lectureNote8

I636: Specification and Verification of
Distributed Systems
8. Suzuki‐Kasami Distributed
Mutual Exclusion Protocol (2)
Kazuhiro Ogata & Kokichi Futatsugi
Outline
• The OTS S SK modeling the Suzuki‐Kasami
protocol is specified in Maude.
• We model check that S SK (the Suzuki‐Kasami
protocol) satisfies (or does not satisfy) the
mutual exclusion property and the lockout
freedom property based on the specification.
• This lecture describes how to specify S SK in
Maude and how to model check the two
properties for S SK with Maude.
2

Quick Reminder (1)
• Consists of two procedures P1 and P2 for each node i.
When node i wants to enter the critical section, it calls P1.
procedure P1;
begin
requesting := true;
if not have_privilege then
begin
rn[i] := rn[i] + 1;
for all j in {1,…,N} – {i} do
send request(i,rn[i]) rn[i]) to node j;
wait until privilege(queue,ln)
is received.
have_privilege := true;
end;
Critical Section;
ln[i] := rn[i];
for all j in {1,…,N} – {i} do
if not in(queue,j) and (rn[j] = ln[j] + 1)
then queue := put(queue,j);
if queue ≠ empty then
begin
have_privilege := false;
send privilege(get(queue),ln)
to node top(queue)
end;
requesting := false
end;
3
Quick Reminder (2)
• When node i receives request(j,n), it calls P2, executing
it atomically.
procedure P2;
begin
rn[j] := max(rn[j],n);
if have_privilege and not requesting and (rn[j] = ln[j] + 1) then
begin
have_privilege := false;
variables Initial values
send privilege(queue,ln) iil ( l ) to node j
end
end;
Initially each process is in the section
(called the remainder section) that is
different from the protocol .
requesting
false
have_privilege true if i = 1, and false o/w
rn each element is 0
ln each element is 0
queue
empty
4

Quick Reminder (3)
• The observers used:
– pc : U NodeID → Label
– requesting : U NodeID → Bool
– havePriv : U NodeID → Bool
– rn : U NodeID → Array
– ln : U NodeID → Array
– queue : U NodeID → Queue
– idx : U NodeID → Nat
– nw : U → Network
where NodeID is the type of natural numbers i such that 1 i N,
Label is the type of the locations in the protocol at which nodes
are, Array is the type of natural number arrays of size N, Queue is
the type of queues of NodeID’s, and Network is the type of
multisets of messages.
5
Quick Reminder (4)
• A state u is a initial state if for all NodeID’s i,
– pc(u,i) is rem,
– requesting(u,i) is false,
– havePriv(u,i) is true if i is 1 and false otherwise,
– rn(u,i) is an array such that each element is 0,
– ln(u,i) is an array such that each element is 0,
– queue(u,i) is empty,
– idx(u,i) is an arbitrary natural number, and
– nw(u) is empty.
6

Quick Reminder (5)
• The transitions used:
– try : U NodeID → U
– setReq : U NodeID → U
– checkPriv : U NodeID → U
– incReqNo : U NodeID → U
– sendReq : U NodeID → U
rem
l1
l2
l3
l4
– waitPriv : U NodeID Privilege → U
cs
– exit : U NodeID → U
l6
l7
– completeReq : U NodeID → U
– updateQueue : U NodeID → U
l5
procedure P1;
begin
requesting := true;
if not have_privilege then
begin
rn[i] := rn[i] + 1;
for all j in {1,…,N} – {i} do
send request(i,rn[i]) to node j;
wait until privilege(queue,ln)
is received.
have_privilege := true;
end;
Critical Section;
ln[i] := rn[i];
for all j in {1,…,N} – {i} do
if not in(queue,j) and (rn[j] = ln[j] + 1)
then queue := put(queue,j);
7
Quick Reminder (6)
• The transitions used (cont.):
– checkQueue : U NodeID → U l8 if queue ≠ empty then
– transferPriv : U NodeID → U l9
begin
have_privilege := false;
– resetReq : U NodeID → U
send privilege(get(queue),ln)
to node top(queue)
l10 end;
requesting := false
– receiveReq : U NodeID Request → U end;
procedure P2;
begin
rn[j] := max(rn[j],n);
if have_privilege and not requesting and (rn[j] = ln[j] + 1) then
begin
have_privilege := false;
send privilege(queue,ln) to node j
end
end;
8

