Linear-Time Properties Hao Zheng Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: [email protected] Phone: (813)974-4757 Fax: (813)974-5456 Hao Zheng (CSE, USF) Comp Sys Verification 1 / 53 Recall Model Checking Recall Model Checking requirements system Formalizing Modeling property system model specification Model Checking violated + location satisfied Simulation counterexample error We now consider the properties. We now consider the properties. Chris J. Myers (Lecture 3: Linear-Time Prop.) Verification of Cyber-Physical Systems 2 / 80 Hao Zheng (CSE, USF) Comp Sys Verification 2 / 53 Overview 1 Deadlock (Section 3.1) 2 Linear Time Behavior (Section 3.2) Executions, Paths, and Traces (Section 3.2.1 -3.2.2) Linear-time Properties (Section 3.2.3 - 3.2.4) 3 Safety and Invariants (Section 3.3.1 - 3.3.2) 4 Liveness Properties (Section 3.4.1) 5 Fairness (Section 3.5.1) Hao Zheng (CSE, USF) Comp Sys Verification 3 / 53 Contents 1 Deadlock (Section 3.1) 2 Linear Time Behavior (Section 3.2) Executions, Paths, and Traces (Section 3.2.1 -3.2.2) Linear-time Properties (Section 3.2.3 - 3.2.4) 3 Safety and Invariants (Section 3.3.1 - 3.3.2) 4 Liveness Properties (Section 3.4.1) 5 Fairness (Section 3.5.1) Hao Zheng (CSE, USF) Comp Sys Verification 4 / 53 Deadlock Sequential programs without infinite loops terminate. • For reactive systems, terminal states are undesirable and represent an • error. • Embedded controllers need to operate without interruption for a long time. A deadlock occurs if a system stops while at least one component is in • a (local) nonterminal state. • System has halted when at least one component should continue. Typically occurs when components mutually wait for each other. • Hao Zheng (CSE, USF) Comp Sys Verification 5 / 53 90 Linear-Time Properties Example Deadlock Situation TrLight 1 red α β green TrLight2 red α β TrLight 1 TrLight 2 || green red , red ⟨ ⟩ Hao Zheng (CSE, USF) Comp Sys Verification 6 / 53 Figure 3.1: An example of a deadlock situation. Example 3.1. Deadlock for Fault Designed TrafficLights Consider the parallel composition of two transition systems TrLight TrLight 1 ∥ 2 modeling the trafficlightsoftwointersectingroads.Bothtrafficlightssynchronizeby means of the actions α and β that indicate the change of light (see Figure 3.1). The apparently trivial error to let both trafficlightsstartwitharedlightresultsinadeadlock. While the first trafficlightiswaitingtobesynchronizedonactionα,thesecondtraffic light is blocked, since it is waiting to be synchronized with action β. Example 3.2. Dining Philosophers This example, originated by Dijkstra, is one of the most prominent examples in the field of concurrent systems. Deadlock 91 The Dining Philosophers Stick1 P 1 P2 Stick 0 Stick2 P0 P3 Stick4 Stick3 P4 Design a protocol which is deadlock-free. • Design a protocol which is free of starvation. Five philosophers• are sitting at a round table with a bowl of rice in the middle. For the philosophers (beingHao Zhenga little (CSE, USF) unworldly)Comp life Sys consists Verification of thinking and eating7 / 53 (and waiting, as we will see). To take some rice out of the bowl, a philosopher needs two chopsticks. In between two neighboring philosophers, however, there is only a single chopstick. Thus, at any time only one of two neighboring philosophers can eat. Of course, the use of the chopsticks is exclusive and eating with hands is forbidden. Note that a deadlock scenario occurs when all philosophers possess a single chopstick. The problem is to design a protocol for the philosophers, such that the complete system is deadlock-free, i.e., at least one philosopher can eat and think infinitely often. Additionally, afairsolutionmayberequiredwitheachphilosopherbeingabletothinkandeatinfinitely often. The latter characteristic is called freedom of individual starvation. The following obvious design cannot ensure deadlock freedom. Assume the philosophers and the chopsticks are numbered from 0 to 4. Furthermore, assume all following calcula- tions be “modulo 5”, e.g., chopstick i 1fori=0 denotes chopstick 4, and so on. − Philosopher i has stick i on his left and stick i 1onhisrightside.Theactionrequest − i,i express that stick i is picked up by philosopher i.Accordingly,request i 1,i denotes the action by means of which philosopher i picks up the (i 1)th stick. The actions− release − i,i and release i 1,i have a corresponding meaning. − The behavior of philosopher i (called process Phil i)isspecifiedbythetransitionsystem depicted in the left part of Figure 3.2. Solid arrows depict the synchronizations with the i-th stick, dashed arrows refer to communications with the i 1th stick. The sticks are − modeled as independent processes (called Stick i)withwhichthephilosopherssynchronize via actions request and release;seetherightpartofFigure3.2thatrepresentstheprocess of stick i.Astickprocesspreventsphilosopheri from picking up the ith stick when philosopher i+1 is using it. A