View
1
Download
0
Category
Preview:
Citation preview
A High-Level Language for Modeling Algorithms andtheir Properties
Sabina Akhtar Stephan Merz Martin Quinson
LORIA – INRIA Nancy Grand Est and Nancy University, Nancy, France
SBMF 2010
1 / 55
Outline
1 IntroductionBackgroundMotivations for PLUSCAL-2
2 PLUSCAL-2The LanguageThe StatementsThe Compiler
3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL
4 Summary
2 / 55
Background
Formal verification of concurrent and distributed systemsProblems like deadlocks, race conditions,...TLA+: Specification language
developed by Leslie Lamporta language based on mathematical set theory
TLC: Model checkerfor verifying TLA+ specifications
Leslie Lamport. Specifying Systems, The TLA+ Language and Tools forHardware and Software Engineers. Addison-Wesley, 2002.
3 / 55
An Example
Lamport’s Mutual Exclusion Algorithm
4 / 55
TLA+ Specifications
Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”
�self ∈ CommunicatorIDs → ”chkMsg”]
ncrit(self )∆= ∧ pc[self ] = ”ncrit”
∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}
try(self )∆= ∧ pc[self ] = ”try”
∧ . . .. . .
Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )
. . .
Communicator(self )∆= chkMsg(self )
Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars
)
Spec ∆= Init ∧ 2[Next]vars
5 / 55
TLA+ Specifications
Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”
�self ∈ CommunicatorIDs → ”chkMsg”]
ncrit(self )∆= ∧ pc[self ] = ”ncrit”
∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}
try(self )∆= ∧ pc[self ] = ”try”
∧ . . .. . .
Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )
. . .
Communicator(self )∆= chkMsg(self )
Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars
)
Spec ∆= Init ∧ 2[Next]vars
6 / 55
TLA+ Specifications
Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”
�self ∈ CommunicatorIDs → ”chkMsg”]
ncrit(self )∆= ∧ pc[self ] = ”ncrit”
∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}
try(self )∆= ∧ pc[self ] = ”try”
∧ . . .. . .
Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )
. . .
Communicator(self )∆= chkMsg(self )
Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars
)
Spec ∆= Init ∧ 2[Next]vars
7 / 55
TLA+ Specifications
Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”
�self ∈ CommunicatorIDs → ”chkMsg”]
ncrit(self )∆= ∧ pc[self ] = ”ncrit”
∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}
try(self )∆= ∧ pc[self ] = ”try”
∧ . . .. . .
Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )
. . .
Communicator(self )∆= chkMsg(self )
Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars
)
Spec ∆= Init ∧ 2[Next]vars
8 / 55
TLA+ Specifications
Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”
�self ∈ CommunicatorIDs → ”chkMsg”]
ncrit(self )∆= ∧ pc[self ] = ”ncrit”
∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}
try(self )∆= ∧ pc[self ] = ”try”
∧ . . .. . .
Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )
. . .
Communicator(self )∆= chkMsg(self )
Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars
)
Spec ∆= Init ∧ 2[Next]vars
9 / 55
TLA+ Specifications
Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”
�self ∈ CommunicatorIDs → ”chkMsg”]
ncrit(self )∆= ∧ pc[self ] = ”ncrit”
∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}
try(self )∆= ∧ pc[self ] = ”try”
∧ . . .. . .
Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )
. . .
Communicator(self )∆= chkMsg(self )
Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars
)
Spec ∆= Init ∧ 2[Next]vars
10 / 55
TLA+ Specifications
Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”
�self ∈ CommunicatorIDs → ”chkMsg”]
ncrit(self )∆= ∧ pc[self ] = ”ncrit”
∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}
try(self )∆= ∧ pc[self ] = ”try”
∧ . . .. . .
Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )
. . .
Communicator(self )∆= chkMsg(self )
Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars
)
Spec ∆= Init ∧ 2[Next]vars
11 / 55
TLA+ Specifications
Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”
�self ∈ CommunicatorIDs → ”chkMsg”]
ncrit(self )∆= ∧ pc[self ] = ”ncrit”
∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}
try(self )∆= ∧ pc[self ] = ”try”
∧ . . .. . .
Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )
. . .
Communicator(self )∆= chkMsg(self )
Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars
)
Spec ∆= Init ∧ 2[Next]vars
12 / 55
TLA+ Specifications
Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”
�self ∈ CommunicatorIDs → ”chkMsg”]
ncrit(self )∆= ∧ pc[self ] = ”ncrit”
∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}
try(self )∆= ∧ pc[self ] = ”try”
∧ . . .. . .
Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )
. . .
Communicator(self )∆= chkMsg(self )
Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars
)
Spec ∆= Init ∧ 2[Next]vars
13 / 55
PLUSCAL: A high-level language
TLA+: Specification languagerequires specifications in the form of formulasdifficult to write for algorithm designers
PLUSCAL: Algorithmic Languageproposed by Leslie Lamport for algorithm designersa language for modeling algorithmsgenerates TLA+ specifications for a given model
Featuresallows writing informal description of algorithmsno complicated conceptsconstructs for expressing non-determinism
Leslie Lamport. The +CAL Algorithm Language.Theoretical Aspects of Computing-ICTAC 2009, number 5684, pp. 36-60.
14 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL
—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers
(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)
variables clock = 1, . . .begin
start: skip;. . .
end processprocess Communicator ∈Workersbegin. . .
end processend algorithm*)\* BEGIN TRANSLATION
(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================
15 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL
—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers
(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)
variables clock = 1, . . .begin
start: skip;. . .
end processprocess Communicator ∈Workersbegin. . .
end processend algorithm*)\* BEGIN TRANSLATION
(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================
16 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL
—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers
(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)
variables clock = 1, . . .begin
start: skip;. . .
end processprocess Communicator ∈Workersbegin. . .
end processend algorithm*)\* BEGIN TRANSLATION
(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================
17 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL
—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers
(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)
variables clock = 1, . . .begin
start: skip;. . .
end processprocess Communicator ∈Workersbegin. . .
end processend algorithm*)\* BEGIN TRANSLATION
(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================
18 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL
—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers
(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)
variables clock = 1, . . .begin
start: skip;. . .
end processprocess Communicator ∈Workersbegin. . .
end processend algorithm*)\* BEGIN TRANSLATION
(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================
19 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL
—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers
(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)
variables clock = 1, . . .begin
start: skip;. . .
end processprocess Communicator ∈Workersbegin. . .
end processend algorithm*)\* BEGIN TRANSLATION
(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================
20 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL
—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers
(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)
variables clock = 1, . . .begin
start: skip;. . .
end processprocess Communicator ∈Workersbegin. . .
end processend algorithm*)\* BEGIN TRANSLATION
(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================
21 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL
—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers
(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)
variables clock = 1, . . .begin
start: skip;. . .
end processprocess Communicator ∈Workersbegin. . .
end processend algorithm*)\* BEGIN TRANSLATION
(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================
22 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL
—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers
(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)
variables clock = 1, . . .begin
start: skip;. . .
end processprocess Communicator ∈Workersbegin. . .
end processend algorithm*)\* BEGIN TRANSLATION
(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================
23 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL
—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers
(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)
variables clock = 1, . . .begin
start: skip;. . .
end processprocess Communicator ∈Workersbegin. . .
end processend algorithm*)\* BEGIN TRANSLATION
(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================
24 / 55
Outline
1 IntroductionBackgroundMotivations for PLUSCAL-2
2 PLUSCAL-2The LanguageThe StatementsThe Compiler
3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL
4 Summary
25 / 55
Why change PLUSCAL?
Need to understand TLA+ and the compilationcannot express properties in PLUSCAL algorithmsfairness assumptions should be added in generated TLA+
specificationsLack of process hierarchy and scoping rules
impossible to express distributed algorithms naturallyall variables are considered as global variables
Restrictions in specifying atomicitylabels define atomic blocksrestrictions on label placements
Other technical limitationsno primitive for iterating over a setrestriction on multiple assignments to a variable in a block
26 / 55
Outline
1 IntroductionBackgroundMotivations for PLUSCAL-2
2 PLUSCAL-2The LanguageThe StatementsThe Compiler
3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL
4 Summary
27 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL-2
algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock
variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆
= . . .process Site[N] (* Processes *)
variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .
end process
end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock
28 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL-2
algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock
variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆
= . . .process Site[N] (* Processes *)
variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .
end process
end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock
29 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL-2
algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock
variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆
= . . .process Site[N] (* Processes *)
variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .
end process
end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock
30 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL-2
algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock
variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆
= . . .process Site[N] (* Processes *)
variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .
end process
end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock
31 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL-2
algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock
variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆
= . . .process Site[N] (* Processes *)
variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .
end process
end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock
32 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL-2
algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock
variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆
= . . .process Site[N] (* Processes *)
variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .
end process
end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock
33 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL-2
algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock
variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆
= . . .process Site[N] (* Processes *)
variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .
end process
end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock
34 / 55
Lamport’s Mutual Exclusion algorithm in PLUSCAL-2
algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock
variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆
= . . .process Site[N] (* Processes *)
variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .
end process
end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock
35 / 55
Outline
1 IntroductionBackgroundMotivations for PLUSCAL-2
2 PLUSCAL-2The LanguageThe StatementsThe Compiler
3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL
4 Summary
36 / 55
The PLUSCAL-2 Statements
Assignment and skip statementsAtomic construct
atomiclabel1: x := 3;label2: y := 4;
end atomicNon-deterministic choice construct: either orConditional constructs
if, when, and either from previous PLUSCAL.new construct branch, inspired by Dijkstra’s guarded commands
Iteration constructswhile, loop and for constructs
37 / 55
Outline
1 IntroductionBackgroundMotivations for PLUSCAL-2
2 PLUSCAL-2The LanguageThe StatementsThe Compiler
3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL
4 Summary
38 / 55
The PLUSCAL-2 Compiler
PLUSCAL-2 ParserTranslation to intermediate format
PLUSCAL-2 algorithm
λ: while x > 4 dox := x + 1;
µ: . . .end while
ν: . . .
Intermediate format
λ: branchx > 4 then
x := x + 1; pc[self] := µ;¬(x > 4) then
pc[self] := ν;end branch
µ: . . .pc[self] := λ;
39 / 55
The PLUSCAL-2 Compiler
PLUSCAL-2 ParserTranslation to intermediate format
PLUSCAL-2 algorithm
λ: while x > 4 dox := x + 1;
µ: . . .end while
ν: . . .
Intermediate format
λ: branchx > 4 then
x := x + 1; pc[self] := µ;¬(x > 4) then
pc[self] := ν;end branch
µ: . . .pc[self] := λ;
40 / 55
The PLUSCAL-2 Compiler
PLUSCAL-2 ParserTranslation to intermediate format
PLUSCAL-2 algorithm
λ: while x > 4 dox := x + 1;
µ: . . .end while
ν: . . .
Intermediate format
λ: branchx > 4 then
x := x + 1; pc[self] := µ;¬(x > 4) then
pc[self] := ν;end branch
µ: . . .pc[self] := λ;
41 / 55
The PLUSCAL-2 Compiler
PLUSCAL-2 ParserTranslation to intermediate format
PLUSCAL-2 algorithm
λ: while x > 4 dox := x + 1;
µ: . . .end while
ν: . . .
Intermediate format
λ: branchx > 4 then
x := x + 1; pc[self] := µ;¬(x > 4) then
pc[self] := ν;end branch
µ: . . .pc[self] := λ;
42 / 55
The PLUSCAL-2 Compiler
PLUSCAL-2 ParserTranslation to intermediate format
PLUSCAL-2 algorithm
λ: while x > 4 dox := x + 1;
µ: . . .end while
ν: . . .
Intermediate format
λ: branchx > 4 then
x := x + 1; pc[self] := µ;¬(x > 4) then
pc[self] := ν;end branch
µ: . . .pc[self] := λ;
43 / 55
The PLUSCAL-2 Compiler
PLUSCAL-2 ParserTranslation to intermediate format
PLUSCAL-2 algorithm
λ: while x > 4 dox := x + 1;
µ: . . .end while
ν: . . .
