Logic Model Checking, CS 118
First Assignment
This assignment counts for 10% of the final grade.
(late submissions lose 10 pts from the score, cumulatively each day at noon)
Solutions are due: Noon, 19 January 2017
via email to [email protected]
(keep it small – don’t send executables)
1. (16pts) Consider the following sequence of three instructions (the “program”):
read(x,r);
// copy the value of global variable x into a local process register r
inc(r);
// increment the value stored in local process register r by one
write(r,x)
// copy the value from local register r back into global variable x
Consider two threads of execution running identical copies of the above program with
initially the shared variable x equal to 0. At each step, a scheduler selects an arbitrary
thread that has not yet terminated, and allows that thread to execute one instruction
indivisibly (i.e., without interference from any other thread). Thus, an execution of
the system can be characterized by a totally ordered sequence of the instructions from
both threads. If we use superscripts to identify the executing thread, one such execution
is: read1, inc1, write1, read2, inc2, write2.
a) (4pts) How many different executions of this system with two threads are
possible? (different meaning different interleaving orders of the instructions)
b) (4pts) How many different final values for the shared variable x are possible?
c) (4pts) How many different executions of the system are there with T threads,
each executing the above program? (T>0)
d) (4pts) How many different final values for x are possible with T=3?
2. (24pts) Consider a variation on the above system where the three instructions are
executed in a loop that runs precisely four times.
a) (8pts) Write a Spin model for the cyclic case, using two threads of execution,
and analyze its behavior with Spin. Declare the variable x as a byte (with
possible values 0..255). The default starting value for global variables is
always zero.
b) (8pts) Use an assert statement to find the minimum and the maximum possible
value of x at the end of an execution.
Hint: See http://spinroot.com/spin/Man/promela.html for a basic reference
to the specification language. Use Spin to generate a verifier from the
model (spin -run model.pml). Assert that you know that the value cannot
be smaller/larger than N (you pick N), and let the model checker tell you if
you’re wrong.
c) (8pts) Demonstrate the existence of an execution that realizes the minimum
value by generating and then replaying the execution trail that shows it.
Hint: Use spin -t -p -g -replay model.pml to replay the trail once it has
been generated. Try to gain an intuitive understanding of how the system
can end with x equal to this minimum.
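As an added illustration of the scheduling model used in Problems 1 and 2 (this is my own code, not part of the assignment and not a Spin model), the explorer below enumerates every interleaving of T threads running the read/inc/write program a given number of times, counts the distinct executions, collects the possible final values of x, and keeps one trail that ends in the minimum, which is what the Spin verifier and the spin -t replay do for the Promela model you are asked to write. The names step and explore and the state-tuple layout are my own.

```python
from functools import lru_cache

# One thread's program, exactly as in Problem 1: read(x,r); inc(r); write(r,x)
PROGRAM = ("read", "inc", "write")


def step(state, t):
    """Let thread t execute its next instruction indivisibly; return the new state.

    state = (x, pcs, regs): shared x, per-thread count of executed instructions,
    per-thread local register r. Thread numbers are 0-based internally.
    """
    x, pcs, regs = state
    op = PROGRAM[pcs[t] % len(PROGRAM)]
    regs = list(regs)
    if op == "read":
        regs[t] = x
    elif op == "inc":
        regs[t] += 1
    else:                                   # write
        x = regs[t]
    pcs = pcs[:t] + (pcs[t] + 1,) + pcs[t + 1:]
    return (x, pcs, tuple(regs))


def explore(threads, loops=1):
    """Exhaustively explore all interleavings of `threads` copies of PROGRAM, each
    run `loops` times (loops=1 is the Problem 1 system, loops=4 the Problem 2 one).

    Returns (number of distinct executions, set of possible final x values,
    trail of (thread, instruction) pairs, 1-based threads, ending in the minimum x).
    """
    limit = loops * len(PROGRAM)            # instructions per thread
    init = (0, (0,) * threads, (0,) * threads)

    def enabled(state):                     # threads that have not terminated
        return [t for t in range(threads) if state[1][t] < limit]

    @lru_cache(maxsize=None)
    def executions(state):                  # interleavings from this state on
        return sum(executions(step(state, t)) for t in enabled(state)) or 1

    seen, finals, stack = {init: []}, {}, [init]
    while stack:                            # depth-first search over the state space
        state = stack.pop()
        if not enabled(state):
            finals.setdefault(state[0], seen[state])
        for t in enabled(state):
            nxt = step(state, t)
            if nxt not in seen:
                seen[nxt] = seen[state] + [(t + 1, PROGRAM[state[1][t] % len(PROGRAM)])]
                stack.append(nxt)
    return executions(init), set(finals), finals[min(finals)]
```

Replaying the returned trail with step, one instruction at a time, reproduces the minimum the same way spin -t replays a stored trail file.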
3. (30 pts) Consider the following finite state description of a concurrent system:
The graph above shows seven reachable system states, numbered 0 through 6.
Execution starts in the state numbered 0 and at each step one of the outgoing
transitions from the current state is selected at random. Transition (i,j) corresponds to
the execution of instruction j in thread i. The execution of this system terminates only
when it reaches a state with no outgoing transitions. Clearly this system allows both
finite and infinite executions.
A sample finite execution is the transition sequence: (1,1), (1,2), (2,2), (1,4), (1,5).
Only finite executions that terminate in state 6 (circled red) are considered to have
terminated correctly. State 6 is said to be a valid endstate; all other states where
execution might terminate are considered invalid endstates.
Given a description of a system like this, we can formalize some basic properties of
executions, and check if the system satisfies these properties. For instance:
Deadlock is possible if the system can reach a state in which no threads can
execute, but which is not marked as a valid end-state.
Starvation is possible if the system can perform an execution cycle that does not
include any steps from at least one thread that is nonetheless able to execute
instructions (i.e., it has not reached an end-state).
a) (15 pts) Give two executions of the above system for each property: one that
does and one that does not have the property.
b) (15 pts) Formalize the notion of starvation given above as a property of a
directed graph. (A graph is starvation free if and only if…)
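Added example, not part of the assignment: a checker for the two properties defined above, run over a labelled transition graph. The graph in the code is a constructed toy system, not the figure of Problem 3 (which is not reproduced here), and "able to execute" is read as "thread i has an enabled transition in at least one state of the cycle"; that reading, and all function names, are my assumptions.

```python
# Constructed sample system (not the Problem 3 graph): for each state, a list of
# outgoing transitions (thread, instruction, target). State 5 is the only valid endstate.
SAMPLE_EDGES = {
    0: [(1, 1, 1), (2, 1, 2)],
    1: [(2, 1, 3), (1, 2, 6)],
    2: [(1, 1, 3), (2, 2, 4)],
    3: [(1, 2, 5)],
    4: [(2, 3, 2)],        # 2 -> 4 -> 2 is a cycle that takes steps of thread 2 only
    5: [],                 # valid endstate
    6: [],                 # no outgoing transitions, but not a valid endstate
}
VALID_ENDS = frozenset({5})


def successors(edges, thread=None):
    """Plain adjacency lists; if `thread` is given, its transitions are dropped."""
    return {s: [dst for (t, _, dst) in out if t != thread] for s, out in edges.items()}


def reachable(adj, start):
    seen, stack = set(), [start]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(adj[s])
    return seen


def deadlocks(edges, start=0, valid_ends=frozenset()):
    """Reachable states with no outgoing transition that are not valid endstates."""
    adj = successors(edges)
    return sorted(s for s in reachable(adj, start) if not adj[s] and s not in valid_ends)


def starvations(edges, start=0):
    """For each thread i that can be starved, the reachable states that lie on a cycle
    using no step of thread i while thread i has an enabled transition there.
    A cycle avoiding thread i exists exactly when the graph minus i's edges has a cycle."""
    live = reachable(successors(edges), start)
    threads = {t for out in edges.values() for (t, _, _) in out}
    result = {}
    for i in sorted(threads):
        adj = successors(edges, thread=i)
        on_cycle = {s for s in live if any(s in reachable(adj, n) for n in adj[s])}
        witnesses = sorted(s for s in on_cycle if any(t == i for (t, _, _) in edges[s]))
        if witnesses:
            result[i] = witnesses
    return result
```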
4. (30 pts): Below is a small piece of C code that is meant to compute the greatest
common divisor of two non-negative integers.
a) (10 pts) Draw the control-flow graph for the algorithm, similar to the graph
shown in Problem 3 and define a property of the graph that can formalize the
correctness of the algorithm. In this case you’ll have only one thread of
execution. Use your best insight about what it means for the algorithm to be
“correct” – there may be multiple requirements.
b) (10 pts) How many test cases would you minimally need to execute each
statement at least once? Define those test(s). Does the algorithm satisfy the
properties you defined in 4a?
c) (10 pts) Can you give an argument to show that the algorithm will necessarily
terminate on all inputs?
#include <stdio.h>

void
gcd(unsigned int a, unsigned int b)
{
	while (b != 0)
	{
		if (a > b)
		{
			a = a - b;
		} else
		{
			b = b - a;
		}
	}
	printf("%u", a);	/* a is unsigned, so %u rather than %d */
}
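Added example, not part of the assignment: a Python transliteration of the gcd function above, instrumented for statement coverage and bounded execution, which is one way to check the questions of 4b and 4c mechanically on small inputs. The function names, statement labels and the step bound are my own choices.

```python
# Labels for the four executable statements of the C function, used for coverage.
STATEMENTS = {"while (b != 0)", "a = a - b", "b = b - a", "printf(a)"}


def gcd_traced(a, b, max_steps=1000):
    """Mirror of the C gcd. Returns (result, covered): `covered` is the set of
    statements executed, `result` is None if the loop exceeds max_steps, the
    bounded-execution way to flag an input on which the algorithm does not stop."""
    covered, steps = set(), 0
    while b != 0:
        covered.add("while (b != 0)")
        steps += 1
        if steps > max_steps:
            return None, covered
        if a > b:
            covered.add("a = a - b")
            a = a - b
        else:
            covered.add("b = b - a")
            b = b - a
    covered.add("printf(a)")
    return a, covered


def single_tests_covering_all(limit=10):
    """Inputs (a, b) below `limit` that execute every statement on their own,
    i.e. candidate one-test answers to the coverage question."""
    return [(a, b) for a in range(limit) for b in range(limit)
            if gcd_traced(a, b)[1] == STATEMENTS]


def diverging_inputs(limit=10):
    """Inputs below `limit` for which bounded execution never reaches the printf."""
    return [(a, b) for a in range(limit) for b in range(limit)
            if gcd_traced(a, b)[0] is None]
```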