Lecture 8: Safety and Liveness Properties



Similar documents
Lecture 6: Introduction to Monitors and Semaphores

Monitors & Condition Synchronization

CS11 Java. Fall Lecture 7

Parallel Programming

3C03 Concurrency: Condition Synchronisation

Outline of this lecture G52CON: Concepts of Concurrency

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

Chapter 8 Implementing FSP Models in Java

Last Class: Semaphores

Mutual Exclusion using Monitors

Deadlock Victim. dimanche 6 mai 12

Lecture 9 verifying temporal logic

Monitors, Java, Threads and Processes

Concurrent programming in Java

Fundamentals of Software Engineering

Monitors and Semaphores

Traditional Software Development. Model Requirements and JAVA Programs. Formal Verification & Validation. What is a state?

! Past few lectures: Ø Locks: provide mutual exclusion Ø Condition variables: provide conditional synchronization

Formal Verification by Model Checking

Advanced Multiprocessor Programming

Concurrent Programming

Lecture 6: Semaphores and Monitors

Semaphores and Monitors: High-level Synchronization Constructs

Software Engineering using Formal Methods

TESTING JAVA MONITORS BY STATE SPACE EXPLORATION MONICA HERNANDEZ. Presented to the Faculty of the Graduate School of

Massachusetts Institute of Technology 6.005: Elements of Software Construction Fall 2011 Quiz 2 November 21, 2011 SOLUTIONS.

Java Memory Model: Content

Shared Address Space Computing: Programming

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

OBJECT ORIENTED PROGRAMMING LANGUAGE

Threads 1. When writing games you need to do more than one thing at once.

SYSTEM ecos Embedded Configurable Operating System

4. Monitors. Monitors support data encapsulation and information hiding and are easily adapted to an object-oriented environment.

Threads & Tasks: Executor Framework

MonitorExplorer: A State Exploration-Based Approach to Testing Java Monitors

Resurrecting Ada s Rendez-Vous in Java

JAVA - MULTITHREADING

Priority Inversion Problem and Deadlock Situations

Integrated Error-Detection Techniques: Find More Bugs in Java Applications

Chapter 6 Concurrent Programming

Tasks Schedule Analysis in RTAI/Linux-GPL

SSC - Concurrency and Multi-threading Java multithreading programming - Synchronisation (I)

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Compiler Construction

Programming by Contract. Programming by Contract: Motivation. Programming by Contract: Preconditions and Postconditions

Design Patterns in C++

CS 2112 Spring Instructions. Assignment 3 Data Structures and Web Filtering. 0.1 Grading. 0.2 Partners. 0.3 Restrictions

Java Concurrency Framework. Sidartha Gracias

Specification and Analysis of Contracts Lecture 1 Introduction

OVERVIEW OF THE PROJECT...

Approach of Unit testing with the help of JUnit

First Java Programs. V. Paúl Pauca. CSC 111D Fall, Department of Computer Science Wake Forest University. Introduction to Computer Science

Comp 204: Computer Systems and Their Implementation. Lecture 12: Scheduling Algorithms cont d

6. Control Structures

Temporal Logics. Computation Tree Logic

Replication on Virtual Machines

In This Lecture. Security and Integrity. Database Security. DBMS Security Support. Privileges in SQL. Permissions and Privilege.

Operating Systems 4 th Class

Integration, testing and debugging of C code together with UML-generated sources

Paper 3F6: Software Engineering and Systems Distributed Systems Design Solutions to Examples Paper 3

Informatica e Sistemi in Tempo Reale

Monitor Object. An Object Behavioral Pattern for Concurrent Programming. Douglas C. Schmidt

Border Gateway Protocol BGP4 (2)

CSI 402 Lecture 13 (Unix Process Related System Calls) 13 1 / 17

Creating a Simple, Multithreaded Chat System with Java

6 Synchronization with Semaphores

Thread Synchronization and the Java Monitor

Built-in Concurrency Primitives in Java Programming Language. by Yourii Martiak and Mahir Atmis

ECE 122. Engineering Problem Solving with Java

Real Time Programming: Concepts

OPERATING SYSTEMS PROCESS SYNCHRONIZATION

3 - Lift with Monitors

CPS122 Lecture: State and Activity Diagrams in UML

EE627 Lecture 22. Multihoming Route Control Devices

How To Understand Bg

UNIVERSITY OF CALIFORNIA Department of Electrical Engineering and Computer Sciences Computer Science Division. P. N. Hilfinger

A Framework for the Semantics of Behavioral Contracts

[Refer Slide Time: 05:10]

Rigorous Software Development CSCI-GA

Linux Driver Devices. Why, When, Which, How?

