CS6480: Real-Time and Composition Robbert van Renesse Cornell - - PowerPoint PPT Presentation

cs6480 real time and composition
SMART_READER_LITE
LIVE PREVIEW

CS6480: Real-Time and Composition Robbert van Renesse Cornell - - PowerPoint PPT Presentation

Feb 14, 2024 478 likes •717 views

CS6480: Real-Time and Composition Robbert van Renesse Cornell University Based on Chapters 9 and 10 of Specifying Systems by Leslie Lamport Recall: HourClock Recall: HourClock Can we create an HourClock that ticks (approximately) once

slide-1
SLIDE 1

CS6480: Real-Time and Composition

Robbert van Renesse Cornell University

Based on Chapters 9 and 10 of “Specifying Systems” by Leslie Lamport

slide-2
SLIDE 2

Recall: HourClock

slide-3
SLIDE 3

Recall: HourClock

slide-4
SLIDE 4

Can we create an HourClock that ticks (approximately) once an hour?

slide-5
SLIDE 5

Specifying Real-Time

Note: takes discrete steps

slide-6
SLIDE 6

Specifying Real-Time

Why this?

slide-7
SLIDE 7

Composing HourClock and RealTime

Can we create a spec that extends HourClock to “tick” at (approximately) regular intervals, like a physical clock? Allowed steps in composition:

Clock ticks are instantaneous Time progresses between ticks

slide-8
SLIDE 8

Real-time HourClock

  • Want time between HCnxt steps to be approximately one hour on the

real-time clock

  • Real clocks drift!!
  • If ! is the time in seconds between two steps, then we want
  • 3600 − & ≤ ! ≤ 3600 + &
  • We call & the “drift” of a clock (not to be confused with “skew” ))
slide-9
SLIDE 9

Bounding time between HCnxt steps

slide-10
SLIDE 10

Bounding time between HCnxt steps

We’re going to want to hide t

slide-11
SLIDE 11

Real-Time HourClock

slide-12
SLIDE 12

Real-Time HourClock

Why do we need this?

slide-13
SLIDE 13

Composition of Specifications

  • Given two or more specifications, looking for set of behaviors that

satisfy all specifications èComposition is the conjunction of specifications Let’s compose two instantiations of HourClock and see what happens…

slide-14
SLIDE 14

Rewriting HourClock a bit

slide-15
SLIDE 15

TwoClocks Spec

slide-16
SLIDE 16

TwoClocks Spec

Not in the “standard” form !"#$ ∧ ☐['()$]+,-.

slide-17
SLIDE 17

TwoClocks Spec

slide-18
SLIDE 18

Cont’d

slide-19
SLIDE 19

TwoClocks Spec

“standard” form !"#$ ∧ ☐['()*$],-./

slide-20
SLIDE 20

TwoClocks Spec

Clocks can progress simultaneously!

slide-21
SLIDE 21

TwoClocks Spec

Clocks can progress simultaneously!

If we don’t want this, can write:

slide-22
SLIDE 22

Performance properties

1. Step must complete within ! time: safety property

  • “hard real-time”

2. Step must complete within ! time on average: hyperproperty

  • Implied by 1

3. Step must eventually occur: liveness property

  • Implied by 1 or 2

TLA+ only allows specifying properties

  • A property is a set of behaviors (infinite traces) each satisfying some predicate
  • “response time < !” is a predicate over a single behavior
  • “average response time < !” is a predicate over a set of behaviors
slide-23
SLIDE 23

Tools for checking hyperproperties

  • Some hyperproperties just involve small sets of behaviors
  • 2-Safety: two behaviors provide a counterexample
  • Security example: “Observational Determinism”
  • Behavior of public variables is deterministic
  • Independent of behavior of private variables or scheduler
  • Bad: pair of traces that cause system to look nondeterministic to low observer
  • Can be handled in TLA+ using “self-composition”
  • Like TwoClocks
  • Can be model-checked, TLAPS, …
  • Still can’t handle average response time…
  • Good: average time over all behaviors is low enough
  • Alternative tools: HyperLTL, HyperCTL, Hyper modal μ-calculus