CSCI 6900: Design, Implementation, and Verification of Concurrent Software
description
Transcript of CSCI 6900: Design, Implementation, and Verification of Concurrent Software
![Page 1: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/1.jpg)
1
CSCI 6900: Design, Implementation, and Verification of Concurrent Software
Eileen KraemerSeptember 7th, 2010
The University of Georgia
![Page 2: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/2.jpg)
2
OutlineReview:
FSP and LTSA to represent concurrent processes (Ch.3)
Structure diagrams (Ch. 3)UML and Java code for simple threaded
programs (Ch. 3)Modeling the Ornamental Garden (Ch. 4)Testing a model (Ch.4)
![Page 3: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/3.jpg)
3
Parallel Composition
If P and Q are processes then (P||Q) represents the concurrent execution of P and Q. The operator || is the parallel composition operator.
ITCH = (scratch->STOP).CONVERSE = (think->talk->STOP).
||CONVERSE_ITCH = (ITCH || CONVERSE).Disjoint
alphabets
![Page 4: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/4.jpg)
4
Parallel composition - algebraic laws
Commutative: (P||Q) = (Q||P)Associative: (P||(Q||R)) = ((P||Q)||R)
= (P||Q||R).
Clock radio example:CLOCK = (tick->CLOCK).RADIO = (on->off->RADIO).
||CLOCK_RADIO = (CLOCK || RADIO).
![Page 5: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/5.jpg)
5
Modeling interaction - shared actions
MAKER = (make->ready->MAKER).USER = (ready->use->USER).
||MAKER_USER = (MAKER || USER).
MAKER synchronizes with USER when ready.
Non-disjoint alphabets
Actions with the same name are shared. They synchronize.
Actions with different names are interleaved.
![Page 6: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/6.jpg)
6
process instances and labeling
a:P prefixes each action label in the alphabet of P with a.
SWITCH = (on->off->SWITCH).||TWO_SWITCH = (a:SWITCH || b:SWITCH).
Two instances of a switch process:
||SWITCHES(N=3) = (forall[i:1..N] s[i]:SWITCH).||SWITCHES(N=3) = (s[i:1..N]:SWITCH).
An array of instances of the switch process:
a:SWITCHa.on
a.off
0 1b:SWITCH
b.on
b.off
0 1
![Page 7: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/7.jpg)
7
process labeling by a set of prefix labels
{a1,..,ax}::P replaces every action label n in the alphabet of P with the labels a1.n,…,ax.n. Further, every transition (n->X) in the definition of P is replaced with the transitions ({a1.n,…,ax.n} ->X).
Process prefixing is useful for modeling shared resources:
||RESOURCE_SHARE = (a:USER || b:USER || {a,b}::RESOURCE).
RESOURCE = (acquire->release->RESOURCE).USER = (acquire->use->release->USER).
![Page 8: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/8.jpg)
8
process prefix labels for shared resources
a:USERa.acquire a.use
a.release
0 1 2b:USER
b.acquire b.use
b.release
0 1 2
{a,b}::RESOURCEa.acquireb.acquire
a.releaseb.release
0 1
RESOURCE_SHARE
a.acquire
b.acquire b.use
b.release
a.use
a.release
0 1 2 3 4
![Page 9: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/9.jpg)
9
action relabeling
Relabeling to ensure that composed processes synchronize on particular actions.
Relabeling functions are applied to processes to change the names of action labels. The general form of the relabeling function is: /{newlabel_1/oldlabel_1,… newlabel_n/oldlabel_n}.
CLIENT = (call->wait->continue->CLIENT).SERVER = (request->service->reply->SERVER).
Note that both newlabel and oldlabel can be sets of labels.
![Page 10: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/10.jpg)
10
action relabeling
||CLIENT_SERVER = (CLIENT || SERVER) /{call/request, reply/wait}.
CLIENTcall reply
continue
0 1 2SERVER
call service
reply
0 1 2
CLIENT_SERVER call service reply
continue
0 1 2 3
![Page 11: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/11.jpg)
11
action relabeling - prefix labels
SERVERv2 = (accept.request ->service->accept.reply->SERVERv2).CLIENTv2 = (call.request ->call.reply->continue->CLIENTv2).
||CLIENT_SERVERv2 = (CLIENTv2 || SERVERv2) /{call/accept}.
An alternative formulation of the client server system is described below using qualified or prefixed labels:
![Page 12: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/12.jpg)
12
action hiding - abstraction to reduce complexity
When applied to a process P, the hiding operator \{a1..ax} removes the action names a1..ax from the alphabet of P and makes these concealed actions "silent". These silent actions are labeled tau. Silent actions in different processes are not shared.