Anonymous Call Rejection

Outline. Review. Inter process communication Signals Fork Pipes FIFO. Spotlights

Tutorial: Getting Started

Office Voice User Guide. User Guide

Modeling Guidelines Manual

COS 318: Operating Systems. Semaphores, Monitors and Condition Variables

Software Quality Exercise 1

CS506 Web Design and Development Solved Online Quiz No. 01

Transactional Support for SDN Control Planes "

Transcription:

Concurrent Programming 19530-V (WS01) 1 Lecture 8: Safety and Liveness Properties Dr. Richard S. Hall rickhall@inf.fu-berlin.de Concurrent programming December 11, 2001 Safety Properties 2 A safety property asserts that nothing bad happens. What bad things can happen? STOP process or deadlocked states (i.e., no out-going arcs) ERROR process (-1) used to detect erroneous behavior ACTUATOR =(command->action), ACTION =(respond->actuator command->error). Safety analysis using LTSA Trace to property violation in ACTUATOR: command command

Safety Property Specification 3 Explicit ERROR conditions in a process specify behavior that should not occur In complex systems, it is often better to specify safety properties by stating the behavior that should occur property SAFE_ACTUATOR = (command -> respond -> SAFE_ACTUATOR ). Can also use LTSA to analyze safety properties Safety Property Specification 4 Consider a safety property POLITE, which asserts that is it polite to knock before entering a room Traces: knock->enter enter knock->knock property POLITE = (knock->enter->polite). In all states, all the actions in the alphabet of a property are eligible choices.

Safety Properties 5 Safety property P defines a deterministic process that asserts that any trace including actions in the alphabet of P, is accepted by P. This means that if P is composed with process S, then valid traces of actions in the alphabet of S that intersect the alphabet of P must also be valid traces of P, otherwise ERROR is reachable. Transparency of Safety Properties 6 Since all actions in the alphabet of a property are eligible choices, composing a property with a set of processes does not affect their correct behavior. However, if a behavior can occur which violates the safety property, then ERROR is reachable. Properties must be deterministic to be transparent.

Mutual Exclusion Safety Example 7 How do we check that a process ensures mutual exclusion? LOOP = (mutex.down->enter->exit->mutex.up->loop). SEMADEMO = (p[1..3]:loop {p[1..3]::mutex:semaphore(1)). We construct a safety property to verify mutual exclusion... property MUTEX = (p[i:1..3].enter-> ->p[i].exit->mutex). CHECK = (SEMADEMO MUTEX). We can use LTSA to analyze this for correctness; what happens if semaphore is initialized to 2? Single-lane Bridge Problem 8 A bridge over a river is only wide enough to permit a single lane of traffic. Consequently, cars can only move concurrently if they are moving in the same direction. A safety violation occurs if two cars moving in different directions enter the bridge at the same time.

Modeling Single-lane Bridge 9 Events or actions of interest enter and exit Identify processes CAR and BRIDGE Identify properties ONEWAY Define each process and property Interactions and structure Car Model 10 const N = 3 range T = 0..N range ID= 1..N // number of each type of car // type of car count // car identities CAR = (enter->exit->car). To model the fact that cars cannot pass eadch other on the bridge, we model a CONVOY of cars in the same direction. We will have a red and a blue convoy of up to N cars for each direction: CARS = (red:convoy blue:convoy).

Convoy Model (No Passing Constraint) 11 NOPASS1 = C[1], // preserve entry order C[i:ID] = ([i].enter-> C[i%N+1]). NOPASS2 = C[1], // preserve exit order C[i:ID] = ([i].exit-> C[i%N+1]). CONVOY = ([ID]:CAR NOPASS1 NOPASS2). Permitted: Not permitted: 1.enter->2.enter->1.exit->2.exit 1.enter->2.enter->2.exit->1.exit (i.e., no passing) Bridge Model 12 Cars can move concurrently on the bridge only if they are going in the same direction. The bridge counts the number of blue and red cars on the bridge. Red cars are only allowed to enter when the blue count is zero and vice-versa. // bridge is initially empty, // nr is red count, nb is blue count BRIDGE = BRIDGE[0][0], BRIDGE[nr:T][nb:T] = (when (nb==0) red[id].enter->bridge[nr+1][nb] red[id].exit->bridge[nr-1][nb] when (nr==0) blue[id].enter->bridge[nr][nb+1] blue[id].exit->bridge[nr][nb-1]). Even when counters are 0, the exit can decrement counters. LTSA maps these undefined states to ERROR.

