safety liveness properties
play

Safety & Liveness Properties DM519 Concurrent Programming 1 - PowerPoint PPT Presentation

Aug 18, 2023 •242 likes •1.02k views

Chapter 7 Safety & Liveness Properties DM519 Concurrent Programming 1 Chapter 6 Repetition: Deadlock DM519 Concurrent Programming 2 Concepts, Models, And Practice u Concepts l deadlock (no further progress) l 4x necessary

  1. Chapter 7 Safety & Liveness Properties DM519 Concurrent Programming � 1

  2. Chapter 6 Repetition: Deadlock DM519 Concurrent Programming � 2

  3. Concepts, Models, And Practice u Concepts l deadlock (no further progress) l 4x necessary & sufficient conditions � u Models l no eligible actions (analysis gives shortest path trace) Aim - deadlock avoidance: � “Break at least one of 
 u Practice the deadlock conditions”. l blocked threads DM519 Concurrent Programming � 3

  4. Deadlock: 4 Necessary And Sufficient Conditions 1. Mutual exclusion cond. (aka. “Serially reusable resources”): the processes involved share resources which they use under mutual 
 exclusion. 2. Hold-and-wait condition (aka. “Incremental acquisition”): processes hold on to resources already allocated to them while waiting 
 to acquire additional resources. 3. No pre-emption condition: once acquired by a process, resources cannot be “pre-empted” (forcibly 
 withdrawn) but are only released voluntarily. 4. Circular-wait condition (aka. “Wait-for cycle”): a circular chain (or cycle) of processes exists such that each process 
 holds a resource which its successor in the cycle is waiting to acquire. DM519 Concurrent Programming � 4

  5. Dining Philosophers (Concepts, Models And Practice) u Concepts u Models 3 2 2 1 3 4 1 4 0 u Practice 0 DM519 Concurrent Programming � 5

  6. Chapter 7 Safety & Liveness Properties DM519 Concurrent Programming � 6

  7. Safety & Liveness Properties Concepts : Properties: true for every possible execution Safety: nothing bad ever happens Liveness: something good eventually happens � Models : Safety: no reachable ERROR/STOP state Progress: an action is eventually executed (fair choice and action priority) � Aim : property satisfaction. Practice : Threads and monitors DM519 Concurrent Programming � 7

  8. Agenda Part I / III – Safety � Part II / III – Liveness � Part III / III – Example: Reader/Writer DM519 Concurrent Programming � 8

  9. Safety Part I / III DM519 Concurrent Programming � 9

  10. 7.1 Safety A safety property asserts that nothing bad happens. ♦ STOP or deadlocked state (no outgoing transitions) ♦ ERROR process (-1) to detect erroneous behaviour RESOURCE =(acquire -> ACQUIRED), ACQUIRED =(release -> RESOURCE |acquire -> ERROR). ♦ Analysis using LTSA: Trace to property violation in RESOURCE: (shortest trace) acquire acquire DM519 Concurrent Programming � 10

  11. Stop Vs. Error Trace: p q P = (p->P | stop->STOP). STOP: p Q = (q->Q). stop � � q ||SYSv1 = (P || Q). � q … � LTSA:> No deadlocks detected � Trace: p � q P = (p->P | error->ERROR). � p Q = (q->Q). error ERROR: � ||SYSv2 = (P || Q). SYSTEM DEADLOCKED LTSA:> Trace to property violation 
 in P: error DM519 Concurrent Programming � 11

  12. Safety - Property Specification ♦ ERROR conditions state what is not required (~ exceptions). ♦ In complex systems, it is usually better to specify 
 safety properties by stating directly what is required. property SAFE_RESOURCE = (acquire -> release -> SAFE_RESOURCE). RESOURCE = (acquire -> (release -> RESOURCE |acquire -> ERROR) |release -> ERROR). DM519 Concurrent Programming � 12

  13. Safety Properties Property that it is polite to knock before entering a room. Traces: knock->enter J enter L knock->knock L property POLITE = (knock -> enter -> POLITE). Note: In all states, all the actions in the alphabet of a property are eligible choices. DM519 Concurrent Programming � 13

