# Adding Formal Verification to occam-π

Peter Welch<sup>a</sup>, Matt Pedersen<sup>b</sup>, Fred Barnes<sup>a</sup>, Carl Ritson<sup>a</sup> and Neil Brown<sup>a</sup> <sup>a</sup> School of Computing, University of Kent, UK <sup>b</sup> School of Computer Science, UNLV, USA



#### CPA 2011, University of Limerick, 22<sup>nd</sup>. June, 2011

24-Jun-11

Copyleft (GPL) P.H.Welch and J.B.Pedersen

# occam- $\pi$ , the process algebra

#### Aim:

To enable formal verification of  $occam-\pi$  programs to be conducted within the language itself ... as a matter of course by the programmer.

#### How:

Extend occom- $\pi$  with verification qualifiers and assertions. Modify the compiler to generate (minimal) CSP<sub>M</sub> code from programs using these qualifiers and assertions, bounce this off the FDR model checker and report back in terms of the source code.

# occam- $\pi$ , the process algebra



"Use of *autonomous* systems will require developing new methods to establish *'certifiable trust in autonomy*' through *Verification and Validation (V&V)* of the near-infinite state systems that result from high levels of adaptability; the lack of suitable V&V methods today prevents all but relatively low levels of autonomy from being certified for use ... *(This)* will require access to as-yet undeveloped methods for establishing certifiably reliable V&V."

Werner J.A. Dahm, Chief Scientist of the U.S. Air Force (AF/ST), "A Vision for Air Force Science & Technology (2010-2030)", May 2010

The following example has been developed from one first worked through in a single lesson of a graduate class in concurrency at UNLV in the spring of 2010.



**Device** : real-time controller for 8 channels (4 input, 4 output).



**Device** : real-time controller for 8 channels (4 input, 4 output).

There are 3 sub-components: **P0** (weapons systems), **P1** (vision processing) and **P2** (motion stabilizer).

They exchange information over internal channels (**ask**, **ans**, **ping**) and all coordinate actions with an internal barrier (**bar**).



**CSP** semantics apply. **Channel communication** is unbuffered (sender waits for receiver and vice-versa). Any process **reaching a barrier** waits for **all** processes to **reach the barrier**.

They exchange information over internal *channels* (ask, ans, **ping**) and all coordinate actions with an internal *barrier* (bar).



#### Behaviour: two representations



occam-π: for compiling to a runnable system. [memory overheads <= 32 bytes per process / synchronisation overheads of order tens of nanoseconds / eats multicore nodes for breakfast.]

**CSP**: for formal analysis

[FDR2 model checker + other (simple) formal reasoning.]

#### **Behaviour: one representation**



occam-π: for compiling to a runnable system. [memory overheads <= 32 bytes per process / synchronisation overheads of order tens of nanoseconds / eats multicore nodes for breakfast.]

**occam-** $\pi$ : for formal analysis.

[verify qualifiers and (FDR) assertions + other (simple) formal reasoning.]

## Behaviour: what are we looking for?



deadlock: *might* it ever stop?

[e.g. **PO** and **P2** want to synchronise on **bar**, but **P1** wants to **ping**.]

**livelock:** *might* it get busy ... but refuse all external signals? [e.g. **P0**, **P1** and **P2** start engaging in an infinite sequence of internal channel or barrier synchronisations (on **ask**, **ans**, **ping** and **bar**).]

## Behaviour: what are we looking for?



safety: might it ever engage in an incorrect sequence of
external signals?

**liveness:** *will* it engage in correct sequences of external signals, as required?

[Some specs allow alternative sequences to be performed – all are correct, but an implementation must only do one and is free to choose.]







```
PROC P0 (CHAN INT a0?, b0?, c0!, ask?, ans!, BARRIER bar)
WHILE TRUE
INT x, y, z:
SEQ
    ask ? x -- take question
    a0 ? y
    ans ! 0 -- return answer (will depend on x and y)
    b0 ? z
    SYNC bar -- wait for the others
    c0 ! 0
;
```



```
PROC Pl (CHAN INT al?, bl?, cl!, ask!, ans?, ping!,
BARRIER bar)
WHILE TRUE
INT X, Y, Z:
SEQ
ask ! 0 -- ask question
ans ? x -- wait for answer
al ? y
bl ? z
SYNC bar -- wait for the others
cl ! 0
ping ! 0 -- update neighbour
```

24-



| PROC P2 (CHAN INT d0!, d1!, ping?, BARRIER bar) |
|-------------------------------------------------|
| WHILE TRUE                                      |
| INT x:                                          |
| SEQ                                             |
| SYNC bar wait for the others                    |
| d0 ! 0                                          |
| ping ? x receive update                         |
| SYNC bar wait for the others                    |
| d1 ! 0                                          |
| ping ? x receive update                         |
|                                                 |













edersen






































































With *verification qualifiers* and *assertions*, we can ask the occam- $\pi$  compiler to *model check* the previous intuition (which was only about the opening behaviour of the system) and answer the open questions (and more) about its continuous behaviour.

The compiler does this by generating  $CSP_M$ , a *declarative* (*functional*) language, from the occom- $\pi$  source and using the FDR2 model checker.



