A High-Level Language for Modeling Algorithms andtheir Properties

Sabina Akhtar Stephan Merz Martin Quinson

LORIA – INRIA Nancy Grand Est and Nancy University, Nancy, France

SBMF 2010

1 / 55

Outline

1 IntroductionBackgroundMotivations for PLUSCAL-2

2 PLUSCAL-2The LanguageThe StatementsThe Compiler

3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL

4 Summary

2 / 55

Background

Formal verification of concurrent and distributed systemsProblems like deadlocks, race conditions,...TLA+: Specification language

developed by Leslie Lamporta language based on mathematical set theory

TLC: Model checkerfor verifying TLA+ specifications

Leslie Lamport. Specifying Systems, The TLA+ Language and Tools forHardware and Software Engineers. Addison-Wesley, 2002.

3 / 55

An Example

Lamport’s Mutual Exclusion Algorithm

4 / 55

TLA+ Specifications

Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”

�self ∈ CommunicatorIDs → ”chkMsg”]

ncrit(self )∆= ∧ pc[self ] = ”ncrit”

∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}

try(self )∆= ∧ pc[self ] = ”try”

∧ . . .. . .

Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )

. . .

Communicator(self )∆= chkMsg(self )

Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars

)

Spec ∆= Init ∧ 2[Next]vars

5 / 55

TLA+ Specifications

Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”

�self ∈ CommunicatorIDs → ”chkMsg”]

ncrit(self )∆= ∧ pc[self ] = ”ncrit”

∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}

try(self )∆= ∧ pc[self ] = ”try”

∧ . . .. . .

Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )

. . .

Communicator(self )∆= chkMsg(self )

Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars

)

Spec ∆= Init ∧ 2[Next]vars

6 / 55

TLA+ Specifications

Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”

�self ∈ CommunicatorIDs → ”chkMsg”]

ncrit(self )∆= ∧ pc[self ] = ”ncrit”

∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}

try(self )∆= ∧ pc[self ] = ”try”

∧ . . .. . .

Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )

. . .

Communicator(self )∆= chkMsg(self )

Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars

)

Spec ∆= Init ∧ 2[Next]vars

7 / 55

TLA+ Specifications

Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”

�self ∈ CommunicatorIDs → ”chkMsg”]

ncrit(self )∆= ∧ pc[self ] = ”ncrit”

∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}

try(self )∆= ∧ pc[self ] = ”try”

∧ . . .. . .

Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )

. . .

Communicator(self )∆= chkMsg(self )

Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars

)

Spec ∆= Init ∧ 2[Next]vars

8 / 55

TLA+ Specifications

Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”

�self ∈ CommunicatorIDs → ”chkMsg”]

ncrit(self )∆= ∧ pc[self ] = ”ncrit”

∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}

try(self )∆= ∧ pc[self ] = ”try”

∧ . . .. . .

Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )

. . .

Communicator(self )∆= chkMsg(self )

Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars

)

Spec ∆= Init ∧ 2[Next]vars

9 / 55

TLA+ Specifications

Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”

�self ∈ CommunicatorIDs → ”chkMsg”]

ncrit(self )∆= ∧ pc[self ] = ”ncrit”

∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}

try(self )∆= ∧ pc[self ] = ”try”

∧ . . .. . .

Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )

. . .

Communicator(self )∆= chkMsg(self )

Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars

)

Spec ∆= Init ∧ 2[Next]vars

10 / 55

TLA+ Specifications

Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”

�self ∈ CommunicatorIDs → ”chkMsg”]

ncrit(self )∆= ∧ pc[self ] = ”ncrit”

∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}

try(self )∆= ∧ pc[self ] = ”try”

∧ . . .. . .

Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )

. . .

Communicator(self )∆= chkMsg(self )

Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars

)

Spec ∆= Init ∧ 2[Next]vars

11 / 55

TLA+ Specifications

Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”

�self ∈ CommunicatorIDs → ”chkMsg”]

ncrit(self )∆= ∧ pc[self ] = ”ncrit”

∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}

try(self )∆= ∧ pc[self ] = ”try”

∧ . . .. . .

Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )

. . .

Communicator(self )∆= chkMsg(self )

Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars

)

Spec ∆= Init ∧ 2[Next]vars

12 / 55

TLA+ Specifications

Init ∆= ∧ clock = 0∧ . . .∧ ProcSet = SiteIDs ∪ CommunicatorIDs∧ pc = [self ∈ ProcSet 7→ CASE self ∈ SiteIDs → ”ncrit”

�self ∈ CommunicatorIDs → ”chkMsg”]

ncrit(self )∆= ∧ pc[self ] = ”ncrit”

∧ . . .∧ pc′ = [pc EXCEPT![self ] = ”try”]∧ UNCHANGED vars\{pc}

try(self )∆= ∧ pc[self ] = ”try”

∧ . . .. . .

Site(self )∆= ncrit(self ) ∨ try(self ) ∨ enter(self ) ∨ crit(self ) ∨ exit(self )

. . .

Communicator(self )∆= chkMsg(self )

Next ∆= ∨ ∃self ∈ SiteIDs : Site(self )∨ ∃self ∈ CommunicatorIDs : Communicator(self )∨ (∧ ∀self ∈ ProcSet : pc[self ] = ”Done”∧ UNCHANGED vars

)

Spec ∆= Init ∧ 2[Next]vars

13 / 55

PLUSCAL: A high-level language

TLA+: Specification languagerequires specifications in the form of formulasdifficult to write for algorithm designers

PLUSCAL: Algorithmic Languageproposed by Leslie Lamport for algorithm designersa language for modeling algorithmsgenerates TLA+ specifications for a given model

Featuresallows writing informal description of algorithmsno complicated conceptsconstructs for expressing non-determinism

Leslie Lamport. The +CAL Algorithm Language.Theoretical Aspects of Computing-ICTAC 2009, number 5684, pp. 36-60.

14 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL

—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers

(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)

variables clock = 1, . . .begin

start: skip;. . .

end processprocess Communicator ∈Workersbegin. . .

end processend algorithm*)\* BEGIN TRANSLATION

(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================

15 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL

—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers

(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)

variables clock = 1, . . .begin

start: skip;. . .

end processprocess Communicator ∈Workersbegin. . .

end processend algorithm*)\* BEGIN TRANSLATION

(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================

16 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL

—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers

(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)

variables clock = 1, . . .begin

start: skip;. . .

end processprocess Communicator ∈Workersbegin. . .

end processend algorithm*)\* BEGIN TRANSLATION

(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================

17 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL

—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers

(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)

variables clock = 1, . . .begin

start: skip;. . .

end processprocess Communicator ∈Workersbegin. . .

end processend algorithm*)\* BEGIN TRANSLATION

(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================

18 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL

—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers

(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)

variables clock = 1, . . .begin

start: skip;. . .

end processprocess Communicator ∈Workersbegin. . .

end processend algorithm*)\* BEGIN TRANSLATION

(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================

19 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL

—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers

(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)

variables clock = 1, . . .begin

start: skip;. . .

end processprocess Communicator ∈Workersbegin. . .

end processend algorithm*)\* BEGIN TRANSLATION

(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================

20 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL

—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers

(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)

variables clock = 1, . . .begin

start: skip;. . .

end processprocess Communicator ∈Workersbegin. . .

end processend algorithm*)\* BEGIN TRANSLATION

(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================

21 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL

—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers

(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)

variables clock = 1, . . .begin

start: skip;. . .

end processprocess Communicator ∈Workersbegin. . .

end processend algorithm*)\* BEGIN TRANSLATION

(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================

22 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL

—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers

(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)

variables clock = 1, . . .begin

start: skip;. . .

end processprocess Communicator ∈Workersbegin. . .

