Doveryai, no Proveryai
Introduction to TLA+
Sandeep Joshi
11 Nov, 2017, Pune
https://expert-talks.in 1
Doveryai, no Proveryai
A Russian proverb which means “Trust,
but verify”.
Popular during the Cold War when the
US and Soviet Union were signing
nuclear disarmament accords.
2
Talk overview
1. Problem definition
2. What is TLA+, PlusCal, TLC...
3. Example 1 : Childcare facility
4. Example 2 : Dining Philosophers
5. Example 3 : Alternating Bit Protocol
6. Concluding observations
Code : https://github.com/sanjosh/tlaplus
Slides: https://www.slideshare.net/SandeepJoshi55/
3
Hard to prove correctness in a distributed system
In a distributed system, how do you prove
1. Safety : Something bad will never happen
2. Liveness : Something good will eventually happen
When you have
1. Multiple agents/actors, each with its own state machine (FSM)
2. Non-determinism, which leads to arbitrarily interleaved execution
3. Failures and restarts
4
Microsoft .NET remote authentication FSMs https://msdn.microsoft.com/en-us/library/ms973909.aspx
Can you verify whether this 2-process FSM (.NET) is correct?
5
Or whether this 2-process FSM (for TCP) is correct?
https://thewalnut.io/app/release/73/
6
CHESS : Systematic testing of concurrent programs http://slideplayer.com/slide/13582/
Interleaved execution causes ...
7
How to reason about time in a distributed system
Required :
1. A formal theory
2. A language to express the problem
3. A tool to verify
8
How to reason about time in a distributed system
Required :
1. A formal theory : Temporal Logic
2. A language to express the problem : TLA+ and others.
3. A tool to verify : TLC and other model checkers
9
Temporal logic simplified
In programs, we write formulae using Boolean operators (AND, OR, NOT).
“Assert (a > 0 AND b < 0)”
Temporal logic provides you with temporal operators which hold over one or
more paths of execution (called “Path quantifiers”).
1. I will like chocolate from now on.
2. After weather becomes cold, at some point, I will start eating chocolate.
https://en.wikipedia.org/wiki/Computation_tree_logic#Examples
10
What is TLA+
● Language created by Leslie Lamport to express temporal logic.
● PlusCal is a simpler variant of TLA+ (This talk uses PlusCal).
● TLC is the “model checker” - the compiler which verifies if your PlusCal
program is correct.
● It has a GUI called the Toolbox. In this talk, only the command-line tool is used.
11
How to get started with TLA+
● Read general background on model checkers
● Download the TLA toolbox (GUI + java jar file)
● Read the PlusCal manual and Lamport’s tutorial “Specifying systems”
● Read sample PlusCal programs written by others
● Start with a small problem and try writing your own program
● Run it...
$ java pcal.trans myspec.tla
$ java tlc2.TLC myspec.tla
12
Childcare facility problem
Children and adults continuously enter and exit a childcare facility.
Ensure that there is always one adult present for every three children.
[ from The Little Book of Semaphores by Allen Downey ]
13
Childcare constraints
An adult can enter at any time, but may exit ONLY if
1. Three times the NEW number of adults is at least the number of children
A child can exit at any time, but may enter ONLY if
1. Three times the number of adults is at least the NEW number of children
14
Childcare - create child & parent process
Define a PlusCal “process” for each actor in your system
--algorithm childcare {
  process (a \in 1..ADULTS) { ... }
  process (c \in 1..CHILDREN) { ... }
}
15
Childcare - “labels” denote Atomic actions
Use one PlusCal label for each atomic action of Child.
Child performs two actions : enter and exit the childcare facility.
process (c \in 1..CHILDREN) {
  c_enter: number_children := number_children + 1;
  c_exit : number_children := number_children - 1;
}
16
What are PlusCal Labels
All statements within a label are executed atomically by TLC.
TLC internally interleaves the execution of many processes in order
to verify correctness.
Example labels from two processes (Child 1 and Adult 2), which TLC may interleave in any order:
LabelA : Y := X + 1
Label1 : X := Y + 1
Label2 : X := Y - 1
17
Childcare - use “await” to wait for a condition
Every child waits until a sufficient number of adults are present inside
c_enter : await (number_adults * 3 >= number_children + 1);
          number_children := number_children + 1;
c_exit  : number_children := number_children - 1;
          assert (number_adults * 3 >= number_children);
18
Childcare - specify adult process
Follow the same steps to define the adult process, using process, label and await
process (a \in 1..ADULTS) {
  a_enter: number_adults := number_adults + 1;
  a_exit : await (number_adults * 3 >= number_children);   \* checks the OLD value: wrong
           number_adults := number_adults - 1;
           assert (number_adults * 3 >= number_children);
}
19
TLC (model checker) failure output
At this point the assert fires, because an adult exited under an
incorrect “await” condition.
20
Childcare - correct the condition
Change the await condition to check the new value instead of the old one
process (a \in 1..ADULTS) {
  a_enter: number_adults := number_adults + 1;
  a_exit : await ((number_adults - 1) * 3 >= number_children);
           number_adults := number_adults - 1;
}
21
Childcare - complete spec
22
TLC (model checker) output on success
23
Dining Philosophers Problem
Each philosopher keeps doing the following
1. Think
2. Take right fork
3. Take left fork
4. Eat
5. Put down both forks
24
Dining Philosophers with PlusCal
Define five philosopher instances; step through three labels (atomic actions)
process (ph \in 1..5) {
  Wait_first_fork : await (forks[right] = FALSE);
                    forks[right] := TRUE;
}
25
Dining Philosophers with PlusCal
Define five philosopher instances; step through three labels (atomic actions)
process (ph \in 1..5) {
  Wait_first_fork : await (forks[right] = FALSE);
                    forks[right] := TRUE;
  Wait_second_fork: await (forks[left] = FALSE);
                    forks[left] := TRUE;
}
26
Dining Philosophers with PlusCal
Define five philosopher instances; step through three labels (atomic actions)
process (ph \in 1..5) {
  Wait_first_fork : await (forks[right] = FALSE);
                    forks[right] := TRUE;
  Wait_second_fork: await (forks[left] = FALSE);
                    forks[left] := TRUE;
  Done_eating     : forks[left] := FALSE || forks[right] := FALSE;   \* release both atomically
}
27
Dining Philosophers - complete spec
28
Dining Philosophers - deadlock !
29
Dining Philosophers - deadlock !
All five philosophers are waiting for their second fork!
30
Dining Philosophers - Introduce asymmetry
To resolve the deadlock, the third philosopher picks up the left fork first.
process (ph \in 1..5) {
  Swap_forks      : if (self = 3) { right := left || left := right; }
  Wait_first_fork : await (forks[right] = FALSE); forks[right] := TRUE;
  Wait_second_fork: await (forks[left] = FALSE);  forks[left] := TRUE;
  Done_eating     : forks[left] := FALSE || forks[right] := FALSE;
}
31
Dining Philosophers - complete spec
32
Dining Philosophers - no deadlock !
33
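The checks TLC performs in the childcare example (slides 18-21: the old-value await fires the assert, the new-value await passes) and in the dining philosophers example (slides 29-33: the symmetric version deadlocks, the asymmetric one does not), as an added Python example that is not the talk's PlusCal/TLC code. It assumes ADULTS = 1, CHILDREN = 3, and that philosopher i+1 has fork i on its right and fork (i+1) mod 5 on its left; `model_check`, `childcare_successors` and `philosophers_successors` are names introduced here.

```python
# Added example: a tiny TLC-style explicit-state model checker. It enumerates
# every interleaving of the processes' labelled atomic steps, checks an
# invariant in each reachable state and reports deadlocks with an error trace.
from collections import deque

def replace_at(tup, idx, value):
    """Return a copy of tuple `tup` with position `idx` set to `value`."""
    return tup[:idx] + (value,) + tup[idx + 1:]

def trace_to(parent, state):
    """Rebuild the label sequence that led from the initial state to `state`."""
    labels = []
    while parent[state][0] is not None:
        state, label = parent[state]
        labels.append(label)
    return labels[::-1]

def model_check(init, successors, invariant=lambda s: True):
    """Breadth-first exploration of all reachable states, as TLC does.
    successors(state) -> [(label, next_state), ...] for every enabled action.
    Stops at the first invariant violation or deadlock (no enabled action)."""
    parent = {init: (None, None)}            # state -> (previous state, label)
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if not invariant(state):
            return {"states": len(parent), "violation": state, "deadlock": None,
                    "trace": trace_to(parent, state)}
        nxt = successors(state)
        if not nxt:
            return {"states": len(parent), "violation": None, "deadlock": state,
                    "trace": trace_to(parent, state)}
        for label, s2 in nxt:
            if s2 not in parent:
                parent[s2] = (state, label)
                queue.append(s2)
    return {"states": len(parent), "violation": None, "deadlock": None, "trace": []}

# Example 1: childcare. State = (adult pcs, child pcs, number_adults, number_children).
ADULTS, CHILDREN = 1, 3                      # constructed model sizes (assumption)

def childcare_init():
    return (("a_enter",) * ADULTS, ("c_enter",) * CHILDREN, 0, 0)

def childcare_invariant(state):
    return state[2] * 3 >= state[3]          # one adult for every three children

def childcare_successors(fixed_await):
    """Adult and child labels. `fixed_await` selects the corrected a_exit await,
    which checks the NEW number of adults instead of the old one."""
    def step(state):
        apc, cpc, adults, children = state
        out = []
        for i, pc in enumerate(apc):
            if pc == "a_enter":
                out.append((f"a_enter[{i + 1}]", (replace_at(apc, i, "a_exit"), cpc, adults + 1, children)))
            else:
                guard = (adults - 1) * 3 >= children if fixed_await else adults * 3 >= children
                if guard:
                    out.append((f"a_exit[{i + 1}]", (replace_at(apc, i, "a_enter"), cpc, adults - 1, children)))
        for j, pc in enumerate(cpc):
            if pc == "c_enter":
                if adults * 3 >= children + 1:       # the child's await
                    out.append((f"c_enter[{j + 1}]", (apc, replace_at(cpc, j, "c_exit"), adults, children + 1)))
            else:
                out.append((f"c_exit[{j + 1}]", (apc, replace_at(cpc, j, "c_enter"), adults, children - 1)))
        return out
    return step

# Example 2: dining philosophers. State = (philosopher pcs, forks); forks[k] is True when held.
N = 5

def philosophers_init():
    return (("Wait_first_fork",) * N, (False,) * N)

def philosophers_successors(asymmetric):
    """`asymmetric`: philosopher 3 picks up its left fork first (slide 31).
    Assumed numbering: forks 0..4; philosopher i+1 has fork i on its right, fork (i+1) mod 5 on its left."""
    def step(state):
        pcs, forks = state
        out = []
        for i, pc in enumerate(pcs):
            ph, right, left = i + 1, i, (i + 1) % N
            if asymmetric and ph == 3:
                right, left = left, right            # swap(right, left)
            if pc == "Wait_first_fork" and not forks[right]:
                out.append((f"ph{ph}.Wait_first_fork", (replace_at(pcs, i, "Wait_second_fork"), replace_at(forks, right, True))))
            elif pc == "Wait_second_fork" and not forks[left]:
                out.append((f"ph{ph}.Wait_second_fork", (replace_at(pcs, i, "Done_eating"), replace_at(forks, left, True))))
            elif pc == "Done_eating":                # put down both forks atomically
                freed = replace_at(replace_at(forks, left, False), right, False)
                out.append((f"ph{ph}.Done_eating", (replace_at(pcs, i, "Wait_first_fork"), freed)))
        return out
    return step

if __name__ == "__main__":
    print(model_check(childcare_init(), childcare_successors(False), childcare_invariant))
    print(model_check(childcare_init(), childcare_successors(True), childcare_invariant))
    print(model_check(philosophers_init(), philosophers_successors(False)))
    print(model_check(philosophers_init(), philosophers_successors(True)))
```

The trace returned for the failing runs is the label sequence TLC would print as its error trace: for the childcare bug it ends with an a_exit step, and for the symmetric philosophers it ends in the state where all five hold one fork.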
Alternate bit protocol over lossy channel
34
[Figure: Sender and Receiver connected by a message channel and an ack channel; both channels are lossy]
https://en.wikipedia.org/wiki/Alternating_bit_protocol
Discussed in Lamport’s book “Specifying Systems”.
Alternate bit protocol - define channel
Use the “Sequences” module to define the communication channels.
Declare the channels as sequences:
variables msgChan = <<>>, ackChan = <<>>;
Append to a channel:
msgChan := Append(msgChan, m);
Read the first element with Head(msgChan); Tail(msgChan) is the channel with that element removed.
35
Alternate bit protocol - sender and receiver process
Define one process each for Sender and Receiver
process (Sender = "S") {
  send message
  OR
  receive ack
}
process (Receiver = "R") {
  receive message
  OR
  send ack
}
36
Alternate bit protocol - sender and receiver process
Define one process each for Sender and Receiver
process (Sender = "S") {
  either {
    msgChan := Append(msgChan, input);   \* input: the data item together with the sender's bit
  } or {
    Recv(ack, ackChan);                  \* Recv: macro assumed to be defined in the spec; reads and pops the channel
  };
}
process (Receiver = "R") {
  either {
    ackChan := Append(ackChan, rbit);    \* acknowledge with the receiver's current bit
  } or {
    Recv(msg, msgChan);
  };
}
37
PlusCal - Either Or
“Either-or” is an important feature of the PlusCal language (and of TLA+).
It lets you model non-determinism:
TLC (the model checker) will explore both options when checking.
either { do this }
or { do that };
38
Alternate Bit protocol - simulate lossy channel
To simulate a lossy channel, add another process that non-deterministically deletes
messages (TLC then explores every possible loss).
process (LoseMsg = "L") {
  non-deterministically delete a message from either channel
}
39
Alternate Bit protocol - simulate lossy channel
To simulate a lossy channel, add another process that non-deterministically deletes
messages (TLC then explores every possible loss).
process (LoseMsg = "L") {
  while (TRUE) {
    either with (i \in 1..Len(msgChan)) {    \* blocks while msgChan is empty
      msgChan := Remove(i, msgChan);         \* Remove(i, seq): drop element i (assumed to be defined in the spec)
    } or with (i \in 1..Len(ackChan)) {
      ackChan := Remove(i, ackChan);
    };
  }
}
40
PlusCal constructs introduced
1. Algorithm : A problem that you want to model.
2. Process : An actor/thread of execution within the algorithm.
3. Labels : All statements inside a label are atomically executed.
4. Await : only execute after condition becomes true
5. Either-Or : non-deterministic execution of alternatives
6. With : Non-deterministically choose one element out of a Set.
41
Notable users of TLA+
1. Intel CPU cache coherence protocol [Brannon Batson]
2. Microsoft CosmosDB
3. Amazon : S3, DynamoDB, EBS, Distributed Lock manager [Chris
Newcombe]
Newcombe (Amazon) has released two of their TLA+ specs
(see my GitHub for a copy).
None of the others are publicly available.
42
Conclusion
1. TLC can find bugs.
2. Complex programs can take hours to run (TLC also has “simulation” mode
which does random verification)
Learning curve
1. Formulation : Lack of sample programs, but the Google group is helpful.
2. Debugging : Check the error trace; add prints!
3. Mastery of TLA+ requires some mathematics (i.e. set theory).
4. [Newcombe, Experience of Software Engineers using TLA+]
http://tla2012.loria.fr/contributed/newcombe-slides.pdf
43
Questions
Code : https://github.com/sanjosh/tlaplus (README has
references)
Slides: https://www.slideshare.net/SandeepJoshi55/
44
TLA+ operators
1. <> P : at least one execution path has P true
2. [] P : P is eventually true
3. Q ~> P : If Q becomes true, P will be true
4. <>[] P : at some point P becomes true and stays true
45
Other model checkers besides TLA+
46
https://en.wikipedia.org/wiki/List_of_model_checking_tools

Contenu connexe

Tendances

Ch6 CPU Scheduling galvin
Ch6 CPU Scheduling galvinCh6 CPU Scheduling galvin
Ch6 CPU Scheduling galvinShubham Singh
 
operating system question bank
operating system question bankoperating system question bank
operating system question bankrajatdeep kaur
 
Transaction slide
Transaction slideTransaction slide
Transaction slideshawon roy
 
Producer consumer
Producer consumerProducer consumer
Producer consumerMohd Tousif
 
Data structures and algorithms short note (version 14).pd
Data structures and algorithms short note (version 14).pdData structures and algorithms short note (version 14).pd
Data structures and algorithms short note (version 14).pdNimmi Weeraddana
 
Transactions (Distributed computing)
Transactions (Distributed computing)Transactions (Distributed computing)
Transactions (Distributed computing)Sri Prasanna
 
Artificial Intelligence (November – 2018) [Choice Based | Question Paper]
Artificial Intelligence (November – 2018) [Choice Based | Question Paper]Artificial Intelligence (November – 2018) [Choice Based | Question Paper]
Artificial Intelligence (November – 2018) [Choice Based | Question Paper]Mumbai B.Sc.IT Study
 
Buffer management --database buffering
Buffer management --database buffering Buffer management --database buffering
Buffer management --database buffering julia121214
 
Binary search trees
Binary search treesBinary search trees
Binary search treesDwight Sabio
 
Methods for handling deadlocks
Methods for handling deadlocksMethods for handling deadlocks
Methods for handling deadlocksA. S. M. Shafi
 
Multiversion Concurrency Control Techniques
Multiversion Concurrency Control TechniquesMultiversion Concurrency Control Techniques
Multiversion Concurrency Control TechniquesRaj vardhan
 
Operating system concepts ninth edition (2012), chapter 2 solution e1
Operating system concepts ninth edition (2012), chapter 2 solution e1Operating system concepts ninth edition (2012), chapter 2 solution e1
Operating system concepts ninth edition (2012), chapter 2 solution e1Navid Daneshvaran
 

Tendances (20)

Monitors
MonitorsMonitors
Monitors
 
Ch6 CPU Scheduling galvin
Ch6 CPU Scheduling galvinCh6 CPU Scheduling galvin
Ch6 CPU Scheduling galvin
 
operating system question bank
operating system question bankoperating system question bank
operating system question bank
 
Transaction slide
Transaction slideTransaction slide
Transaction slide
 
Operating system - Deadlock
Operating system - DeadlockOperating system - Deadlock
Operating system - Deadlock
 
Producer consumer
Producer consumerProducer consumer
Producer consumer
 
Data structures and algorithms short note (version 14).pd
Data structures and algorithms short note (version 14).pdData structures and algorithms short note (version 14).pd
Data structures and algorithms short note (version 14).pd
 
concurrency-control
concurrency-controlconcurrency-control
concurrency-control
 
Transactions (Distributed computing)
Transactions (Distributed computing)Transactions (Distributed computing)
Transactions (Distributed computing)
 
Computer Organization and Architecture.pdf
Computer Organization and Architecture.pdfComputer Organization and Architecture.pdf
Computer Organization and Architecture.pdf
 
Google File System
Google File SystemGoogle File System
Google File System
 
Artificial Intelligence (November – 2018) [Choice Based | Question Paper]
Artificial Intelligence (November – 2018) [Choice Based | Question Paper]Artificial Intelligence (November – 2018) [Choice Based | Question Paper]
Artificial Intelligence (November – 2018) [Choice Based | Question Paper]
 
Dining philosopher
Dining philosopherDining philosopher
Dining philosopher
 
Buffer management --database buffering
Buffer management --database buffering Buffer management --database buffering
Buffer management --database buffering
 
Binary search trees
Binary search treesBinary search trees
Binary search trees
 
Expression trees
Expression treesExpression trees
Expression trees
 
OS-Part-06.pdf
OS-Part-06.pdfOS-Part-06.pdf
OS-Part-06.pdf
 
Methods for handling deadlocks
Methods for handling deadlocksMethods for handling deadlocks
Methods for handling deadlocks
 
Multiversion Concurrency Control Techniques
Multiversion Concurrency Control TechniquesMultiversion Concurrency Control Techniques
Multiversion Concurrency Control Techniques
 
Operating system concepts ninth edition (2012), chapter 2 solution e1
Operating system concepts ninth edition (2012), chapter 2 solution e1Operating system concepts ninth edition (2012), chapter 2 solution e1
Operating system concepts ninth edition (2012), chapter 2 solution e1
 

Similaire à Doveryai, no proveryai - Introduction to tla+

Interprocess Communication
Interprocess CommunicationInterprocess Communication
Interprocess CommunicationDilum Bandara
 
Process Synchronization -1.ppt
Process Synchronization -1.pptProcess Synchronization -1.ppt
Process Synchronization -1.pptjayverma27
 
UNIT III Process Synchronization.docx
UNIT III Process Synchronization.docxUNIT III Process Synchronization.docx
UNIT III Process Synchronization.docxkarthikaparthasarath
 
Python - Control Structures
Python - Control StructuresPython - Control Structures
Python - Control StructuresLasithNiro
 
Concurrent programming with RTOS
Concurrent programming with RTOSConcurrent programming with RTOS
Concurrent programming with RTOSSirin Software
 
Mastering Python lesson 3a
Mastering Python lesson 3aMastering Python lesson 3a
Mastering Python lesson 3aRuth Marvin
 
Exception+Logging=Diagnostics 2011
Exception+Logging=Diagnostics 2011Exception+Logging=Diagnostics 2011
Exception+Logging=Diagnostics 2011Paulo Gaspar
 
Control structures ii
Control structures ii Control structures ii
Control structures ii Ahmad Idrees
 
Chapter 6 - Process Synchronization
Chapter 6 - Process SynchronizationChapter 6 - Process Synchronization
Chapter 6 - Process SynchronizationWayne Jones Jnr
 
Unit 2-data types,Variables,Operators,Conitionals,loops and arrays
Unit 2-data types,Variables,Operators,Conitionals,loops and arraysUnit 2-data types,Variables,Operators,Conitionals,loops and arrays
Unit 2-data types,Variables,Operators,Conitionals,loops and arraysDevaKumari Vijay
 
Exception handling and templates
Exception handling and templatesException handling and templates
Exception handling and templatesfarhan amjad
 
the halting_problem
the halting_problemthe halting_problem
the halting_problemRajendran
 
White boxvsblackbox
White boxvsblackboxWhite boxvsblackbox
White boxvsblackboxsanerjjd
 
lab-8 (1).pptx
lab-8 (1).pptxlab-8 (1).pptx
lab-8 (1).pptxShimoFcis
 
Algorithm and flowchart with pseudo code
Algorithm and flowchart with pseudo codeAlgorithm and flowchart with pseudo code
Algorithm and flowchart with pseudo codehamza javed
 

Similaire à Doveryai, no proveryai - Introduction to tla+ (20)

Interprocess Communication
Interprocess CommunicationInterprocess Communication
Interprocess Communication
 
Process Synchronization -1.ppt
Process Synchronization -1.pptProcess Synchronization -1.ppt
Process Synchronization -1.ppt
 
Os unit 3
Os unit 3Os unit 3
Os unit 3
 
UNIT III Process Synchronization.docx
UNIT III Process Synchronization.docxUNIT III Process Synchronization.docx
UNIT III Process Synchronization.docx
 
Algorithms
AlgorithmsAlgorithms
Algorithms
 
Loops and iteration.docx
Loops and iteration.docxLoops and iteration.docx
Loops and iteration.docx
 
Python - Control Structures
Python - Control StructuresPython - Control Structures
Python - Control Structures
 
Concurrent programming with RTOS
Concurrent programming with RTOSConcurrent programming with RTOS
Concurrent programming with RTOS
 
Mastering Python lesson 3a
Mastering Python lesson 3aMastering Python lesson 3a
Mastering Python lesson 3a
 
M C6java6
M C6java6M C6java6
M C6java6
 
02 - Prepcode
02 - Prepcode02 - Prepcode
02 - Prepcode
 
Exception+Logging=Diagnostics 2011
Exception+Logging=Diagnostics 2011Exception+Logging=Diagnostics 2011
Exception+Logging=Diagnostics 2011
 
Control structures ii
Control structures ii Control structures ii
Control structures ii
 
Chapter 6 - Process Synchronization
Chapter 6 - Process SynchronizationChapter 6 - Process Synchronization
Chapter 6 - Process Synchronization
 
Unit 2-data types,Variables,Operators,Conitionals,loops and arrays
Unit 2-data types,Variables,Operators,Conitionals,loops and arraysUnit 2-data types,Variables,Operators,Conitionals,loops and arrays
Unit 2-data types,Variables,Operators,Conitionals,loops and arrays
 
Exception handling and templates
Exception handling and templatesException handling and templates
Exception handling and templates
 
the halting_problem
the halting_problemthe halting_problem
the halting_problem
 
White boxvsblackbox
White boxvsblackboxWhite boxvsblackbox
White boxvsblackbox
 
lab-8 (1).pptx
lab-8 (1).pptxlab-8 (1).pptx
lab-8 (1).pptx
 
Algorithm and flowchart with pseudo code
Algorithm and flowchart with pseudo codeAlgorithm and flowchart with pseudo code
Algorithm and flowchart with pseudo code
 

Plus de Sandeep Joshi

Synthetic data generation
Synthetic data generationSynthetic data generation
Synthetic data generationSandeep Joshi
 
How to build a feedback loop in software
How to build a feedback loop in softwareHow to build a feedback loop in software
How to build a feedback loop in softwareSandeep Joshi
 
Programming workshop
Programming workshopProgramming workshop
Programming workshopSandeep Joshi
 
Hash function landscape
Hash function landscapeHash function landscape
Hash function landscapeSandeep Joshi
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 
Apache spark undocumented extensions
Apache spark undocumented extensionsApache spark undocumented extensions
Apache spark undocumented extensionsSandeep Joshi
 
Rate limiters in big data systems
Rate limiters in big data systemsRate limiters in big data systems
Rate limiters in big data systemsSandeep Joshi
 
Virtualization overheads
Virtualization overheadsVirtualization overheads
Virtualization overheadsSandeep Joshi
 
Data streaming algorithms
Data streaming algorithmsData streaming algorithms
Data streaming algorithmsSandeep Joshi
 

Plus de Sandeep Joshi (11)

Block ciphers
Block ciphersBlock ciphers
Block ciphers
 
Synthetic data generation
Synthetic data generationSynthetic data generation
Synthetic data generation
 
How to build a feedback loop in software
How to build a feedback loop in softwareHow to build a feedback loop in software
How to build a feedback loop in software
 
Programming workshop
Programming workshopProgramming workshop
Programming workshop
 
Hash function landscape
Hash function landscapeHash function landscape
Hash function landscape
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
 
Apache spark undocumented extensions
Apache spark undocumented extensionsApache spark undocumented extensions
Apache spark undocumented extensions
 
Lockless
LocklessLockless
Lockless
 
Rate limiters in big data systems
Rate limiters in big data systemsRate limiters in big data systems
Rate limiters in big data systems
 
Virtualization overheads
Virtualization overheadsVirtualization overheads
Virtualization overheads
 
Data streaming algorithms
Data streaming algorithmsData streaming algorithms
Data streaming algorithms
 

Dernier

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 

Dernier (20)

Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 

Doveryai, no proveryai - Introduction to tla+

  • 1. Doveryai, no Proveryai Introduction to TLA+ Sandeep Joshi 11 Nov, 2017, Pune https://expert-talks.in 1
  • 2. Doveryai, no Proveryai A Russian proverb which means “Trust, but verify”. Popular during the Cold War when the US and Soviet Union were signing nuclear disarmament accords. 2
  • 3. Talk overview 1. Problem definition 2. What is TLA+, PlusCal, TLC... 3. Example 1 : Childcare facility 4. Example 2 : Dining Philosophers 5. Example 3 : Alternating Bit Protocol 6. Concluding observations Code : https://github.com/sanjosh/tlaplus Slides: https://www.slideshare.net/SandeepJoshi55/ 3
  • 4. Hard to prove correctness in a distributed system In a distributed system, how do you prove 1. Safety : Something bad will never happen 2. Liveness : Something good will eventually happen When you have 1. Multiple agents/actors, each with their state machine(FSM) 2. Non-determinism which leads to Arbitrary Interleaved execution 3. Failures and restarts 4
  • 5. Microsoft .NET remote authentication FSMs https://msdn.microsoft.com/en-us/library/ms973909.aspx Verify if this 2-process FSM (.NET) is correct.. ? 5
  • 6. Or this 2-process FSM (for TCP) is correct ? https://thewalnut.io/app/release/73/ 6
  • 7. CHESS : Systematic testing of concurrent programs http://slideplayer.com/slide/13582/ Interleaved execution causes ... 7
  • 8. How to reason about time in a distributed system Required : 1. A formal theory 2. A language to express the problem 3. A tool to verify 8
  • 9. How to reason about time in a distributed system Required : 1. A formal theory : Temporal Logic 2. A language to express the problem : TLA+ and others. 3. A tool to verify : TLC and other model checkers 9
  • 10. Temporal logic simplified In programs, we write formulae using Boolean operators (AND, OR, NOT). “Assert (a > 0 AND b < 0)” Temporal logic provides you with temporal operators which hold over one or more paths of execution (called “Path quantifiers”). 1. I will like chocolate from now on. 2. After weather becomes cold, at some point, I will start eating chocolate. https://en.wikipedia.org/wiki/Computation_tree_logic#Examples 10
  • 11. What is TLA+ ● Language created by Leslie Lamport to express temporal logic. ● PlusCal is a simpler variant of TLA+ (this talk uses PlusCal). ● TLC is the “model checker” - the tool which verifies whether your PlusCal program is correct. ● It has a GUI called Toolbox. In this talk, only the command line tool is used. 11
  • 12. How to get started with TLA+ ● Read general background on model checkers ● Download the TLA toolbox (GUI + java jar file) ● Read the PlusCal manual and Lamport’s tutorial “Specifying Systems” ● Read sample PlusCal programs written by others ● Start with a small problem and try writing your own program ● Run it... 12
        $ java pcal.trans myspec.tla
        $ java tlc2.TLC myspec.tla
  • 13. Childcare facility problem Children and adults continuously enter and exit a childcare facility. Ensure that there is always one adult present for every three children. [ from The Little Book of Semaphores by Allen Downey ] 13
  • 14. Childcare constraints An adult can enter anytime, but exit ONLY if 1. three times the NEW number of adults is at least the number of children. A child can exit anytime, but enter ONLY if 1. three times the number of adults is at least the NEW number of children. 14
  • 15. Childcare - create child & parent process Define a PlusCal “process” for each actor in your system 15
        -- algorithm childcare {
            Process (a in 1..ADULTS) { ... }
            Process (c in 1..CHILDREN) { ... }
        }
  • 16. Childcare - “labels” denote Atomic actions Use one PlusCal label for each atomic action of Child. Child performs two actions : enter and exit the childcare facility. 16
        Process {
            c_enter: number_children = number_children + 1
            c_exit : number_children = number_children - 1
        }
  • 17. What are PlusCal Labels All statements within a label are atomically executed by TLC. TLC internally interleaves the execution of many processes in order to verify correctness. (Figure: process Child 1 runs LabelA : Y = X + 1; process Adult 2 runs Label1 : X = Y + 1 and Label2 : X = Y - 1) 17
  • 18. Childcare - use “await” to wait for a condition Every Child will wait until there is a sufficient number of adults present inside 18
        c_enter : Await (number_adults * 3 >= number_children + 1)
                  number_children = number_children + 1
        c_exit  : number_children = number_children - 1
                  Assert (number_adults * 3 >= number_children)
  • 19. Childcare - specify adult process Follow the same steps to define the adult process - using process, label, await 19
        Process {
            a_enter: number_adults = number_adults + 1
            a_exit : Await (number_adults * 3 >= number_children)
                     number_adults = number_adults - 1
                     Assert (number_adults * 3 >= number_children)
        }
  • 20. TLC (model checker) Failure output At this point, assert fires since adult exited due to incorrect “await” condition 20
  • 21. Childcare - correct the condition Change the await condition to check the new value instead of the old one 21
        Process {
            a_enter: number_adults = number_adults + 1
            a_exit : Await ((number_adults - 1) * 3 >= number_children)
                     number_adults = number_adults - 1
        }
  • 23. TLC (model checker) output on success 23
  • 24. Dining Philosophers Problem Each philosopher keeps doing the following 1. Think 2. Take right fork 3. Take left fork 4. Eat 5. Put down both forks 24
  • 25. Dining Philosophers with PlusCal Define five philosopher instances; Step through three labels (atomic actions) 25
        Process (ph in 1..5) {
            Wait_first_fork : await (forks[right] = FALSE); forks[right] = TRUE;
        }
  • 26. Dining Philosophers with PlusCal Define five philosopher instances; Step through three labels (atomic actions) 26
        Process (ph in 1..5) {
            Wait_first_fork : await (forks[right] = FALSE); forks[right] = TRUE;
            Wait_second_fork: await (forks[left] = FALSE); forks[left] = TRUE;
        }
  • 27. Dining Philosophers with PlusCal Define five philosopher instances; Step through three labels (atomic actions) 27
        Process (ph in 1..5) {
            Wait_first_fork : await (forks[right] = FALSE); forks[right] = TRUE;
            Wait_second_fork: await (forks[left] = FALSE); forks[left] = TRUE;
            Done_eating : forks[left] = forks[right] = FALSE;
        }
  • 28. Dining Philosophers - complete spec 28
  • 29. Dining Philosophers - deadlock ! 29
  • 30. Dining Philosophers - deadlock ! All five philosophers are waiting for second fork ! 30
  • 31. Dining Philosophers - Introduce asymmetry To resolve the deadlock, the third philosopher will pick the left fork first. 31
        Process (ph in 1..5) {
            Init : if (self = 3) { swap(right, left); };
            Wait_first_fork : await (forks[right] = FALSE); forks[right] = TRUE;
            Wait_second_fork: await (forks[left] = FALSE); forks[left] = TRUE;
            Done_eating : forks[left] = forks[right] = FALSE;
        }
  • 32. Dining Philosophers - complete spec 32
  • 33. Dining Philosophers - no deadlock ! 33
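To make concrete what TLC does with the childcare spec (slides 13-21) and the dining philosophers spec (slides 24-33), here is a small explicit-state checker written in Python for this write-up; it is not the talk's code and not part of TLA+. It explores every interleaving of the labelled actions, as TLC does, and reports an invariant violation with its counterexample trace (the slide-19 await), a deadlock (the symmetric philosophers), or a clean result for the corrected versions; that every process loops forever (enter/exit, think/eat) is an assumption of this example.

```python
from collections import deque

def explore(init, actions, invariant=lambda s: True):
    # BFS over every interleaving of enabled actions, the way TLC explores a PlusCal spec;
    # returns ("ok", states_seen) or ("violation" | "deadlock", counterexample trace).
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        succ = list(actions(s))
        if not invariant(s) or not succ:
            path = [s]
            while parent[path[-1]] is not None: path.append(parent[path[-1]])
            return ("violation" if not invariant(s) else "deadlock"), path[::-1]
        for n in succ:
            if n not in parent:
                parent[n] = s
                queue.append(n)
    return "ok", len(parent)

def step(t, i, v):        # copy of tuple t with slot i set to v (states must stay hashable)
    return t[:i] + (v,) + t[i + 1:]

def childcare(n_adults, n_children, fixed_await):
    # Slides 13-21; state = (adults_in, children_in, pc per process), processes loop enter->exit.
    # fixed_await=False is the slide-19 a_exit guard, True the corrected slide-21 guard.
    def actions(s):
        adults, kids, pcs = s
        for i, pc in enumerate(pcs):
            d = 1 if pc == "enter" else -1                 # entering adds one, leaving removes one
            a, k = (adults + d, kids) if i < n_adults else (adults, kids + d)   # counts after the move
            ok = ((d == 1 or (a if fixed_await else adults) * 3 >= kids)   # a_exit: new or old count
                  if i < n_adults else (d == -1 or a * 3 >= k))            # c_enter: new count
            if ok:
                yield (a, k, step(pcs, i, "exit" if d == 1 else "enter"))
    return explore((0, 0, ("enter",) * (n_adults + n_children)), actions, lambda s: s[0] * 3 >= s[1])

def philosophers(n, asymmetric):
    # Slides 24-33; state = (fork taken flags, pc per philosopher). Philosopher i takes fork i
    # (right) then fork i+1 (left); with asymmetric=True the third one (index 2) swaps them.
    def actions(s):
        forks, pcs = s
        for i, pc in enumerate(pcs):
            first, second = ((i + 1) % n, i) if asymmetric and i == 2 else (i, (i + 1) % n)
            if pc == "first" and not forks[first]:
                yield (step(forks, first, True), step(pcs, i, "second"))
            elif pc == "second" and not forks[second]:
                yield (step(forks, second, True), step(pcs, i, "eat"))
            elif pc == "eat":                                     # put down both forks
                yield (step(step(forks, first, False), second, False), step(pcs, i, "first"))
    return explore(((False,) * n, ("first",) * n), actions)
```

The returned trace for the buggy childcare run is the same sequence of states TLC prints as its backtrace on slide 20, and the deadlock trace ends in the all-holding-one-fork state of slide 30.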
  • 34. Alternate bit protocol over lossy channel 34 (Figure: Sender and Receiver connected by a Message channel and an Ack channel; both channels are lossy) https://en.wikipedia.org/wiki/Alternating_bit_protocol Discussed in Lamport’s book “Specifying Systems”.
  • 35. Alternate bit protocol - define channel Use the “Sequences” module to define the communication channels 35
        Declare the channels as a Sequence:  Variables msgChan = <<>>, ackChan = <<>>
        Append to a channel:                 Append(msgChan, m)
        Extract using “Head(msgChan)” or “Tail(msgChan)”
  • 36. Alternate bit protocol - sender and receiver process Define one Process each for Sender and Receiver 36
        Process (Sender = “S”) { Send message OR Receive Ack }
        Process (Receiver = “R”) { Receive message OR Send Ack }
  • 37. Alternate bit protocol - sender and receiver process Define one Process each for Sender and Receiver 37
        Process (Sender = “S”) {
            Either { Append(msgChan, <<input>>) }
            or { Recv(ack, ackChan) }
        }
        Process (Receiver = “R”) {
            Either { Append(ackChan, rbit) }
            or { Recv(msg, msgChan) }
        }
  • 38. PlusCal - Either Or “Either Or” is an important feature of the PlusCal language (TLA+). It allows you to simulate non-determinism: TLC (model checker) will test both options at runtime. 38
        Either { Do this }
        Or { Do that }
  • 39. Alternate Bit protocol - simulate lossy channel To simulate a lossy channel, add another process which randomly deletes messages. 39
        Process (LoseMsg = “L”) { randomly delete messages from either channel }
  • 40. Alternate Bit protocol - simulate lossy channel To simulate a lossy channel, add another process which randomly deletes messages. 40
        Process (LoseMsg = “L”) {
            While TRUE {
                Either with (i in 1..Len(msgChan)) { msgChan = Remove(i, msgChan) }
                or with (i in 1..Len(ackChan)) { ackChan = Remove(i, ackChan) }
            }
        }
  • 41. PlusCal constructs introduced 1. Algorithm : A problem that you want to model. 2. Process : An actor/thread of execution within the algorithm. 3. Labels : All statements inside a label are atomically executed. 4. Await : only execute after condition becomes true 5. Either-Or : non-deterministic execution of alternatives 6. With : Non-deterministically choose one element out of a Set. 41
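An added Python simulation of the alternating bit protocol from slides 34-40, written for this page rather than taken from the talk (whose spec is PlusCal): the schedule of which process acts next is a constructed stand-in for the either/or and with choices that TLC would explore exhaustively, and the LoseMsg steps drop the head of a channel rather than an arbitrary element.

```python
from collections import deque

def run_abp(inputs, schedule):
    """Alternating bit protocol over two lossy FIFO channels, driven by a constructed
    schedule of actions (sender, receiver or LoseMsg). Returns the values the receiver
    delivered, in order; a correct run delivers each input exactly once despite losses."""
    msg_chan, ack_chan = deque(), deque()        # msgChan / ackChan of slide 35
    pending, delivered = list(inputs), []
    s_bit, s_acked, current = 0, True, None      # sender: bit in flight, acked yet, its value
    r_bit = 0                                    # receiver: bit of the last accepted message
    for action in schedule:
        if action == "send":                     # sender: next value once acked, else retransmit
            if s_acked and pending:
                s_bit, s_acked, current = 1 - s_bit, False, pending.pop(0)
            if not s_acked:
                msg_chan.append((current, s_bit))
        elif action == "recv_ack" and ack_chan:
            if ack_chan.popleft() == s_bit:      # an ack carrying the old bit is stale: ignored
                s_acked = True
        elif action == "recv_msg" and msg_chan:
            value, bit = msg_chan.popleft()
            if bit != r_bit:                     # bit flip = new value; same bit = duplicate
                r_bit = bit
                delivered.append(value)
        elif action == "send_ack":               # receiver always acks the last accepted bit
            ack_chan.append(r_bit)
        elif action == "lose_msg" and msg_chan:  # the LoseMsg process of slide 40 (drops head)
            msg_chan.popleft()
        elif action == "lose_ack" and ack_chan:
            ack_chan.popleft()
    return delivered

# Constructed run: the first copy of "a" and its first ack are lost, so "a" is sent three
# times (one copy arrives as a duplicate and is ignored) before "b" goes through cleanly.
LOSSY_SCHEDULE = ["send", "lose_msg", "send", "recv_msg", "send_ack", "lose_ack",
                  "send", "recv_msg", "send_ack", "recv_ack",
                  "send", "recv_msg", "send_ack", "recv_ack"]

if __name__ == "__main__":
    print(run_abp(["a", "b"], LOSSY_SCHEDULE))   # ['a', 'b']
```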
  • 42. Notable users of TLA+ 1. Intel CPU cache coherence protocol [Brannon Batson] 2. Microsoft CosmosDB 3. Amazon : S3, DynamoDB, EBS, Distributed Lock manager [Chris Newcombe] Newcombe (Amazon) has released two of their TLA+ specs (see my github for a copy). None of the others are publicly available. 42
  • 43. Conclusion 1. TLC can find bugs. 2. Complex programs can take hours to run (TLC also has a “simulation” mode which does random verification). Learning curve 1. Formulation : Lack of sample programs, but the google group is helpful. 2. Debugging : Check the backtrace; add prints ! 3. Mastery over TLA+ requires some Mathematics knowledge (e.g. set theory). 4. [Newcombe, Experience of Software Engineers using TLA+] http://tla2012.loria.fr/contributed/newcombe-slides.pdf 43
  • 44. Questions Code : https://github.com/sanjosh/tlaplus (README has references) Slides: https://www.slideshare.net/SandeepJoshi55/ 44
  • 45. TLA+ operators 1. <> P : at least one execution path has P true 2. [] P : P is eventually true 3. Q ~> P : If Q becomes true, P will be true 4. <>[] P : at some point P becomes true and stays true 45
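As an added example (not part of the talk), the temporal operators of slides 10 and 45 evaluated on a finite trace in Python. The readings used are the standard TLA+ ones: [] P is "always P" (P holds in every state), <> P is "eventually P" (P holds in some state), Q ~> P is "Q leads to P" and <>[] P is "eventually always P"; the trace and its predicates are constructed here and, being a finite prefix, only approximate how TLC judges liveness on infinite behaviours.

```python
def always(P, trace):                    # []P : P holds in every state of the trace
    return all(P(s) for s in trace)

def eventually(P, trace):                # <>P : P holds in at least one state
    return any(P(s) for s in trace)

def leads_to(Q, P, trace):               # Q ~> P : whenever Q holds, P holds then or later
    return all(eventually(P, trace[i:]) for i, s in enumerate(trace) if Q(s))

def eventually_always(P, trace):         # <>[]P : from some state on, P never fails again
    return any(always(P, trace[i:]) for i in range(len(trace)))

# Constructed behaviour for the slide-10 sentences: each state is (weather, likes, eating).
TRACE = [("warm", True, False), ("warm", True, False), ("cold", True, False),
         ("cold", True, True), ("cold", True, True), ("warm", True, False)]

def check_chocolate(trace=TRACE):
    """Truth values of the two slide-10 sentences plus the other slide-45 operators on the
    trace. Sentence 1 is []likes; sentence 2 is cold ~> eating."""
    cold = lambda s: s[0] == "cold"
    likes = lambda s: s[1]
    eating = lambda s: s[2]
    return {
        "[]likes": always(likes, trace),
        "cold ~> eating": leads_to(cold, eating, trace),
        "<>eating": eventually(eating, trace),
        "<>[]eating": eventually_always(eating, trace),   # False: eating stops in the last state
    }
```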
  • 46. Other model checkers besides TLA+ 46 https://en.wikipedia.org/wiki/List_of_model_checking_tools