Transition92 System for the Dining PhilosophersLinear-Time Properties think releasei i releasei 1 i requesti 1 i requesti i available wait for wait for left stick right stick reqi i reqi i 1 requesti i requesti 1 i reli i reli i 1 eat occupied occupied releasei 1 i releasei i return the return the left stick right stick Figure 3.2: Transition systems for the ith philosopher and the ith stick. The complete system is of the form: Phil4 Stick3 Phil3 Stick2 Phil2 Stick1 Phil1 Stick0 Phil0 Stick4 Phil Stick Phil Stick Phil Stick Phil Stick Phil Stick k k4 ∥ 3 ∥k 3 ∥ k 2 ∥ 2k∥ 1 ∥ k 1 ∥ k0 ∥ 0 ∥ k 4 k HaoThis Zheng (initially (CSE, obvious)USF) design leadsComp to a Sys deadlock Verification situation, e.g., if all philosophers pick 8 / 53 up their left stick at the same time. A corresponding execution leads from the initial state think , avail , think , avail , think , avail , think , avail , think , avail ⟨ 4 3 3 2 2 1 1 0 0 4⟩ by means of the action sequence request 4, request 3, request 2, request 1, request 0 (or any other permutation of these 5 request actions) to the terminal state wait , occ , wait , occ , wait , occ , wait , occ , wait , occ . ⟨ 4,0 4,4 3,4 3,3 2,3 2,2 1,2 1,1 0,1 0,0⟩ This terminal state represents a deadlock with each philosopher waiting for the needed stick to be released. Apossiblesolutiontothisproblemistomakethesticksavailableforonlyonephilosopher at a time. The corresponding chopstick process is depicted in the right part of Figure 3.3. In state availablei,j only philosopher j is allowed to pick up the ith stick. The above- mentioned deadlock situation can be avoided by the fact that some sticks (e.g., the first, the third, and the fifth stick) start in state availablei,i,whiletheremainingsticksstartin state availablei,i+1.Itcanbeverifiedthatthissolutionisdeadlock-andstarvation-free. A Transition92 System for the Dining PhilosophersLinear-Time Properties think releasei i releasei 1 i requesti 1 i requesti i available wait for wait for left stick right stick reqi i reqi i 1 requesti i requesti 1 i reli i reli i 1 eat occupied occupied releasei 1 i releasei i return the return the left stick right stick Figure 3.2: Transition systems for the ith philosopher and the ith stick. Phil TheStick completePhil system is ofStick the form:Phil Stick Phil Stick Phil Stick 4 k 3 k 3 k 2 k 2 k 1 k 1 k 0 k 0 k 4 Philreq4 ;4Stick; req3Phil;3 ; reqStick2 ;2 ; reqPhil1 ;1 ;Stickreq0 ;0PhilleadsStick to aPhil deadlock.Stick 4 ∥ 3 ∥ 3 ∥ 2 ∥ 2 ∥ 1 ∥ 1 ∥ 0 ∥ 0 ∥ 4 HaoThis Zheng (initially (CSE, obvious)USF) design leadsComp to a Sys deadlock Verification situation, e.g., if all philosophers pick 8 / 53 up their left stick at the same time. A corresponding execution leads from the initial state think , avail , think , avail , think , avail , think , avail , think , avail ⟨ 4 3 3 2 2 1 1 0 0 4⟩ by means of the action sequence request 4, request 3, request 2, request 1, request 0 (or any other permutation of these 5 request actions) to the terminal state wait , occ , wait , occ , wait , occ , wait , occ , wait , occ . ⟨ 4,0 4,4 3,4 3,3 2,3 2,2 1,2 1,1 0,1 0,0⟩ This terminal state represents a deadlock with each philosopher waiting for the needed stick to be released. Apossiblesolutiontothisproblemistomakethesticksavailableforonlyonephilosopher at a time. The corresponding chopstick process is depicted in the right part of Figure 3.3. In state availablei,j only philosopher j is allowed to pick up the ith stick. The above- mentioned deadlock situation can be avoided by the fact that some sticks (e.g., the first, the third, and the fifth stick) start in state availablei,i,whiletheremainingsticksstartin state availablei,i+1.Itcanbeverifiedthatthissolutionisdeadlock-andstarvation-free. ImprovedDeadlock Transition System for the Stick 93 think reli i reli 1 i reqi 1 i reqi i availablei wait for wait for reli i 1 left stick right stick reqi i reqi i reqi 1 i occupied occupied eat reli 1 i reli i req return the return the reli i i i 1 left stick right stick availablei 1 Figure 3.3: Improved variant of the ith philosopher and the ith stick. AfurthercharacteristicoftenrequiredforconcurrentsystemsisrobustnessagainstfailureEven and odd numbered sticks start in different available states. •of their components. In the case of the dining philosophers, robustness can be formulated inHao a way Zheng that (CSE, ensures USF) deadlock andComp starvation Sys Verification freedom even if one of the philosophers is9 / 53 “defective” (i.e., does not leave the think phase anymore).1 The above-sketched deadlock- and starvation-free solution can be modified to a fault-tolerant solution by changing the transition systems of philosophers and sticks such that philosopher i+1 can pick up the ith stick even if philosopher i is thinking (i.e., does not need stick i)independentofwhether stick i is in state availablei,i or availablei,i+1.Thecorrespondingisalsotruewhentheroles of philosopher i and i+1 are reversed.