safety liveness properties
play

Safety & Liveness Properties DM519 Concurrent Programming 1 - PowerPoint PPT Presentation

Aug 18, 2023 •242 likes •1.02k views

Chapter 7 Safety & Liveness Properties DM519 Concurrent Programming 1 Chapter 6 Repetition: Deadlock DM519 Concurrent Programming 2 Concepts, Models, And Practice u Concepts l deadlock (no further progress) l 4x necessary

  1. Chapter 7 Safety & Liveness Properties DM519 Concurrent Programming � 1

  2. Chapter 6 Repetition: Deadlock DM519 Concurrent Programming � 2

  3. Concepts, Models, And Practice u Concepts l deadlock (no further progress) l 4x necessary & sufficient conditions � u Models l no eligible actions (analysis gives shortest path trace) Aim - deadlock avoidance: � “Break at least one of 
 u Practice the deadlock conditions”. l blocked threads DM519 Concurrent Programming � 3

  4. Deadlock: 4 Necessary And Sufficient Conditions 1. Mutual exclusion cond. (aka. “Serially reusable resources”): the processes involved share resources which they use under mutual 
 exclusion. 2. Hold-and-wait condition (aka. “Incremental acquisition”): processes hold on to resources already allocated to them while waiting 
 to acquire additional resources. 3. No pre-emption condition: once acquired by a process, resources cannot be “pre-empted” (forcibly 
 withdrawn) but are only released voluntarily. 4. Circular-wait condition (aka. “Wait-for cycle”): a circular chain (or cycle) of processes exists such that each process 
 holds a resource which its successor in the cycle is waiting to acquire. DM519 Concurrent Programming � 4

  5. Dining Philosophers (Concepts, Models And Practice) u Concepts u Models 3 2 2 1 3 4 1 4 0 u Practice 0 DM519 Concurrent Programming � 5

  6. Chapter 7 Safety & Liveness Properties DM519 Concurrent Programming � 6

  7. Safety & Liveness Properties Concepts : Properties: true for every possible execution Safety: nothing bad ever happens Liveness: something good eventually happens � Models : Safety: no reachable ERROR/STOP state Progress: an action is eventually executed (fair choice and action priority) � Aim : property satisfaction. Practice : Threads and monitors DM519 Concurrent Programming � 7

  8. Agenda Part I / III – Safety � Part II / III – Liveness � Part III / III – Example: Reader/Writer DM519 Concurrent Programming � 8

  9. Safety Part I / III DM519 Concurrent Programming � 9

  10. 7.1 Safety A safety property asserts that nothing bad happens. ♦ STOP or deadlocked state (no outgoing transitions) ♦ ERROR process (-1) to detect erroneous behaviour RESOURCE =(acquire -> ACQUIRED), ACQUIRED =(release -> RESOURCE |acquire -> ERROR). ♦ Analysis using LTSA: Trace to property violation in RESOURCE: (shortest trace) acquire acquire DM519 Concurrent Programming � 10

  11. Stop Vs. Error Trace: p q P = (p->P | stop->STOP). STOP: p Q = (q->Q). stop � � q ||SYSv1 = (P || Q). � q … � LTSA:> No deadlocks detected � Trace: p � q P = (p->P | error->ERROR). � p Q = (q->Q). error ERROR: � ||SYSv2 = (P || Q). SYSTEM DEADLOCKED LTSA:> Trace to property violation 
 in P: error DM519 Concurrent Programming � 11

  12. Safety - Property Specification ♦ ERROR conditions state what is not required (~ exceptions). ♦ In complex systems, it is usually better to specify 
 safety properties by stating directly what is required. property SAFE_RESOURCE = (acquire -> release -> SAFE_RESOURCE). RESOURCE = (acquire -> (release -> RESOURCE |acquire -> ERROR) |release -> ERROR). DM519 Concurrent Programming � 12

  13. Safety Properties Property that it is polite to knock before entering a room. Traces: knock->enter J enter L knock->knock L property POLITE = (knock -> enter -> POLITE). Note: In all states, all the actions in the alphabet of a property are eligible choices. DM519 Concurrent Programming � 13

  14. Safety Properties Safety property P defines a deterministic process that asserts that any trace including actions in the alphabet of P , is accepted by P . Thus, if S is composed with P , then traces of actions in the alphabet α (S) ∩ α (P) must also be valid traces of P , otherwise ERROR is reachable. Transparency of safety properties: Since all actions in the alphabet of a property are eligible choices 
 => composition with S does not affect its correct behaviour. However, if a bad behaviour can occur (violating the safety property), then ERROR is reachable. …and hence detectable through verification (using LTSA)! DM519 Concurrent Programming � 14

  15. Safety Properties ♦ How can we specify that some action, disaster , never occurs? NO_DISASTER = (disaster->ERROR). ...or... property CALM = STOP + {disaster}. A safety property must be specified so as to include all the acceptable, valid behaviours in its alphabet. DM519 Concurrent Programming � 15