  14. Safety Properties Safety property P defines a deterministic process that asserts that any trace including actions in the alphabet of P , is accepted by P . Thus, if S is composed with P , then traces of actions in the alphabet α (S) ∩ α (P) must also be valid traces of P , otherwise ERROR is reachable. Transparency of safety properties: Since all actions in the alphabet of a property are eligible choices 
 => composition with S does not affect its correct behaviour. However, if a bad behaviour can occur (violating the safety property), then ERROR is reachable. …and hence detectable through verification (using LTSA)! DM519 Concurrent Programming � 14

  15. Safety Properties ♦ How can we specify that some action, disaster , never occurs? NO_DISASTER = (disaster->ERROR). ...or... property CALM = STOP + {disaster}. A safety property must be specified so as to include all the acceptable, valid behaviours in its alphabet. DM519 Concurrent Programming � 15

  16. Models Vs. Properties: Implementation Vs. Specification The model is for the implementation The property is for the specification • ”The implementation is required to meet the specification” Often: • Operational model ( M ) ~ implementation • Declarative formula ( φ ) ~ specification � ∀ t,t”: acquire(t) ∧ acquire(t”) ∧ t<t” => ∃ t’: t<t’<t” ∧ release(t’) However, in FSP(/LTSA) both models and properties are described using the same language (namely FSP): • Operational model: FSP process property P = (acquire -> release -> P). • Operational property: FSP property (process) They will be similar (because they are using the same language), but they do not represent the same thing! DM519 Concurrent Programming � 16

  17. Safety - Mutual Exclusion LOOP = (mutex.down->read->mod->write-> mutex.up->LOOP). � ||SEMADEMO = (p[1..3]:LOOP || {p[1..3]}::mutex:SEMAPHORE(1)). How do we check that this does indeed ensure mutual exclusion in the critical section ( read/mod/write )? property MUTEX = (p[i:1..3].read -> p[i].write -> MUTEX). � ||CHECK = (SEMADEMO || MUTEX). Is this safe with SEMAPHORE(2) ? Check safety using LTSA ! ∀ t,t’’: read(t) ∧ read(t’’) ∧ t<t’’ => ∃ t’: t<t’<t’’ ∧ write(t’) DM519 Concurrent Programming � 17

  18. 7.2 Example: Single Lane Bridge Problem A bridge over a river is only wide enough to permit a single lane of traffic. Consequently, cars can only move concurrently if they are moving in the same direction. A safety violation occurs if two cars moving in different directions enter the bridge at the same time. DM519 Concurrent Programming � 18

  19. Single Lane Bridge - Model Using an appropriate level of abstraction ! ♦ Events or actions of interest? Structure diagram: enter and exit ~ Verbs � ♦ Identify processes? property CARS car and bridge ONEWAY ~ Nouns � ♦ Identify properties? Single blue[ID]. red[ID]. “ oneway ” ~ Adjectives {enter,exit} {enter,exit} Lane Bridge BRIDGE DM519 Concurrent Programming � 19

  20. Single Lane Bridge - Cars Model const N = 3 // #cars (of each colour) range ID = 1..N // car identities � CAR = (enter->exit->CAR). // car process ||N_CARS = ([ID]:CAR). // N cars DM519 Concurrent Programming � 20

  21. Single Lane Bridge - Convoy Model NOPASS_ENTER = SEQ[1], // preserves entry order SEQ[i:ID] = ([i].enter -> SEQ[i%N+1]). � NOPASS_EXIT = SEQ[1], // preserves exit order SEQ[i:ID] = ([i].exit -> SEQ[i%N+1]). � ||CONVOY = ([ID]:CAR || NOPASS_ENTER || NOPASS_EXIT). Permits: 1.enter ; 1.exit ; 2.enter ; 2.exit 1.enter ; 2.enter ; 1.exit ; 2.exit but not: 1.enter ; 2.enter ; 2.exit ; 1.exit i.e. “no overtaking” DM519 Concurrent Programming � 21

