the bakery algorithm in 2015 - inriavideos.rennes.inria.fr/workshop-michelraynal/... · including...
TRANSCRIPT
![Page 1: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/1.jpg)
The Bakery Algorithm in 2015
Leslie LamportMicrosoft Research
0
![Page 2: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/2.jpg)
The Algorithm in 1974
A mutual exclusion algorithm for processes named 1, . . . , N .
Here’s the algorithm for process i . . .
0
![Page 3: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/3.jpg)
The Algorithm in 1974
A mutual exclusion algorithm for processes named 1, . . . , N .
Here’s the algorithm for process i . . .
0
![Page 4: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/4.jpg)
The Algorithm in 1974
A mutual exclusion algorithm for processes named 1, . . . , N .
Here’s the algorithm for process i . . .
0
![Page 5: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/5.jpg)
The Algorithm in 1974
L1: choosing[i] := 1;number[i] := 1 + maximum(number[1],...,number[N]);choosing[i] := 0;for j = 1 step l until N dobeginL2: if choosing[j] /= 0 then goto L2;L3: if number[j] /= 0 and
(number[j], j) < (number[i], i)then goto L3;
end;critical section;number[i] := O;noncritical section;goto L1;
0
![Page 6: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/6.jpg)
The Algorithm in 1974
L1: choosing[i] := 1;number[i] := 1 + maximum(number[1],...,number[N]);choosing[i] := 0;for j = 1 step l until N dobeginL2: if choosing[j] /= 0 then goto L2;L3: if number[j] /= 0 and
(number[j], j) < (number[i], i)then goto L3;
end;critical section;number[i] := O;noncritical section;goto L1;
Don’t try to read it now.
0
![Page 7: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/7.jpg)
The Algorithm in 1974
L1: choosing[i] := 1;number[i] := 1 + maximum(number[1],...,number[N]);choosing[i] := 0;for j = 1 step l until N dobeginL2: if choosing[j] /= 0 then goto L2;L3: if number[j] /= 0 and
(number[j], j) < (number[i], i)then goto L3;
end;critical section;number[i] := O;noncritical section;goto L1;
This pseudocode is old-fashioned,so I’ll update it.
0
![Page 8: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/8.jpg)
The Algorithm in 1974
L1: choosing[i] := 1;number[i] := 1 + maximum(number[1],...,number[N]);choosing[i] := 0;for j = 1 step l until N dobegin
L2: if choosing[j] /= 0 then goto L2;L3: if number[j] /= 0 and
(number[j], j) < (number[i], i)then goto L3;
end;critical section;number[i] := O;noncritical section;goto L1;
For example, gotos wereold-fashioned in 1974.
0
![Page 9: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/9.jpg)
The Algorithm in 1974
while true dobegin
choosing[i] := 1;number[i] := 1 + maximum(number[1],...,number[N]);choosing[i] := 0;for j = 1 step l until N dobeginL2: if choosing[j] /= 0 then goto L2;L3: if number[j] /= 0 and
(number[j], j) < (number[i], i)then goto L3;
end;critical section;number[i] := O;noncritical section;
end
0
![Page 10: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/10.jpg)
The Algorithm in 1974
while true dobeginchoosing[i] := 1;number[i] := 1 + maximum(number[1],...,number[N]);choosing[i] := 0;for j = 1 step l until N dobeginL2: if choosing[j] /= 0 then goto L2;L3: if number[j] /= 0 and
(number[j], j) < (number[i], i)then goto L3;
end;critical section;number[i] := O;noncritical section;
end
A number of such changes yield. . .
0
![Page 11: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/11.jpg)
The Algorithm I Might Have Written in 1979
while true dobeginnoncritical section;flag[i] := true;num[i] := any nat > maximum(num[1],...,num[N]);flag[i] := false;for all j in {1,...,N} except j=i dobeginwait for not flag[j];wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
critical section;num[i] := O;
end
1
![Page 12: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/12.jpg)
The Algorithm I Might Have Written in 1979
while true dobeginnoncritical section;flag[i] := true;num[i] := any nat > maximum(num[1],...,num[N]);flag[i] := false;for all j in {1,...,N} except j=i dobeginwait for not flag[j];wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
critical section;num[i] := O;
end
None of these changesneeded for what follows.
1
![Page 13: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/13.jpg)
In the 1980s
People realized that the only reliable general methodfor reasoning about concurrent algorithms was with aninductive invariant.
An inductive invariant must refer to the control state.
Adding labels makes it easy to describe the control state.
1
![Page 14: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/14.jpg)
In the 1980s
People realized that the only reliable general methodfor reasoning about concurrent algorithms was with aninductive invariant.
An inductive invariant must refer to the control state.
Adding labels makes it easy to describe the control state.
1
![Page 15: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/15.jpg)
In the 1980s
People realized that the only reliable general methodfor reasoning about concurrent algorithms was with aninductive invariant.
There are tricks that work for particular algorithms,including the bakery algorithm.
An inductive invariant must refer to the control state.
Adding labels makes it easy to describe the control state.