If we generated  $CSP_M$  that fully reflected the semantics of the occam- $\pi$  source code, we would quickly produce a system with too many states for any feasible *model checking*. For instance, a single **INT** variable has 4G possible states!

By default, therefore, data values are ignored when generating the  $CSP_{M}$ . For instance:

PROC P (VAL INT i, CHAN INT c!)
 c ! i
:

maps just to: **P (c) = c -> SKIP** 



occam- $\pi$  code dependant on tests of *untracked* run-time values map to non-deterministic choice:



maps to:

Q (c, d) = c -> SKIP |~| d -> SKIP



If data values are significant, we qualify their types:

```
PROC Q (VAL VERIFY INT i, CHAN INT c!, d!)
IF
    i = 42
    c ! i
    TRUE
    d ! i
:
```

Such data variables are *tracked* and the above now maps to:

Q (i, c, d) = if i == 42 then c -> SKIP else d -> SKIP





If data values are significant, we qualify their types:

```
PROC Q (VAL VERIFY INT i, CHAN VERIFY INT c!, d!)
IF
    i = 42
    c ! i
    TRUE
    d ! i
;
```

Such data variables and channel messages are *tracked* and the above now maps to:

Q (i, c, d) = if i == 42 then c!i -> SKIP else d!i -> SKIP







| Formal Compiling: $occam - \pi \rightarrow CSP_M$                                         |  |  |
|-------------------------------------------------------------------------------------------|--|--|
|                                                                                           |  |  |
| P0 ask P1 ping P2                                                                         |  |  |
| Device bar                                                                                |  |  |
|                                                                                           |  |  |
| PROC Device (CHAN INT a0?, b0?, c0!, a1?, b1?, c1!, d0!, d1!)<br>CHAN INT ask, ans, ping: |  |  |
| BARRIER bar:                                                                              |  |  |
| PAR ENROLL bar                                                                            |  |  |
| PO (a0?, b0?, c0!, ask?, ans!, bar)                                                       |  |  |
| <pre>Pl (al?, bl?, cl!, ask!, ans?, ping!, bar)</pre>                                     |  |  |
| P2 (d0!, d1!, ping?, bar)                                                                 |  |  |
| •                                                                                         |  |  |





Formal

## Verify Assertions : $occam-\pi$

**VERIFY** <assertion><br/>VERIFY NOT <assertion>

<assertion>

| DETERMINISTIC.F  | <process></process> |
|------------------|---------------------|
| DETERMINISTIC.FD | <process></process> |
| DEADLOCK.FREE.F  | <process></process> |
| DEADLOCK.FREE.FD | <process></process> |
| LIVELOCK.FREE    | <process></process> |
| TERMINATES       | <process></process> |

| <process></process> | <b>REFINES.T</b>  | <process></process> |
|---------------------|-------------------|---------------------|
| <process></process> | <b>REFINES.F</b>  | <process></process> |
| <process></process> | <b>REFINES.FD</b> | <process></process> |

Only VAL VERIFY operands need to be supplied (channels and barriers are supplied automatically)

where <**process>** is an instance of a **PROC** 



## Verify Assertions : $occam-\pi$

Without testing the system, we can assert straight away that **Device** is *deterministic* and *free from deadlock* and *livelock* – and that it doesn't *terminate*:

VERIFY DETERMINISTIC.FD Device VERIFY DEADLOCK.FREE.FD Device VERIFY LIVELOCK.FREE Device VERIFY NOT TERMINATES Device

 $(\cdot \cdot)$ 

and the compiler says: " </ "!

(ご)

(:)

 $(\cdot)$ 



To verify behaviours beyond determinism, deadlock and livelock freedom and termination, we need some way to express the behaviours we want. We can use occam- $\pi$  for this, together with *refinement*.

```
VERIFY PROC P (...)
```

The occam- $\pi$  compiler generates only CSP<sub>M</sub> from such declarations – no executable code.

Within **VERIFY** processes, certain restrictions **occam**- $\pi$  imposes (currently) can be removed – for instance, **output guards** and **barrier guards** are allowed.

Only **VERIFY** processes can invoke **VERIFY** processes.

## Formal Behaviour: occom-π (verifyable)









| VERIFY PROC TO (CHAN INT a0?, b0?, c0!, a1?<br>INT x:<br>SEQ | , b1?, c1!, d0!, d1!)                                                                                   |
|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
| a0 ? x<br>b0 ? x                                             | Informal understanding                                                                                  |
| al ? x<br>bl ? x<br>d0 ! 0<br>c0 ! 0                         | <a0, a1,="" b0,="" b1=""><br/><a0, a1,="" b0,="" b1=""><br/><a0, a1,="" b0="" b1,=""></a0,></a0,></a0,> |
| cl ! 0<br>STOP<br>:                                          | What next?                                                                                              |
| Define processes that have no choice in the matter e.g.      | (* any order)                                                                                           |

VERIFY TO REFINES.T Device



<a0, b0, a1, b1, d0, c0, c1> is clearly a trace of **T0**. Therefore, it is also a trace of **Device**.









VERIFY T1 REFINES.T Device

At least one trace of **T1** is *not* a trace of **Device**. Comparing **T0** and **T1**, the fault lies in the mis-ordering of **d0** and **b1**.

