying Event-based Fairness Enhanced Systems
Experiments 3: vs FDR
Specifying and Verifying Event-based Fairness Enhanced Systems
22ICFEM 2008
Conclusion
•Embed the different fairness into events of system
•Develop an on-the-fly model checking algorithm with effective reduction techniques
•Develop a toolset to realize the algorithms–PAT: Modeling, Simulation and Verification
Specifying and Verifying Event-based Fairness Enhanced Systems
23ICFEM 2008
On-going and future works
•Refinement under fairness•Multi-threads model checking•Timing•Other domains and languages: web services•Applications
–Leader election algorithms–Security protocols
Specifying and Verifying Event-based Fairness Enhanced Systems
24ICFEM 2008
Thank You