Data Used
• Boolean values: Denoted by Bool; Specified in the built‐in module
BOOL.
• Natural numbers: Denoted dby Nat; Specified din the built‐in i module
NAT.
• Node identifiers: Denoted by NodeID; Specified in NODEID.
• Queues of node identifiers: Denoted by Queue; Specified in
QUEUE.
• Arrays of natural numbers: Denoted by Array; Specified in
ARRAY.
• Requests: Denoted by Request; Specified in REQUEST.
• Privileges: Denoted by Privilege; Specified in PRIVILEGE.
• Messages: Denoted by Message; Specified in MESSAGE.
• Multisests of messages: Denoted by Network; Specified in
NETWORK.
• Labels: Denoted by Label; Specified in LABEL.
9
Node Identifiers
• Specified as follows:
sort NodeID .
subsorts NodeID < NzNat .
op N : -> NzNat .
op M : -> Nat .
eq N = 2 .
eq M = 2 .
mb 1 : NodeID .
mb 2 : NodeID .
• N is the number of nodes involved.
• M is the number of requests each node makes.
• We suppose that there two nodes whose identifiers are 1 and 2.
10

Queues of Node Identifiers
• Specified as follows:
sort NeQueue Queue .
subsort NeQueue < Queue .
op empty : -> Queue .
op _|_ : NodeID Queue -> NeQueue .
• The following functions are defined:
– top(q) returns the top element of a non‐empty queue q.
– put(q,e) puts an element e into a queue q.
– get(q) delete the top element of a queue q.
– e \in q checks if an element e is in a queue q.
– empty?(q) checks if a queue q is empty.
11
Arrays of Natural Numbers
• Specified as follows:
sort AElm Array .
subsort AElm < Array .
op ia : -> Array .
op _:_ : NodeID Nat -> AElm .
op _,_ : Array Array -> Array [assoc comm id:
ia] .
• ia denotes the array, each of whose contents is 0.
• i : m denotes an array slot, where i is an index and m is a content.
• An array is represented as (1 : m 1 ) , … , (N : m N ).
• The following functions are defined:
– a[i] returns the content of an array a at the index i.
– a[i] := m returns the array a’ such that a’[i] = m, and a’[j] =
a[j] if j ≠ i.
12

Requests and Privileges
• Specified as follows:
sort Request .
op req : NodeID Nat -> Request .
sort Privilege .
op priv : Queue Array -> Privilege .
• req(i,n) denotes a request that contains a node
identifier i and a sequence number (natural number) n.
• priv(q,ln) denotes a privilege that contains a queue
q and an array ln.
13
Messages
• Specified as follows:
sort Message .
op msg : NodeID Request -> Message .
op msg : NodeID Privilege -> Message .
• msg(i,r), where r is a request, denotes a request
message addressed to node i.
• msg(i,p), where p is a privilege, denotes a privilege
message addressed to node i.
14

Multisets of Messages
• Specified as follows:
subsort Message < Network .
op void : -> Network .
op _ _ : Network Network -> Network
[assoc comm id: void] .
• void denotes the empty multiset.
• A multiset is represented as m 1 … m n , where each m i is a
message.
• The network is modeled as a multiset of messages to deal
with the communication delay.
15
Labels
• Specified as follows:
sort Label .
ops rem l1 l2 l3 l4 l5
cs l6 l7 l8 l9 l10 : -> Label .
• The constants denote the labels rem, l1, l2, l3, l4, l5,
cs, l6, l7, l8, l9, and l10, respectively.
16