X



Let's ask a more difficult question about the continuous running of the system. Suppose the robot would do something *very bad* if its controller **Device** were ever to accept a signal *twice* on **a**0 without a signal on **d**0 or **d1** *in between*. Might this *ever* happen?

Simple: write a process that checks all signals to/from **Device**, looking for the bad scenario and deliberately deadlocks (the monitored system) if spotted. This is just programming ...



Simple: write a process that checks all signals to/from **Device**, looking for the bad scenario and deliberately deadlocks (the monitored system) if spotted. This is just programming ...



Let's ask a more difficult question about the continuous running of the system. Suppose the robot would do something *very bad* if its controller **Device** were ever to signal *twice* on **a**0 without a signal on **d**0 or **d**1 *in between*. Might this *ever* happen?

Simple: write a process that checks all signals to/from **Device**, looking for the bad scenario and deliberately deadlocks (the monitored system) if spotted. This is just programming ...

| Formal Behaviour: occom-π (verifyable) Safety                                        |
|--------------------------------------------------------------------------------------|
| <pre>VERIFY PROC Check (CHAN INT a0!, b0!, c0?, al!, bl!, cl?,</pre>                 |
| * n : the number of a0 signals since the last d0 or d1<br>INITIAL VERIFY INT n IS 0: |
| WHILE TRUE<br>SEQ                                                                    |
| alive ! O<br>IF                                                                      |
| n >= 2<br>STOP refuse all further signals (forcing deadlock)                         |
| TRUE                                                                                 |
| process next signal (maintain n)<br>:                                                |

Let's ask a more difficult question about the continuous running of the system. Suppose the robot would do something *very bad* if its controller **Device** were ever to signal *twice* on **a**0 without a signal on **d**0 or **d**1 *in between*. Might this *ever* happen?













adherence at run-time (e.g. in device drivers). We are using **Check** purely for static analysis – it is not there at run-time and, therefore, has no impact on performance.



So far, our checks have concerned **safety** – namely that our system will not do harm (incorrect things). This is not enough! After all, the **STOP** process does not do incorrect things – it does nothing. **STOP trace refines** every process. **Trace refinement** is not enough.

A **CSP** *failure* is a state that a system reaches (represented by its *trace* to that point) where it *may refuse to synchronise* with its environment on some given set of events.

Process **p** failure refines **Q** if (all traces of **p** are traces of **Q**) and (all failures of **p** are failures of **Q**).



**Failure refinement** makes a powerful statement! **P** can only do **traces** of **Q** (so its safe). More: the **failures** of **P** are **allowed** by **Q**. If **P** and **Q** execute the same trace to a state where their environment offers a set of events that **Q** will not refuse, then **P** also will not refuse.

A **CSP** *failure* is a state that a system reaches (represented by its *trace* to that point) where it *may refuse to synchronise* with its environment on some given set of events.

Process **p** failure refines **Q** if (all traces of **p** are traces of **Q**) and (all failures of **p** are failures of **Q**).



We can describe " $\mathbf{p}$  failure refines  $\mathbf{q}$ " in a positive way: whenever  $\mathbf{q}$  stays alive (engaging with its environment), so does  $\mathbf{p}$  (and in the same way). So, if  $\mathbf{q}$  is a specification explicitly defining the required patterns of synchronisation,  $\mathbf{p}$  will provide them.

A **CSP** *failure* is a state that a system reaches (represented by its *trace* to that point) where it *may refuse to synchronise* with its environment on some given set of events.

Process **p** failure refines **Q** if (all traces of **p** are traces of **Q**) and (all failures of **p** are failures of **Q**).



Recall our informal understanding of (at least some of) the opening traces of **Device (slides 18-35)**...

We can formalise the expression of those traces a bit better ...

Informal understanding $\langle a0, b0, a1, b1 \rangle$  $\langle a0, a1, b0, b1 \rangle$  $\langle a0, a1, b1, b0 \rangle$ What next? $\bigcirc$  $\bigcirc$ 



Device (slides 18-35) ... —

We can formalise the expression of those traces a bit better ...

Informal understanding <a0, b0, a1, b1> <a0, a1, b0, b1> <a0, a1, b1, b0> <c0> ||| <c1> ||| <d0>

interleave



least some of) the opening traces of **Device (slides 18-35)** ...

We can formalise the expression of those traces a bit better ...







<a0>; (<b0> ||| <a1, b1>); (<c0> ||| <c1> ||| <d0>); <a0>; (<b0> ||| <a1, b1>); (<c0> ||| <c1> ||| <d1>)




From such trace expressions, we can directly write down an **occom-** $\pi$  process that offers all of them ...



From such trace expressions, we can directly write down an occom- $\pi$  process that offers all of them ...



| {{{ phase 0<br>SEQ |  |
|--------------------|--|
| a0 ? w             |  |
| PAR                |  |
| b0 ? x             |  |
| SEQ                |  |
| al ? y             |  |
| b1 ? Z             |  |
| PAR                |  |
| c0 ! 0             |  |
| c1 ! 0             |  |
| d0 ! 0             |  |
| }}}                |  |

From such trace expressions, we can directly write down an **occam**- $\pi$  process that offers all of them ...

