
one sender and one receiver in this system, both processes will eventually terminate. Note that for executing receive, $Proc_2$ has to wait until $Proc_1$ has sent a value to the initially empty channel c. The exact semantics of the communication operations send and receive are given by:

$$l: \mathit{send}(c, e) \equiv l: \langle \mathbf{await}\ \neg full_c;\ buffer_c[rear_c] := e;\ empty_c := false;\ rear_c := rear_c + 1 \bmod n;\ full_c := (rear_c + 1 \bmod n = front_c) \rangle$$

and respectively,

$$l: \mathit{receive}(c, x) \equiv l: \langle \mathbf{await}\ \neg empty_c;\ x := buffer_c[front_c];\ full_c := false;\ front_c := front_c + 1 \bmod n;\ empty_c := (rear_c = front_c + 1 \bmod n) \rangle$$

where c is a communication channel of length n, e is an expression of the same type as c, and x is a variable, again of the same type as c. Hence, values transferred via channels have to be compatible with the channel's type.

With message passing we have another form of inter-process communication that we want to consider in our approach to the verification of concurrent systems. Indeed, message passing is a concept of high practical relevance, especially in the field of distributed computing where no shared memory exists. Moreover, the introduction of communication channels involves several new issues with regard to the correctness of concurrent systems. For example, a process might “starve” in front of a receive operation, because no communication partner is available. This and similar process synchronisation problems are in the focus of our verification technique.

3.2 Parameterised Systems

In the previous sections of this chapter we have introduced our notion of concurrent systems $Sys = \|_{i=1}^{n} Proc_i$. In our examples we solely considered systems with a fixed number n of processes. However, in practice, many systems are parameterised with regard to the number of processes: network protocols for mutual exclusion, cache coherence or leader election are commonly defined for an arbitrary number of processes running in parallel. Verifying such parameterised systems is particularly hard and even undecidable in the general case [7]. Nevertheless, these systems are in the focus of our verification technique, too. In this section we give a fundamental introduction to the field of parameterised systems. We start with a simple example:

Fig. 3.4 System $Sys_4$ (figure not reproduced here; the only declaration recovered from it: $y : \mathit{semaphore}$ where $y = 1$)

The system $Sys_4$ in Figure 3.4 consists of N processes competing for access to a critical section. In the parameterised setting we assume that the capital N does not represent a fixed integer but a parameter, and thus, an unbounded number of processes might run in parallel. As we can see, $Sys_4$ is iteratively defined over the process index i, and each process $Proc_i$ executes the same sequence of operations. The processes only differ in their unique index value. Therefore we say that $Sys_4$ is fully symmetric with respect to process indices. Symmetry in parameterised systems is a characteristic that can be efficiently exploited for verification. Moreover, several real-life examples of parameterised systems are inherently symmetric, since their processes are commonly instances of one and the same process template. Hence, we also want to look at such fully symmetric systems in our approach to verification. In general, a fully symmetric system is defined as follows:

Definition 3.3 (Fully Symmetric System).

Let Proc be a process defined over $Var_s \cup Var_l$ where $Var_s$ is a set of shared variables and $Var_l$ is a set of local variables. Then the corresponding fully symmetric system is defined as

$$Sys = \|_{i \in PID_N} Proc_i \quad \text{over} \quad Var = Var_s \cup (Var_l \times PID_N)$$

where $N \in \mathbb{N}$ is a parameter of Sys and $PID_N$ is a set of process indices of size N. Moreover, each $Proc_i$ is a replication of Proc defined over $Var_i = Var_s \cup (Var_l \times i)$, i.e. $Proc_i$ is obtained from Proc by preserving the control structure of Proc, and by replacing each basic operation bop in Proc by $bop_i = bop[x/(x, i) \mid x \in Var_l]$.

Hence, all processes in Sys execute the same code and there exists a replication of the set of local variables $Var_l$ for each process, i.e. the process indices are lifted to $Var_l$. Again, this fits into our general notion of concurrent systems, since we can rewrite $Var_l \times PID_N$ as $\bigcup_{i \in PID_N} Var_i$. Moreover, our understanding of symmetry demands that each process has the same initial condition, i.e. that all replications of a variable from $Var_l$ have the same initial value.

In the example system $Sys_4$ we have one shared semaphore variable y and no (explicit) local variables. However, each process in $Sys_4$ has a program counter ranging over identical locations, and thus, in a broader notion we can regard the program counter pc as a local variable with N replications: $pc \times PID_N$.

Full symmetry is a strong restriction on a parameterised system, because it demands that all processes are identical. In fact, only few real-life systems fulfill this requirement. Nevertheless, in many more cases the processes of a parameterised system can at least be divided into classes of fully symmetric processes. We call such a system class-wise symmetric. A simple example is given below in Figure 3.5.

Fig. 3.5 Class-wise symmetric system $Sys_5 = \|_{i \in PID^{Rd}_{N_{Rd}}} Rd_i \;\|\; \|_{j \in PID^{Wrt}_{N_{Wrt}}} Wrt_j$ consisting of a reader class Rd and a writer class Wrt. $PID^{Rd}_{N_{Rd}}$ and $PID^{Wrt}_{N_{Wrt}}$ are sets of process indices with parameterised sizes $N_{Rd} \in \mathbb{N}$ resp. $N_{Wrt} \in \mathbb{N}$.

The system $Sys_5$ implements an algorithm for the readers-writers problem [45]. We have two classes of processes: readers $Rd_i$ and writers $Wrt_j$. Multiple readers may enter the critical section at the same time, whereas if one writer is modifying data, no other process is allowed to access the critical section. The problem is solved via a semaphore with a capacity of $N_{Rd}$, which is actually the (parameterised) number of reader processes in the system. As we have two classes, the overall set of process indices $PID_N$ is partitioned into $PID^{Rd}_{N_{Rd}}$ (readers) and $PID^{Wrt}_{N_{Wrt}}$ (writers). More generally, a class-wise symmetric system consisting of k classes is defined as follows:

Definition 3.4 (Class-Wise Symmetric System).

Let $\{Proc^1, \ldots, Proc^k\}$ be a set of processes where each $Proc^m$ ($1 \le m \le k$) is defined over a set of variables $Var^m = Var^m_s \cup Var^m_l$ with $Var^1_l, \ldots, Var^k_l$ pairwise disjoint. We call the index m the class of a process $Proc^m$. Then, according to Definition 3.3, we obtain a corresponding fully symmetric system $Sys^m$ for each class m:

$$Sys^m = \|_{i \in PID^m_{N_m}} Proc^m_i \quad \text{over} \quad Var^m = Var^m_s \cup (Var^m_l \times PID^m_{N_m})$$

We assume that the sets $PID^1_{N_1}, \ldots, PID^k_{N_k}$ are pairwise disjoint, and thus, every process $Proc^m_i$ has a unique index. In addition, we assume that each class m has a dedicated program counter $pc^m$ with a replication for each process in the class: $pc^m \times PID^m_{N_m}$. Now, the corresponding class-wise symmetric system is defined as

$$Sys = \|_{m=1}^{k} Sys^m \quad \text{over} \quad Var = \bigcup_{m=1}^{k} \left( Var^m_s \cup (Var^m_l \times PID^m_{N_m}) \right).$$

We explicitly allow that the variable sets $Var^1_s, \ldots, Var^k_s$ have common elements, i.e. communication between processes of different classes is permitted.
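As an added example (not the book's own code) of Definitions 3.3 and 3.4, the following Python model lifts each local variable x to its indexed copies (x, i), builds the class-wise union of variable sets with the shared semaphore y appearing only once, and rejects inputs that violate the disjointness assumptions on local variable sets and index sets. The operation names P, V, read and write and the local variables buf and val are constructed stand-ins, since the figure's code is not reproduced on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    """Process template over Var_s (shared) and Var_l (local); each basic
    operation is (opname, *variables). Opnames are constructed placeholders."""
    name: str
    shared: frozenset
    local: frozenset
    ops: tuple

def lift(op, i, local):
    """bop_i = bop[x/(x,i) | x in Var_l]: only local variables get the index."""
    opname, *args = op
    return (opname, *((x, i) if x in local else x for x in args))

def replicate(proc, pids):
    """Definition 3.3: Sys = ||_{i in PID_N} Proc_i over Var_s u (Var_l x PID_N)."""
    procs = {i: tuple(lift(op, i, proc.local) for op in proc.ops) for i in pids}
    var = set(proc.shared) | {(x, i) for x in proc.local for i in pids}
    return procs, var

def compose(classes):
    """Definition 3.4: classes is a list of (Proc^m, PID^m). Local variable
    sets and index sets must be pairwise disjoint; shared sets may overlap."""
    for a in range(len(classes)):
        for b in range(a + 1, len(classes)):
            (pa, ia), (pb, ib) = classes[a], classes[b]
            if pa.local & pb.local:
                raise ValueError(f"Var_l of {pa.name} and {pb.name} overlap")
            if set(ia) & set(ib):
                raise ValueError(f"PID sets of {pa.name} and {pb.name} overlap")
    system, var = {}, set()
    for proc, pids in classes:
        procs, var_m = replicate(proc, pids)           # Sys^m over Var^m
        system.update({(proc.name, i): ops for i, ops in procs.items()})
        var |= var_m                                   # union over m = 1..k
    return system, var

def build_sys5(n_rd, n_wrt):
    """Sys_5 of Fig. 3.5 for concrete N_Rd, N_Wrt: readers get indices 1..N_Rd,
    writers N_Rd+1..N_Rd+N_Wrt, so PID^Rd and PID^Wrt are disjoint. The semaphore
    y is shared by both classes; 'buf' and 'val' are constructed local variables."""
    rd = Proc("Rd", frozenset({"y"}), frozenset({"buf"}),
              (("P", "y"), ("read", "buf"), ("V", "y")))
    wrt = Proc("Wrt", frozenset({"y"}), frozenset({"val"}),
               (("P", "y"), ("write", "val"), ("V", "y")))
    return compose([(rd, range(1, n_rd + 1)),
                    (wrt, range(n_rd + 1, n_rd + n_wrt + 1))])

if __name__ == "__main__":
    system, var = build_sys5(3, 2)
    for (cls, i), ops in sorted(system.items()):
        print(cls, i, ops)
    print(sorted(var, key=str))
```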

So far, we have seen that there exists a wide range of different kinds of concurrent systems in practical use. The systems can be distinguished by the underlying concept of communication, by symmetry characteristics, and by whether they are finite or not. Nevertheless, we have introduced a general notion of concurrent systems, under which all these different kinds are comprised. In the next section we will show how our systems can be transferred into a computational model for verification.