1
![Page 16: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/16.jpg)
In the 1980s
People realized that the only reliable general methodfor reasoning about concurrent algorithms was with aninductive invariant.
A state function that cannot be made false byany program step.
An inductive invariant must refer to the control state.
Adding labels makes it easy to describe the control state.
1
![Page 17: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/17.jpg)
In the 1980s
People realized that the only reliable general methodfor reasoning about concurrent algorithms was with aninductive invariant.
An inductive invariant must refer to the control state.
Adding labels makes it easy to describe the control state.
1
![Page 18: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/18.jpg)
In the 1980s
People realized that the only reliable general methodfor reasoning about concurrent algorithms was with aninductive invariant.
An inductive invariant must refer to the control state.
Adding labels makes it easy to describe the control state.
1
![Page 19: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/19.jpg)
The Algorithm in 1979
while true dobeginnoncritical section;flag[i] := true;num[i] := any nat > maximum(num[1],...,num[N]);flag[i] := false;for all j in {1,...,N} except j=i dobeginwait for not flag[j];wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
critical section;num[i] := O;
end
2
![Page 20: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/20.jpg)
The Algorithm in 1979
while true dobeginnoncritical section;flag[i] := true;num[i] := any nat > maximum(num[1],...,num[N]);flag[i] := false;for all j in {1,...,N} except j=i dobeginwait for not flag[j];wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
critical section;num[i] := O;
end
Adding labels yields. . .
2
![Page 21: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/21.jpg)
The Algorithm in the 1980s
while true dobegin
ncs: noncritical section;e1: flag[i] := true;e3: num[i] :=
e2: any nat > maximum(num[1],...,num[N]);e4: flag[i] := false;
for all j in {1,...,N} except j=i dobegin
w1: wait for not flag[j];w2: wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
cs: critical section;exit: num[i] := O;
end
2
![Page 22: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/22.jpg)
The Algorithm in 2015
In 2015 I wrote a PlusCal specification anda correctness proof of the algorithm.
I’ll explain why later.
2
![Page 23: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/23.jpg)
The Algorithm in 2015
In 2015 I wrote a PlusCal specification anda correctness proof of the algorithm.
I’ll explain why later.
2
![Page 24: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/24.jpg)
I typed it in ASCII in the TLA+ Toolbox
2
![Page 25: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/25.jpg)
Automatically Pretty Printed
2
![Page 26: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/26.jpg)
Automatically Pretty Printed
I’ll show the pretty-printed version.
2
![Page 27: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/27.jpg)
The Algorithm In PlusCal
4
![Page 28: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/28.jpg)
The Algorithm In PlusCal
The PlusCal algorithm appears in a TLA+ module.
4
![Page 29: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/29.jpg)
The Algorithm In PlusCal
Imports standard modules.
4
![Page 30: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/30.jpg)
The Algorithm In PlusCal
Declares N (the number of processes) andwhat we assume about it.
4
![Page 31: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/31.jpg)
The Algorithm In PlusCal
Defines Procs to be the set of process names.
4
![Page 32: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/32.jpg)
The Algorithm In PlusCal
In 1979, I used < to mean lexicographical ordering of pairs.
4
![Page 33: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/33.jpg)
The Algorithm In PlusCal
In PlusCal / TLA+, < means inequality of numbers.
4
![Page 34: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/34.jpg)
The Algorithm In PlusCal
Defines ≺ to be mean lexicographical ordering of pairs.(In PlusCal / TLA+, an ordered pair p has components p[1] and p[2].)
4
![Page 35: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/35.jpg)
The algorithm appears inside a comment.
5
![Page 36: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/36.jpg)
I called the algorithmn Bakery .
5
![Page 37: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/37.jpg)
Declared the global variables.
5
![Page 38: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/38.jpg)
Declaration of num
5
![Page 39: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/39.jpg)
Declaration of num and its initial value.
5
![Page 40: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/40.jpg)
The arrayfunction
A with index setdomain
Procs
and A[i ] = 0 for all i ∈ Procs .
5
![Page 41: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/41.jpg)
The arrayfunction
A with index setdomain
Procs
and A[i ] = 0 for all i ∈ Procs .
5
![Page 42: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/42.jpg)
The declaration and initial value of �ag .
5
![Page 43: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/43.jpg)
Begins the specification of a set of processes,with one process for every element of Procs .
5
![Page 44: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/44.jpg)
Declares the variables local to each process.
5
![Page 45: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/45.jpg)
Variable unchecked initially equal to the empty setand max and nxt .
5
![Page 46: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/46.jpg)
Variable unchecked initially equal to the empty setand max and nxt .
5
![Page 47: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/47.jpg)
Variable unchecked initially equal to the empty setand max and nxt .
5
![Page 48: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/48.jpg)
Next comes the body of the processes.
5
![Page 49: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/49.jpg)
This part of the pseudocode
while true dobegin
ncs: noncritical section;e1:
In PlusCal, an atomic action is execution fromone label to the next.
The noncritical section is represented bythe while test.
5
![Page 50: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/50.jpg)
This part of the pseudocode
while true dobegin
ncs: noncritical section;e1:
represented by
In PlusCal, an atomic action is execution fromone label to the next.
