Verification of concurrent models (example)

Mutual exclusion protocol model: schematic
[Figure: two process state machines]
Process p0: s0 --(y=1, t=1)--> s1 --(x==0 || t==0)--> s2 --(y=0)--> s3
Process p1: t0 --(x=1, t=0)--> t1 --(y==0 || t==1)--> t2 --(x=0)--> t3
Initial state: s0, t0, x=0, y=0, t=0
Mutual exclusion protocol model (2)
Initial state expressed over the model variables: a=s0, b=t0, x=0, y=0, t=0
Verification of concurrent models
[Figure: verification problem --(modelling)--> Model]

Concurrent model (main program)
VVM
VAR
x: 0..1; y: 0..1; t: 0..1;
INIT
x=0; y=0; t=0;
PROC
p0: p0m();
p1: p1m();
SPEC
AG(!(p0.a=s2&p1.b=t2));
AG((!p0.a=s1|AF(p0.a=s2|p1.b=t2))&(!p1.b=t1|AF(p0.a=s2|p1.b=t2)));
AG((!p0.a=s1|AF(p0.a=s2))&(!p1.b=t1|AF(p1.b=t2)));
AG((!p0.a=s1|EF(p0.a=s2))&(!p1.b=t1|EF(p1.b=t2)));
Concurrent model (process module 1)
MODULE p0m()
VAR
a: {s0,s1,s2,s3};
INIT
a=s0;
TRANS
a=s0: (y,t,a):=(1,1,s1);
a=s1&(x=0|t=0): (a):=(s2);
a=s1&!(x=0|t=0): (a):=(s1);
a=s2: (y,a):=(0,s3);
a=s2: (a):=(s2);
a=s3: (y,t,a):=(1,1,s1);
Concurrent model (process module 2)
MODULE p1m()
VAR
b: {t0,t1,t2,t3};
INIT
b=t0;
TRANS
b=t0: (x,t,b):=(1,0,t1);
b=t1&(y=0|t=1): (b):=(t2);
b=t1&!(y=0|t=1): (b):=(t1);
b=t2: (x,b):=(0,t3);
b=t2: (b):=(t2);
b=t3: (x,t,b):=(1,0,t1);
Model checking
./verds -ck 1 me002.vvm
VERSION: verds 1.42 - DEC 2012
FILE: me001.vvm
PROPERTY: A G ! ((a = 2 )& (b = 2 ))
bound = 1    time = 0    time = 0
---------
bound = 2    time = 0    time = 0
---------
bound = 3    time = 0    time = 0
---------
bound = 4    time = 0    time = 0
---------
bound = 5    time = 0    time = 0
---------
bound = 6    time = 0    time = 0
---------
CONCLUSION: TRUE (time=0)
Model checking conclusions
Property                                                        Conclusion
AG(!(p0.a=2&p1.a=2))                                            true
AG((!p0.a=1|AF(p0.a=2|p1.a=2))&(!p1.a=1|AF(p0.a=2|p1.a=2)))     false
AG((!p0.a=1|AF(p0.a=2))&(!p1.a=1|AF(p1.a=2)))                   false
AG((!p0.a=1|EF(p0.a=2))&(!p1.a=1|EF(p1.a=2)))                   true
Note on process fairness
Concurrent model (main program): identical to the listing above.
Concurrent model (process module 1a)
MODULE p0m()
VAR
a: {s0,s1,s2,s3};
INIT
a=s0;
TRANS
a=s0: (y,t,a):=(1,1,s1);
a=s1&(x=0|t=0): (a):=(s2);
a=s1&!(x=0|t=0): (a):=(s1);
a=s2: (y,a):=(0,s3);
a=s2: (a):=(s2);
a=s3: (y,t,a):=(1,1,s1);
FAIRNESS running;
Concurrent model (process module 2a)
MODULE p1m()
VAR
b: {t0,t1,t2,t3};
INIT
b=t0;
TRANS
b=t0: (x,t,b):=(1,0,t1);
b=t1&(y=0|t=1): (b):=(t2);
b=t1&!(y=0|t=1): (b):=(t1);
b=t2: (x,b):=(0,t3);
b=t2: (b):=(t2);
b=t3: (x,t,b):=(1,0,t1);
FAIRNESS running;
Model checking conclusions
Property                                                        Conclusion
AG(!(p0.a=2&p1.a=2))                                            true
AG((!p0.a=1|AF(p0.a=2|p1.a=2))&(!p1.a=1|AF(p0.a=2|p1.a=2)))     true
AG((!p0.a=1|AF(p0.a=2))&(!p1.a=1|AF(p1.a=2)))                   false
AG((!p0.a=1|EF(p0.a=2))&(!p1.a=1|EF(p1.a=2)))                   true
Note on process fairness (2)
Concurrent model (main program): identical to the listing above.
Concurrent model (process module 1b)
MODULE p0m()
VAR
a: {s0,s1,s2,s3};
INIT
a=s0;
TRANS
a=s0: (y,t,a):=(1,1,s1);
a=s1&(x=0|t=0): (a):=(s2);
a=s1&!(x=0|t=0): (a):=(s1);
a=s2: (y,a):=(0,s3);
a=s2: (a):=(s2);
a=s3: (y,t,a):=(1,1,s1);
FAIRNESS running; a!=s2;
Concurrent model (process module 2b)
MODULE p1m()
VAR
b: {t0,t1,t2,t3};
INIT
b=t0;
TRANS
b=t0: (x,t,b):=(1,0,t1);
b=t1&(y=0|t=1): (b):=(t2);
b=t1&!(y=0|t=1): (b):=(t1);
b=t2: (x,b):=(0,t3);
b=t2: (b):=(t2);
b=t3: (x,t,b):=(1,0,t1);
FAIRNESS running; b!=t2;
Model checking conclusions
Property                                                        Conclusion
AG(!(p0.a=2&p1.a=2))                                            true
AG((!p0.a=1|AF(p0.a=2|p1.a=2))&(!p1.a=1|AF(p0.a=2|p1.a=2)))     true
AG((!p0.a=1|AF(p0.a=2))&(!p1.a=1|AF(p1.a=2)))                   true
AG((!p0.a=1|EF(p0.a=2))&(!p1.a=1|EF(p1.a=2)))                   true
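The three result tables above come from VERDS. The following added example (not code from the slides or from VERDS) recomputes all four SPEC rows by explicit-state search over the VVM transitions, so the effect of each FAIRNESS line can be seen directly. It assumes interleaving semantics (one process moves per step), that a self-loop such as a=s2: (a):=(s2) counts as that process "running", and that a FAIRNESS predicate must hold infinitely often along a path, i.e. somewhere on the cycle of any counterexample lasso.

```python
# Added example: explicit-state check of the VVM mutual-exclusion model above.
# Assumptions: interleaving (one process per step); self-loops count as running.
INIT = ("s0", "t0", 0, 0, 0)  # state = (p0.a, p1.b, x, y, t), as in INIT above

def moves(s):
    # Successors of s, each tagged with the process that moved.
    a, b, x, y, t = s
    p0 = {"s0": [("s1", b, x, 1, 1)],                           # (y,t,a):=(1,1,s1)
          "s1": [("s2", b, x, y, t)] if x == 0 or t == 0 else [s],
          "s2": [("s3", b, x, 0, t), s],                        # leave, or stay in s2
          "s3": [("s1", b, x, 1, 1)]}[a]
    p1 = {"t0": [(a, "t1", 1, y, 0)],                           # (x,t,b):=(1,0,t1)
          "t1": [(a, "t2", x, y, t)] if y == 0 or t == 1 else [s],
          "t2": [(a, "t3", 0, y, t), s],
          "t3": [(a, "t1", 1, y, 0)]}[b]
    return [("p0", n) for n in p0] + [("p1", n) for n in p1]

def reach(start, keep=lambda s: True):
    # States reachable from start in one or more steps through keep-states only.
    seen, todo = set(), [n for _, n in moves(start) if keep(n)]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(n for _, n in moves(s) if keep(n))
    return seen

def af_holds(start, goal, running=False, fair=()):
    # AF goal fails iff a fair cycle of !goal states is reachable from start: with
    # running, both processes move on it; each fair predicate holds somewhere on it.
    avoid = lambda s: not goal(s)
    region = ({start} | reach(start, avoid)) if avoid(start) else set()
    fwd = {s: reach(s, avoid) for s in region}
    for s in region:
        scc = {u for u in fwd[s] if s in fwd[u]}                # empty unless s is on a cycle
        movers = {p for u in scc for p, n in moves(u) if n in scc}
        if scc and (movers == {"p0", "p1"} or not running) and all(any(f(u) for u in scc) for f in fair):
            return False
    return True

def check_specs(running=False, fair=()):
    # The four SPEC lines as (mutex, AF someone enters, AF own entry, EF own entry).
    states, in_s2, in_t2 = reach(INIT) | {INIT}, lambda s: s[0] == "s2", lambda s: s[1] == "t2"
    w0, w1 = [s for s in states if s[0] == "s1"], [s for s in states if s[1] == "t1"]
    af = lambda goal, ws: all(af_holds(s, goal, running, fair) for s in ws)
    ef = lambda goal, ws: all(any(goal(r) for r in reach(s)) for s in ws)
    mutex = not any(in_s2(s) and in_t2(s) for s in states)
    return (mutex, af(lambda s: in_s2(s) or in_t2(s), w0 + w1),
            af(in_s2, w0) and af(in_t2, w1), ef(in_s2, w0) and ef(in_t2, w1))
```

check_specs() reproduces the first table, check_specs(running=True) the second, and check_specs(running=True, fair=(lambda s: s[0] != "s2", lambda s: s[1] != "t2")) the third; the s2 self-loop is what keeps the third row false until a!=s2 is required infinitely often.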
Verification process
[Figure: verification problem --(modelling)--> Model (with safety properties) --> VERDS Model Checker --> Positive Conclusion, or Negative Conclusion with Error Trace]
http://lcs.ios.ac.cn/~zwh/verds/

Questions?