Specification of S SK (1)
• The operator corresponding to the observers:
op numOfReq[_]:_ : NodeID Nat -> Obs .
op pc[_]:_ : NodeID Label -> Obs .
op requesting[_]:_ : NodeID Bool -> Obs .
op havePriv[_]:_ : NodeID Bool -> Obs .
op rn[_]:_ : NodeID Array -> Obs .
op ln[_]:_ : NodeID Array -> Obs .
op queue[_]:_ : NodeID Queue -> Obs .
op idx[_]:_ : NodeID Nat -> Obs .
op nw: _
: Network -> Obs .
• The number of requests each node makes is restricted in order to make the
reachable state space bounded.
• numOfReq[i]: m is used to record the number m of requests node i
has made.
17
Specification of S SK (2)
• The rules defining the transitions:
procedure P1;
begin
rl [try] : (numOfReq[I]: X) (pc[I]: rem)
=> (numOfReq[I]: (if X < M then X + 1 else X fi))
(pc[I]: (if X < M then l1 else rem fi)) .
try : U NodeID → U
requesting := true;
rl [setReq] : (pc[I]: l1) (requesting[I]: F)
=> (pc[I]: l2) (requesting[I]: true) .
setReq : U NodeID → U
if not have_privilege then
begin
checkPriv : U NodeID → U
rl [checkPriv] : (pc[I]: l2) (havePriv[I]: F)
=> (pc[I]: (if F then cs else l3 fi)) (havePriv[I]: F) .
18

Specification of S SK (3)
• The rules defining the transitions (cont.):
rn[i] := rn[i] + 1;
incReqNo : U NodeID → U
rl [incRecNo] : (pc[I]: l3) (rn[I]: RN) (idx[I]: X)
=> (pc[I]: l4) (rn[I]: RN[I] := (RN[I]) + 1) (idx[I]: 1) .
for all j in {1,…,N} – {i} do
send request(i,rn[i]) to node j;
sendReq : U NodeID → U
rl [sendReq] : (pc[I]: l4) (idx[I]: X) (rn[I]: RN) (nw: NW)
=> (pc[I]: if X == N then l5 else l4 fi)
(idx[I]: if X == N then 1 else X + 1 fi) (rn[I]: RN)
(nw: (if X == I then NW else msg(X,req(I,RN[I])) NW fi)) .
19
Specification of S SK (4)
• The rules defining the transitions (cont.):
wait until privilege(queue,ln) is received.
have_privilege := true;
waitPriv : U NodeID Privilege → U
rl [waitPriv] : (pc[I]: l5) (havePriv[I]: F) (ln[I]: LN')
(queue[I]: Q') (nw: (msg(I,priv(Q,LN)) NW))
=> (pc[I]: cs) (havePriv[I]: true) (ln[I]: LN) (queue[I]: Q)
(nw: NW) .
Critical Section;
rl [exit] : (pc[I]: cs) => (pc[I]: l6) .
exit : U NodeID → U
ln[i] := rn[i];
completeReq : U NodeID → U
rl [completeReq] : (pc[I]: l6) (rn[I]: RN) (ln[I]: LN)
(idx[I]: X)
=> (pc[I]: l7) (rn[I]: RN) (ln[I]: LN[I] := RN[I])
(idx[I]: 1) .
20

Specification of S SK (5)
• The rules defining the transitions (cont.):
for all j in {1,…,N} – {i} do
if not in(queue,j) and (rn[j] = ln[j] + 1)
then queue := put(queue,j);
updateQueue : U NodeID → U
rl [updateQueue] : (pc[I]: l7) (idx[I]: X) (rn[I]: RN)
(ln[I]: LN) (queue[I]: Q)
=> (pc[I]: if X == N then l8 else l7 fi)
(idx[I]: if X == N then 1 else X + 1 fi)
(rn[I]: RN) (ln[I]: LN)
(queue[I]: if X =/= I and not(X \in Q) and
(RN[X] == (LN[X]) + 1) then put(Q,X) else Q fi) .
if queue ≠ empty then
begin
checkQueue : U NodeID → U
rl [checkQueue] : (pc[I]: l8) (queue[I]: Q)
=> (pc[I]: if empty?(Q) then l10 else l9 fi) (queue[I]: Q) .
21
Specification of S SK (6)
• The rules defining the transitions (cont.):
have_privilege := false;
send privilege(get(queue),ln) to node top(queue)
transferPriv : U NodeID → U
rl [transferPriv] : (pc[I]: l9) (havePriv[I]: F) (ln[I]: LN)
(queue[I]: Q) (nw: NW)
=> (pc[I]: l10) (havePriv[I]: false) (ln[I]: LN) (queue[I]: Q)
(nw: (msg(top(Q),priv(get(Q),LN)) NW)) .
requesting := false
end;
rl [resetReq] : (pc[I]: l10) (requesting[I]: F)
=> (pc[I]: rem) (requesting[I]: false) .
resetReq : U NodeID → U
22

