# Case Study of Reader/Writer System

Moonzoo Kim
School of Computing
KAIST





# **Outlines**

- System Description
- Formal Requirement Specification
- Formal Design Specification
- Formal Verification
- Testing





# Multiple Reader/Writer System



- System requirement
  - **♣** Concurrency (CON)
  - **♣** Exclusive writing (EW)
  - High priority of writer (HPW)



## Formal Requirement Specification

- 1 writer and 2 readers system
  - Execution tree
  - **RW** system has 9 events
    - {ir1,rs1,re1,ir2,rs2,re2,ww,ws,we}
  - $\bot$  A state s =  $(n_{ir1}, n_{rs1}, n_{ir2}, n_{rs2}, n_{ww}, n_{ws})$ 
    - s0 = (0,0,0,0,0,0)
    - s1 = (0,0,0,0,1,0)
    - s11=(1,0,0,0,1,0)
    - s12=(0,0,0,0,0,1)







## Valid execution paths

**Defn 1 (An execution path)** An execution tree is a labeled transition system  $(S, T_{\Sigma})$  where S is a set of states and  $T_{\Sigma}: S \times \Sigma \times S$  is a set of transition over S with a set of label  $\Sigma$ . A state s consists of the following 6 integer variables

$$s \stackrel{def}{=} (n_{ir1}, n_{rs1}, n_{ir2}, n_{rs2}, n_{ww}, n_{ws})$$

An execution path  $\sigma = s_0 s_1 .... s_n$  is a sequence of states in an execution tree.  $\sigma_{s_i}$  denotes the i th state of  $\sigma$ .

**Defn 2 (Definition of a state)**  $\#ir1(\sigma_{s_0}) \stackrel{def}{=} 0.$   $\#ir1(\sigma_{s_i}) \stackrel{def}{=} a$  number of event ir1 in an event trace  $\rho = l_0...l_{i-1}$  such that  $\sigma_{s_i} \stackrel{l_i}{\to} \sigma_{s_{i+1}}$  where i > 0. Similarly defined are #rs1, #re1, #ir2, #rs2, #re2, #ww, #ws, and #we.

**Defn 2 (Definition of a state)**  $\#ir1(\sigma_{s_0}) \stackrel{def}{=} 0.$   $\#ir1(\sigma_{s_i}) \stackrel{def}{=} a$  number of event ir1 in an event trace  $\rho = l_0...l_{i-1}$  such that  $\sigma_{s_i} \stackrel{l_i}{\to} \sigma_{s_{i+1}}$  where i > 0. Similarly defined are #rs1, #re1, #ir2, #rs2, #re2, #ww, #ws, and #we.

State  $\sigma_s$  of an execution path  $\sigma$  consists of the following 6 variables

$$n_{ir1}(\sigma_s) \stackrel{def}{=} \#ir1(\sigma_s) - \#rs1(\sigma_s)$$

$$n_{rs1}(\sigma_s) \stackrel{def}{=} \#rs1(\sigma_s) - \#re1(\sigma_s)$$

$$n_{ir2}(\sigma_s) \stackrel{def}{=} \#ir2(\sigma_s) - \#rs2(\sigma_s)$$

$$n_{rs2}(\sigma_s) \stackrel{def}{=} \#rs2(\sigma_s) - \#re2(\sigma_s)$$

$$n_{ww}(\sigma_s) \stackrel{def}{=} \#ww(\sigma_s) - \#ws(\sigma_s)$$

$$n_{ws}(\sigma_s) \stackrel{def}{=} \#ws(\sigma_s) - \#we(\sigma_s)$$

$$Initial state \sigma_{s_0} \stackrel{def}{=} (0, 0, 0, 0, 0, 0)$$

 $n_{ir1}(\sigma_s)$  indicates whether there is "active" ir1 in an execution path  $s_0...s$ . We can think that ith occurence of rs1 "cancels" the ith occurence of ir1.  $n_{ir1}(\sigma_s) = 1$  means that ir1 occurs i times and rs1 occurs (i-1) times upto state  $\sigma_s$ , which means that ir1 is "active".