The noncritical section is represented bythe while test.
5
![Page 51: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/51.jpg)
This part of the pseudocode
while true dobegin
ncs: noncritical section;e1:
represented by
In PlusCal, an atomic action is execution fromone label to the next.
The noncritical section is represented bythe while test.
5
![Page 52: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/52.jpg)
This part of the pseudocode
while true dobegin
ncs: noncritical section;e1:
represented by
In PlusCal, an atomic action is execution fromone label to the next.
The noncritical section is represented bythe while test.
5
![Page 53: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/53.jpg)
This part of the pseudocode
while true dobegin
ncs: noncritical section;e1:
represented by
In PlusCal, an atomic action is execution fromone label to the next.
The noncritical section is represented bythe while test.
5
![Page 54: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/54.jpg)
This part of the pseudocode
while true dobegin
ncs: noncritical section;e1:
represented by
In PlusCal, an atomic action is execution fromone label to the next.
The noncritical section is represented bythe while test.
5
![Page 55: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/55.jpg)
This part of the pseudocode
while true dobegin
ncs: noncritical section;e1:
represented by
In PlusCal, an atomic action is execution fromone label to the next.
The noncritical section is represented bythe while test.
5
![Page 56: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/56.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
6
![Page 57: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/57.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
The bakery algorithm assumes only safe registers.
A safe register allows a read that overlaps a writeto obtain any legal value.
6
![Page 58: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/58.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
The bakery algorithm assumes only safe registers.
A safe register allows a read that overlaps a writeto obtain any legal value.
6
![Page 59: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/59.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
We model a safe register r as follows:
To write v to r :
– Perform a sequence of atomic writes ofarbitrary legal values to r .
– Atomically write v to r .
Read r atomically.
This model captures the semantics of a safe register.
6
![Page 60: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/60.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
We model a safe register r as follows:
To write v to r :
– Perform a sequence of atomic writes ofarbitrary legal values to r .
– Atomically write v to r .
Read r atomically.
This model captures the semantics of a safe register.
6
![Page 61: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/61.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
We model a safe register r as follows:
To write v to r :
– Perform a sequence of atomic writes ofarbitrary legal values to r .
– Atomically write v to r .
Read r atomically.
This model captures the semantics of a safe register.
6
![Page 62: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/62.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
We model a safe register r as follows:
To write v to r :
– Perform a sequence of atomic writes ofarbitrary legal values to r .
– Atomically write v to r .
Read r atomically.
This model captures the semantics of a safe register.
6
![Page 63: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/63.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
We model a safe register r as follows:
To write v to r :
– Perform a sequence of atomic writes ofarbitrary legal values to r .
– Atomically write v to r .
Read r atomically.
This model captures the semantics of a safe register.
6
![Page 64: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/64.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
We model a safe register r as follows:
To write v to r :
– Perform a sequence of atomic writes ofarbitrary legal values to r .
– Atomically write v to r .
Read r atomically.
This model captures the semantics of a safe register.
6
![Page 65: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/65.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
8
![Page 66: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/66.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
represented by
8
![Page 67: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/67.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
represented by
Yes, we’ll see soon that this is right.
8
![Page 68: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/68.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
represented by
Nondeterministically choose which clause to execute.
8
![Page 69: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/69.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
represented by
self is the name of the current process.
8
![Page 70: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/70.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
represented by
Complement �ag and repeat.(The only legal values of �ag [self ] are TRUE and FALSE .)
8
![Page 71: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/71.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
represented by
Complement �ag and repeat.(The only legal values of �ag [self ] are TRUE and FALSE .)
8
![Page 72: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/72.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
represented by
Complement �ag and repeat.(The only legal values of �ag [self ] are TRUE and FALSE .)
8
![Page 73: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/73.jpg)
This part of the pseudocode
e1: flag[i] := true;e3:
represented by
or set �ag [self ] to the value being writtenand continue to the next statement.
8
![Page 74: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/74.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
9
![Page 75: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/75.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
The process first evaluates this expression.
9
![Page 76: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/76.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
represented by
9
![Page 77: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/77.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
represented by
9
![Page 78: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/78.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
represented by
The set of processes whose numbershaven’t yet been read.
9
![Page 79: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/79.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
represented by
num[self ] = 0, so it doesn’thave to be read.
9
![Page 80: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/80.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
represented by
9
![Page 81: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/81.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
represented by
The largest number read so far.
9
![Page 82: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/82.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
represented by
unchecked and max are localvariables, so they can beaccessed in any atomic action.
9
![Page 83: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/83.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
represented by
Loop until unchecked empty.
9
![Page 84: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/84.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
represented by
Locally sets i to a nondeterministicallychosen element of unchecked .
9
![Page 85: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/85.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
represented by
Remove process i from unchecked .
9
![Page 86: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/86.jpg)
This part of the pseudocode
e3: num[i] :=e2: any nat > maximum(num[1],...,num[N]);
represented by
9
![Page 87: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/87.jpg)
This part of the pseudocode
e3: num[i] :=e2: any Nat > maximum(num[1],...,num[N]);
11
![Page 88: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/88.jpg)
This part of the pseudocode
e3: num[i] :=e2: any Nat > maximum(num[1],...,num[N]);
represented by
11
![Page 89: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/89.jpg)
This part of the pseudocode
e3: num[i] :=e2: any Nat > maximum(num[1],...,num[N]);
represented by
Another safe register assignment.