end processend algorithm*)\* BEGIN TRANSLATION

(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================

23 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL

—————————————–MODULE LamportMutex—————————————–EXTENDS Naturals, Sequences (* Modules to be imported *)CONSTANTS N, maxClock, Peers, Workers

(* - - algorithm LamportMutexvariable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]]macro send(from, to, msg) begin . . . (* Variables, define sections and macros *)process Site ∈ Peers (* Processes *)

variables clock = 1, . . .begin

start: skip;. . .

end processprocess Communicator ∈Workersbegin. . .

end processend algorithm*)\* BEGIN TRANSLATION

(* Compiler generates TLA+ formulas here. *)\* END TRANSLATION===================================================================

24 / 55

Outline

1 IntroductionBackgroundMotivations for PLUSCAL-2

2 PLUSCAL-2The LanguageThe StatementsThe Compiler

3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL

4 Summary

25 / 55

Why change PLUSCAL?

Need to understand TLA+ and the compilationcannot express properties in PLUSCAL algorithmsfairness assumptions should be added in generated TLA+

specificationsLack of process hierarchy and scoping rules

impossible to express distributed algorithms naturallyall variables are considered as global variables

Restrictions in specifying atomicitylabels define atomic blocksrestrictions on label placements

Other technical limitationsno primitive for iterating over a setrestriction on multiple assignments to a variable in a block

26 / 55

Outline

1 IntroductionBackgroundMotivations for PLUSCAL-2

2 PLUSCAL-2The LanguageThe StatementsThe Compiler

3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL

4 Summary

27 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL-2

algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock

variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆

= . . .process Site[N] (* Processes *)

variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .

end process

end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock

28 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL-2

algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock

variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆

= . . .process Site[N] (* Processes *)

variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .

end process

end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock

29 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL-2

algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock

variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆

= . . .process Site[N] (* Processes *)

variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .

end process

end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock

30 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL-2

algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock

variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆

= . . .process Site[N] (* Processes *)

variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .

end process

end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock

31 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL-2

algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock

variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆

= . . .process Site[N] (* Processes *)

variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .

end process

end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock

32 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL-2

algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock

variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆

= . . .process Site[N] (* Processes *)

variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .

end process

end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock

33 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL-2

algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock

variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆

= . . .process Site[N] (* Processes *)

variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .

end process

end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock

34 / 55

Lamport’s Mutual Exclusion algorithm in PLUSCAL-2

algorithm LamportMutexextends Naturals, Sequences (* Modules to be imported *)constants N, maxClock

variable network = [from ∈ Site 7→ [to ∈ Site 7→ 〈〉]] (* Variables and definitions *)definition send(from, to, msg) ∆

= . . .process Site[N] (* Processes *)

variables clock = 1, . . .fair process Communicator[1] (* subprocess Communicator *). . .end process. . .

end process

end algorithmtemporal ∀ s ∈ Site : Site[s]@enter ; Site[s]@critsection. . .(* Finite instance for model checking *)constants N = 3, maxclock = 5constraint ∀ s ∈ Site : Site[s].clock ≤ maxClock

35 / 55

Outline

1 IntroductionBackgroundMotivations for PLUSCAL-2

2 PLUSCAL-2The LanguageThe StatementsThe Compiler

3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL

4 Summary

36 / 55

The PLUSCAL-2 Statements

Assignment and skip statementsAtomic construct

atomiclabel1: x := 3;label2: y := 4;

end atomicNon-deterministic choice construct: either orConditional constructs

if, when, and either from previous PLUSCAL.new construct branch, inspired by Dijkstra’s guarded commands

Iteration constructswhile, loop and for constructs

37 / 55

Outline

1 IntroductionBackgroundMotivations for PLUSCAL-2

2 PLUSCAL-2The LanguageThe StatementsThe Compiler

3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL

4 Summary

38 / 55

The PLUSCAL-2 Compiler

PLUSCAL-2 ParserTranslation to intermediate format

PLUSCAL-2 algorithm

λ: while x > 4 dox := x + 1;

µ: . . .end while

ν: . . .