## Valid execution path σ

- $\clubsuit$  An execution path  $\sigma = s_0, s_1, \ldots, s_n$ 
  - $\sigma_{si}$  denotes the i th state of  $\sigma$

#### ♣ Definition of a state s<sub>i</sub>.

- $\#ir1(\sigma_{s0}) = 0$
- #ir1( $\sigma_{si}$ ) = # of ir1 in a trace  $I_0...I_{i-1}$  s.t.  $\sigma_{si}-I_i$  >  $\sigma_{si+1}$
- $n_{ir1}(\sigma_s) = \#ir1(\sigma_s) \#rs1(\sigma_s)$
- $n_{rs1}(\sigma_s) = \#rs1(\sigma_s) \#re1(\sigma_s)$

#### Correct Event Ordering

- For all state s<sub>i</sub> in σ
  - $n_{ir1}(s_i)$ ≥0 ∧  $n_{rs1}(s_i)$ ≥0 ∧  $n_{ir1}(s_i)$ + $n_{rs1}(s_i)$ ≤1
  - $n_{ir2}(s_i) \ge 0 \land n_{rs2}(s_i) \ge 0 \land n_{ir2}(s_i) + n_{rs2}(s_i) \le 1$
  - $n_{ww}(s_i)$ ≥0 ∧  $n_{ws}(s_i)$ ≥0 ∧  $n_{ww}(s_i)$ + $n_{ws}(s_i)$  ≤1







## Valid execution paths

- **Lesson** Exclusive Writing
  - $n_{ws}(s_i)=1 \rightarrow (n_{rs1}(s_i)=0 \land n_{rs2}(s_i)=0)$



### **4** High Priority of Writer

• 
$$(n_{ww}(s_i)=1 \land n_{rs1}(s_i)=0 \land n_{rs2}(s_i)=0)$$
  
->  $(n_{rs1}(s_{i+1})=0 \land n_{rs2}(s_{i+1})=0)$ 











```
**********
* Requirement Specification *
********
proc S0 = ir1.B + ww.S2 + ir2.C
                                        proc B = rs1.B1 + ww.B2 + ir2.A
proc S2 = ir1.S21 + ws.S22 + ir2.S23
                                        proc B1 = re1.S0 + ww.B12 + ir2.A1
proc S21 = ws.S212 + ir2.S213
                                        proc B2 = ws.B22 + ir2.B23
proc S22 = ir1.S212 + we.S0 + ir2.S232
                                        proc B12 = re1.S2 + ir2.B123
proc S23 = ir1.S213 + ws.S232
                                        proc B22 = we.B + ir2.B223
proc S212 = we.B + ir2.S2123
                                        proc B23 = ws.B223
proc S213 = ws.S2123
                                        proc B123 = re1.S23
proc S232 = ir1.S2123 + we.C
                                        proc B223 = we.A
proc S2123 = we.A
                                        proc C = ir1.A + ww.C2 + rs2.C3
proc A = rs1.A1 + ww.A2 + rs2.A3
                                        proc C2 = ir1.C21 + ws.C22
proc A1 = re1.C + ww.A12 + rs2.A13
                                        proc C3 = ir1.A3 + ww.C32 + re2.S0
proc A_2 = ws.we.A
                                        proc C21 = ws.C221
proc A3 = rs1.A13 + ww.A32 + re2.B
                                        proc C22 = ir1.C221 + we.C
proc A12 = re1.C2 + rs2.A123
                                        proc C32 = ir1.C321 + re2.S2
proc A13 = re1.C3 + ww.A123 + re2.B1
                                        proc C221 = we.A
proc A32 = rs1.A123 + re2.B2
                                        proc C321 = re2.S21
proc A123 = re1.C32 + re2.B12
```