11
![Page 90: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/90.jpg)
This part of the pseudocode
e3: num[i] :=e2: any Nat > maximum(num[1],...,num[N]);
represented by
either set num[self ] to any element of Nat , and repeat.
or set num[self ] to a nondeterministically chosen i inthe set of all numbers in Nat greater than max .
11
![Page 91: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/91.jpg)
This part of the pseudocode
e3: num[i] :=e2: any Nat > maximum(num[1],...,num[N]);
represented by
either set num[self ] to any element of Nat , and repeat.
or set num[self ] to a nondeterministically chosen i inthe set of all numbers in Nat greater than max .
11
![Page 92: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/92.jpg)
This part of the pseudocode
e3: num[i] :=e2: any Nat > maximum(num[1],...,num[N]);
represented by
either set num[self ] to any element of Nat , and repeat.
or set num[self ] to a nondeterministically chosen i inthe set of all numbers in Nat greater than max .
11
![Page 93: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/93.jpg)
This part of the pseudocode
e3: num[i] :=e2: any Nat > maximum(num[1],...,num[N]);
represented by
either set num[self ] to any element of Nat , and repeat.
or set num[self ] to a nondeterministically chosen i inthe set of all numbers in Nat greater than max .
11
![Page 94: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/94.jpg)
This part of the pseudocode
e3: num[i] :=e2: any Nat > maximum(num[1],...,num[N]);
represented by
either set num[self ] to any element of Nat , and repeat.
or set num[self ] to a nondeterministically chosen i inthe set of all numbers in Nat greater than max .
11
![Page 95: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/95.jpg)
This part of the pseudocode
e3: num[i] :=e2: any Nat > maximum(num[1],...,num[N]);
represented by
max equals
either set num[self ] to any element of Nat , and repeat.
or set num[self ] to a nondeterministically chosen i inthe set of all numbers in Nat greater than max .
11
![Page 96: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/96.jpg)
This part of the pseudocode
e4: flag[i] := false;
11
![Page 97: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/97.jpg)
This part of the pseudocode
e1: flag[i] := true;
Just like previous assignment to �ag [i ]
11
![Page 98: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/98.jpg)
This part of the pseudocode
e4: flag[i] := false;
represented by
11
![Page 99: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/99.jpg)
This part of the pseudocodefor all j in {1,...,N} except j=i dobegin
w1: wait for not flag[j];w2: wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
represented by
12
![Page 100: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/100.jpg)
This part of the pseudocodefor all j in {1,...,N} except j=i dobegin
w1: wait for not flag[j];w2: wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
represented by
12
![Page 101: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/101.jpg)
This part of the pseudocodefor all j in {1,...,N} except j=i dobegin
w1: wait for not flag[j];w2: wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
represented by
Set unchecked to the set ofall processes except self .
12
![Page 102: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/102.jpg)
This part of the pseudocodefor all j in {1,...,N} except j=i dobegin
w1: wait for not flag[j];w2: wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
represented by
While unchecked is not the empty set
12
![Page 103: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/103.jpg)
This part of the pseudocodefor all j in {1,...,N} except j=i dobegin
w1: wait for not flag[j];w2: wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
represented by
Set nxt to a nondeterministicallychosen i in unchecked .
12
![Page 104: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/104.jpg)
This part of the pseudocodefor all j in {1,...,N} except j=i dobegin
w1: wait for not flag[j];w2: wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
represented by
Remove nxt from unchecked .
12
![Page 105: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/105.jpg)
This part of the pseudocodefor all j in {1,...,N} except j=i dobegin
w1: wait for not flag[j];w2: wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
12
![Page 106: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/106.jpg)
This part of the pseudocodefor all j in {1,...,N} except j=i dobegin
w1: wait for not flag[j];w2: wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
represented by
12
![Page 107: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/107.jpg)
This part of the pseudocodefor all j in {1,...,N} except j=i dobegin
w1: wait for not flag[j];w2: wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
represented by
12
![Page 108: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/108.jpg)
This part of the pseudocodefor all j in {1,...,N} except j=i dobegin
w1: wait for not flag[j];w2: wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
represented by
12
![Page 109: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/109.jpg)
The rest of the pseudocode
cs: critical section;exit: num[i] := O;
end
13
![Page 110: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/110.jpg)
The rest of the pseudocode
cs: critical section;exit: num[i] := O;
end
represented by
13
![Page 111: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/111.jpg)
The rest of the pseudocode
cs: critical section;exit: num[i] := O;
end
represented by
13
![Page 112: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/112.jpg)
The rest of the pseudocode
cs: critical section;exit: num[i] := O;
end
represented by
Another safe register assignment.
13
![Page 113: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/113.jpg)
The “Complete” Pseudocode
13
![Page 114: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/114.jpg)
The “Complete” Pseudocode
Omits:
– the initialization of variables
– the declarations of N , i , and the set of processes
– the definition of < on pairs
– the semantics of read/write for safe registers
They’re written in prose.
