Lec9 - safety liveness properties Safety and Liveness...

Info iconThis preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon
1 Safety and Liveness Abhik Roychoudhury CS 3211 National University of Singapore From Kramer and Magee’s lecture notes. Reading material: Chapter 7 of Textbook. 1 safety & liveness properties Concepts : properties : true for every possible execution safety : nothing bad happens liveness : something good eventually happens Models safety hb l ERROR/STOP st t : : no reachable state progress : an action is executed fair choice and action priority Practice : threads and monitors Aim : property satisfaction. STOP or deadlocked state (no outgoing transitions) ERROR process (-1) to detect erroneous behaviour 7.1 Safety ACTUATOR A safety property asserts that nothing bad happens. command =(command->ACTION), ACTION =(respond->ACTUATOR |command-> ERROR ). Trace to ERROR: command command command respond -1 0 1 Safety - property specification ERROR conditions state what is not required (cf. exceptions). in complex systems, it is usually better to specify safety properties by stating directly what is required. property SAFE_ACTUATOR command = (command -> respond -> SAFE_ACTUATOR ). respond command respond -1 0 1 Safety properties property POLITE Property that it is polite to knock before entering a room. Traces: knock Æ enter enter knock Æ knock knock = (knock >enter >POLITE). In all states, the actions in the alphabet of a property are eligible choices. enter knock enter -1 0 1 Safety properties Safety property P defines a deterministic process that asserts that any trace including actions in the alphabet of P, is accepted by P . Thus, if P is composed with S , then traces of actions in the alphabet of S alphabet of P actions in the alphabet of alphabet of must also be valid traces of P , otherwise ERROR is reachable. Transparency of safety properties : Since all actions in the alphabet of a property are eligible choices, composing a property with a set of processes does not affect their correct behavior. However, if a behavior can occur which violates the safety property, then ERROR is reachable. Properties must be deterministic to be transparent.
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
2 Safety properties How can we specify that some action, disaster , never occurs ? disaster -1 0 property CALM = STOP + { disaster }. A safety property must be specified so as to include all the acceptable, valid behaviors in its alphabet . Safety - mutual exclusion LOOP = (mutex.down -> enter -> exit -> mutex.up -> LOOP). ||SEMADEMO = (p[1. .3]:LOOP ||{p[1. .3]}::mutex:SEMAPHORE(1)). How do we property MUTEX =(p :1 3] enter check that this does indeed ensure mutual exclusion in the critical section ? MUTEX =(p[ i :1. .3]. -> p[ i ]. exit -> MUTEX ). ||CHECK = (SEMADEMO || MUTEX). Check safety using LTSA . What happens if semaphore is initialized to 2 ? 7.2 Single Lane Bridge problem A bridge over a river is only wide enough to permit a single lane of traffic. Consequently, cars can only move concurrently if they are moving in the same direction . A safety violation occurs if two cars moving in different directions enter the bridge at the same time.
Background image of page 2
Image of page 3
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}

Page1 / 10

Lec9 - safety liveness properties Safety and Liveness...

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online