Doveryai, no Proveryai
Introduction to TLA+
Sandeep Joshi
11 Nov, 2017, Pune
https://expert-talks.in
Doveryai, no Proveryai
A Russian proverb which means “Trust, but verify”.
Popular during the Cold War when the
US and Soviet Union were signing
nuclear disarmament accords.
2
Talk overview
1. Problem definition
2. What is TLA+, PlusCal, TLC...
3. Example 1 : Childcare facility
4. Example 2 : Dining Philosophers
5. Example 3 : Alternating Bit Protocol
6. Concluding observations
Code : https://github.com/sanjosh/tlaplus
Slides: https://www.slideshare.net/SandeepJoshi55/
3
Hard to prove correctness in a distributed system
In a distributed system, how do you prove
1. Safety : Something bad will never happen
2. Liveness : Something good will eventually happen
When you have
1. Multiple agents/actors, each with its own state machine (FSM)
2. Non-determinism, which leads to arbitrarily interleaved execution
3. Failures and restarts
4
Microsoft .NET remote authentication FSMs https://msdn.microsoft.com/en-us/library/ms973909.aspx
Is this 2-process FSM (.NET) correct?
5
Or is this 2-process FSM (for TCP) correct?
https://thewalnut.io/app/release/73/
6
CHESS : Systematic testing of concurrent programs http://slideplayer.com/slide/13582/
Interleaved execution causes ...
7
How to reason about time in a distributed system
Required :
1. A formal theory : Temporal Logic
2. A language to express the problem : TLA+ and others.
3. A tool to verify : TLC and other model checkers
9
Temporal logic simplified
In programs, we write formulae using Boolean operators (AND, OR, NOT).
“Assert (a > 0 AND b < 0)”
Temporal logic adds temporal operators, whose formulae are evaluated over one or
more paths of execution (the “path quantifiers”).
1. I will like chocolate from now on.
2. After weather becomes cold, at some point, I will start eating chocolate.
https://en.wikipedia.org/wiki/Computation_tree_logic#Examples
10
What is TLA+
● Language created by Leslie Lamport to express temporal logic.
● PlusCal is a simpler variant of TLA+ (This talk uses PlusCal).
● TLC is the “model checker” : the tool which checks whether your PlusCal
program satisfies its assertions and properties.
● It has a GUI called Toolbox. In this talk, only the command line tool is used.
11
How to get started with TLA+
● Read general background on model checkers
● Download the TLA toolbox (GUI + java jar file)
● Read the PlusCal manual and Lamport’s tutorial “Specifying systems”
● Read sample PlusCal programs written by others
● Start with a small problem and try writing your own program
● Run it...
$ java pcal.trans myspec.tla
$ java tlc2.TLC myspec.tla
12
Childcare facility problem
Children and adults continuously enter and exit a childcare facility.
Ensure that there is always one adult present for every three children.
[ from The Little Book of Semaphores by Allen Downey ]
13
Childcare constraints
An adult can enter at any time, but exit ONLY if
1. Three times the NEW number of adults is still at least the number of children
A child can exit at any time, but enter ONLY if
1. Three times the number of adults is at least the NEW number of children
14
Childcare - create child & parent process
Define a PlusCal “process” for each actor in your system
--algorithm childcare {
process (a \in 1..ADULTS) { ... }
process (c \in 1..CHILDREN) { ... }
}
15
Childcare - “labels” denote Atomic actions
Use one PlusCal label for each atomic action of a child.
A child performs two actions : enter and exit the childcare facility.
process {
c_enter: number_children := number_children + 1;
c_exit : number_children := number_children - 1;
}
16
What are PlusCal Labels
All statements within a label are executed atomically by TLC.
TLC internally interleaves the execution of many processes in order
to verify correctness.
[Diagram: Child 1 runs “LabelA : Y := X + 1”; Adult 2 runs “Label1 : X := Y + 1” and “Label2 : X := Y - 1”; TLC explores every interleaving of these labels]
Childcare - use “await” to wait for a condition
Every child waits until a sufficient number of adults is present inside.
c_enter : await (number_adults * 3 >= number_children + 1);
number_children := number_children + 1;
c_exit : number_children := number_children - 1;
assert (number_adults * 3 >= number_children);
18
Childcare - specify adult process
Follow the same steps to define the adult process, using process, label and await.
process {
a_enter: number_adults := number_adults + 1;
a_exit : await (number_adults * 3 >= number_children);
number_adults := number_adults - 1;
assert (number_adults * 3 >= number_children);
}
TLC (model checker) failure output
At this point the assert fires, because an adult exited under the incorrect
“await” condition: it tests the old value of number_adults, not the value
after the exit.
Childcare - correct the condition
Change the await condition to check the new value instead of the old one.
process {
a_enter: number_adults := number_adults + 1;
a_exit : await ((number_adults - 1) * 3 >= number_children);
number_adults := number_adults - 1;
}
Childcare - complete spec
22
TLC (model checker) output on success
23
Dining Philosophers Problem
Each philosopher keeps doing the following
1. Think
2. Take right fork
3. Take left fork
4. Eat
5. Put down both forks
24
Dining Philosophers with PlusCal
Define five philosopher instances; step through three labels (atomic actions).
process (ph \in 1..5) {
Wait_first_fork : await (forks[right] = FALSE);
forks[right] := TRUE;
Wait_second_fork: await (forks[left] = FALSE);
forks[left] := TRUE;
Done_eating : forks[left] := FALSE || forks[right] := FALSE;
}
Dining Philosophers - complete spec
28
Dining Philosophers - deadlock !
All five philosophers are waiting for the second fork !
Dining Philosophers - Introduce asymmetry
To resolve the deadlock, the third philosopher picks up the left fork first.
process (ph \in 1..5) {
Init : if (self = 3) { swap(right, left); };
Wait_first_fork : await (forks[right] = FALSE); forks[right] := TRUE;
Wait_second_fork: await (forks[left] = FALSE); forks[left] := TRUE;
Done_eating : forks[left] := FALSE || forks[right] := FALSE;
}
Dining Philosophers - complete spec
32
Dining Philosophers - no deadlock !
33
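The childcare spec (slides 19 to 21) and the dining philosophers spec above are small enough to check with a few lines of Python. What follows is an added example, not code from the talk or its GitHub repository and not TLC itself: it enumerates every interleaving of the labels, the way the slides describe TLC working, reports the first state that breaks the assert (the buggy a_exit condition) or the first deadlock (the symmetric philosophers), and confirms that the corrected condition and the asymmetric philosopher remove them. The function names, the assumption that every process loops forever, and the fork numbering (philosopher p holds fork p on the right and fork p mod 5 + 1 on the left) are mine, not the talk's.

```python
"""Tiny explicit-state model checker for the talk's childcare and dining
philosophers specs.  Added example: not the talk's code and not TLC.  It does by
hand what the slides say TLC does: explore every interleaving of the atomic
actions (labels) and stop at the first invariant violation or deadlock.
Assumptions: every process loops forever; philosopher p's right fork is p and
its left fork is p mod n + 1."""
from collections import deque


def explore(init, actions, invariant):
    """Breadth-first search over all reachable states.  `actions(state)` lists
    (label, next_state) for every label whose `await` holds in `state`.  A state
    with no enabled action is a deadlock (all processes loop forever here)."""
    parent = {init: None}          # state -> (previous state, label taken)
    queue = deque([init])
    explored = 0
    while queue:
        s = queue.popleft()
        explored += 1
        if not invariant(s):
            return {"states": explored, "violation": s, "trace": trace(parent, s)}
        successors = actions(s)
        if not successors:
            return {"states": explored, "deadlock": s, "trace": trace(parent, s)}
        for label, t in successors:
            if t not in parent:
                parent[t] = (s, label)
                queue.append(t)
    return {"states": explored}    # every reachable state satisfied the invariant


def trace(parent, s):
    """Labels executed from the initial state to s (TLC prints the same trace)."""
    labels = []
    while parent[s] is not None:
        s, label = parent[s]
        labels.append(label)
    return labels[::-1]


def step(tup, i, value):
    """Copy of tuple `tup` with element i replaced; tuples keep states hashable."""
    return tup[:i] + (value,) + tup[i + 1:]


def childcare(adults, children, adult_may_exit):
    """State = (number_adults, number_children, pc of every process); each adult
    loops a_enter; a_exit and each child c_enter; c_exit as on the slides.
    `adult_may_exit(na, nc)` is the await condition of label a_exit."""
    kinds = ("A",) * adults + ("C",) * children
    init = (0, 0, ("enter",) * len(kinds))

    def actions(state):
        na, nc, pcs = state
        out = []
        for i, (kind, pc) in enumerate(zip(kinds, pcs)):
            if kind == "A" and pc == "enter":
                out.append((f"a{i}_enter", (na + 1, nc, step(pcs, i, "exit"))))
            elif kind == "A" and pc == "exit" and adult_may_exit(na, nc):
                out.append((f"a{i}_exit", (na - 1, nc, step(pcs, i, "enter"))))
            elif kind == "C" and pc == "enter" and na * 3 >= nc + 1:
                out.append((f"c{i}_enter", (na, nc + 1, step(pcs, i, "exit"))))
            elif kind == "C" and pc == "exit":
                out.append((f"c{i}_exit", (na, nc - 1, step(pcs, i, "enter"))))
        return out

    # the assert on the slides: one adult for every three children
    return explore(init, actions, lambda s: s[0] * 3 >= s[1])


BUGGY_EXIT = lambda na, nc: na * 3 >= nc        # slide 19: tests the OLD count
FIXED_EXIT = lambda na, nc: (na - 1) * 3 >= nc  # slide 21: tests the NEW count


def dining(n=5, asymmetric=None):
    """State = (fork taken?, pc of every philosopher).  All pick the right fork
    first, except philosopher `asymmetric` (1-based), who picks the left first."""
    init = ((False,) * n, ("first",) * n)

    def order(p):                  # 0-based fork indices in pick-up order
        right, left = p - 1, p % n
        return (left, right) if p == asymmetric else (right, left)

    def actions(state):
        forks, pcs = state
        out = []
        for i, pc in enumerate(pcs):
            f1, f2 = order(i + 1)
            if pc == "first" and not forks[f1]:
                out.append((f"ph{i + 1}_first", (step(forks, f1, True), step(pcs, i, "second"))))
            elif pc == "second" and not forks[f2]:
                out.append((f"ph{i + 1}_second", (step(forks, f2, True), step(pcs, i, "eat"))))
            elif pc == "eat":      # put down both forks, go back to thinking
                both_down = step(step(forks, f1, False), f2, False)
                out.append((f"ph{i + 1}_done", (both_down, step(pcs, i, "first"))))
        return out

    return explore(init, actions, lambda s: True)   # only deadlock is checked


if __name__ == "__main__":
    print(childcare(1, 1, BUGGY_EXIT), dining(5), dining(5, asymmetric=3), sep="\n")
```

With one adult and one child the buggy condition is caught after three steps (a0_enter, c1_enter, a0_exit), which is exactly the trace TLC reports on slide 20; the symmetric philosophers deadlock in the state where all five forks are taken and every philosopher sits at Wait_second_fork, and the asymmetric variant explores its whole state space without finding one.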
Alternate bit protocol over lossy channel
34
[Diagram: Sender and Receiver connected by a message channel and an ack channel; both channels are lossy]
https://en.wikipedia.org/wiki/Alternating_bit_protocol
Discussed in Lamport’s book “Specifying Systems”.
Alternate bit protocol - define channel
Use the “Sequences” module to define the communication channels.
Declare the channels as sequences :
variables msgChan = <<>>, ackChan = <<>>;
Append to a channel :
Append(msgChan, m)
Extract using :
“Head(msgChan)” or “Tail(msgChan)”
35
Alternate bit protocol - sender and receiver process
Define one process each for Sender and Receiver.
process (Sender = "S") {
Send message
OR
Receive Ack
}
process (Receiver = "R") {
Receive message
OR
Send Ack
}
36
Alternate bit protocol - sender and receiver process
Define one process each for Sender and Receiver.
process (Sender = "S") {
either {
msgChan := Append(msgChan, <<input>>);
} or {
Recv(ack, ackChan);
}
}
process (Receiver = "R") {
either {
ackChan := Append(ackChan, rbit);
} or {
Recv(msg, msgChan);
}
}
37
PlusCal - Either Or
“Either Or” is an important feature of the PlusCal language (TLA+).
It allows you to express non-determinism.
TLC (model checker) explores both options when it checks the model.
either { Do this }
or { Do that }
Alternate Bit protocol - simulate lossy channel
To simulate a lossy channel, add another process which non-deterministically
deletes messages from either channel.
process (LoseMsg = "L") {
lose: while (TRUE) {
either with (i \in 1..Len(msgChan)) {
msgChan := Remove(i, msgChan);
} or with (i \in 1..Len(ackChan)) {
ackChan := Remove(i, ackChan);
};
}
}
PlusCal constructs introduced
1. Algorithm : A problem that you want to model.
2. Process : An actor/thread of execution within the algorithm.
3. Labels : All statements inside a label are atomically executed.
4. Await : only execute after condition becomes true
5. Either-Or : non-deterministic execution of alternatives
6. With : Non-deterministically choose one element out of a Set.
41
Notable users of TLA+
1. Intel CPU cache coherence protocol [Brannon Batson]
2. Microsoft CosmosDB
3. Amazon : S3, DynamoDB, EBS, Distributed Lock manager [Chris
Newcombe]
Newcombe (Amazon) has released two of their TLA+ specs (see my GitHub for a copy).
None of the others are publicly available.
42
Conclusion
1. TLC can find bugs.
2. Complex programs can take hours to run (TLC also has “simulation” mode
which does random verification)
Learning curve
1. Formulation : lack of sample programs, but the Google group is helpful.
2. Debugging : check the backtrace; add prints !
3. Mastery over TLA+ requires some mathematics knowledge (i.e. set theory).
4. [Newcombe, Experience of Software Engineers using TLA+]
http://tla2012.loria.fr/contributed/newcombe-slides.pdf
43
Questions
Code : https://github.com/sanjosh/tlaplus (README has references)
Slides: https://www.slideshare.net/SandeepJoshi55/
44
TLA+ temporal operators
1. <> P : P is eventually true (in at least one state of the execution)
2. [] P : P is always true (in every state of the execution)
3. Q ~> P : whenever Q becomes true, P is eventually true afterwards (“leads to”)
4. <>[] P : at some point P becomes true and stays true
45
Other model checkers besides TLA+
46
https://en.wikipedia.org/wiki/List_of_model_checking_tools

More Related Content

What's hot

Paris Kafka Meetup - Concepts & Architecture
Paris Kafka Meetup - Concepts & ArchitectureParis Kafka Meetup - Concepts & Architecture
Paris Kafka Meetup - Concepts & ArchitectureFlorian Hussonnois
 
PCF Platform Monitoring with Prometheus and Grafana
PCF Platform Monitoring with Prometheus and GrafanaPCF Platform Monitoring with Prometheus and Grafana
PCF Platform Monitoring with Prometheus and GrafanaVMware Tanzu
 
Carrier Sense Multiple Access (CSMA)
Carrier Sense Multiple Access (CSMA)Carrier Sense Multiple Access (CSMA)
Carrier Sense Multiple Access (CSMA)Mohammed Abuibaid
 
Plny12 galera-cluster-best-practices
Plny12 galera-cluster-best-practicesPlny12 galera-cluster-best-practices
Plny12 galera-cluster-best-practicesDimas Prasetyo
 
AusNOG 2019: TCP and BBR
AusNOG 2019: TCP and BBRAusNOG 2019: TCP and BBR
AusNOG 2019: TCP and BBRAPNIC
 
[En] IPVS for Docker Containers
[En] IPVS for Docker Containers[En] IPVS for Docker Containers
[En] IPVS for Docker ContainersAndrey Sibirev
 
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...Altinity Ltd
 
Introduction to RTOS
Introduction to RTOSIntroduction to RTOS
Introduction to RTOSYong Heui Cho
 
Fault tolerant presentation
Fault tolerant presentationFault tolerant presentation
Fault tolerant presentationskadyan1
 
Mining event streams with BeepBeep 3
Mining event streams with BeepBeep 3Mining event streams with BeepBeep 3
Mining event streams with BeepBeep 3Sylvain Hallé
 
Machine Learning Orchestration with Airflow
Machine Learning Orchestration with AirflowMachine Learning Orchestration with Airflow
Machine Learning Orchestration with AirflowAnant Corporation
 
Putting Kafka Into Overdrive
Putting Kafka Into OverdrivePutting Kafka Into Overdrive
Putting Kafka Into OverdriveTodd Palino
 
The Dark Side Of Go -- Go runtime related problems in TiDB in production
The Dark Side Of Go -- Go runtime related problems in TiDB  in productionThe Dark Side Of Go -- Go runtime related problems in TiDB  in production
The Dark Side Of Go -- Go runtime related problems in TiDB in productionPingCAP
 
IBM MQ - better application performance
IBM MQ - better application performanceIBM MQ - better application performance
IBM MQ - better application performanceMarkTaylorIBM
 

What's hot (20)

Paris Kafka Meetup - Concepts & Architecture
Paris Kafka Meetup - Concepts & ArchitectureParis Kafka Meetup - Concepts & Architecture
Paris Kafka Meetup - Concepts & Architecture
 
PCF Platform Monitoring with Prometheus and Grafana
PCF Platform Monitoring with Prometheus and GrafanaPCF Platform Monitoring with Prometheus and Grafana
PCF Platform Monitoring with Prometheus and Grafana
 
Carrier Sense Multiple Access (CSMA)
Carrier Sense Multiple Access (CSMA)Carrier Sense Multiple Access (CSMA)
Carrier Sense Multiple Access (CSMA)
 
Computer network
Computer networkComputer network
Computer network
 
Plny12 galera-cluster-best-practices
Plny12 galera-cluster-best-practicesPlny12 galera-cluster-best-practices
Plny12 galera-cluster-best-practices
 
AusNOG 2019: TCP and BBR
AusNOG 2019: TCP and BBRAusNOG 2019: TCP and BBR
AusNOG 2019: TCP and BBR
 
[En] IPVS for Docker Containers
[En] IPVS for Docker Containers[En] IPVS for Docker Containers
[En] IPVS for Docker Containers
 
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...
ClickHouse and the Magic of Materialized Views, By Robert Hodges and Altinity...
 
Flow control main
Flow control mainFlow control main
Flow control main
 
Introduction to RTOS
Introduction to RTOSIntroduction to RTOS
Introduction to RTOS
 
Fault tolerant presentation
Fault tolerant presentationFault tolerant presentation
Fault tolerant presentation
 
Mining event streams with BeepBeep 3
Mining event streams with BeepBeep 3Mining event streams with BeepBeep 3
Mining event streams with BeepBeep 3
 
Congestion control in TCP
Congestion control in TCPCongestion control in TCP
Congestion control in TCP
 
Machine Learning Orchestration with Airflow
Machine Learning Orchestration with AirflowMachine Learning Orchestration with Airflow
Machine Learning Orchestration with Airflow
 
CSMA/CD
CSMA/CDCSMA/CD
CSMA/CD
 
Notes on NUMA architecture
Notes on NUMA architectureNotes on NUMA architecture
Notes on NUMA architecture
 
Putting Kafka Into Overdrive
Putting Kafka Into OverdrivePutting Kafka Into Overdrive
Putting Kafka Into Overdrive
 
The Dark Side Of Go -- Go runtime related problems in TiDB in production
The Dark Side Of Go -- Go runtime related problems in TiDB  in productionThe Dark Side Of Go -- Go runtime related problems in TiDB  in production
The Dark Side Of Go -- Go runtime related problems in TiDB in production
 
Http4s
Http4s Http4s
Http4s
 
IBM MQ - better application performance
IBM MQ - better application performanceIBM MQ - better application performance
IBM MQ - better application performance
 

Similar to Doveryai, no proveryai - Introduction to tla+

Interprocess Communication
Interprocess CommunicationInterprocess Communication
Interprocess CommunicationDilum Bandara
 
Process Synchronization -1.ppt
Process Synchronization -1.pptProcess Synchronization -1.ppt
Process Synchronization -1.pptjayverma27
 
UNIT III Process Synchronization.docx
UNIT III Process Synchronization.docxUNIT III Process Synchronization.docx
UNIT III Process Synchronization.docxkarthikaparthasarath
 
Python - Control Structures
Python - Control StructuresPython - Control Structures
Python - Control StructuresLasithNiro
 
Concurrent programming with RTOS
Concurrent programming with RTOSConcurrent programming with RTOS
Concurrent programming with RTOSSirin Software
 
Mastering Python lesson 3a
Mastering Python lesson 3aMastering Python lesson 3a
Mastering Python lesson 3aRuth Marvin
 
Exception+Logging=Diagnostics 2011
Exception+Logging=Diagnostics 2011Exception+Logging=Diagnostics 2011
Exception+Logging=Diagnostics 2011Paulo Gaspar
 
Control structures ii
Control structures ii Control structures ii
Control structures ii Ahmad Idrees
 
Chapter 6 - Process Synchronization
Chapter 6 - Process SynchronizationChapter 6 - Process Synchronization
Chapter 6 - Process SynchronizationWayne Jones Jnr
 
Unit 2-data types,Variables,Operators,Conitionals,loops and arrays
Unit 2-data types,Variables,Operators,Conitionals,loops and arraysUnit 2-data types,Variables,Operators,Conitionals,loops and arrays
Unit 2-data types,Variables,Operators,Conitionals,loops and arraysDevaKumari Vijay
 
Exception handling and templates
Exception handling and templatesException handling and templates
Exception handling and templatesfarhan amjad
 
the halting_problem
the halting_problemthe halting_problem
the halting_problemRajendran
 
White boxvsblackbox
White boxvsblackboxWhite boxvsblackbox
White boxvsblackboxsanerjjd
 
lab-8 (1).pptx
lab-8 (1).pptxlab-8 (1).pptx
lab-8 (1).pptxShimoFcis
 
Algorithm and flowchart with pseudo code
Algorithm and flowchart with pseudo codeAlgorithm and flowchart with pseudo code
Algorithm and flowchart with pseudo codehamza javed
 

Similar to Doveryai, no proveryai - Introduction to tla+ (20)

Interprocess Communication
Interprocess CommunicationInterprocess Communication
Interprocess Communication
 
Process Synchronization -1.ppt
Process Synchronization -1.pptProcess Synchronization -1.ppt
Process Synchronization -1.ppt
 
Os unit 3
Os unit 3Os unit 3
Os unit 3
 
UNIT III Process Synchronization.docx
UNIT III Process Synchronization.docxUNIT III Process Synchronization.docx
UNIT III Process Synchronization.docx
 
Algorithms
AlgorithmsAlgorithms
Algorithms
 
Loops and iteration.docx
Loops and iteration.docxLoops and iteration.docx
Loops and iteration.docx
 
Python - Control Structures
Python - Control StructuresPython - Control Structures
Python - Control Structures
 
Concurrent programming with RTOS
Concurrent programming with RTOSConcurrent programming with RTOS
Concurrent programming with RTOS
 
Mastering Python lesson 3a
Mastering Python lesson 3aMastering Python lesson 3a
Mastering Python lesson 3a
 
M C6java6
M C6java6M C6java6
M C6java6
 
02 - Prepcode
02 - Prepcode02 - Prepcode
02 - Prepcode
 
Exception+Logging=Diagnostics 2011
Exception+Logging=Diagnostics 2011Exception+Logging=Diagnostics 2011
Exception+Logging=Diagnostics 2011
 
Control structures ii
Control structures ii Control structures ii
Control structures ii
 
Chapter 6 - Process Synchronization
Chapter 6 - Process SynchronizationChapter 6 - Process Synchronization
Chapter 6 - Process Synchronization
 
Unit 2-data types,Variables,Operators,Conitionals,loops and arrays
Unit 2-data types,Variables,Operators,Conitionals,loops and arraysUnit 2-data types,Variables,Operators,Conitionals,loops and arrays
Unit 2-data types,Variables,Operators,Conitionals,loops and arrays
 
Exception handling and templates
Exception handling and templatesException handling and templates
Exception handling and templates
 
the halting_problem
the halting_problemthe halting_problem
the halting_problem
 
White boxvsblackbox
White boxvsblackboxWhite boxvsblackbox
White boxvsblackbox
 
lab-8 (1).pptx
lab-8 (1).pptxlab-8 (1).pptx
lab-8 (1).pptx
 
Algorithm and flowchart with pseudo code
Algorithm and flowchart with pseudo codeAlgorithm and flowchart with pseudo code
Algorithm and flowchart with pseudo code
 

More from Sandeep Joshi

Synthetic data generation
Synthetic data generationSynthetic data generation
Synthetic data generationSandeep Joshi
 
How to build a feedback loop in software
How to build a feedback loop in softwareHow to build a feedback loop in software
How to build a feedback loop in softwareSandeep Joshi
 
Programming workshop
Programming workshopProgramming workshop
Programming workshopSandeep Joshi
 
Hash function landscape
Hash function landscapeHash function landscape
Hash function landscapeSandeep Joshi
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 
Apache spark undocumented extensions
Apache spark undocumented extensionsApache spark undocumented extensions
Apache spark undocumented extensionsSandeep Joshi
 
Rate limiters in big data systems
Rate limiters in big data systemsRate limiters in big data systems
Rate limiters in big data systemsSandeep Joshi
 
Virtualization overheads
Virtualization overheadsVirtualization overheads
Virtualization overheadsSandeep Joshi
 
Data streaming algorithms
Data streaming algorithmsData streaming algorithms
Data streaming algorithmsSandeep Joshi
 

More from Sandeep Joshi (11)

Block ciphers
Block ciphersBlock ciphers
Block ciphers
 
Synthetic data generation
Synthetic data generationSynthetic data generation
Synthetic data generation
 
How to build a feedback loop in software
How to build a feedback loop in softwareHow to build a feedback loop in software
How to build a feedback loop in software
 
Programming workshop
Programming workshopProgramming workshop
Programming workshop
 
Hash function landscape
Hash function landscapeHash function landscape
Hash function landscape
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
 
Apache spark undocumented extensions
Apache spark undocumented extensionsApache spark undocumented extensions
Apache spark undocumented extensions
 
Lockless
LocklessLockless
Lockless
 
Rate limiters in big data systems
Rate limiters in big data systemsRate limiters in big data systems
Rate limiters in big data systems
 
Virtualization overheads
Virtualization overheadsVirtualization overheads
Virtualization overheads
 
Data streaming algorithms
Data streaming algorithmsData streaming algorithms
Data streaming algorithms
 

Recently uploaded

Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 

Recently uploaded (20)

Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 

Doveryai, no proveryai - Introduction to tla+

  • 10. Temporal logic simplified
    In programs, we write formulae using Boolean operators (AND, OR, NOT):
    “Assert (a > 0 AND b < 0)”
    Temporal logic provides you with temporal operators which hold over one or more paths of execution (called “path quantifiers”).
    1. I will like chocolate from now on.
    2. After the weather becomes cold, at some point I will start eating chocolate.
    https://en.wikipedia.org/wiki/Computation_tree_logic#Examples
  • 11. What is TLA+
    ● Language created by Leslie Lamport to express temporal logic.
    ● PlusCal is a simpler variant of TLA+ (this talk uses PlusCal).
    ● TLC is the “model checker”: the tool which verifies whether your PlusCal program is correct.
    ● It has a GUI called Toolbox. In this talk, only the command line tool is used.
  • 12. How to get started with TLA+
    ● Read general background on model checkers
    ● Download the TLA toolbox (GUI + Java jar file)
    ● Read the PlusCal manual and Lamport’s book “Specifying Systems”
    ● Read sample PlusCal programs written by others
    ● Start with a small problem and try writing your own program
    ● Run it:
      $ java pcal.trans myspec.tla
      $ java tlc2.TLC myspec.tla
  • 13. Childcare facility problem
    Children and adults continuously enter and exit a childcare facility. Ensure that there is always one adult present for every three children.
    [ from The Little Book of Semaphores by Allen Downey ]
  • 14. Childcare constraints
    Adults can enter anytime, but exit ONLY if
    1. three times the NEW number of adults is at least the number of children.
    Children can exit anytime, but enter ONLY if
    1. three times the number of adults is at least the NEW number of children.
  • 15. Childcare - create child & parent process
    Define a PlusCal “process” for each actor in your system:
      --algorithm childcare {
        process (a \in 1..ADULTS) { ... }
        process (c \in 1..CHILDREN) { ... }
      }
  • 16. Childcare - “labels” denote atomic actions
    Use one PlusCal label for each atomic action of Child. Child performs two actions: enter and exit the childcare facility.
      process (c \in 1..CHILDREN) {
        c_enter: number_children := number_children + 1;
        c_exit:  number_children := number_children - 1;
      }
  • 17. What are PlusCal labels
    All statements within a label are executed atomically by TLC. TLC internally interleaves the execution of many processes in order to verify correctness.
      Child 1                  Adult 2
      LabelA : Y := X + 1      Label1 : X := Y + 1
                               Label2 : X := Y - 1
  • 18. Childcare - use “await” to wait for a condition
    Every Child will wait until there is a sufficient number of adults present inside.
      c_enter: await (number_adults * 3 >= number_children + 1);
               number_children := number_children + 1;
      c_exit:  number_children := number_children - 1;
               assert (number_adults * 3 >= number_children);
  • 19. Childcare - specify adult process
    Follow the same steps to define the adult process, using process, label and await.
      process (a \in 1..ADULTS) {
        a_enter: number_adults := number_adults + 1;
        a_exit:  await (number_adults * 3 >= number_children);
                 number_adults := number_adults - 1;
                 assert (number_adults * 3 >= number_children);
      }
  • 20. TLC (model checker) failure output
    At this point the assert fires: an adult exited because the “await” condition was incorrect.
  • 21. Childcare - correct the condition
    Change the await condition to check the new value instead of the old one.
      process (a \in 1..ADULTS) {
        a_enter: number_adults := number_adults + 1;
        a_exit:  await ((number_adults - 1) * 3 >= number_children);
                 number_adults := number_adults - 1;
      }
  • 23. TLC (model checker) output on success
  • 24. Dining Philosophers Problem
    Each philosopher keeps doing the following:
    1. Think
    2. Take right fork
    3. Take left fork
    4. Eat
    5. Put down both forks
  • 25. Dining Philosophers with PlusCal
    Define five philosopher instances; step through three labels (atomic actions).
      process (ph \in 1..5) {
        Wait_first_fork:  await (forks[right] = FALSE);
                          forks[right] := TRUE;
      }
  • 26. Dining Philosophers with PlusCal
    Define five philosopher instances; step through three labels (atomic actions).
      process (ph \in 1..5) {
        Wait_first_fork:  await (forks[right] = FALSE);
                          forks[right] := TRUE;
        Wait_second_fork: await (forks[left] = FALSE);
                          forks[left] := TRUE;
      }
  • 27. Dining Philosophers with PlusCal
    Define five philosopher instances; step through three labels (atomic actions).
      process (ph \in 1..5) {
        Wait_first_fork:  await (forks[right] = FALSE);
                          forks[right] := TRUE;
        Wait_second_fork: await (forks[left] = FALSE);
                          forks[left] := TRUE;
        Done_eating:      forks[left] := FALSE || forks[right] := FALSE;
      }
  • 28. Dining Philosophers - complete spec
  • 29. Dining Philosophers - deadlock!
  • 30. Dining Philosophers - deadlock!
    All five philosophers are waiting for the second fork!
  • 31. Dining Philosophers - introduce asymmetry
    To resolve the deadlock, the third philosopher will pick the left fork first.
      process (ph \in 1..5) {
        Init:             if (self = 3) { right := left || left := right; };  \* swap(right, left)
        Wait_first_fork:  await (forks[right] = FALSE);
                          forks[right] := TRUE;
        Wait_second_fork: await (forks[left] = FALSE);
                          forks[left] := TRUE;
        Done_eating:      forks[left] := FALSE || forks[right] := FALSE;
      }
  • 32. Dining Philosophers - complete spec
  • 33. Dining Philosophers - no deadlock!
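To show what TLC does when it reports the childcare assert failure (slides 18-21) and the dining philosophers deadlock (slides 25-33), here is an added example (not from the talk or its repository) that enumerates every interleaving of the two specs with a breadth-first explicit-state search. The model sizes (one adult, three children, five philosophers), the process encodings and the function names are this example's own assumptions.

```python
from collections import deque

def explore(init, step, invariant):
    """BFS over every reachable state (every interleaving), which is what TLC does.
    Returns ("ok", state_count) or ("violation" | "deadlock", shortest trace)."""
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        succ = list(step(s))
        if not invariant(s) or not succ:  # assert failed, or no action enabled
            kind, trace = ("violation" if not invariant(s) else "deadlock"), []
            while s is not None:          # follow parent links back to init
                trace.append(s)
                s = parent[s]
            return kind, trace[::-1]
        for t in succ:
            if t not in parent:
                parent[t] = s; queue.append(t)
    return "ok", len(parent)
def upd(t, i, v): return t[:i] + (v,) + t[i + 1:]  # TLA+ [t EXCEPT ![i] = v]
ADULTS, CHILDREN, N = 1, 3, 5  # constructed model sizes: adults, children, philosophers
def childcare(fixed):  # slides 18-21; state = tuple of pcs ("in"/"out"), adults first
    def counts(pcs): return pcs[:ADULTS].count("in"), pcs[ADULTS:].count("in")
    def step(pcs):
        a, c = counts(pcs)
        for i, pc in enumerate(pcs):
            if i < ADULTS:  # a_enter is always enabled; a_exit is guarded by the await
                ok = pc == "out" or ((a - 1) * 3 >= c if fixed else a * 3 >= c)
            else:           # c_enter awaits the guard on the NEW count; c_exit always
                ok = pc == "in" or a * 3 >= c + 1
            if ok: yield upd(pcs, i, "out" if pc == "in" else "in")
    return explore(("out",) * (ADULTS + CHILDREN), step,
                   lambda pcs: counts(pcs)[0] * 3 >= counts(pcs)[1])  # the Assert

def philosophers(asymmetric):  # slides 25-31; state = (holder of each fork, pcs)
    def order(i):  # (first, second) fork; fork i is right of philosopher i; self=3 swaps
        right, left = i, (i + 1) % N
        return (left, right) if asymmetric and i == 2 else (right, left)
    def step(state):
        forks, pcs = state
        for i, pc in enumerate(pcs):
            first, second = order(i)
            if pc == "first" and forks[first] is None:      # Wait_first_fork
                yield upd(forks, first, i), upd(pcs, i, "second")
            elif pc == "second" and forks[second] is None:  # Wait_second_fork
                yield upd(forks, second, i), upd(pcs, i, "eat")
            elif pc == "eat":                               # Done_eating
                yield upd(upd(forks, first, None), second, None), upd(pcs, i, "first")
    def safe(s): return not any(s[1][i] == s[1][(i + 1) % N] == "eat" for i in range(N))
    return explore(((None,) * N, ("first",) * N), step, safe)  # neighbours never eat together
```

`childcare(False)` returns the shortest trace to a state with no adult and a child inside (the counterpart of the failure output on slide 20), `childcare(True)` returns `("ok", 9)`; `philosophers(False)` returns the all-waiting deadlock state of slide 30, and `philosophers(True)` finds neither a deadlock nor a safety violation.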
  • 34. Alternating bit protocol over lossy channel
    [Figure: Sender and Receiver connected by a Message channel and an Ack channel; both channels are lossy.]
    https://en.wikipedia.org/wiki/Alternating_bit_protocol
    Discussed in Lamport’s book “Specifying Systems”.
  • 35. Alternating bit protocol - define channel
    Use the “Sequences” module to define the communication channels.
    Declare the channels as sequences:
      variables msgChan = <<>>, ackChan = <<>>;
    Append to a channel:
      Append(msgChan, m)
    Extract using Head(msgChan) or Tail(msgChan).
  • 36. Alternating bit protocol - sender and receiver process
    Define one process each for Sender and Receiver:
      process (Sender = "S") {
        \* send message OR receive ack
      }
      process (Receiver = "R") {
        \* receive message OR send ack
      }
  • 37. Alternating bit protocol - sender and receiver process
    Define one process each for Sender and Receiver (Recv is a macro from the full spec, not shown here):
      process (Sender = "S") {
        s: either { msgChan := Append(msgChan, <<input>>); }
           or     { Recv(ack, ackChan); }
      }
      process (Receiver = "R") {
        r: either { ackChan := Append(ackChan, rbit); }
           or     { Recv(msg, msgChan); }
      }
  • 38. PlusCal - Either Or
    “Either Or” is an important feature of the PlusCal language (TLA+). It allows you to model non-determinism: TLC (the model checker) will explore both options.
      either { Do this }
      or     { Do that }
  • 39. Alternating bit protocol - simulate lossy channel
    To simulate a lossy channel, add another process which randomly deletes messages.
      process (LoseMsg = "L") {
        \* randomly delete messages from either channel
      }
  • 40. Alternating bit protocol - simulate lossy channel
    To simulate a lossy channel, add another process which randomly deletes messages.
      process (LoseMsg = "L") {
        l: while (TRUE) {
             either with (i \in 1..Len(msgChan)) { msgChan := Remove(i, msgChan); }
             or     with (i \in 1..Len(ackChan)) { ackChan := Remove(i, ackChan); }
           }
      }
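As an added example (not the talk's spec), the exchange of slides 34-40 run as a simulation: Sender, Receiver and a LoseMsg process share two FIFO channels, and a constructed loss schedule replaces TLC's non-deterministic `either`/`with`. The `use_bit=False` switch is this example's own device to show why the alternating bit is needed: without it, a lost ack makes the receiver deliver a duplicate.

```python
from collections import deque

def abp_run(data, lost, use_bit=True, max_steps=200):
    """Deliver `data` from Sender to Receiver over msgChan and ackChan.
    `lost` is a constructed schedule: a set of (step, "msg" | "ack") pairs at
    which the LoseMsg process removes the head of that channel.
    With use_bit=False the alternating bit is ignored (plain stop-and-wait).
    Returns the sequence the Receiver delivered."""
    msgChan, ackChan = deque(), deque()       # FIFO channels, like TLA+ sequences
    sbit, rbit, i, out = 0, 0, 0, []          # sender bit, expected bit, next item, output
    for step in range(max_steps):
        if i == len(data):                    # every item acknowledged
            break
        # Sender: consume a waiting ack, otherwise (re)transmit the current item
        if ackChan:
            ack = ackChan.popleft()
            if not use_bit or ack == sbit:    # with the bit, a stale ack is ignored
                i, sbit = i + 1, sbit ^ 1
        elif not msgChan:
            msgChan.append((data[i], sbit))   # retransmit until acknowledged
        if (step, "msg") in lost and msgChan: # LoseMsg drops a message
            msgChan.popleft()
        # Receiver: deliver only when the bit matches, but always acknowledge
        if msgChan:
            d, b = msgChan.popleft()
            if not use_bit or b == rbit:
                out.append(d)
                rbit ^= 1
            ackChan.append(b)
        if (step, "ack") in lost and ackChan: # LoseMsg drops an ack
            ackChan.popleft()
    return out
```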
  • 41. PlusCal constructs introduced
    1. Algorithm : a problem that you want to model.
    2. Process : an actor/thread of execution within the algorithm.
    3. Labels : all statements inside a label are executed atomically.
    4. Await : only execute after the condition becomes true.
    5. Either-Or : non-deterministic execution of alternatives.
    6. With : non-deterministically choose one element out of a set.
  • 42. Notable users of TLA+
    1. Intel CPU cache coherence protocol [Brannon Batson]
    2. Microsoft CosmosDB
    3. Amazon : S3, DynamoDB, EBS, Distributed Lock manager [Chris Newcombe]
    Newcombe (Amazon) has released two of their TLA+ specs (see my github for a copy). None of the others are publicly available.
  • 43. Conclusion
    1. TLC can find bugs.
    2. Complex programs can take hours to run (TLC also has a “simulation” mode which does random verification).
    Learning curve
    1. Formulation : lack of sample programs, but the Google group is helpful.
    2. Debugging : check the backtrace; add prints!
    3. Mastery of TLA+ requires some mathematics knowledge (e.g. set theory).
    4. [Newcombe, Experience of Software Engineers using TLA+] http://tla2012.loria.fr/contributed/newcombe-slides.pdf
  • 44. Questions
    Code : https://github.com/sanjosh/tlaplus (README has references)
    Slides: https://www.slideshare.net/SandeepJoshi55/
  • 45. TLA+ operators
    1. <> P : P is eventually true (in at least one state of the execution)
    2. [] P : P is always true (in every state of the execution)
    3. Q ~> P : whenever Q becomes true, P will eventually be true
    4. <>[] P : at some point P becomes true and stays true
  • 46. Other model checkers besides TLA+
    https://en.wikipedia.org/wiki/List_of_model_checking_tools