{ <a0>; (<b0> ||| <a1, b1>); (<c0> ||| <c1> ||| <d0>); )\* <a0>; (<b0> ||| <a1, b1>); (<c0> ||| <c1> ||| <d1>)



| {{{ phase 1<br>SEQ |          |
|--------------------|----------|
| a0 ? w             |          |
| PAR                |          |
| b0 ? x             |          |
| SEQ                |          |
| al ? y             |          |
| b1 ? Z             |          |
| PAR                |          |
| c0 ! 0             |          |
| c1 ! 0             |          |
| d1 ! 0             | <b>←</b> |
| }}}                |          |

From such trace expressions, we can directly write down an **occom-** $\pi$  process that offers all of them ...

*This generation can be automated.* 





 $\left( \begin{array}{c} <a0>; (<b0> ||| <a1, b1>); (<c0> ||| <c1> ||| <d0>); \\ <a0>; (<b0> ||| <a1, b1>); (<c0> ||| <c1> ||| <d1>) \end{array} \right) *$ 

**Device** was not *implemented* as **DeviceSpec** because of the three independent functions (*weapons systems*, *vision processing* and *motion stability*) it had to perform. *Process-oriented design* led to its three communicating sub-systems.

Whilst our intuition indicated that the first two lines of **DeviceSpec** reflected the initial behaviour of **Device**, it was unclear whether the pattern repeated cleanly as its sub-components started looping.



However:

VERIFY Device REFINES.FD DeviceSpec

This is all we need. Any traces performed by **Device** are allowed by **DeviceSpec** – so it's safe. Any failures reached by **Device** are allowed by **DeviceSpec** – so it's as *alive* as **DeviceSpec** (which was built always to offer everything in the specified trace pattern). 24-Jun-11 Copyleft (GPL) P.H.Welch and J.B.Pedersen



<a0>; (<b0> ||| <a1, b1>); (<c0> ||| <c1> ||| <d0>); )\*
<a0>; (<b0> ||| <a1, b1>); (<c0> ||| <c1> ||| <d1>)</a>)

However:

VERIFY Device REFINES.FD DeviceSpec

Without this verification, we may be tempted to add another barrier (bar) sync at the end of each loop of **P0** and **P1** and half-loop of **P2**. The above *refinement* shows that the required pattern does indeed repeat cleanly and, so, this overhead is unnecessary.



<a0>; (<b0> ||| <a1, b1>); (<c0> ||| <c1> ||| <d0>); )\*<a0>; (<b0> ||| <a1, b1>); (<c0> ||| <c1> ||| <d1>)

However:

VERIFY Device REFINES.FD DeviceSpec

Rather than being deduced after implementation, **DeviceSpec** may be part of the specification for **Device**. We certainly need assurance of the behaviour of **Device** to use it securely with other components. All its patterns of synchronisation (for safety and liveness questions) can be trivially deduced from **DeviceSpec** 



However:

VERIFY Device REFINES.FD DeviceSpec

We also have:

VERIFY DeviceSpec REFINES.FD Device

But that's just icing on the cake! 🕲 🕲 🕲



VERIFY DEADLOCK.FREE.FD Device

channel a0\_42\_, b0\_42\_, c0\_42\_, a1\_42\_, b1\_42\_, c1\_42\_, d0\_42\_, d1\_42\_

The  $CSP_M$  channel names are generated from the occom- $\pi$  CHAN and **BARRIER** parameter names of the asserted process, suffixed by a unique number generated by the compiler.



VERIFY NOT TERMINATES Device

The  $CSP_M$  channel names are generated from the occom- $\pi$  CHAN and **BARRIER** parameter names of the asserted process, suffixed by a unique number generated by the compiler.



VERIFY NOT TERMINATES Device

Subsequent assertions about the same process may reuse channels previously generated.



VERIFY Device REFINES.FD DeviceSpec

Subsequent assertions about the same process may reuse channels previously generated. [*Note:* processes in *refinement* assertions should have the same parameter signatures, though the formal names can be different].

# Verify Assertions : verified data

The only arguments needed for  $CSP_M$  assertions are those for occom- $\pi$  VERIFY data parameters. Channels and barriers can be supplied automatically. Non-VERIFY data parameters are irrelevant.

For example, if we need an assertion about:

PROC System (VAL VERIFY INT n, CHAN VERIFY INT out!)

we must supply a value for **n**, since we have declared it relevant:

VERIFY DEADLOCK.FREE.FD System (42, \_)

where the underscore indicates arguments that are either irrelevant (*non-verify* data) or automatic (*channels* and *barriers*).

Formal

## **Verify Assertions : verification GUI**

Later, we plan an option for the occam- $\pi$  compiler just to generate  $CSP_M$  code to be picked up by a GUI with facilities for interactive generation, checking and reporting of **VERIFY** assertions. These will be similar to those given by the FDR2 GUI, but processes and assertions will be in terms of the occam- $\pi$  sources. FDR2, or some derivative, remains the underlying workhorse for model checking.

The **GUI** will allow flexible exploration of assertions with **VERIFY** data values. It will also prove useful when some assertions take a long time to check ... rather than wait for all checks to complete during compilation (as a single batch of assertions to **FDR2**).