  22. Single Lane Bridge - Bridge Model Cars can move concurrently on bridge, but only as a 
 oneway street (=> controller)! How ; ideas? The bridge maintains a count of blue and red cars on it. Red cars are only allowed to enter when the blue count is 0 (and vice-versa). range T = 0..N BRIDGE = BRIDGE[0][0], // initially empty bridge BRIDGE[nr:T][nb:T] = // nr: #red; nb: #blue (when (nb==0) red[ID].enter -> BRIDGE[nr+1][nb] | red[ID].exit -> BRIDGE[nr-1][nb] |when (nr==0) blue[ID].enter-> BRIDGE[nr][nb+1] | blue[ID].exit -> BRIDGE[nr][nb-1] ). DM519 Concurrent Programming � 22

  23. Single Lane Bridge - Bridge Model Warning - BRIDGE.-1.0 defined to be ERROR Warning - BRIDGE.0.-1 defined to be ERROR Warning - BRIDGE.-1.1 defined to be ERROR Warning - BRIDGE.-1.2 defined to be ERROR Warning - BRIDGE.-1.3 defined to be ERROR Warning - BRIDGE.0.4 defined to be ERROR Warning - BRIDGE.1.-1 defined to be ERROR Warning - BRIDGE.2.-1 defined to be ERROR Warning - BRIDGE.4.0 defined to be ERROR Warning - BRIDGE.3.-1 defined to be ERROR Compiled: BRIDGE “Sloppy controller”: 
 Even when 0, exit actions permit the car counts to 
 be decremented (i.e. unguarded exit actions) (similar with enter) Recall that LTSA maps such undefined states to ERROR . No, because cars are well-behaved 
 Is it a problem? (i.e. “they never exit before enter” and there are only three cars of each colour) DM519 Concurrent Programming � 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ch. 10 Avoiding Liveness Hazards J ESPER P EDERSEN N OTANDER Liveness and Safety A liveness

Ch. 10 Avoiding Liveness Hazards J ESPER P EDERSEN N OTANDER Liveness and Safety A liveness

Ch. 10 Avoiding Liveness Hazards J ESPER P EDERSEN N OTANDER Liveness and Safety A liveness property, something good eventually happens. e.g. program termination. A safety property, something bad never happens. e.g.

338 views • 16 slides
Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties Viktor Schuppan Computer Systems Institute, ETH Z urich http://www.inf.ethz.ch/schuppan/ Defense Thesis ETH 16268 September 28, 2005, Z

382 views • 19 slides
Liveness Checking as Safety Checking FMICS, July 12 13, Malaga, Spain Armin Biere, Cyrille

Liveness Checking as Safety Checking FMICS, July 12 13, Malaga, Spain Armin Biere, Cyrille

Liveness Checking as Safety Checking FMICS, July 12 13, Malaga, Spain Armin Biere, Cyrille Artho, Viktor Schuppan http://www.inf.ethz.ch/schuppan/ Safety vs. Liveness 1 Safety Liveness Something bad will not Something good will

480 views • 31 slides
Safety and Liveness; Exceptions Christine Rizkallah CSE, UNSW Term 3; 2020 1 Program

Safety and Liveness; Exceptions Christine Rizkallah CSE, UNSW Term 3; 2020 1 Program

Safety and Liveness; Exceptions Christine Rizkallah CSE, UNSW Term 3; 2020 1 Program Properties Consider a sequence of states, representing the evaluation of a program in a small step semantics (a trace): 1 2 3

350 views • 20 slides
COMP31212: Concurrency Topic 5.3: Liveness and Topic 5.4 Fairness Topic 5.3: Liveness Properties

COMP31212: Concurrency Topic 5.3: Liveness and Topic 5.4 Fairness Topic 5.3: Liveness Properties

Topic 5.3: Liveness Properties Topic 5.4: Fairness and Starvation COMP31212: Concurrency Topic 5.3: Liveness and Topic 5.4 Fairness Topic 5.3: Liveness Properties Topic 5.4: Fairness and Starvation Outline Topic 5.3: Liveness Properties

