lectureNote8

I636: Specification and Verification of 

Distributed Systems 

8. Suzuki‐Kasami Distributed 

Mutual Exclusion Protocol (2) 

Kazuhiro Ogata & Kokichi Futatsugi 

Outline 

• The OTS S SK modeling the Suzuki‐Kasami 

protocol is specified in Maude. 

• We model check that S SK (the Suzuki‐Kasami 

protocol) satisfies (or does not satisfy) the 

mutual exclusion property and the lockout 

freedom property based on the specification. 

• This lecture describes how to specify S SK in 

Maude and how to model check the two 

properties for S SK with Maude. 

2

Quick Reminder (1) 

• Consists of two procedures P1 and P2 for each node i. 

When node i wants to enter the critical section, it calls P1. 

procedure P1; 

begin 

requesting := true; 

if not have_privilege then 

begin 

rn[i] := rn[i] + 1; 

for all j in {1,…,N} – {i} do 

send request(i,rn[i]) rn[i]) to node j; 

wait until privilege(queue,ln) 

is received. 

have_privilege := true; 

end; 

Critical Section; 

ln[i] := rn[i]; 


if not in(queue,j) and (rn[j] = ln[j] + 1) 

then queue := put(queue,j); 

if queue ≠ empty then 

begin 

have_privilege := false; 

send privilege(get(queue),ln) 

to node top(queue) 

end; 

requesting := false 

end; 

3 


• When node i receives request(j,n), it calls P2, executing 

it atomically. 

procedure P2; 

begin 

rn[j] := max(rn[j],n); 

if have_privilege and not requesting and (rn[j] = ln[j] + 1) then 

begin 


variables Initial values 

send privilege(queue,ln) iil ( l ) to node j 

end 

end; 

Initially each process is in the section 

(called the remainder section) that is 

different from the protocol . 

requesting 

false 

have_privilege true if i = 1, and false o/w 

rn each element is 0 

ln each element is 0 

queue 

empty 

4


• The observers used: 

– pc : U NodeID → Label 

– requesting : U NodeID → Bool 

– havePriv : U NodeID → Bool 

– rn : U NodeID → Array 

– ln : U NodeID → Array 

– queue : U NodeID → Queue 

– idx : U NodeID → Nat 

– nw : U → Network 

where NodeID is the type of natural numbers i such that 1 i N, 

Label is the type of the locations in the protocol at which nodes 

are, Array is the type of natural number arrays of size N, Queue is 

the type of queues of NodeID’s, and Network is the type of 

multisets of messages. 

5 


• A state u is a initial state if for all NodeID’s i, 

– pc(u,i) is rem, 

– requesting(u,i) is false, 

– havePriv(u,i) is true if i is 1 and false otherwise, 

– rn(u,i) is an array such that each element is 0, 

– ln(u,i) is an array such that each element is 0, 

– queue(u,i) is empty, 

– idx(u,i) is an arbitrary natural number, and 

– nw(u) is empty. 

6


• The transitions used: 

– try : U NodeID → U 

– setReq : U NodeID → U 

– checkPriv : U NodeID → U 

– incReqNo : U NodeID → U 

– sendReq : U NodeID → U 

rem 

l1 

l2 

l3 

l4 

– waitPriv : U NodeID Privilege → U 

cs 

– exit : U NodeID → U 

l6 

l7 

– completeReq : U NodeID → U 

– updateQueue : U NodeID → U 

l5 

procedure P1; 

begin 



begin 

rn[i] := rn[i] + 1; 


send request(i,rn[i]) to node j; 

wait until privilege(queue,ln) 

is received. 


end; 


ln[i] := rn[i]; 




7 


• The transitions used (cont.): 

– checkQueue : U NodeID → U l8 if queue ≠ empty then 

– transferPriv : U NodeID → U l9 

begin 


– resetReq : U NodeID → U 

send privilege(get(queue),ln) 

to node top(queue) 

l10 end; 


– receiveReq : U NodeID Request → U end; 

procedure P2; 

begin 



begin 


send privilege(queue,ln) to node j 

end 

end; 

8

Data Used 

• Boolean values: Denoted by Bool; Specified in the built‐in module 

BOOL. 

• Natural numbers: Denoted dby Nat; Specified din the built‐in i module 

NAT. 

• Node identifiers: Denoted by NodeID; Specified in NODEID. 

• Queues of node identifiers: Denoted by Queue; Specified in 

QUEUE. 

• Arrays of natural numbers: Denoted by Array; Specified in 

ARRAY. 

• Requests: Denoted by Request; Specified in REQUEST. 

• Privileges: Denoted by Privilege; Specified in PRIVILEGE. 