Specification of S SK (7)
• The rules defining the transitions (cont.):
procedure P2; begin
rn[j] := max(rn[j],n);
if have_privilege and not requesting and (rn[j] = ln[j] + 1) then
begin
have_privilege := false;
send privilege(queue,ln) to node j
end
end;
receiveReq : U NodeID Request → U
crl [receiveReq] : (requesting[I]: F) (havePriv[I]: F')
(rn[I]: RN) (ln[I]: LN) (queue[I]: Q)
(nw: (msg(I,req(J,X)) NW))
=> (requesting[I]: F) (havePriv[I]: if C then false else F' fi)
(rn[I]: RN[J] := Max) (ln[I]: LN) (queue[I]: Q)
(nw: if C then (msg(J,priv(Q,LN)) NW) else NW fi)
if I =/= J /\
Max := if (RN[J]) < X then X else RN[J] fi /\
C := F' and not(F) and Max == (LN[J]) + 1 .
23
Model Checking (1)
• The state predicates defined:
eq (pc[I]: l5) S |= wait(I) = true .
eq (pc[I]: cs) S |= crit(I) = true .
eq (nw: (msg(I,P) NW)) S |= existPriv(I) = true .
eq (nw: (msg(I,req(J,X)) NW)) S
|= existReq(I,J) = true .
eq S |= PR = false [owise] .
• wait(i) holds if node i is at label l5 where node i waits for receiving a
privilege message.
• crit(i) holds if node i is at label cs, namely that node i is in its critical
section.
• existsPriv(i) holds if there exists a privilege message addressed to
node i in the network.
• existsReq(i,j) holds if there exists a request message addressed to
node i from node j in the network.
24

Model Checking (2)
• Properties to be checked:
eq mutex = [] ~(crit(1) /\ crit(2)) .
eq lofree = (wait(1) (1) |-> crit(1))
/\ (wait(2) |-> crit(2)) .
eq fairness = (existPriv(1) |-> ~(existPriv(1)))
/\ (existReq(1,2) |-> ~(existReq(1,2)))
/\ (existPriv(2) |-> ~(existPriv(2)))
/\ (existReq(2,1) |-> ~(existReq(2,1))) .
• mutex expresses the mutual exclusion property.
• lofree eeexpresses esses the lockout out freedom property. popety
• fairness expresses the fairness assumption used to check lofree,
which says that every message in the network will be eventually delivered
to its destination.
25
Model Checking (3)
• The initial state when we suppose that two processes are
involved:
eq node(I) = (numOfReq[I]: 0)
(pc[I]: rem)
(requesting[I]: false)
(havePriv[I]: (I == 1))
(rn[I]: ia)
(ln[I]: ia)
(queue[I]: empty)
(idx[I]: 1) .
eq init = node(1) node(2) (nw: void) .
26

Model Checking (4)
• Checking the mutual exclusion property:
red in SK-CHECK :
modelCheck(init,mutex) .
Maude returns true.
• Checking the lockout freedom property:
red in SK-CHECK :
modelCheck(init,(fairness -> lofree)) .
Maude returns a counterexample.
27
• The counterexample:
A se quence of transitions lea ding to the loop
Model Checking (5)
counterexample({nw: void … (pc[1]: rem) (pc[2]: rem)
(requesting[1]: false) (requesting[2]: false)
(havePriv[1]: true) (havePriv[2]: false) …,'try}
{nw: msg(1, req(2, 1)) … (pc[1]: l10) (pc[2]: l5)
(requesting[1]: true) (requesting[2]: true)
(havePriv[1]: true) (havePriv[2]: false) …,'receiveReq}
{nw: void … (pc[1]: l10) (pc[2]: l5)
(requesting[1]: true) (requesting[2]: true)
(havePriv[1]: true) (havePriv[2]: false) …,'resetReq},
{nw: void … (pc[1]: rem) (pc[2]: l5)
(requesting[1]: false) (requesting[2]: true)
(havePriv[1]: true) (havePriv[2]: false) …,'try} )
Node 1 will never transfer the privilege to node 2 because node 1 receives the
request message at l10 in the final (2 nd ) call of procedure P1.
28