When applied to a process P, the interface operator @{a1..ax} hides all actions in the alphabet of P not labeled in the set a1..ax.
Sometimes it is more convenient to specify the set of labels to be exposed....
![Page 13: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/13.jpg)
13
action hiding
USER = (acquire->use->release->USER) \{use}.
USER = (acquire->use->release->USER) @{acquire,release}.
The following definitions are equivalent:
acquire tau
release
0 1 2
Minimization removes hidden tau actions to produce an LTS with equivalent observable behavior. acquire
release
0 1
![Page 14: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/14.jpg)
14
structure diagrams – systems as interacting processes
P a
bProcess P withalphabet {a,b}.
P a b Qm Parallel Composition(P||Q) / {m/a,m/b,c/d}
P Qa
c dc
x xx
Syx
Composite process||S = (P||Q) @ {x,y}
![Page 15: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/15.jpg)
15
structure diagrams
We use structure diagrams to capture the structure of a model expressed by the static combinators: parallel composition, relabeling and hiding.
range T = 0..3BUFF = (in[i:T]->out[i]->BUFF).||TWOBUF = ?
a:BUFF b:BUFFa.out
TWOBUFF
outininoutin out
![Page 16: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/16.jpg)
16
Structure diagrams
Structure diagram for CLIENT_SERVER
Structure diagram for CLIENT_SERVERv2
CLIENTv2 call accept SERVERv2call
servicecontinue
CLIENT call request SERVERcall
replywait reply servicecontinue
![Page 17: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/17.jpg)
17
structure diagrams - resource sharing
a:USERprinter
b:USERprinter
printer:RESOURCE
acquirerelease
PRINTER_SHARE
RESOURCE = (acquire->release->RESOURCE).USER = (printer.acquire->use ->printer.release->USER)\{use}.
||PRINTER_SHARE = (a:USER||b:USER||{a,b}::printer:RESOURCE).
Indicates sharing
![Page 18: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/18.jpg)
18
3.2 Multi-threaded Programs in Java
Concurrency in Java occurs when more than one thread is alive. ThreadDemo has two threads which rotate displays.
![Page 19: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/19.jpg)
19
ThreadDemo model
Interpret run, pause, interrupt as inputs, rotate as an output.
ROTATOR = PAUSED,PAUSED = (run->RUN | pause->PAUSED |interrupt->STOP),RUN = (pause->PAUSED |{run,rotate}->RUN |interrupt->STOP).
||THREAD_DEMO = (a:ROTATOR || b:ROTATOR)
/{stop/{a,b}.interrupt}.
b:ROTATOR
a.run
a.pause
a.rotate
b.run
b.pause
b.rotate
THREAD_DEMO
a:ROTATORstop
![Page 20: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/20.jpg)
20
ThreadDemo implementation in Java - class diagramThreadDemo creates two ThreadPanel displays when initialized. ThreadPanel manages the display and control buttons, and delegates calls to rotate() to DisplayThread. Rotator implements the runnable interface.
Applet
ThreadDemo ThreadPanel
rotate()start()stop()
A,B
init()start()stop()
Runnable
Rotator
run()
GraphicCanvasPanel
Thread
DisplayThread
display
thread
target
rotate()
![Page 21: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/21.jpg)
21
Rotator class
class Rotator implements Runnable { public void run() { try { while(true) ThreadPanel.rotate(); } catch(InterruptedException e) {} }}
Rotator implements the runnable interface, calling ThreadPanel.rotate() to move the display.
run()finishes if an exception is raised by Thread.interrupt().
![Page 22: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/22.jpg)
22
ThreadPanel class
public class ThreadPanel extends Panel { // construct display with title and segment color c public ThreadPanel(String title, Color c) {…} // rotate display of currently running thread 6 degrees // return value not used in this example public static boolean rotate() throws InterruptedException {…} // create a new thread with target r and start it running public void start(Runnable r) { thread = new DisplayThread(canvas,r,…); thread.start(); } // stop the thread using Thread.interrupt() public void stop() {thread.interrupt();}}
ThreadPanel manages the display and control buttons for a thread.
Calls to rotate() are delegated to DisplayThread.
Threads are created by the start() method, and terminated by the stop() method.
![Page 23: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/23.jpg)
23
Chapter 4
Shared Objects & Mutual Exclusion
![Page 24: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/24.jpg)
24
Shared Objects & Mutual Exclusion
Concepts: process interference. mutual exclusion.