Formal

## Reflection on Case Study (Device)

Further study:

All sorts of *what-ifs* on the behaviour of the system can be explored and answered without running any code ... e.g.

If the (internal) **ping** communications were removed, does **Check** still hold?

Do the **a0** and **a1** signals strictly alternate?

Do the **b0** and **b1** signals strictly alternate?

If we added an extra **bar** sync at the end of each cycle in **P0** and **P1** and half-cycle in **P2**, would it make any difference?

If the elevator cabin is not at a floor, might the floor doors to the elevator shaft still open?







The story of The Dining Philosophers is due to Edsger Dijkstra – one of the founding fathers of Computer Science.

It illustrates a classic problem in concurrency: how to share resources safely between competing consumers.

http://www.cs.utexas.edu/users/EWD/ewd03xx/EWD310.PDF







```
Phil (thinking, eating, eatBar) =
   let
    Phil_0_ =
    thinking -> eatBar ->
    eating -> eatBar -> Phil_0_
   within
    Phil_0_
:
```





```
Fork (eatBarRight, eatBarLeft) =
    let
        Fork_0_ =
        eatBarRight -> eatBarRight -> Fork_0_
        []
        eatBarLeft -> eatBarLeft -> Fork_0_
        within
        Fork_0_
;
```



VAL INT nPhils IS 5:

nPhils = 5



```
Philosophers (thinking, eating, eatBar) =
    ||| id : {0..(nPhils - 1)} @
    Phil (thinking.id, eating.id, eatBar.id)
```

... except that FDR2 uses *much less memory and time* if replicated (or merely repeated) processes take *no parameters*, but instead use *event renaming* to wire up the different instances.



```
channel thinking_r0_, eating_r0_, eatBar_r0_
Philosophers (thinking, eating, eatBar) =
    let
    Philosophers_0 = Phil (thinking_r0_, eating_r0_, eatBar_r0_)
    within
    ||| id : {0..(nPhils - 1)} @
    Philosophers_0 [[
      thinking_r0_ <- thinking.id,
      eating_r0_ <- eating.id,
      eatBar_r0_ <- eatBar.id)
    ]]</pre>
```

VAL INT nPhils IS 5:

nPhils = 5



```
VERIFY PROC Forks ([nPhils]BARRIER eatBar)
PAR id = 0 FOR nPhils
VAL INT right IS id:
VAL INT left IS (id + 1)\nPhils:
Fork (eatBar[right], eatBar[left])
:
```

```
Forks (eatBar) =
    || id : {0..(nPhils - 1)} @
    [{ eatBar.id, eatBar.((id + 1)%nPhils) }]
    Fork (eatBar.id, eatBar.((id + 1)%nPhils))
```

... except that FDR2 uses *much less memory and time* if replicated (or merely repeated) processes take *no parameters*, but instead use *event renaming* to wire up the different instances.



```
channel eatBarRight_r2_, eatBarLeft_r2_
Forks (eatBar) =
    let
    Forks_0 = Fork (eatBarRight_r2_, eatBarLeft_r2_)
within
    || id : {0..(nPhils - 1)} @
    [{ eatBar.id, eatBar.((id + 1)%nPhils) }]
    Forks_0 [[
        eatBarRight_r2_ <- eatBar.id,
        eatBarLeft_r2_ <- eatBar.id,
        eatBarLeft_r2_ <- eatBar.id,
        eatBarLeft_r2_ <- eatBar.((id + 1)%nPhils)
    ]]</pre>
```







```
VERIFY PROC College ([nPhils]CHAN INT thinking!, eating!)
  [nPhils]BARRIER eatBar:
  PAR
  Philosophers (thinking!, eating!, eatBar)
  Forks (eatBar)
;
```





The previous model check verifies properties of a college with precisely **5** philosophers. The **FDR2** model check is almost instant.

Scaling to **10** philosophers puts a strain on my laptop – it gets very hot and takes a few minutes. Scaling to **20** fails.

In the FDR2 manual, Bill Roscoe explains how to verify a college with 10^200 philosophers ... we had better follow his guidelines ... and tackle the black art of compression in model checking ...

With our simpler college, we want to beat that scale! Further, we would like to verify a college of any number of philosophers ... using induction.



## Solving the problem *©*

The first guideline is *not* to build the *philosophers* and *forks* as separate sub-systems and, then, the college as their parallel combination. This is what we did and it doesn't let us use inductive reasoning very well.

Instead, first build a *philospher-fork* pair. Next, build chains of *philospher-fork* pairs using recursion (e.g. a chain of length *n* is a chain of length (*n-1*) plus one more pair). Verify properties of the chain, for any *n*. Finally, add one more pair that connects both ends of a chain and get the college. Verify the college using verified properties of the chain.



## Solving the problem ©

There are two further points that are needed: *hiding* and *compression*.

First, note that the *thinking* and *eating* reports from the *philosophers* play no role in the deadlock / livelock properties of the *college*. Each philosopher engages on its own *thinking* and *eating* channels with the environment of the *college*. The forks do not engage with those channels.