One-way Safety Property 13 Cars can move concurrently on the bridge only if they are going in the same direction. The bridge counts the number of blue and red cars on the bridge. Red cars are only allowed to enter when the blue count is zero and vice-versa. property ONEWAY =(red[id].enter->red[1] blue.[id].enter->blue[1]), RED[i:ID] = (red[id].enter->red[i+1] when (i==1) red[id].exit->oneway when (i>1) red[id].exit->red[i-1] ), // i is a count of red cars on the bridge BLUE[i:ID]= (blue[id].enter->blue[i+1] when (i==1) blue[id].exit->oneway when ( i>1) blue[id].exit->blue[i-1] ). // i is a count of blue cars on the bridge Single-lane Bridge Composition 14 SingleLangeBridge = (CARS BRIDGE ONEWAY). CARS property ONEWAY Single Lane Bridge red[id]. {enter,exit BRIDGE blue[id]. {enter,exit

Single-lane Bridge Analysis 15 SingleLangeBridge = (CARS BRIDGE ONEWAY). Is safety property ONEWAY violated? No deadlocks/errors SingleLangeBridge = (CARS ONEWAY). Without the BRIDGE constraints, is safety property ONEWAY violated? Trace to property violation in ONEWAY: red.1.enter blue.1.enter Single-lane Bridge Implementation 16 Applet Thread Runnable Single Lane Bridge blue, red display display RedCar BlueCar control control Bridge Active entities (cars) are implemented as threads. Passive entity (bridge) is implemented as a monitor. BridgeCanvas enforces no overtaking. Safe Bridge BridgeCanvas

Single-lane Bridge Implementation 17 An instance of BridgeCanvas class is created by SingleLaneBridge applet reference is passed to RedCar and BlueCar objects. class BridgeCanvas extends Canvas { public void init(int ncars) { // set number of cars // move red car with the identity i one step; // returns true for the period from just before, // until just after car on bridge public boolean movered(int i) throws InterruptedException{ // move blue car with the identity i one step; // returns true for the period from just before, // until just after car on bridge public boolean moveblue(int i) throws InterruptedException{ public synchronized void freeze(){ // freeze display public synchronized void thaw(){ // unfreeze display Single-lane Bridge Implementation 18 class RedCar implements Runnable { BridgeCanvas display; Bridge control; int id; RedCar(Bridge b, BridgeCanvas d, int id) { display = d; this.id = id; control = b; public void run() { try { while(true) { while (!display.movered(id)); // not on bridge control.redenter(); // request access to bridge while (display.movered(id)); // move over bridge control.redexit(); // release access to bridge catch (InterruptedException e) { Similarly for BlueCar

Single-lane Bridge Implementation 19 class Bridge { synchronized void redenter() throws InterruptedException { synchronized void redexit() { synchronized void blueenter() throws InterruptedException { synchronized void blueexit() { Class Bridge provides a null implementation of the access methods, i.e., no constraints on the access to the bridge. What is the result? Single-lane Bridge Implementation 20 How can we make the bridge safe?

Single-lane Bridge Implementation 21 class SafeBridge extends Bridge { private int nred = 0; // number of red cars on bridge private int nblue = 0; // number of blue cars on bridge // Monitor Invariant: (nred >= 0) and (nblue >=0) and // not ((nred > 0) and (nblue > 0)) synchronized void redenter() throws InterruptedException { while (nblue>0) wait(); ++nred; synchronized void redexit(){ --nred; if (nred==0) notifyall(); // continued on next slide... This is a direct translation from the BRIDGE model. Single-lane Bridge Implementation 22 // continued from previous slide... synchronized void blueenter() throws InterruptedException { while (nred>0) wait(); ++nblue; synchronized void blueexit(){ --nblue; if (nblue==0) notifyall(); To avoid unnecessary thread switches, we use conditional notification to wake up waiting threads only when the number of cars on the bridge is zero, i.e., when the last car leaves the bridge. But does every car eventually get an opportunity to cross?

Liveness 23 A safety property asserts that nothing bad happens. A liveness property, on the other hand, asserts that something good eventually happens. Single-lane bridge: Does every car eventually get an opportunity to cross the bridge (i.e., make progress)? A progress property is a restricted class of liveness properties; progress properties assert that an action will eventually be executed. Progress is the opposite of starvation, the name given to a concurrent programming situation in which an action is never executed. Progress and Fair Choice 24 Fair Choice: If a choice over a set of transitions is executed infinitely often, then every transition in the set will be executed infinitely often. If a coin were tossed an infinite number of times, we would expect that heads would be chosen infinitely often and that tails would be chosen infinitely often. COIN =(toss->heads->coin toss->tails->coin). This requires fair choice!

Specifying Progress Properties 25 progress P = {a1,a2..an defines a progress property P which asserts that in an infinite execution of a target system, at least one of the actions a1, a2..an will be executed infinitely often. COIN process: progress HEADS = {heads progress TAILS = {tails LTSA check of COIN process with above progress properties No progress violations detected. Progress Properties 26 Suppose we choose from two coins, a regular coin and a trick coin... TWOCOINS = (choose->coin choose->trick), TRICK = (toss->heads->trick), COIN = (toss->heads->coin toss->tails->coin). choose choose toss toss toss 0 1 2 3 4 5 heads tails heads TWOCOIN process: progress HEADS = {heads progress TAILS = {tails

Progress Properties 27 choose choose toss toss toss 0 1 2 3 4 5 LTSA finds progress violation: heads tails heads Progress violation: TAILS Path to terminal set of states: pick Actions in terminal set: {toss, heads This property is satisfied progress HEADSorTAILS = {heads,tails

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information