Models: model checking for interferencemodeling mutual exclusion
Practice: thread interference in shared Java objects
mutual exclusion in Java (synchronized objects/methods).
![Page 25: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/25.jpg)
25
4.1 Interference
Garden
WestTurnstile
EastTurnstile
people
People enter an ornamental garden through either of two turnstiles. Management wish to know how many are in the garden at any time.
The concurrent program consists of two concurrent threads and a shared counter object.
Ornamental garden problem:
![Page 26: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/26.jpg)
26
ornamental garden Program - class diagram
The Turnstile thread simulates the periodic arrival of a visitor to the garden every second by sleeping for a second and then invoking the increment() method of the counter object.
setvalue()NumberCanvas
Applet
init()go()
Garden
Thread
Turnstile
run()
Counterincrement()
displaydisplay
east,west people
eastD,westD,counterD
![Page 27: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/27.jpg)
27
ornamental garden program
private void go() { counter = new Counter(counterD); west = new Turnstile(westD,counter); east = new Turnstile(eastD,counter); west.start(); east.start();}
The Counter object and Turnstile threads are created by the go() method of the Garden applet:
Note that counterD, westD and eastD are objects of NumberCanvas used in chapter 2.
![Page 28: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/28.jpg)
28
Turnstile class
class Turnstile extends Thread { NumberCanvas display; Counter people;
Turnstile(NumberCanvas n,Counter c) { display = n; people = c; }
public void run() { try{ display.setvalue(0); for (int i=1;i<=Garden.MAX;i++){ Thread.sleep(500); //0.5 second between arrivals display.setvalue(i); people.increment(); } } catch (InterruptedException e) {} }}
The run() method exits and the thread terminates after Garden.MAX visitors have entered.
![Page 29: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/29.jpg)
29
Counter class
class Counter { int value=0; NumberCanvas display;
Counter(NumberCanvas n) { display=n; display.setvalue(value); }
void increment() { int temp = value; //read value Simulate.HWinterrupt(); value=temp+1; //write value display.setvalue(value); }}
Hardware interrupts can occur at arbitrary times.
The counter simulates a hardware interrupt during an increment(), between reading and writing to the shared counter value. Interrupt randomly calls Thread.sleep() to force a thread switch.
![Page 30: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/30.jpg)
30
ornamental garden program - display
After the East and West turnstile threads have each incremented its counter 20 times, the garden people counter is not the sum of the counts displayed. Counter increments have been lost. Why?
![Page 31: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/31.jpg)
31
concurrent method activation
Java method activations are not atomic - thread objects east and west may be executing the code for the increment method at the same time.
east
west
increment:
read value
write value + 1
programcounter program
counter
PC PCshared code
![Page 32: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/32.jpg)
32
ornamental garden Model
Process VAR models read and write access to the shared counter value.
Increment is modeled inside TURNSTILE since Java method activations are not atomic i.e. thread objects east and west may interleave their read and write actions.
value:VARdisplay
write
GARDEN
west:TURNSTILE
valueendgo
arrive
east:TURNSTILE
valueendgo
arrive
goend
read
![Page 33: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/33.jpg)
33
ornamental garden model
const N = 4range T = 0..Nset VarAlpha = { value.{read[T],write[T]} }
VAR = VAR[0],VAR[u:T] = (read[u] ->VAR[u] |write[v:T]->VAR[v]).
TURNSTILE = (go -> RUN),RUN = (arrive-> INCREMENT |end -> TURNSTILE),INCREMENT = (value.read[x:T] -> value.write[x+1]->RUN )+VarAlpha.
||GARDEN = (east:TURNSTILE || west:TURNSTILE || { east,west,display}::value:VAR) /{ go /{ east,west} .go, end/{ east,west} .end} .
The alphabet of shared process VAR is declared explicitly as a set constant, VarAlpha.
The TURNSTILE alphabet is extended with VarAlpha to ensure no unintended free (autonomous) actions in VAR eg. value.write[0]. All actions in the shared VAR must be controlled (shared) by a TURNSTILE.
![Page 34: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/34.jpg)
34
checking for errors - animation
Scenario checking - use animation to produce a trace.
Is this trace correct?
![Page 35: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/35.jpg)
35
checking for errors - exhaustive analysis
TEST = TEST[0],TEST[v:T] = (when (v<N){east.arrive,west.arrive}->TEST[v+1] |end->CHECK[v] ),CHECK[v:T] = (display.value.read[u:T] -> (when (u==v) right -> TEST[v] |when (u!=v) wrong -> ERROR ) )+{display.VarAlpha}.
