forked from gsoosk/POS
-
Notifications
You must be signed in to change notification settings - Fork 0
/
sleep1.p
134 lines (110 loc) · 1.94 KB
/
sleep1.p
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
/*
This file defines a Promela model for xv6's
acquire, release, sleep, and wakeup, along with
a model of a simple producer/consumer queue.
To run:
spinp sleep1.p
(You may need to install Spin, available at http://spinroot.com/.)
After a successful run spin prints something like:
unreached in proctype consumer
(0 of 37 states)
unreached in proctype producer
(0 of 23 states)
After an unsuccessful run, the spinp script prints
an execution trace that causes a deadlock.
The safe body of producer reads:
acquire(lk);
x = value; value = x + 1; x = 0;
wakeup(0);
release(lk);
i = i + 1;
If this is changed to:
x = value; value = x + 1; x = 0;
acquire(lk);
wakeup(0);
release(lk);
i = i + 1;
then a deadlock can happen, because the non-atomic
increment of value conflicts with the non-atomic
decrement in consumer, causing value to have a bad value.
Try this.
If it is changed to:
acquire(lk);
x = value; value = x + 1; x = 0;
release(lk);
wakeup(0);
i = i + 1;
then nothing bad happens: it is okay to wakeup after release
instead of before, although it seems morally wrong.
*/
#define ITER 4
#define N 2
bit lk;
byte value;
bit sleeping[N];
inline acquire(x)
{
atomic { x == 0; x = 1 }
}
inline release(x)
{
assert x==1;
x = 0
}
inline sleep(cond, lk)
{
assert !sleeping[_pid];
if
:: cond ->
skip
:: else ->
atomic { release(lk); sleeping[_pid] = 1 };
sleeping[_pid] == 0;
acquire(lk)
fi
}
inline wakeup()
{
w = 0;
do
:: w < N ->
sleeping[w] = 0;
w = w + 1
:: else ->
break
od
}
active[N] proctype consumer()
{
byte i, x;
i = 0;
do
:: i < ITER ->
acquire(lk);
sleep(value > 0, lk);
x = value; value = x - 1; x = 0;
release(lk);
i = i + 1;
:: else ->
break
od;
i = 0;
skip
}
active[N] proctype producer()
{
byte i, x, w;
i = 0;
do
:: i < ITER ->
acquire(lk);
x = value; value = x + 1; x = 0;
release(lk);
wakeup();
i = i + 1;
:: else ->
break
od;
i = 0;
skip
}