Intermediate format
λ: branchx > 4 then
x := x + 1; pc[self] := µ;¬(x > 4) then
pc[self] := ν;end branch
µ: . . .pc[self] := λ;
44 / 55
The PLUSCAL Compiler
Generation of TLA+ codegenerates the actual TLA+ model from the list of guardedcommands
Intermediate format
λ: branchx > 4 then
x := x + 1; pc[self] := µ;¬(x > 4) then
pc[self] := ν;end branch
TLA+ code
λ(self )∆= ∧ pc[self ] = λ∧ ∨ ∧ x > 4∧ x ′ = x + 1∧ pc′ = [pc EXCEPT ![self ] = µ]∧ UNCHANGED vars \ {x , pc}∨ ∧ ¬(x > 4)∧ pc′ = [pc EXCEPT ![self ] = ν]∧ UNCHANGED vars \ {pc}
45 / 55
The PLUSCAL Compiler
Generation of TLA+ codegenerates the actual TLA+ model from the list of guardedcommands
Intermediate format
λ: branchx > 4 then
x := x + 1; pc[self] := µ;¬(x > 4) then
pc[self] := ν;end branch
TLA+ code
λ(self )∆= ∧ pc[self ] = λ∧ ∨ ∧ x > 4∧ x ′ = x + 1∧ pc′ = [pc EXCEPT ![self ] = µ]∧ UNCHANGED vars \ {x , pc}∨ ∧ ¬(x > 4)∧ pc′ = [pc EXCEPT ![self ] = ν]∧ UNCHANGED vars \ {pc}
46 / 55
The PLUSCAL Compiler
Generation of TLA+ codegenerates the actual TLA+ model from the list of guardedcommands
Intermediate format
λ: branchx > 4 then
x := x + 1; pc[self] := µ;¬(x > 4) then
pc[self] := ν;end branch
TLA+ code
λ(self )∆= ∧ pc[self ] = λ∧ ∨ ∧ x > 4∧ x ′ = x + 1∧ pc′ = [pc EXCEPT ![self ] = µ]∧ UNCHANGED vars \ {x , pc}∨ ∧ ¬(x > 4)∧ pc′ = [pc EXCEPT ![self ] = ν]∧ UNCHANGED vars \ {pc}
47 / 55
The PLUSCAL Compiler
Generation of TLA+ codegenerates the actual TLA+ model from the list of guardedcommands
Intermediate format
λ: branchx > 4 then
x := x + 1; pc[self] := µ;¬(x > 4) then
pc[self] := ν;end branch
TLA+ code
λ(self )∆= ∧ pc[self ] = λ∧ ∨ ∧ x > 4∧ x ′ = x + 1∧ pc′ = [pc EXCEPT ![self ] = µ]∧ UNCHANGED vars \ {x , pc}∨ ∧ ¬(x > 4)∧ pc′ = [pc EXCEPT ![self ] = ν]∧ UNCHANGED vars \ {pc}
48 / 55
The PLUSCAL Compiler
Generation of TLA+ codegenerates the actual TLA+ model from the list of guardedcommands
Intermediate format
λ: branchx > 4 then
x := x + 1; pc[self] := µ;¬(x > 4) then
pc[self] := ν;end branch
TLA+ code
λ(self )∆= ∧ pc[self ] = λ∧ ∨ ∧ x > 4∧ x ′ = x + 1∧ pc′ = [pc EXCEPT ![self ] = µ]∧ UNCHANGED vars \ {x , pc}∨ ∧ ¬(x > 4)∧ pc′ = [pc EXCEPT ![self ] = ν]∧ UNCHANGED vars \ {pc}
49 / 55
Outline
1 IntroductionBackgroundMotivations for PLUSCAL-2
2 PLUSCAL-2The LanguageThe StatementsThe Compiler
3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL
4 Summary
50 / 55
Verification results for PLUSCAL-2 algorithms
No degradation found in the output of TLC model checkerGenerated state space doesn’t increase
More natural representation of the algorithms in PLUSCAL-2Except for the TLA+ specifications, they become less readable.Users are not supposed to read TLA+ specifications
Comparison between TLC output for PLUSCAL and PLUSCAL-2
Algorithm # proc. PLUSCAL PLUSCAL-2Peterson 2 37 23FastMutex 2 2679 2679Naimi-Trehel 3 111749 53905
51 / 55
Outline
1 IntroductionBackgroundMotivations for PLUSCAL-2
2 PLUSCAL-2The LanguageThe StatementsThe Compiler
3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL
4 Summary
52 / 55
Comparison with PLUSCAL
Models have become self-containedfairness assumptions, correctness properties or model checkingconstraints can be expressed within PLUSCAL-2 algorithm
Nested processes and scoped declarationsrepresent the locality informationincrease readability of algorithmsless errors are expected while modeling an algorithm
Representation is more flexible, without losing any performancenew statements like atomic, for,...multiple assignments to same variable in a block
53 / 55
Conclusions and work in progress
AchievementsEasily accessible for algorithm designersNo need to read/modify TLA+ specifications
Ongoing/Future WorkImplementation of Partial order reduction for TLC geared towardsPLUSCAL-2 algorithmsImplementation of the module for collecting locality informationIntegration of the module in PLUSCAL-2
54 / 55
Questions!
55 / 55
Recommended