# Formal Design Specification

- RW system designed in "Concurrent Programming in Java[Lea99]"
  - | proc S =
     (R1|R2|W|AR0|WW0|AW0|
     LOCK|SLEEP0)\
     { dec\_WW, inc\_WW, dec\_AW,inc\_AW,...}
     proc R1 = ...
    - Processes (R1, R2, W, Lock, etc) communicate each other through signals (dec\_WW, inc\_WW, etc)
    - variables in RW code are represented as processes (AR0, AW0, etc)

```
class RW {
  int activeReaders = 0;
  int activeWriters_= 0;
  int waitingReaders_= 0;
  int waitingWriters = 0;
  void read()
         beforeRead();
         read ();
         afterRead();
  void beforeRead()
                           {...}
                           {...}
  void read_()
  void afterRead()
```





## **Testing using Formal Specification**

- Insert probe into the RW source code
  - Probe generates event signal
- Testing RW code utilizing formal requirement spec as a test oracle
  - Use CWB-NC based simulation feature
  - Inappropriate event signal means violation

```
public abstract class RW{
  protected int activeReaders_ = 0;
  protected int activeWriters_= 0;
  protected int waitingReaders_= 0;
  protected int waitingWriters = 0;
  public void read(String id) {
         beforeRead();
         read_(id);
         afterRead();
  protected synchronized void beforeRead(){
         Event("ir");
  public void read () {
          Event("rs");...
  protected synchronized void afterRead(){
          Event("re");...
```



## **RW Java Code**

```
public abstract class RW2 {
  protected int activeReaders = 0; //threads executing read
  protected int activeWriters = 0;
                                   //always 0 or 1
  protected int waitingReaders = 0; //threads not yet in read
  protected int waitingWriters = 0; //same for write
  protected abstract void read (String id);
  protected abstract void write (String id);
  void Event(String s){ }//System.out.println(s);}
  public void read(String id) {
     /*Event("ir" + id);*/ beforeRead();
     /*Event("rs" + id);*/ read (id);
     /*Event("re" + id);*/ afterRead();
  public void write(String id) {
     /*Event("ww");*/ beforeWrite();
    /*Event("ws");*/ write (id);
     /*Event("we");*/ afterWrite();
  protected boolean allowReader() {
     if (waitingWriters == 0 && activeWriters == 0)
       return true;
     else
       return false:
```

```
protected boolean allowWriter()
  if(activeReaders == 0 && activeWriters == 0) {
    return true:
  } else return false;
protected synchronized void beforeRead()
  ++waitingReaders;
  while(!allowReader())
     try{ wait();}
     catch(InterruptedException ex){}
  --waitingReaders;
  ++activeReaders;
protected synchronized void afterRead()
  --activeReaders;
  notifyAll();
protected synchronized void beforeWrite()
  ++waitingWriters;
  while(!allowWriter())
    try{wait();}
    catch(InterruptedException ex){}
  --waitingWriters;
  ++activeWriters;
protected synchronized void afterWrite()
  --activeWriters;
  notifyAll();
```