Intermediate format

λ: branchx > 4 then

x := x + 1; pc[self] := µ;¬(x > 4) then

pc[self] := ν;end branch

µ: . . .pc[self] := λ;

39 / 55

The PLUSCAL-2 Compiler

PLUSCAL-2 ParserTranslation to intermediate format

PLUSCAL-2 algorithm

λ: while x > 4 dox := x + 1;

µ: . . .end while

ν: . . .

Intermediate format

λ: branchx > 4 then

x := x + 1; pc[self] := µ;¬(x > 4) then

pc[self] := ν;end branch

µ: . . .pc[self] := λ;

40 / 55

The PLUSCAL-2 Compiler

PLUSCAL-2 ParserTranslation to intermediate format

PLUSCAL-2 algorithm

λ: while x > 4 dox := x + 1;

µ: . . .end while

ν: . . .

Intermediate format

λ: branchx > 4 then

x := x + 1; pc[self] := µ;¬(x > 4) then

pc[self] := ν;end branch

µ: . . .pc[self] := λ;

41 / 55

The PLUSCAL-2 Compiler

PLUSCAL-2 ParserTranslation to intermediate format

PLUSCAL-2 algorithm

λ: while x > 4 dox := x + 1;

µ: . . .end while

ν: . . .

Intermediate format

λ: branchx > 4 then

x := x + 1; pc[self] := µ;¬(x > 4) then

pc[self] := ν;end branch

µ: . . .pc[self] := λ;

42 / 55

The PLUSCAL-2 Compiler

PLUSCAL-2 ParserTranslation to intermediate format

PLUSCAL-2 algorithm

λ: while x > 4 dox := x + 1;

µ: . . .end while

ν: . . .

Intermediate format

λ: branchx > 4 then

x := x + 1; pc[self] := µ;¬(x > 4) then

pc[self] := ν;end branch

µ: . . .pc[self] := λ;

43 / 55

The PLUSCAL-2 Compiler

PLUSCAL-2 ParserTranslation to intermediate format

PLUSCAL-2 algorithm

λ: while x > 4 dox := x + 1;

µ: . . .end while

ν: . . .

Intermediate format

λ: branchx > 4 then

x := x + 1; pc[self] := µ;¬(x > 4) then

pc[self] := ν;end branch

µ: . . .pc[self] := λ;

44 / 55

The PLUSCAL Compiler

Generation of TLA+ codegenerates the actual TLA+ model from the list of guardedcommands

Intermediate format

λ: branchx > 4 then

x := x + 1; pc[self] := µ;¬(x > 4) then

pc[self] := ν;end branch

TLA+ code

λ(self )∆= ∧ pc[self ] = λ∧ ∨ ∧ x > 4∧ x ′ = x + 1∧ pc′ = [pc EXCEPT ![self ] = µ]∧ UNCHANGED vars \ {x , pc}∨ ∧ ¬(x > 4)∧ pc′ = [pc EXCEPT ![self ] = ν]∧ UNCHANGED vars \ {pc}

45 / 55

The PLUSCAL Compiler

Generation of TLA+ codegenerates the actual TLA+ model from the list of guardedcommands

Intermediate format

λ: branchx > 4 then

x := x + 1; pc[self] := µ;¬(x > 4) then

pc[self] := ν;end branch

TLA+ code

λ(self )∆= ∧ pc[self ] = λ∧ ∨ ∧ x > 4∧ x ′ = x + 1∧ pc′ = [pc EXCEPT ![self ] = µ]∧ UNCHANGED vars \ {x , pc}∨ ∧ ¬(x > 4)∧ pc′ = [pc EXCEPT ![self ] = ν]∧ UNCHANGED vars \ {pc}