509 views • 34 slides
Generalized Counterexamples to Liveness Properties Gadi Aleksandrowicz Jason Baumgartner

Generalized Counterexamples to Liveness Properties Gadi Aleksandrowicz Jason Baumgartner

Generalized Counterexamples to Liveness Properties Gadi Aleksandrowicz Jason Baumgartner Alexander Ivrii Ziv Nevo IBM Outline Generalized counterexamples to liveness and why they are especially interesting How to detect that a

135 views • 12 slides
On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work

On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work

On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work with Byron Cook, Andreas Podelski, and Andrey Rybalchenko BCTCS06, 6 April 2006 State-of-the-art Systems Model checking Abstraction Properties

484 views • 13 slides
Lecture 10.1 Safety and Liveness EN 600.320/420 Instructor: Randal Burns 28 February 2018

Lecture 10.1 Safety and Liveness EN 600.320/420 Instructor: Randal Burns 28 February 2018

Lecture 10.1 Safety and Liveness EN 600.320/420 Instructor: Randal Burns 28 February 2018 Department of Computer Science, Johns Hopkins University Characterizing Concurrency Safety (correctness): what are the semantic guarantees

560 views • 8 slides
Type checking liveness properties of mobile processes Maxime Gamboni 1 Instituto de

Type checking liveness properties of mobile processes Maxime Gamboni 1 Instituto de

Type checking liveness properties of mobile processes Maxime Gamboni 1 Instituto de Telecomunica c oes, Instituto Superior T ecnico October 30, 2008 1 Joint work with Ant onio Ravara Motivation TyPiCal Receptiveness,

983 views • 59 slides
Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

226 views • 22 slides
Ensuring Liveness Properties of Distributed Systems (A Research Agenda) Rob van Glabbeek

Ensuring Liveness Properties of Distributed Systems (A Research Agenda) Rob van Glabbeek

Ensuring Liveness Properties of Distributed Systems (A Research Agenda) Rob van Glabbeek Data61, CSIRO, Sydney, Australia University of New South Wales, Sydney, Australia September 2016 Distributed Systems systems consisting of multiple

878 views • 29 slides
Spatial and Behavioural types: safety, liveness and decidability Lucia Acciai and Michele Boreale

Spatial and Behavioural types: safety, liveness and decidability Lucia Acciai and Michele Boreale

Spatial and Behavioural types: safety, liveness and decidability Lucia Acciai and Michele Boreale Dipartimento di Sistemi e Informatica Universit degli Studi di Firenze Lisbon, April 1921, 2011 1 Outline Introduction 1 Processes, types

1.36k views • 66 slides
Deductive Safety and Liveness Verification for Ordinary Differential Equations Yong Kiam Tan

Deductive Safety and Liveness Verification for Ordinary Differential Equations Yong Kiam Tan

Deductive Safety and Liveness Verification for Ordinary Differential Equations Yong Kiam Tan Computer Science Department, Carnegie Mellon University INRIA, 30th Apr 2020 1 / 34 Motivation: Cyber-Physical Systems (CPSs) Cyber-Physical System:

1.14k views • 89 slides
Heuristics for Checking Liveness Properties with Partial Order Reductions A. Duret-Lutz, F.

Heuristics for Checking Liveness Properties with Partial Order Reductions A. Duret-Lutz, F.

Heuristics for Checking Liveness Properties with Partial Order Reductions A. Duret-Lutz, F. Kordon, D. Poitrenaud, E. Renault Tuesday, October 18th E. Renault ATVA16 Tuesday, October 18th 1 / 17 State Space Explosion Two concurrent

941 views • 52 slides
Safety and Liveness Defining Programs Variables with respective domain State space of

Safety and Liveness Defining Programs Variables with respective domain State space of

Safety and Liveness Defining Programs Variables with respective domain State space of the program Program actions Guarded commands Program computation &lt;s 0 , s 1 , s 2 , &gt; (s j-1 , s j ) is permitted by