• Messages: Denoted by Message; Specified in MESSAGE. 

• Multisests of messages: Denoted by Network; Specified in 

NETWORK. 

• Labels: Denoted by Label; Specified in LABEL. 

9 

Node Identifiers 

• Specified as follows: 

sort NodeID . 

subsorts NodeID < NzNat . 

op N : -> NzNat . 

op M : -> Nat . 

eq N = 2 . 

eq M = 2 . 

mb 1 : NodeID . 

mb 2 : NodeID . 

• N is the number of nodes involved. 

• M is the number of requests each node makes. 

• We suppose that there two nodes whose identifiers are 1 and 2. 

10

Queues of Node Identifiers 


sort NeQueue Queue . 

subsort NeQueue < Queue . 

op empty : -> Queue . 

op _|_ : NodeID Queue -> NeQueue . 

• The following functions are defined: 

– top(q) returns the top element of a non‐empty queue q. 

– put(q,e) puts an element e into a queue q. 

– get(q) delete the top element of a queue q. 

– e \in q checks if an element e is in a queue q. 

– empty?(q) checks if a queue q is empty. 

11 

Arrays of Natural Numbers 


sort AElm Array . 

subsort AElm < Array . 

op ia : -> Array . 

op _:_ : NodeID Nat -> AElm . 

op _,_ : Array Array -> Array [assoc comm id: 

ia] . 

• ia denotes the array, each of whose contents is 0. 

• i : m denotes an array slot, where i is an index and m is a content. 

• An array is represented as (1 : m 1 ) , … , (N : m N ). 

• The following functions are defined: 

– a[i] returns the content of an array a at the index i. 

– a[i] := m returns the array a’ such that a’[i] = m, and a’[j] = 

a[j] if j ≠ i. 

12

Requests and Privileges 


sort Request . 

op req : NodeID Nat -> Request . 

sort Privilege . 

op priv : Queue Array -> Privilege . 

• req(i,n) denotes a request that contains a node 

identifier i and a sequence number (natural number) n. 

• priv(q,ln) denotes a privilege that contains a queue 

q and an array ln. 

13 

Messages 


sort Message . 

op msg : NodeID Request -> Message . 

op msg : NodeID Privilege -> Message . 

• msg(i,r), where r is a request, denotes a request 

message addressed to node i. 

• msg(i,p), where p is a privilege, denotes a privilege 

message addressed to node i. 

14

Multisets of Messages 


subsort Message < Network . 

op void : -> Network . 

op _ _ : Network Network -> Network 

[assoc comm id: void] . 

• void denotes the empty multiset. 

• A multiset is represented as m 1 … m n , where each m i is a 

message. 

• The network is modeled as a multiset of messages to deal 

with the communication delay. 

15 

Labels 


sort Label . 

ops rem l1 l2 l3 l4 l5 

cs l6 l7 l8 l9 l10 : -> Label . 

• The constants denote the labels rem, l1, l2, l3, l4, l5, 

cs, l6, l7, l8, l9, and l10, respectively. 

16

Specification of S SK (1) 

• The operator corresponding to the observers: 

op numOfReq[_]:_ : NodeID Nat -> Obs . 

op pc[_]:_ : NodeID Label -> Obs . 

op requesting[_]:_ : NodeID Bool -> Obs . 

op havePriv[_]:_ : NodeID Bool -> Obs . 

op rn[_]:_ : NodeID Array -> Obs . 

op ln[_]:_ : NodeID Array -> Obs . 

op queue[_]:_ : NodeID Queue -> Obs . 

op idx[_]:_ : NodeID Nat -> Obs . 

op nw: _ 

: Network -> Obs . 

• The number of requests each node makes is restricted in order to make the 

reachable state space bounded. 

• numOfReq[i]: m is used to record the number m of requests node i 

has made. 

17 


• The rules defining the transitions: 

procedure P1; 

begin 

rl [try] : (numOfReq[I]: X) (pc[I]: rem) 

=> (numOfReq[I]: (if X < M then X + 1 else X fi)) 

(pc[I]: (if X < M then l1 else rem fi)) . 

try : U NodeID → U 


rl [setReq] : (pc[I]: l1) (requesting[I]: F) 

=> (pc[I]: l2) (requesting[I]: true) . 

setReq : U NodeID → U 


begin 

checkPriv : U NodeID → U 

rl [checkPriv] : (pc[I]: l2) (havePriv[I]: F) 

=> (pc[I]: (if F then cs else l3 fi)) (havePriv[I]: F) . 