Therefore, no *thinking* or *eating* report can block the operations of the *college*. Verifying deadlock and livelock freedom in a college with the *thinking* and *eating* events *hidden* will also verify the result for a college that doesn't hide them.



```
Phil' (thinking, eating, eatBar) =
   let
    Phil_0_ =
    thinking -> eatBar ->
    eating -> eatBar -> Phil_0_
   within
    Phil_0_
:
```



#### Which is the same as ...



```
Phil' (eatBar) =
   let
    Phil_0_ = eatBar -> eatBar -> Phil_0_
   within
    Phil_0_
:
```

... but without changing source code *©* 

# We can ask for the size of the state transition machine generated by FDR ....



#### Compress ....



... a big win !! Adding such a (non-reporting, compressed) philosopher to any system cannot increase the number of states.

And is the same as ...



```
Phil'' (eatBar) =
   let
    Phil_0_ = eatBar -> Phil_0_
   within
    Phil_0_
:
```

... but without changing source code *©*








### Now build a chain ... using recursion



Generating the  $CSP_{M}$  code for this requires an extra care ... (because FDR2 does something it shouldn't – claim!)

The following does not work correctly ...

### Now build a chain ... using recursion

```
channel eatBarMiddle
Chain (length, eatBarRight, eatBarLeft)
if length == 1 then
PhilFork' (eatBarRight, eatBarLeft)
else
normalise (
   ( Chain (length - 1, eatBarRight, eatBarMiddle)
      [| {eatBarMiddle} |]
      PhilFork' (eatBarMiddle, eatBarLeft)
      ) \ {eatBarMiddle}
;
```

eatBarMiddle events "hidden" inside the recursive instance of Chain get confused with the eatBarMiddle connecting that instance with PhilFork'.  $\otimes \otimes \otimes$ 

We have to manufacture lots of eatBarMiddle events ...

### Now build a chain ... using recursion

```
channel eatBarMiddle : Int
Chain (length, eatBarRight, eatBarLeft)
if length == 1 then
  PhilFork' (eatBarRight, eatBarLeft)
else
  normalise (
    ( Chain (length - 1, eatBarRight, eatBarMiddle)
      [| {eatBarMiddle.length} |]
      PhilFork' (eatBarMiddle, eatBarLeft)
      ) \ {eatBarMiddle.length}
    )
;
```

... and use a different one for each length. Now we are OK!  $\bigcirc \odot \odot \bigcirc$ 

But it really should not be up to us to declare and use this infinite set of hidden events. Why doesn't *FDR2* just rename hidden events to unique names that cannot be expressed by the *FDR2* coder? *Not doing so seems to break the semantics of hiding ... ???* 

### What's happening with the sizes?

```
VERIFY PROC Chain (VAL VERIFY INT length,
                                              -- assume >= 1
                  BARRIER eatBarRight, eatBarLeft)
  IF
   length = 1
     PhilFork. (eatBarRight, eatBarLeft)
   TRUE
     NORMALTSE
       BARRIER eatBarMiddle:
       PAR
         Chain (length - 1, eatBarRight, eatBarMiddle)
         PhilFork, (eatBarMiddle, eatBarLeft)
2
VERIFY SIZE Chain (1, _, _) --> 3 states, 4 transitions
VERIFY SIZE Chain (2, _, _) --> 1 state, 2 transitions
VERIFY SIZE Chain (3, _, _) --> 1 state, 2 transitions
VERIFY SIZE Chain (4, , ) --> 1 state, 2 transitions
```

### How similar are they and might they deadlock?

```
VERIFY PROC Chain (VAL VERIFY INT length, -- assume >= 1
                          BARRIER eatBarRight, eatBarLeft)

IF
    length = 1
        PhilFork. (eatBarRight, eatBarLeft)

    TRUE
        NORMALISE
        BARRIER eatBarMiddle:
        PAR
        Chain (length - 1, eatBarRight, eatBarMiddle)
        PhilFork. (eatBarMiddle, eatBarLeft)
;
```

From Chain (2, \_, \_) upwards, they can certainly *livelock* – infinite sequences of eatBarMiddle events!

So, deadlock and refinement checking must only be done with the *failures* model.

### How similar are they and might they deadlock?



Let *H(i)* be the hypothesis that:

Chain (4, \_, \_) EQUIVALENT.F Chain (i, \_, \_)

Clearly H(4) and, by model checking, H(5).

H(i) is: Chain (4, \_, \_) EQUIVALENT.F Chain (i, \_, \_)

We have H(4) and H(5). Suppose H(i) for any  $i \ge 4$ . Consider:

Chain (i+1, eatBarRight, eatBarLeft)

This reduces to:

```
BARRIER eatBarMiddle:

PAR

Chain (i, eatBarRight, eatBarMiddle)

PhilFork. (eatBarMiddle, eatBarLeft)
```

By **H(i)**, this is **EQUIVALENT.F** to:

```
BARRIER eatBarMiddle:

PAR

Chain (4, eatBarRight, eatBarMiddle)

PhilFork. (eatBarMiddle, eatBarLeft)

But this is the same as: Chain (5, eatBarRight, eatBarLeft)

Which, by H(5), is EQUIVALENT.F to: Chain (4, eatBarRight, eatBarLeft)
```

H(i+1)

**H(i)** is: Chain (4, \_, \_) EQUIVALENT.F Chain (i, \_, \_)

Clearly H(4) and, by model checking, H(5).