Exhaustive checking - compose the model with a TEST process which sums the arrivals and checks against the display value:
Like STOP, ERROR is a predefined FSP local process (state), numbered -1 in the equivalent LTS.
![Page 36: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/36.jpg)
36
ornamental garden model - checking for errors
||TESTGARDEN = (GARDEN || TEST).
Use LTSA to perform an exhaustive search for ERROR.Trace to property violation in TEST:
goeast.arriveeast.value.read.0west.arrivewest.value.read.0east.value.write.1west.value.write.1enddisplay.value.read.1
wrong
LTSA produces the shortest path to reach ERROR.
![Page 37: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/37.jpg)
37
Interference and Mutual Exclusion
Destructive update, caused by the arbitrary interleaving of read and write actions, is termed interference.
Interference bugs are extremely difficult to locate. The general solution is to give methods mutually exclusive access to shared objects. Mutual exclusion can be modeled as atomic actions.
![Page 38: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/38.jpg)
38
4.2 Mutual exclusion in Java
class SynchronizedCounter extends Counter {
SynchronizedCounter(NumberCanvas n) {super(n);}
synchronized void increment() { super.increment(); }}
We correct COUNTER class by deriving a class from it and making the increment method synchronized:
Concurrent activations of a method in Java can be made mutually exclusive by prefixing the method with the keyword synchronized, which uses a lock on the object.
acquire lock
release lock
![Page 39: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/39.jpg)
39
mutual exclusion - the ornamental garden
Java associates a lock with every object. The Java compiler inserts code to acquire the lock before executing the body of the synchronized method and code to release the lock before the method returns. Concurrent threads are blocked until the lock is released.
![Page 40: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/40.jpg)
40
Java synchronized statement
Access to an object may also be made mutually exclusive by using the synchronized statement:
synchronized (object) { statements }A less elegant way to correct the example would be to modify the Turnstile.run() method:
synchronized(people) {people.increment();}
Why is this “less elegant”?
To ensure mutually exclusive access to an object, all object methods should be synchronized.
![Page 41: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/41.jpg)
41
To add locking to our model, define a LOCK, compose it with the shared VAR in the garden, and modify the alphabet set :
4.3 Modeling mutual exclusion
LOCK = (acquire->release->LOCK).||LOCKVAR = (LOCK || VAR).
set VarAlpha = {value.{read[T],write[T], acquire, release}}
TURNSTILE = (go -> RUN),RUN = (arrive-> INCREMENT |end -> TURNSTILE),INCREMENT = (value.acquire -> value.read[x:T]->value.write[x+1] -> value.release->RUN )+VarAlpha.
Modify TURNSTILE to acquire and release the lock:
![Page 42: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/42.jpg)
42
Revised ornamental garden model - checking for errors
Use TEST and LTSA to perform an exhaustive check. Is TEST satisfied?
go east.arrive east.value.acquire east.value.read.0 east.value.write.1 east.value.release west.arrive west.value.acquire west.value.read.1 west.value.write.2 west.value.release end display.value.read.2 right
A sample animation execution trace
![Page 43: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/43.jpg)
43
COUNTER: Abstraction using action hiding
To model shared objects directly in terms of their synchronized methods, we can abstract the details by hiding. For SynchronizedCounter we hide read, write, acquire, release actions.
const N = 4range T = 0..N
VAR = VAR[0],VAR[u:T] = ( read[u]->VAR[u] | write[v:T]->VAR[v]).
LOCK = (acquire->release->LOCK).
INCREMENT = (acquire->read[x:T] -> (when (x<N) write[x+1] ->release->increment->INCREMENT ) )+{read[T],write[T]}.
||COUNTER = (INCREMENT||LOCK||VAR)@{increment}.
![Page 44: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/44.jpg)
44
COUNTER: Abstraction using action hiding
Minimized LTS:
We can give a more abstract, simpler description of a COUNTER which generates the same LTS:
This therefore exhibits “equivalent” behavior i.e. has the same observable behavior.
COUNTER = COUNTER[0]COUNTER[v:T] = (when (v<N) increment -> COUNTER[v+1]).
increment increment increment increment
0 1 2 3 4
![Page 45: CSCI 6900: Design, Implementation, and Verification of Concurrent Software](https://reader036.fdocuments.in/reader036/viewer/2022081422/56816743550346895ddbf73f/html5/thumbnails/45.jpg)
45
Summary
Conceptsprocess interferencemutual exclusion
Modelsmodel checking for interference modeling mutual exclusion
Practicethread interference in shared Java objects mutual exclusion in Java (synchronized
objects/methods).