Model Checking (6)
• A possible modification is that each node does not receive any
request messages when it is at label l10.
• The rule receiveReq is modified d as follows:
crl [receiveReq] : (pc[I]: L) (requesting[I]: F)
(havePriv[I]: F') (rn[I]: RN) (ln[I]: LN) (queue[I]: Q)
(nw: (msg(I,req(J,X)) NW))
=> (pc[I]: L) (requesting[I]: F)
(havePriv[I]: if C then false else F' fi)
(rn[I]: RN[J] := Max) (ln[I]: LN) (queue[I]: Q)
(nw: if C then (msg(J,priv(Q,LN)) NW) else NW fi)
if I =/= J /\ L =/= l10 /\
Max := if (RN[J]) < X then X else RN[J] fi /\
C := F' and not(F) and Max == (LN[J]) + 1 .
• Maude still returns a counterexample for the lockout freedom
property.
29
A sequence of transitions
le eading to
• The counterexample:
counterexample(
Model Checking (7)
{nw: msg(1, req(2, 1)) … (pc[1]: l8) (pc[2]: l5)
(requesting[1]: true) (requesting[2]: true)
(havePriv[1]: true) (havePriv[2]: false) …,'receiveReq}
{nw: void … (pc[1]: l8) (pc[2]: l5)
(requesting[1]: true) (requesting[2]: true)
(havePriv[1]: true) (havePriv[2]: false) …,'checkQueue}
the loop
{nw: void … (pc[1]: rem) (pc[2]: l5)
(requesting[1]: false) (requesting[2]: true)
(havePriv[1]: true) (havePriv[2]: false) …,'try})
What is wrong is that node 1 receives the request message at l8 in the final (2 nd )
call of procedure P1.
30

Model Checking (8)
• A possible modification is that each node does not receive any
request messages either when it is at label l8.
• The rule receiveReq is modified d as follows:
crl [receiveReq] : (pc[I]: L) (requesting[I]: F)
(havePriv[I]: F') (rn[I]: RN) (ln[I]: LN) (queue[I]: Q)
(nw: (msg(I,req(J,X)) NW))
=> (pc[I]: L) (requesting[I]: F)
(havePriv[I]: if C then false else F' fi)
(rn[I]: RN[J] := Max) (ln[I]: LN) (queue[I]: Q)
(nw: if C then (msg(J,priv(Q,LN)) NW) else NW fi)
if I =/= J /\ L =/= l10 /\ L =/= l8 /\
Max := if (RN[J]) < X then X else RN[J] fi /\
C := F' and not(F) and Max == (LN[J]) + 1 .
• Maude still returns a counterexample for the lockout freedom
property.
31
A sequence of transitions
le eading to
• The counterexample:
counterexample(
Model Checking (9)
{nw: msg(2, req(1, 1)) … (pc[1]: l5) (pc[2]: l7)
(requesting[1]: true) (requesting[2]: true)
(havePriv[1]: false) (havePriv[2]: true) …,'receiveReq}
{nw: void … (pc[1]: l5) (pc[2]: l7)
(requesting[1]: true) (requesting[2]: true)
(havePriv[1]: false) (havePriv[2]: true) …,'updateQueue}
the loop
{nw: void … (pc[1]: l5) (pc[2]: rem)
(requesting[1]: true) (requesting[2]: false)
(havePriv[1]: false) (havePriv[2]: true …,'try})
What is wrong is that node 2 receives the request message at l7 in the final (2 nd )
call of procedure P1.
32

Model Checking (8)
• A possible modification is that each node does not receive any
request messages either when it is at label l7.
• The rule receiveReq is modified d as follows:
crl [receiveReq] : (pc[I]: L) (requesting[I]: F)
(havePriv[I]: F') (rn[I]: RN) (ln[I]: LN) (queue[I]: Q)
(nw: (msg(I,req(J,X)) NW))
=> (pc[I]: L) (requesting[I]: F)
(havePriv[I]: if C then false else F' fi)
(rn[I]: RN[J] := Max) (ln[I]: LN) (queue[I]: Q)
(nw: if C then (msg(J,priv(Q,LN)) NW) else NW fi)
if I =/= J /\ L =/= l10 /\ L =/= l8 /\ L =/= l7 /\
Max := if (RN[J]) < X then X else RN[J] fi /\
C := F' and not(F) and Max == (LN[J]) + 1 .
• Maude returns true for the lockout freedom property.
33