18


• The rules defining the transitions (cont.): 

rn[i] := rn[i] + 1; 

incReqNo : U NodeID → U 

rl [incRecNo] : (pc[I]: l3) (rn[I]: RN) (idx[I]: X) 

=> (pc[I]: l4) (rn[I]: RN[I] := (RN[I]) + 1) (idx[I]: 1) . 


send request(i,rn[i]) to node j; 

sendReq : U NodeID → U 

rl [sendReq] : (pc[I]: l4) (idx[I]: X) (rn[I]: RN) (nw: NW) 

=> (pc[I]: if X == N then l5 else l4 fi) 

(idx[I]: if X == N then 1 else X + 1 fi) (rn[I]: RN) 

(nw: (if X == I then NW else msg(X,req(I,RN[I])) NW fi)) . 

19 



wait until privilege(queue,ln) is received. 


waitPriv : U NodeID Privilege → U 

rl [waitPriv] : (pc[I]: l5) (havePriv[I]: F) (ln[I]: LN') 

(queue[I]: Q') (nw: (msg(I,priv(Q,LN)) NW)) 

=> (pc[I]: cs) (havePriv[I]: true) (ln[I]: LN) (queue[I]: Q) 

(nw: NW) . 


rl [exit] : (pc[I]: cs) => (pc[I]: l6) . 

exit : U NodeID → U 

ln[i] := rn[i]; 

completeReq : U NodeID → U 

rl [completeReq] : (pc[I]: l6) (rn[I]: RN) (ln[I]: LN) 

(idx[I]: X) 

=> (pc[I]: l7) (rn[I]: RN) (ln[I]: LN[I] := RN[I]) 

(idx[I]: 1) . 

20






updateQueue : U NodeID → U 

rl [updateQueue] : (pc[I]: l7) (idx[I]: X) (rn[I]: RN) 

(ln[I]: LN) (queue[I]: Q) 

=> (pc[I]: if X == N then l8 else l7 fi) 

(idx[I]: if X == N then 1 else X + 1 fi) 

(rn[I]: RN) (ln[I]: LN) 

(queue[I]: if X =/= I and not(X \in Q) and 

(RN[X] == (LN[X]) + 1) then put(Q,X) else Q fi) . 

if queue ≠ empty then 

begin 

checkQueue : U NodeID → U 

rl [checkQueue] : (pc[I]: l8) (queue[I]: Q) 

=> (pc[I]: if empty?(Q) then l10 else l9 fi) (queue[I]: Q) . 

21 




send privilege(get(queue),ln) to node top(queue) 

transferPriv : U NodeID → U 

rl [transferPriv] : (pc[I]: l9) (havePriv[I]: F) (ln[I]: LN) 

(queue[I]: Q) (nw: NW) 

=> (pc[I]: l10) (havePriv[I]: false) (ln[I]: LN) (queue[I]: Q) 

(nw: (msg(top(Q),priv(get(Q),LN)) NW)) . 


end; 

rl [resetReq] : (pc[I]: l10) (requesting[I]: F) 

=> (pc[I]: rem) (requesting[I]: false) . 

resetReq : U NodeID → U 

22



procedure P2; begin 



begin 


send privilege(queue,ln) to node j 

end 

end; 

receiveReq : U NodeID Request → U 

crl [receiveReq] : (requesting[I]: F) (havePriv[I]: F') 

(rn[I]: RN) (ln[I]: LN) (queue[I]: Q) 

(nw: (msg(I,req(J,X)) NW)) 

=> (requesting[I]: F) (havePriv[I]: if C then false else F' fi) 

(rn[I]: RN[J] := Max) (ln[I]: LN) (queue[I]: Q) 

(nw: if C then (msg(J,priv(Q,LN)) NW) else NW fi) 

if I =/= J /\ 

Max := if (RN[J]) < X then X else RN[J] fi /\ 

C := F' and not(F) and Max == (LN[J]) + 1 . 

23 

Model Checking (1) 

• The state predicates defined: 

eq (pc[I]: l5) S |= wait(I) = true . 

eq (pc[I]: cs) S |= crit(I) = true . 

eq (nw: (msg(I,P) NW)) S |= existPriv(I) = true . 

eq (nw: (msg(I,req(J,X)) NW)) S 

|= existReq(I,J) = true . 

eq S |= PR = false [owise] . 

• wait(i) holds if node i is at label l5 where node i waits for receiving a 

privilege message. 

• crit(i) holds if node i is at label cs, namely that node i is in its critical 

section. 

• existsPriv(i) holds if there exists a privilege message addressed to 

node i in the network. 

• existsReq(i,j) holds if there exists a request message addressed to 

node i from node j in the network. 