13
![Page 115: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/115.jpg)
The “Complete” Pseudocode
Omits:
– the initialization of variables
– the declarations of N , i , and the set of processes
– the definition of < on pairs
– the semantics of read/write for safe registers
They’re written in prose.
13
![Page 116: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/116.jpg)
The “Complete” Pseudocode
while true dobegin
ncs: noncritical section;e1: flag[i] := true;e3: num[i] :=
e2: any nat > maximum(num[1],...,num[N]);e4: flag[i] := false;
for all j in {1,...,N} except j=i dobegin
w1: wait for not flag[j];w2: wait for num[j] = 0 or
(num[i], i) < (num[j], j);end;
cs: critical section;exit: num[i] := O;
end
13
![Page 117: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/117.jpg)
The “Complete” PlusCal Code
14
![Page 118: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/118.jpg)
The “Complete” PlusCal Code
Omits:
– the declaration of N
– the definitions of Procs and ≺– a little boilerplate
They’re in the TLA+ module.
14
![Page 119: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/119.jpg)
The “Complete” PlusCal Code
Omits:
– the declaration of N
– the definitions of Procs and ≺– a little boilerplate
They’re in the TLA+ module.
14
![Page 120: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/120.jpg)
The “Complete” PlusCal Code
14
![Page 121: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/121.jpg)
The TLA+ Translation
The translator puts the TLA+ version of the algorithmin the module.
This version is the mathematical semantics of the algorithm,and it’s easy to understand.
The translation introduces a variable pc to describethe control state.
Most of the translation consists of:for each label, a formula describing the atomic stepthat starts at the label.
15
![Page 122: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/122.jpg)
The TLA+ Translation
The translator puts the TLA+ version of the algorithmin the module.
This version is the mathematical semantics of the algorithm,and it’s easy to understand.
The translation introduces a variable pc to describethe control state.
Most of the translation consists of:for each label, a formula describing the atomic stepthat starts at the label.
15
![Page 123: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/123.jpg)
The TLA+ Translation
The translator puts the TLA+ version of the algorithmin the module.
This version is the mathematical semantics of the algorithm,and it’s easy to understand.
The translation introduces a variable pc to describethe control state.
Most of the translation consists of:for each label, a formula describing the atomic stepthat starts at the label.
15
![Page 124: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/124.jpg)
The TLA+ Translation
The translator puts the TLA+ version of the algorithmin the module.
This version is the mathematical semantics of the algorithm,and it’s easy to understand.
The translation introduces a variable pc to describethe control state.
Most of the translation consists of:for each label, a formula describing the atomic stepthat starts at the label.
15
![Page 125: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/125.jpg)
The TLA+ Translation
The translator puts the TLA+ version of the algorithmin the module.
This version is the mathematical semantics of the algorithm,and it’s easy to understand.
The translation introduces a variable pc to describethe control state.
Most of the translation consists of:for each label, a formula describing the atomic stepthat starts at the label.
15
![Page 126: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/126.jpg)
The TLA+ Translation
The translator puts the TLA+ version of the algorithmin the module.
This version is the mathematical semantics of the algorithm,and it’s easy to understand.
The translation introduces a variable pc to describethe control state.
Most of the translation consists of:for each label, a formula describing the atomic stepthat starts at the label.
15
![Page 127: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/127.jpg)
A Trivial Example
PlusCal:
16
![Page 128: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/128.jpg)
A Trivial Example
PlusCal:
TLA+ Translation:
16
![Page 129: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/129.jpg)
A Trivial Example
PlusCal:
TLA+ Translation:
Defines the formula describing the execution ofthis atomic step by a process named self .
16
![Page 130: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/130.jpg)
A Trivial Example
PlusCal:
TLA+ Translation:
The conjunction of three formulas.
16
![Page 131: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/131.jpg)
A Trivial Example
PlusCal:
TLA+ Translation:
This bulleted list notation uses indentation to eliminateparentheses, which is great for large formulas.
16
![Page 132: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/132.jpg)
A Trivial Example
PlusCal:
TLA+ Translation:
True iff control in process self is at cs .
A condition on the first state of the step (a precondition).
16
![Page 133: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/133.jpg)
A Trivial Example
PlusCal:
TLA+ Translation:
True iff control in process self is at cs .
A condition on the first state of the step (a precondition).
16
![Page 134: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/134.jpg)
A Trivial Example
PlusCal:
TLA+ Translation:
Describes the value of pc after the step.
16
![Page 135: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/135.jpg)
A Trivial Example
PlusCal:
TLA+ Translation:
TLA+ notation for the value of the function / array pc
after executing pc[self ] := “exit” .
16
![Page 136: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/136.jpg)
A Trivial Example
PlusCal:
TLA+ Translation:
Asserts that values of the variables num , . . . , nxt
are not changed.
16
![Page 137: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/137.jpg)
A Trivial Example
PlusCal:
TLA+ Translation:
You have now seen about all the TLA+ notationneeded to understand the translation.