We have just shown that, for any  $i \ge 4$ , H(i) implies H(i+1).

By induction therefore, for all  $i \ge 4$ , we have H(i).

All chains of (no reporting) *philosopher-fork* pairs with lengths equal to or greater than 4 are *failures equivalent*. Further, all such chains are *deadlock free* (since model checking gave us that for chains of lengths 1 through 4).

But ... what about Colleges?

### But ... what about *Colleges*?

```
VERIFY PROC CollegeChain (VAL VERIFY INT size) -- assume >= 2
NORMALISE
[2]BARRIER eatBar:
PAR
PhilFork. (eatBar[0], eatBar[1])
Chain (size - 1, eatBar[1], eatBar[0])
;
```

We can immediately deduce that all **collegeChains** with size equal to or greater than **5** are **failures equivalent** (since their **Chain** sub-components have lengths equal to or greater than **4** and are **failures equivalent**).



Hence, all **collegeChains** with size equal to or greater than **2** are **deadlock free**. Of course, with no reporting, they are hopelessly **livelocked**!

### So ... what about reporting Colleges?

An earlier argument showed that a *deadlock free* result for a college with *external reports hidden* implies a *deadlock free* result for a college with *external reports* (since the external reporting cannot cause internal blocking). So all reporting colleges of any size are deadlock-free.

The following argument shows that a college with external reports is also *livelock free* ...

From simple code inspection, a Phil process cannot engage in two eatBar events (internal) without an (external) intervening report.

This could be model-checked, using techniques discussed earlier, if it was felt necessary!





From simple code inspection, a Phil process cannot engage in two eatBar events (internal) without an (external) intervening report.

This could be model-checked, using techniques discussed earlier, if it was felt necessary!



For the college not to be *livelock free* ... it must be possible for it to engage in an *infinite* sequence of internal events ... and the only internal events are **eatBars**. Suppose that this happens!

If the college has size *n*, it has only *n* eatBars. After at most (*n*+1) eatBar events, at least one must have occurred at least twice. But the Phil process engaging with that eatBar must (by the above) have made an external report ... so the college is *not* livelocked.

This is a contradiction! So the supposition is false – and the college is *livelock free.* 

In Roscoe's book, chains are not built up **one-at-a-time** like this **(possibly because the standard dining philosophers solution analysed does not collapse as nicely as this one, when reporting is hidden?).** Instead, they are built up in powers of 10. We can do this too:

```
--* A chain of (length^level) philospher-fork pairs.

VERIFY PROC Chain2 (VAL VERIFY INT level, length,

BARRIER eatBarRight, eatBarLeft)

IF

level = 0

PhilFork. (eatBarRight, eatBarLeft)

TRUE

NORMALISE

[length-1]BARRIER eatBar:

PAR

Chain2 (level - 1, length, eatBarRight, eatBar[0])

PAR id = 1 FOR length - 2

Chain2 (level - 1, length, eatBar[id - 1], eatBar[id])

Chain2 (level - 1, length, eatBar[id - 2], eatBarLeft)
```

```
--* A chain of (length^level) philospher-fork pairs.
VERIFY PROC Chain2 (VAL VERIFY INT level, length,
                     BARRIER eatBarRight, eatBarLeft)
  • • •
2
VERIFY DEADLOCK.FREE.F Chain2 (0, 10, _, _)
VERIFY DEADLOCK.FREE.F Chain2 (1, 10, _, _)
VERIFY DEADLOCK.FREE.F Chain2 (10, 10, _, _)
VERIFY DEADLOCK.FREE.F Chain2 (100, 10, _, _)
VERIFY DEADLOCK.FREE.F Chain2 (1000, 10, _, _)
VERIFY Chain2 (1, 2, _, _) EQUIVALENT.F Chain2 (2, 2, _, _)
VERIFY Chain2 (2, 2, _, _) EQUIVALENT.F Chain2 (3, 2, _, _)
VERIFY Chain2 (1, 10, _, _) EQUIVALENT.F Chain2 (2, 10, _, _)
```

And the Colleges ...

```
--* A college of size (length^level) + 1.
VERIFY PROC CollegeChain2 (VAL VERIFY INT level, length)
 NORMALISE
    [2]BARRIER eatBar:
   PAR
     PhilFork. (eatBar[0], eatBar[1])
     Chain2 (level, length, eatBar[1], eatBar[0])
2
VERIFY DEADLOCK.FREE.F CollegeChain2 (0, 10, _, _)
VERIFY DEADLOCK.FREE.F CollegeChain2 (1, 10, , )
VERIFY DEADLOCK.FREE.F CollegeChain2 (10, 10, , )
VERIFY DEADLOCK.FREE.F CollegeChain2 (100, 10, , )
VERIFY DEADLOCK.FREE.F CollegeChain2 (1000, 10, , )
VERIFY DEADLOCK.FREE.F CollegeChain2 (2000, 10, , )
VERIFY DEADLOCK.FREE.F CollegeChain2 (2500, 10, _, _)
```

FDR2 verifies the first four above almost instantly. The college of size (10^1000 + 1) takes around 8 seconds and (10^2000 + 1) around 20 seconds. The last one crashes FDR2: "broken pipe" on the terminal launch window.

```
--* A college of size (length^level) + 1.
VERIFY PROC CollegeChain2 (VAL VERIFY INT level, length)
NORMALISE
[2]BARRIER eatBar:
PAR
PhilFork. (eatBar[0], eatBar[1])
Chain2 (level, length, eatBar[1], eatBar[0])
:
VERIFY DEADLOCK.FREE.F CollegeChain2 (2000, 10, _, _) ✓
```

The same arguments as before reveal that removing the *report hiding* from these colleges leaves them *deadlock* and *livelock free*.

