CS195Y Lecture 27

04/12/2017

---

Model Checking (4)

Can use graph vis to ask your shell to visualise a graph of your process for you. We'll provide you with the code for this.
You also get init which tells you the initialisation process.
You get a graph for each ltl propoerty you create.

If we write down always X100 or eventually x101 in spin, these always have to be true.

What about always eventually x102?

No matter which branch of the process you take, each trace will always eventually satisfy x101.

Difference between eventually and always eventually: eventually just says that at some point, all branches must lead to the variable. Once the variable has been reached, it doesn't ever need to be reached again. always eventually means that this variable must always remain something that will be reached or is reached.

eventually always means that at some point, inevitably, your trace will reach the variable and it will never stop being true.

How would we translate eventually to Alloy?
For the transitive closure of all starting states, eventually x101 is true.

Anderson's Queue Lock Algorithm in Spin

What is a flaw of Peterson's locking algorithm?

• Peterson only works for two
• If there were more than two processes, not every one might be able to access equitably
• Peterson isn't going to make someone wait forever, but it doesn't prevent one person from going twice as much as another

What is the most fair way to handle this?
In real life, we usually deal with hand-raises on a first-come-first-serve basis.

So, we will be talking about a first-come-first-serve locking algorithm with no starvation.

We will make a get-and-increment operation. This will take a variable, get its current value, and increment it. This operation will guarantee that no one else can access it.

Presume we have three people:

A  myslot:[0]
B  myslot:[0]
C  myslot:[0]

Each of them will have a number they can take.

Globally, there will be a next: [0] variable.
We will also have an array of flags: [T][F][F]

The idea is that the flags array can become a circular queue. We can use next mod to determine which person gets to go next. E.g. when we use next % 3 for three people: if next is 101, person with myslot:[2] can go, if next is 102, person with myslot:[0] can go.

Start with two processes to make sure it works.
Always make sure there is only one proess in the critical section.

Set your own flag to False before you enter critical section.
The next flag needs to be set to True such that the next process can go.

What happens when we run?
We get errors: 0! That means mutual exclusion holds true.

Spin handles overflow so the int goes from 255 to 0.
What about when we switch to three processes?
It hangs! Why is this? Because 255 mod 3 is not the same thing as 0 mod 3.