875 views • 45 slides
Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1

Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1

Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1 Computer Systems Institute, ETH Z urich 2 Institute for Formal Models and Verification, JKU Linz http://www.inf.ethz.ch/schuppan/

1.23k views • 18 slides
Scalable Source Coding With Causal Side Information and a Causal Helper Shraga Bross Faculty of

Scalable Source Coding With Causal Side Information and a Causal Helper Shraga Bross Faculty of

Scalable Source Coding With Causal Side Information and a Causal Helper Shraga Bross Faculty of Engineering, Bar-Ilan University, Israel brosss@biu.ac.il ISIT, June 2020 Transmission model Z k X 1 , 1 , . . . , 1 ( X n ) X 1 ,n

387 views • 16 slides
Findings from NAMIs Coverage for Care Survey 2015 Network Adequacy NAMIs 2015 Coverage for

Findings from NAMIs Coverage for Care Survey 2015 Network Adequacy NAMIs 2015 Coverage for

Findings from NAMIs Coverage for Care Survey 2015 Network Adequacy NAMIs 2015 Coverage for Care Survey NAMI conducted an online survey in the winter of 2015 to answer the question, What do insurance beneficiaries experience when they

256 views • 7 slides
ME: You, Me, and ADHD Your interest in students Chief Academic Advisor for School with ADHD

ME: You, Me, and ADHD Your interest in students Chief Academic Advisor for School with ADHD

Slide 1 Busy, Noisy Minds: Working with the ADHD Student Wendy OConnor M.S. Ed. Slide 2 ME: You, Me, and ADHD Your interest in students Chief Academic Advisor for School with ADHD Biological Sciences 11 years M.S. Ed. in

369 views • 13 slides
52% re-traumatising and stigmatising children. Ensure that staff CEs have the right skills and

52% re-traumatising and stigmatising children. Ensure that staff CEs have the right skills and

WHAT CAN WE DO ABOUT IT? Be p repared Ensure that Senior Leaders and Governors are aware of When you notice, or I tell ACEs and that addressing these is a strategic priority. you that I need help, you Analyse the available data regarding

97 views • 5 slides
Finding Shortest Paths Shortest Path Problem Shortest Path Problem Given a graph G = ( V , E )

Finding Shortest Paths Shortest Path Problem Shortest Path Problem Given a graph G = ( V , E )

Finding Shortest Paths Shortest Path Problem Shortest Path Problem Given a graph G = ( V , E ) and an edge weight function : V R . Length of a Path The length or weight ( P ) of a path P = { v 1 , v 2 , . . . , v l } with at least two

347 views • 24 slides
Darren Hunter Presented by realestate.com.au Who is Darren Hunter? Based in Adelaide SA

Darren Hunter Presented by realestate.com.au Who is Darren Hunter? Based in Adelaide SA

with Darren Hunter Presented by realestate.com.au Who is Darren Hunter? Based in Adelaide SA Started in Property Management in 1989 (Adelaide) 15 years frontline experience as a Property Manager, Property Inspector, Senior

586 views • 35 slides
Introduction to CGC 1 SME Financing/Loan 2 Proposal for MACC 3 4 imSME &amp; MyKNP 2

Introduction to CGC 1 SME Financing/Loan 2 Proposal for MACC 3 4 imSME &amp; MyKNP 2

Introduction to CGC 1 SME Financing/Loan 2 Proposal for MACC 3 4 imSME &amp; MyKNP 2 Established on 1972 5 July 1972 75 RM Billion 340 K 78.6% 21.4% 3 Expanding CGC products and services to support SMEs beyond guarantee and to

438 views • 22 slides
Charity Accounts Questions and Answers Ken Brew Webinar 26 March 2014 Charity Accounts

Charity Accounts Questions and Answers Ken Brew Webinar 26 March 2014 Charity Accounts

Charity Accounts Questions and Answers Ken Brew Webinar 26 March 2014 Charity Accounts Reporting Framework and SoRP Development Your questions and answers Some principles of charity accounting Published online information

984 views • 31 slides

More recommend