46 / 55

The PLUSCAL Compiler

Generation of TLA+ codegenerates the actual TLA+ model from the list of guardedcommands

Intermediate format

λ: branchx > 4 then

x := x + 1; pc[self] := µ;¬(x > 4) then

pc[self] := ν;end branch

TLA+ code

λ(self )∆= ∧ pc[self ] = λ∧ ∨ ∧ x > 4∧ x ′ = x + 1∧ pc′ = [pc EXCEPT ![self ] = µ]∧ UNCHANGED vars \ {x , pc}∨ ∧ ¬(x > 4)∧ pc′ = [pc EXCEPT ![self ] = ν]∧ UNCHANGED vars \ {pc}

47 / 55

The PLUSCAL Compiler

Generation of TLA+ codegenerates the actual TLA+ model from the list of guardedcommands

Intermediate format

λ: branchx > 4 then

x := x + 1; pc[self] := µ;¬(x > 4) then

pc[self] := ν;end branch

TLA+ code

λ(self )∆= ∧ pc[self ] = λ∧ ∨ ∧ x > 4∧ x ′ = x + 1∧ pc′ = [pc EXCEPT ![self ] = µ]∧ UNCHANGED vars \ {x , pc}∨ ∧ ¬(x > 4)∧ pc′ = [pc EXCEPT ![self ] = ν]∧ UNCHANGED vars \ {pc}

48 / 55

The PLUSCAL Compiler

Generation of TLA+ codegenerates the actual TLA+ model from the list of guardedcommands

Intermediate format

λ: branchx > 4 then

x := x + 1; pc[self] := µ;¬(x > 4) then

pc[self] := ν;end branch

TLA+ code

λ(self )∆= ∧ pc[self ] = λ∧ ∨ ∧ x > 4∧ x ′ = x + 1∧ pc′ = [pc EXCEPT ![self ] = µ]∧ UNCHANGED vars \ {x , pc}∨ ∧ ¬(x > 4)∧ pc′ = [pc EXCEPT ![self ] = ν]∧ UNCHANGED vars \ {pc}

49 / 55

Outline

1 IntroductionBackgroundMotivations for PLUSCAL-2

2 PLUSCAL-2The LanguageThe StatementsThe Compiler

3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL

4 Summary

50 / 55

Verification results for PLUSCAL-2 algorithms

No degradation found in the output of TLC model checkerGenerated state space doesn’t increase

More natural representation of the algorithms in PLUSCAL-2Except for the TLA+ specifications, they become less readable.Users are not supposed to read TLA+ specifications

Comparison between TLC output for PLUSCAL and PLUSCAL-2

Algorithm # proc. PLUSCAL PLUSCAL-2Peterson 2 37 23FastMutex 2 2679 2679Naimi-Trehel 3 111749 53905

51 / 55

Outline

1 IntroductionBackgroundMotivations for PLUSCAL-2

2 PLUSCAL-2The LanguageThe StatementsThe Compiler

3 ResultsVerification of PLUSCAL-2 algorithmsComparison with PLUSCAL

4 Summary

52 / 55

Comparison with PLUSCAL

Models have become self-containedfairness assumptions, correctness properties or model checkingconstraints can be expressed within PLUSCAL-2 algorithm

Nested processes and scoped declarationsrepresent the locality informationincrease readability of algorithmsless errors are expected while modeling an algorithm

Representation is more flexible, without losing any performancenew statements like atomic, for,...multiple assignments to same variable in a block

53 / 55

Conclusions and work in progress

AchievementsEasily accessible for algorithm designersNo need to read/modify TLA+ specifications

Ongoing/Future WorkImplementation of Partial order reduction for TLC geared towardsPLUSCAL-2 algorithmsImplementation of the module for collecting locality informationIntegration of the module in PLUSCAL-2

54 / 55

Questions!

55 / 55