# RW System Design

```
**************
                                                                        proc R2 = 'lock.ir2.'unlock.'lock.
* RW system description of 2 Readers and 1 Writer *
                                                                           ( 'zero WW.
***************
                                                                              ('zero AW.'inc AR.'unlock.READ2
proc S = (R1|R2|W|AR0|WW0|AW0|LOCK|SLEEP0)\
                                                                                 + 'non zero AW.'inc sleep.'unlock.R2')
              {dec WW, inc WW, dec AW, inc AW, dec AR, inc AR,
                                                                              + 'non zero WW.'inc sleep.'unlock.R2')
               zero_WW, zero_AW, zero_AR, non_zero_WW,non_zero_AW, proc R2' = wake_up.'lock.
               non zero AR, lock, unlock,
                                                                            ( 'zero WW.
               zero sleep, one sleep, two sleep, dec sleep, inc sleep,
                                                                               ('zero AW.'inc AR.<del>'unlock.</del>READ2
               wake up}
                                                                                 + 'non zero AW.'inc_sleep.'unlock.R2')
                                                                               + 'non zero WW.'inc sleep.'unlock.R2')
proc WW0 = zero WW.WW0 + inc WW.WW1
proc WW1 = dec WW.WW0 + non zero WW.WW1
                                                                        proc W = 'lock.ww.'inc WW.'unlock.'lock.
                                                                           ('zero AR.
proc AW0 = zero AW.AW0 + inc AW.AW1
                                                                              ('zero AW.'dec WW.'inc AW.'unlock.WRITE
proc AW1 = dec AW.AW0 + non zero AW.AW1
                                                                                +'non zero AW.'inc sleep.'unlock.W')
                                                                              + 'non zero AR.'inc sleep.'unlock.W')
proc AR0 = zero AR.AR0 + inc AR.AR1
                                                                        proc W' = wake up.'lock.
proc AR1 = dec AR.AR0 + inc AR.AR2
                                                                           ('zero AR.
     + non zero AR.AR1
                                                                               ('zero AW.'dec WW.'inc AW.'unlock.WRITE
proc AR2 = dec AR.AR1 + non zero AR.AR2
                                                                                 +'non zero AW.'inc sleep.'unlock.W')
                                                                               + 'non zero AR.'inc sleep.'unlock.W')
proc SLEEP0 = zero sleep.SLEEP0 + inc sleep.SLEEP1
proc SLEEP1 = one sleep.SLEEP1 + inc sleep.SLEEP2 + dec sleep.SLEEP0
                                                                        proc READ1 = rs1.'unlock.'lock. re1.'lock.'dec AR.
proc SLEEP2 = two sleep.SLEEP2 + dec sleep.SLEEP1
                                                                              ('zero sleep.'unlock.R1 +
                                                                               'one sleep.'wake up.'dec sleep.'unlock.R1 +
proc R1 = 'lock.ir1.'unlock.'lock.
                                                                               'two sleep.'wake up.'dec sleep.'wake up.'dec sleep.'unlock.R1)
     'zero WW.
                                                                        proc READ2 = rs2.'unlock.'lock. re2.'lock.'dec AR.
               ('zero AW.'inc AR.'unlock.READ1
                                                                              ('zero sleep.'unlock.R2+
                  + 'non zero AW.'inc sleep.'unlock.R1')
                                                                               'one sleep.'wake up.'dec sleep.'unlock.R2+
               + 'non zero WW.'inc sleep.'unlock.R1')
                                                                               'two sleep.'wake up.'dec sleep.'wake up.'dec sleep.'unlock.R2)
proc R1' =
           wake up.'lock.
                                                                        proc WRITE = ws.'unlock.'lock. we.'lock.'dec AW.
     'zero WW.
                                                                              ('zero sleep.'unlock.W +
               ('zero AW.'inc AR.'unlock.READ1
                                                                              'one sleep.'wake up.'dec sleep.'unlock.W +
                  + 'non zero AW.'inc sleep.'unlock.R1')
                                                                              'two sleep.'wake up.'dec sleep.'wake up.'dec sleep.'unlock.W)
               + 'non zero WW.'inc sleep.'unlock.R1')
    Kaist
                                                                        proc LOCK = lock.unlock.LOCK
```

# May Preorder

- May preorder (classical trace inclusion)
  - $+P \cdot_{mav} Q \text{ iff on } T'(P)\mu T'(Q)$ 
    - Ex. le –S may "a.nil" "a.b.nil"
      - Since  $T'(a.nil) = \{a\}, T'(a.b.nil) = \{a,a.b\}$
      - But not le –S may "a.b.nil" "a.nil"



## **Formal Verification Result**

```
01:cwb-nc> le -S may S S0
                                01: cwb-nc> le -S may S0 S
02:Building automaton...
                                02: Building automaton...
03:States: 333
                                03: States: 34
04:Transitions: 361
                                04: Transitions: 69
05:Done building automaton.
                                05: Done building automaton.
06:Building automaton...
                                06: Building automaton...
07:States: 34
                                07: States: 333
08:Transitions: 69
                                08: Transitions: 361
09:Done building automaton.
                                09: Done building automaton.
10:Transforming automaton...
                                10: Transforming automaton...
11:Done transforming automaton
                                11: Done transforming automaton.
12:TRUE
                                12: FALSE...
13:cwb-nc>
                                 13: SO has trace:
                                14: ir1 rs1 re2 ir1
                                15: S does not.
                                16: cwb-nc>
```