For the college with  $(10^{2000} + 1)$  philosophers, all we need is a universe large enough to contain the computer on which to run it.

We may actually need **several** parallel universes. Establishing the barrier syncs and channel communications between them is an open question.

# **Reflection**

## occam- $\pi$ / CSP<sub>M</sub>

occam- $\pi$  teams well with CSP<sub>M</sub> to provide efficient executables and rich formal analysis.

This presentation reflects a proposal to extend **occam-** $\pi$  to include *verification assertions* (about *deadlock*, *livelock*, *determinism* and *refinement*). Its compiler will generate suitably abstracted **CSP**<sub>M</sub> and interact with the **FDR2** model checker, feeding back results in terms of the source **occam-** $\pi$  program.

Together with the ancient formal *Laws of occam Programming*<sup>\*</sup>, this moves occam- $\pi$  towards a process algebra in its own right.

http://portal.acm.org/citation.cfm?id=53255

[A.W.Roscoe and C.A.R.Hoare, 1988]

\*

# **Reflection**

### Observation

Formal verification of the behaviour of concurrent processes can be achieved – *by students* – even though they engaged in only simple reasoning themselves.

The complexity of synchronisation and communication analysed goes far beyond the *embarrassingly parallel*.

Aside: model checking found an error overlooked in developing the **(Device)** case study on paper (the need for **ping**) ... which shows the necessity for formal checks **(especially when those responsible think they won't make mistakes!)**.

Further reading: Santa Claus: Formal Analysis of a Process Oriented Solution\*.

http:/doi.acm.org/10.1145/1734206.1734211

TOPLAS, [April, 2010]

\*

# **Reflection**

### Class experience

The **(Device)** case study presented was developed from one first worked through in a single lesson of a graduate class in concurrency at UNLV in the spring of 2010.

They had previously studied a range of concurrency approaches, including *process-oriented* material from the Kent "Concurrency **Design and Practice**" course. <u>https://moodle.kent.ac.uk/</u>

https://moodle.kent.ac.uk/ external/course/view.php?id=31

They were comfortable with using occam- $\pi$  in non-trivial projects (thousands of interacting processes), so the example system here would be considered fairly simple.

Nevertheless, it was appreciated that relying just on intuitive understanding is unsafe – especially if the application were safety critical.



*can* we (and *should* we) teach concurrency at the start of the undergraduate CS curriculum ...



we **can** (and we **should**) teach formal analysis and verification of this concurrency at the same time ...



*can* we (and *should* we) teach concurrency at the start of the undergraduate CS curriculum ...



### Not only

can we (and should we) teach concurrency at the start of the undergraduate CS curriculum ...



Complex and high-performance systems cannot avoid concurrent design, implementation *and reasoning*.

Common concurrency bugs are intermittent – not repeatable on demand. *Untestable in practice*.

We stand on the shoulders of giants (who made the theory and model checkers). We verify programs just by writing programs ... it becomes everyday practice.

#### But also

we **can** (and we **should**) teach formal analysis and verification of this concurrency at the same time ...

#### Observation

Can we teach students *(those who love to program, anyway)* concurrency so that:

they quickly develop a correct and intuitive understanding of the primitive mechanisms (e.g. processes, communication, synchronisation, networks) and higher level patterns (e.g. client-server, phased barrier, I/O-PAR) ... ?

they can use those primitives and patterns with the same fluency as they use serial computing primitives, without tripping over dark hazards ... ?

they can develop their own patterns when the standard ones don't apply ...?

they can use formal methods to verify good behaviour (e.g. freedom from deadlock and livelock, safety, liveness), without training in the underlying mathematics (process algebra, denotational semantics) ... ?

they can do this as normal everyday practice, without any sense of fear ...?

#### Observation

### Any questions?

Can we teach students *(those who love to program, anyway)* concurrency so that:

they quickly develop a correct and intuitive understation mechanisms (e.g. processes, communication, sy and higher level patterns (e.g. client-server, pb the primitive *n, networks)* I/O-PAR) ... ?

they can use those primitives and patter serial computing primitives, without tri

they can develop their own pat

Jame fluency as they use Jark hazards ... ?

ne standard ones don't apply ... ?

they can use formal met deadlock and livelock mathematics (proc

they can do this

y good behaviour (e.g. freedom from ness), without training in the underlying denotational semantics) ... ?

al everyday practice, without any sense of fear ... ?

24-Jun-11

Copyleft (GPL) P.H.Welch and J.B.Pedersen