16
![Page 138: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/138.jpg)
A Typical ExamplePlusCal:
17
![Page 139: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/139.jpg)
A Typical ExamplePlusCal:
TLA+ Translation:
17
![Page 140: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/140.jpg)
A Typical ExamplePlusCal:
TLA+ Translation: Don’t try to read it.
17
![Page 141: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/141.jpg)
A Typical ExamplePlusCal:
TLA+ Translation: Don’t try to read it.I’ll just point out one thing.
17
![Page 142: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/142.jpg)
A Typical ExamplePlusCal:
TLA+ Translation:
Nondeterministic choice
17
![Page 143: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/143.jpg)
A Typical ExamplePlusCal:
TLA+ Translation:
Nondeterministic choice
Is represented mathematically by ∃ .
17
![Page 144: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/144.jpg)
Why Should You Use PlusCal ?
17
![Page 145: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/145.jpg)
1. It’s precise
This publication was widely read:
Paxos Made SimpleACM SIGACT NewsDecember 2001
Not long ago I was told that one sentence in itcan be misinterpreted, and that led to bugs intwo industrial systems.
18
![Page 146: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/146.jpg)
1. It’s precise
This publication was widely read:
Paxos Made SimpleACM SIGACT NewsDecember 2001
Not long ago I was told that one sentence in itcan be misinterpreted, and that led to bugs intwo industrial systems.
18
![Page 147: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/147.jpg)
1. It’s precise
This publication was widely read:
Paxos Made SimpleACM SIGACT NewsDecember 2001
Not long ago I was told that one sentence in itcan be misinterpreted, and that led to bugs intwo industrial systems.
18
![Page 148: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/148.jpg)
1. It’s precise
This publication was widely read:
Paxos Made SimpleACM SIGACT NewsDecember 2001
Not long ago I was told that one sentence in itcan be misinterpreted, and that led to bugs intwo industrial systems.
18
![Page 149: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/149.jpg)
2. You can model check the algorithm.
Example: An algorithm published in
The Mailbox ProblemAguilera, Gafni, and LamportDISC 2008
Our algorithm for finding the algorithm. . .
18
![Page 150: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/150.jpg)
2. You can model check the algorithm.
Example: An algorithm published in
The Mailbox ProblemAguilera, Gafni, and LamportDISC 2008
Our algorithm for finding the algorithm. . .
18
![Page 151: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/151.jpg)
2. You can model check the algorithm.
Example: An algorithm published in
The Mailbox ProblemAguilera, Gafni, and LamportDISC 2008
Our algorithm for finding the algorithm. . .
18
![Page 152: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/152.jpg)
begin : Eli sends me an algorithm;
I code it in PlusCal;
I run the model checker;
if it finds an error
then { I send the error trace to Eli;
goto begin }
The three of us start thinking hard;
We write a rigorous proof
19
![Page 153: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/153.jpg)
begin : Eli sends me an algorithm;
I code it in PlusCal;
I run the model checker;
if it finds an error
then { I send the error trace to Eli;
goto begin }
The three of us start thinking hard;
We write a rigorous proof
19
![Page 154: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/154.jpg)
begin : Eli sends me an algorithm;
I code it in PlusCal;
I run the model checker;
if it finds an error
then { I send the error trace to Eli;
goto begin }
The three of us start thinking hard;
We write a rigorous proof
19
![Page 155: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/155.jpg)
begin : Eli sends me an algorithm;
I code it in PlusCal;
I run the model checker;
if it finds an error
then { I send the error trace to Eli;
goto begin }
The three of us start thinking hard;
We write a rigorous proof
19
![Page 156: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/156.jpg)
begin : Eli sends me an algorithm;
I code it in PlusCal;
I run the model checker;
if it finds an error
then { I send the error trace to Eli;
goto begin }
The three of us start thinking hard;
We write a rigorous proof
19
![Page 157: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/157.jpg)
begin : Eli sends me an algorithm;
I code it in PlusCal;
I run the model checker;
if it finds an error
then { I send the error trace to Eli;
goto begin }
The three of us start thinking hard;
We write a rigorous proof
19
![Page 158: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/158.jpg)
begin : Eli sends me an algorithm;
I code it in PlusCal;
I run the model checker;
if it finds an error
then { I send the error trace to Eli;
goto begin }
The three of us start thinking hard;
We write a rigorous proofWe repeated this loop about 6 times.
19
![Page 159: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/159.jpg)
begin : Eli sends me an algorithm;
I code it in PlusCal;
I run the model checker;
if it finds an error
then { I send the error trace to Eli;
goto begin }
The three of us start thinking hard;
We write a rigorous proof
19
![Page 160: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/160.jpg)
begin : Eli sends me an algorithm;
I code it in PlusCal;
I run the model checker;
if it finds an error
then { I send the error trace to Eli;
goto begin }
The three of us start thinking hard;
We write a rigorous proof
19
![Page 161: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/161.jpg)
Thinking is hard.
Why waste time and brainpower thinking about an algorithmif the model checker can tell you it’s wrong.
Model check first, think later.
19
![Page 162: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/162.jpg)
Thinking is hard.