24


• Properties to be checked: 

eq mutex = [] ~(crit(1) /\ crit(2)) . 

eq lofree = (wait(1) (1) |-> crit(1)) 

/\ (wait(2) |-> crit(2)) . 

eq fairness = (existPriv(1) |-> ~(existPriv(1))) 

/\ (existReq(1,2) |-> ~(existReq(1,2))) 

/\ (existPriv(2) |-> ~(existPriv(2))) 

/\ (existReq(2,1) |-> ~(existReq(2,1))) . 

• mutex expresses the mutual exclusion property. 

• lofree eeexpresses esses the lockout out freedom property. popety 

• fairness expresses the fairness assumption used to check lofree, 

which says that every message in the network will be eventually delivered 

to its destination. 

25 


• The initial state when we suppose that two processes are 

involved: 

eq node(I) = (numOfReq[I]: 0) 

(pc[I]: rem) 

(requesting[I]: false) 

(havePriv[I]: (I == 1)) 

(rn[I]: ia) 

(ln[I]: ia) 

(queue[I]: empty) 

(idx[I]: 1) . 

eq init = node(1) node(2) (nw: void) . 

26


• Checking the mutual exclusion property: 

red in SK-CHECK : 

modelCheck(init,mutex) . 

Maude returns true. 

• Checking the lockout freedom property: 

red in SK-CHECK : 

modelCheck(init,(fairness -> lofree)) . 

Maude returns a counterexample. 

27 

• The counterexample: 

A se quence of transitions lea ding to the loop 


counterexample({nw: void … (pc[1]: rem) (pc[2]: rem) 

(requesting[1]: false) (requesting[2]: false) 

(havePriv[1]: true) (havePriv[2]: false) …,'try} 

{nw: msg(1, req(2, 1)) … (pc[1]: l10) (pc[2]: l5) 

(requesting[1]: true) (requesting[2]: true) 

(havePriv[1]: true) (havePriv[2]: false) …,'receiveReq} 

{nw: void … (pc[1]: l10) (pc[2]: l5) 


(havePriv[1]: true) (havePriv[2]: false) …,'resetReq}, 

{nw: void … (pc[1]: rem) (pc[2]: l5) 

(requesting[1]: false) (requesting[2]: true) 

(havePriv[1]: true) (havePriv[2]: false) …,'try} ) 

Node 1 will never transfer the privilege to node 2 because node 1 receives the 

request message at l10 in the final (2 nd ) call of procedure P1. 

28


• A possible modification is that each node does not receive any 

request messages when it is at label l10. 

• The rule receiveReq is modified d as follows: 

crl [receiveReq] : (pc[I]: L) (requesting[I]: F) 

(havePriv[I]: F') (rn[I]: RN) (ln[I]: LN) (queue[I]: Q) 


=> (pc[I]: L) (requesting[I]: F) 

(havePriv[I]: if C then false else F' fi) 



if I =/= J /\ L =/= l10 /\ 



• Maude still returns a counterexample for the lockout freedom 

property. 

29 

A sequence of transitions 

le eading to 


counterexample( 




(havePriv[1]: true) (havePriv[2]: false) …,'receiveReq} 

{nw: void … (pc[1]: l8) (pc[2]: l5) 


(havePriv[1]: true) (havePriv[2]: false) …,'checkQueue} 

the loop 

{nw: void … (pc[1]: rem) (pc[2]: l5) 

(requesting[1]: false) (requesting[2]: true) 

(havePriv[1]: true) (havePriv[2]: false) …,'try}) 

What is wrong is that node 1 receives the request message at l8 in the final (2 nd ) 

call of procedure P1. 

30



request messages either when it is at label l8. 









if I =/= J /\ L =/= l10 /\ L =/= l8 /\ 



• Maude still returns a counterexample for the lockout freedom 

property. 

31 

A sequence of transitions 

le eading to 


counterexample( 




(havePriv[1]: false) (havePriv[2]: true) …,'receiveReq} 

{nw: void … (pc[1]: l5) (pc[2]: l7) 


(havePriv[1]: false) (havePriv[2]: true) …,'updateQueue} 

the loop 

{nw: void … (pc[1]: l5) (pc[2]: rem) 

(requesting[1]: true) (requesting[2]: false) 

(havePriv[1]: false) (havePriv[2]: true …,'try}) 

What is wrong is that node 2 receives the request message at l7 in the final (2 nd ) 

call of procedure P1. 

32



request messages either when it is at label l7. 









if I =/= J /\ L =/= l10 /\ L =/= l8 /\ L =/= l7 /\ 



• Maude returns true for the lockout freedom property. 

33

lectureNote8

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?