Program correctness
The State-transition model
transition
A global state S  s0 x s1 x … x sm
C
{sk = local state of process k}
action
S0
 S1
action
action
 S2  …
A
D
E
B
F
G
Each state transition is caused by an
action by an eligible process.
state
H
L
I
Initial
state
J
K
We reason using interleaving
semantics, and assume that concurrent
actions are serialized in an arbitrary order
A sample computation (or behavior) is ABGHIFL
Correctness criteria
• Safety properties
• Bad things never happen
• Liveness properties
• Good things eventually happen
Testing vs. Proof
Testing: Apply inputs and observe if the outputs
satisfy the specifications. Fool proof testing can be
painfully slow, even for small systems. Most testing
are partial.
Proof: Has a mathematical foundation, and is a
complete guarantee. Sometimes not scalable.
Testing vs. Proof
To test this program, you have
to test all possible interleavings.
With n processes p0, p1, … pn-1,
and m steps per process, the
number of interleavings is
(n.m)!
(m!) n
The state explosion problem
p0
p1
p2
p3
step1 step1 step1 step1
step2 step2 step2 step2
step3 step3 step3 step3
Example: Mutual Exclusion
Process 0
do true 
Entry protocol
Critical section
Exit protocol
od
Process 1
do true 
Entry protocol
Critical section
Exit protocol
od
Safety properties
(1) There is no deadlock
(2) At most one process is in its critical section.
Liveness property
A process trying to enter the CS must eventually succeed.
(This is also called the progress property)
CS
CS
Exercise
program mutex 1
{two process mutual exclusion algorithm: shared memory model}
define busy :shared boolean (initially busy = false}
{process 0}
{process 1}
do true 
do true 
do busy  skip od;
do busy  skip od;
busy:= true;
busy:= true;
critical section;
critical section
busy := false;
busy := false
{remaining codes}
{remaining codes}
od
od
Does this mutual exclusion protocol satisfy liveness and safety properties?
Safety invariants
Invariant means: something meaningful should always hold
Example: Total no. of processes in CS ≤ 1 (mutual exclusion problem)
Another safety property is Partial correctness. It implies that
“If the program terminates then the postcondition will hold.”
Consider the following:
do G0  S1 [] G1  S1 [] … [] Gk  Sk od
Safety invariant: (G0  G1  G2 … Gk)  postcondition
It does not say if the program will terminate.
(termination is a liveness property)
Total correctness = partial correctness + termination.
Exercise
Starting from the given initial state, devise an algorithm to color the
nodes of the graph using the colors 0 and 1, so that no
two adjacent nodes have the same color.
0
program colorme {for process Pi }
0
p1
p2
p0
p3
1
1
define color c  {0, 1}
Initially colors are arbitrary
do j : j  neighbor(i) :: (c[i] = c[j]) 
c[i] := 1 - c[i]
od
Is the program partially
correct? YES (why?)
Does it terminate? NO (why?)
Liveness properties
Eventuality is tricky. There is no need to guarantee when
the desired thing will happen, as long as it happens..
Some examples






The message will eventually reach the receiver.
The process will eventually enter its critical section.
The faulty process will be eventually be diagnosed
Fairness (if an action will eventually be scheduled)
The program will eventually terminate.
The criminal will eventually be caught.
Absence of liveness cannot be determined from finite prefix
of the computation
Proving safety
define
c1, c2 : channel; {init c1 =  c2 =}
r, t : integer; {init r = 5, t = 5}
{program for T}
1
do t > 0 send msg along c1; t := t -1
2
[] ¬empty (c2)  rcv msg from c2; t := t + 1
od
{program for R}
3
do ¬empty (c1)  rcv msg from c1; r := r+1
4
[]
r>0
 send msg along c2; r := r-1
od
the safety property P:
P  n1 + n2 ≤ 10
We want to prove
n1= # of messages in c1
n2= # of messages in c2
c1
T
R
c2
transmitter
receiver
Proving safety
n1, n2 = # of messages in c1and c2 respectively.
We will establish the following invariant:
c1
I  (t ≥ 0)  (r ≥ 0)  (n1 + t + n2 + r = 10)
(I ⇒ P). Check if I holds after every action.
{program for T}
1
do t > 0 send msg along c1; t := t -1
2
[] ¬empty (c2)  rcv msg from c2; t := t+1
od
{program for R}
3
do ¬empty (c1)  rcv msg from c1; r := r+1
4
[]
r>0
 send msg along c2; r := r-1
od
T
R
c2
Use the method of induction
Show that I initially holds, and
holds after each action.
Proving liveness
Global state
Global state
S1 S2  S3  S4 
 f f
f f
w1 w2 w3 w4
o w1, w2, w3, w4  WF
o WF is a well-founded set whose
elements can be ordered by »
f is called a variant function
If there is no infinite chain like
w1 » w2 » w3 » w4 .., i.e.
f(si) » f(si+1) » f(si+2) ..
then the computation will
definitely terminate!
Example?