Why waste time and brainpower thinking about an algorithmif the model checker can tell you it’s wrong.
Model check first, think later.
19
![Page 163: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/163.jpg)
Thinking is hard.
Why waste time and brainpower thinking about an algorithmif the model checker can tell you it’s wrong.
Model check first, think later.
19
![Page 164: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/164.jpg)
3. You can write a rigorous, machine-checked proof.
To prove:No two processes ever in critical section at the same time.
Invariance of MutualExclusion , defined by:
MutualExclusion∆=
∀ i , j ∈ Procs : (i 6= j ) ⇒ ¬∧ pc[i ] = “cs”∧ pc[j ] = “cs”
20
![Page 165: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/165.jpg)
3. You can write a rigorous, machine-checked proof.
To prove:No two processes ever in critical section at the same time.
Invariance of MutualExclusion , defined by:
MutualExclusion∆=
∀ i , j ∈ Procs : (i 6= j ) ⇒ ¬∧ pc[i ] = “cs”∧ pc[j ] = “cs”
20
![Page 166: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/166.jpg)
3. You can write a rigorous, machine-checked proof.
To prove:No two processes ever in critical section at the same time.
Invariance of MutualExclusion , defined by:
MutualExclusion∆=
∀ i , j ∈ Procs : (i 6= j ) ⇒ ¬∧ pc[i ] = “cs”∧ pc[j ] = “cs”
20
![Page 167: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/167.jpg)
The Inductive Invariant
20
![Page 168: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/168.jpg)
The Inductive Invariant
A simple formula asserting type correctness:the value of each variable is an element of the right set.
20
![Page 169: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/169.jpg)
The Inductive Invariant
A formula implying that process i must enterthe critical section before process j does.
20
![Page 170: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/170.jpg)
20
![Page 171: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/171.jpg)
The correctness theorem
Proofs are seldom this short.
This is a best-case scenario because the proof uses onlysimple properties of integers and sets of integers.
21
![Page 172: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/172.jpg)
The correctness theorem and its machine-checked proof
Proofs are seldom this short.
This is a best-case scenario because the proof uses onlysimple properties of integers and sets of integers.
21
![Page 173: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/173.jpg)
The correctness theorem and its machine-checked proof
Proofs are seldom this short.
This is a best-case scenario because the proof uses onlysimple properties of integers and sets of integers.
21
![Page 174: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/174.jpg)
The correctness theorem and its machine-checked proof
Proofs are seldom this short.
This is a best-case scenario because the proof uses onlysimple properties of integers and sets of integers.
21
![Page 175: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/175.jpg)
A More Recent Algorithm
Adaptive Register Allocation with a Linear Number of RegistersDelporte-Gallet, Fauconnier, Gafni, and Lamport
DISC 2013
22
![Page 176: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/176.jpg)
A More Recent Algorithm
Adaptive Register Allocation with a Linear Number of RegistersDelporte-Gallet, Fauconnier, Gafni, and Lamport
DISC 2013
22
![Page 177: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/177.jpg)
A More Recent Algorithm
Adaptive Register Allocation with a Linear Number of RegistersDelporte-Gallet, Fauconnier, Gafni, and Lamport
DISC 2013
Search the web for adaptive register pluscal to find:
22
![Page 178: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/178.jpg)
The Main Algorithm
22
![Page 179: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/179.jpg)
The machine-checked proof is 1752 lines.
Writing machine-checkable proofs is hard.
Most of you will never write one.
So, why use PlusCal?
22
![Page 180: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/180.jpg)
The machine-checked proof is 1752 lines.
Writing machine-checkable proofs is hard.
Most of you will never write one.
So, why use PlusCal?
22
![Page 181: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/181.jpg)
The machine-checked proof is 1752 lines.
Writing machine-checkable proofs is hard.
Most of you will never write one.
So, why use PlusCal?
22
![Page 182: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/182.jpg)
The machine-checked proof is 1752 lines.
Writing machine-checkable proofs is hard.
Most of you will never write one.
So, why use PlusCal?
22
![Page 183: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/183.jpg)
1. It’s precise
The mathematical representation of the algorithmpermits more rigorous hand proofs.
And more rigorous hand proofs are more likelyto be correct.
22
![Page 184: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/184.jpg)
1. It’s precise
The mathematical representation of the algorithmpermits more rigorous hand proofs.
And more rigorous hand proofs are more likelyto be correct.
22
![Page 185: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/185.jpg)
1. It’s precise
The mathematical representation of the algorithmpermits more rigorous hand proofs.
And more rigorous hand proofs are more likelyto be correct.
22
![Page 186: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/186.jpg)
2. You can model check the algorithm.
Model checking can catch errors in a proof.
The Wikipedia page for Peterson’s algorithmused to state that the algorithm worked because itmaintained the invariance of a certain predicate.
Model checking revealed that the predicatewas not an invariant.
23
![Page 187: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/187.jpg)
2. You can model check the algorithm.
Model checking can catch errors in a proof.
The Wikipedia page for Peterson’s algorithmused to state that the algorithm worked because itmaintained the invariance of a certain predicate.
Model checking revealed that the predicatewas not an invariant.
23
![Page 188: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/188.jpg)
2. You can model check the algorithm.
Model checking can catch errors in a proof.
The Wikipedia page for Peterson’s algorithmused to state that the algorithm worked because itmaintained the invariance of a certain predicate.
Model checking revealed that the predicatewas not an invariant.
23
![Page 189: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/189.jpg)
2. You can model check the algorithm.
Model checking can catch errors in a proof.
The Wikipedia page for Peterson’s algorithmused to state that the algorithm worked because itmaintained the invariance of a certain predicate.
Model checking revealed that the predicatewas not an invariant.
23
![Page 190: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/190.jpg)
What led me back to the bakery algorithm in 2015?
23
![Page 191: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/191.jpg)
What led me back to the bakery algorithm in 2015?
In February 2015, I received this paper from Yoram Moses.
23
![Page 192: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/192.jpg)
What led me back to the bakery algorithm in 2015?
In February 2015, I received this paper from Yoram Moses.
It introduces the boulangerie algorithm, a variant ofthe bakery algorithm.
23
![Page 193: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/193.jpg)
I had already written this spec and proof of the bakery algorithmfor other reasons.
So, I decided to modify them for the boulangerie algorithm.
24
![Page 194: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/194.jpg)
I had already written this spec and proof of the bakery algorithmfor other reasons.
So, I decided to modify them for the boulangerie algorithm.
24
![Page 195: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/195.jpg)
The Results
bakery boulangerie
PlusCal 41 50
TLA+ translation 99 109
invariant 31 42
proof 9 72
25
![Page 196: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/196.jpg)
The Results
bakery boulangerie
PlusCal 41 50 lines of “code”
TLA+ translation 99 109
invariant 31 42
proof 9 72
25
![Page 197: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/197.jpg)
The Results
bakery boulangerie
PlusCal 41 50
TLA+ translation 99 109
invariant 31 42
proof 9 72
I typed only about 20 of those lines of proof.
The rest were generated with the Toolbox’sdecompose proof command.
25
![Page 198: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/198.jpg)
The Results
bakery boulangerie
PlusCal 41 50
TLA+ translation 99 109
invariant 31 42
proof 9 72
I typed only about 20 of those lines of proof.
The rest were generated with the Toolbox’sdecompose proof command.
25
![Page 199: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/199.jpg)
The Results
bakery boulangerie
PlusCal 41 50
TLA+ translation 99 109
invariant 31 42
proof 9 72
Transforming bakery to boulangerie took meless than 4 hours
25
![Page 200: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/200.jpg)
The Results
bakery boulangerie
PlusCal 41 50
TLA+ translation 99 109
invariant 31 42
proof 9 72
Transforming bakery to boulangerie took meless than 4 hours (spread over two days).
25
![Page 201: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/201.jpg)
Find it on the Web
To find it, search the web for boulangerie pluscal .
25
![Page 202: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/202.jpg)
Find it on the Web
The fully commented specs are on this web page:
To find it, search the web for boulangerie pluscal .
25
![Page 203: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/203.jpg)
Find it on the Web
The fully commented specs are on this web page:
To find it, search the web for boulangerie pluscal .
25
![Page 204: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/204.jpg)
Michel:
Your colleagues are too busy teaching and being oncommittees to learn something new.
Most of them are still writing algorithms the way I did in 1979.
Now you’ll have time to venture into the 21st century.
But whatever you decide to do . . .
25
![Page 205: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/205.jpg)
Michel:
Your colleagues are too busy teaching and being oncommittees to learn something new.
Most of them are still writing algorithms the way I did in 1979.
Now you’ll have time to venture into the 21st century.
But whatever you decide to do . . .
25
![Page 206: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/206.jpg)
Michel:
Your colleagues are too busy teaching and being oncommittees to learn something new.
Most of them are still writing algorithms the way I did in 1979.
Now you’ll have time to venture into the 21st century.
But whatever you decide to do . . .
25
![Page 207: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/207.jpg)
Michel:
Your colleagues are too busy teaching and being oncommittees to learn something new.
Most of them are still writing algorithms the way I did in 1979.
Now you’ll have time to venture into the 21st century.
But whatever you decide to do . . .
25
![Page 208: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/208.jpg)
Michel:
Your colleagues are too busy teaching and being oncommittees to learn something new.
Most of them are still writing algorithms the way I did in 1979.
Now you’ll have time to venture into the 21st century.
But whatever you decide to do . . .
25
![Page 209: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/209.jpg)
Michel:
Your colleagues are too busy teaching and being oncommittees to learn something new.
Most of them are still writing algorithms the way I did in 1979.
Now you’ll have time to venture into the 21st century.
But whatever you decide to do . . .
25
![Page 210: The Bakery Algorithm in 2015 - Inriavideos.rennes.inria.fr/workshop-MichelRaynal/... · including the bakery algorithm. An inductive invariant must refer to the control state. Adding](https://reader034.vdocuments.us/reader034/viewer/2022052007/601c1647f27caa3880395d49/html5/thumbnails/210.jpg)
Happy Retirement !
25