  16. Models Vs. Properties: Implementation Vs. Specification The model is for the implementation The property is for the specification • ”The implementation is required to meet the specification” Often: • Operational model ( M ) ~ implementation • Declarative formula ( φ ) ~ specification � ∀ t,t”: acquire(t) ∧ acquire(t”) ∧ t<t” => ∃ t’: t<t’<t” ∧ release(t’) However, in FSP(/LTSA) both models and properties are described using the same language (namely FSP): • Operational model: FSP process property P = (acquire -> release -> P). • Operational property: FSP property (process) They will be similar (because they are using the same language), but they do not represent the same thing! DM519 Concurrent Programming � 16

  17. Safety - Mutual Exclusion LOOP = (mutex.down->read->mod->write-> mutex.up->LOOP). � ||SEMADEMO = (p[1..3]:LOOP || {p[1..3]}::mutex:SEMAPHORE(1)). How do we check that this does indeed ensure mutual exclusion in the critical section ( read/mod/write )? property MUTEX = (p[i:1..3].read -> p[i].write -> MUTEX). � ||CHECK = (SEMADEMO || MUTEX). Is this safe with SEMAPHORE(2) ? Check safety using LTSA ! ∀ t,t’’: read(t) ∧ read(t’’) ∧ t<t’’ => ∃ t’: t<t’<t’’ ∧ write(t’) DM519 Concurrent Programming � 17

  18. 7.2 Example: Single Lane Bridge Problem A bridge over a river is only wide enough to permit a single lane of traffic. Consequently, cars can only move concurrently if they are moving in the same direction. A safety violation occurs if two cars moving in different directions enter the bridge at the same time. DM519 Concurrent Programming � 18

  19. Single Lane Bridge - Model Using an appropriate level of abstraction ! ♦ Events or actions of interest? Structure diagram: enter and exit ~ Verbs � ♦ Identify processes? property CARS car and bridge ONEWAY ~ Nouns � ♦ Identify properties? Single blue[ID]. red[ID]. “ oneway ” ~ Adjectives {enter,exit} {enter,exit} Lane Bridge BRIDGE DM519 Concurrent Programming � 19

  20. Single Lane Bridge - Cars Model const N = 3 // #cars (of each colour) range ID = 1..N // car identities � CAR = (enter->exit->CAR). // car process ||N_CARS = ([ID]:CAR). // N cars DM519 Concurrent Programming � 20

  21. Single Lane Bridge - Convoy Model NOPASS_ENTER = SEQ[1], // preserves entry order SEQ[i:ID] = ([i].enter -> SEQ[i%N+1]). � NOPASS_EXIT = SEQ[1], // preserves exit order SEQ[i:ID] = ([i].exit -> SEQ[i%N+1]). � ||CONVOY = ([ID]:CAR || NOPASS_ENTER || NOPASS_EXIT). Permits: 1.enter ; 1.exit ; 2.enter ; 2.exit 1.enter ; 2.enter ; 1.exit ; 2.exit but not: 1.enter ; 2.enter ; 2.exit ; 1.exit i.e. “no overtaking” DM519 Concurrent Programming � 21

  22. Single Lane Bridge - Bridge Model Cars can move concurrently on bridge, but only as a 
 oneway street (=> controller)! How ; ideas? The bridge maintains a count of blue and red cars on it. Red cars are only allowed to enter when the blue count is 0 (and vice-versa). range T = 0..N BRIDGE = BRIDGE[0][0], // initially empty bridge BRIDGE[nr:T][nb:T] = // nr: #red; nb: #blue (when (nb==0) red[ID].enter -> BRIDGE[nr+1][nb] | red[ID].exit -> BRIDGE[nr-1][nb] |when (nr==0) blue[ID].enter-> BRIDGE[nr][nb+1] | blue[ID].exit -> BRIDGE[nr][nb-1] ). DM519 Concurrent Programming � 22

  23. Single Lane Bridge - Bridge Model Warning - BRIDGE.-1.0 defined to be ERROR Warning - BRIDGE.0.-1 defined to be ERROR Warning - BRIDGE.-1.1 defined to be ERROR Warning - BRIDGE.-1.2 defined to be ERROR Warning - BRIDGE.-1.3 defined to be ERROR Warning - BRIDGE.0.4 defined to be ERROR Warning - BRIDGE.1.-1 defined to be ERROR Warning - BRIDGE.2.-1 defined to be ERROR Warning - BRIDGE.4.0 defined to be ERROR Warning - BRIDGE.3.-1 defined to be ERROR Compiled: BRIDGE “Sloppy controller”: 
 Even when 0, exit actions permit the car counts to 
 be decremented (i.e. unguarded exit actions) (similar with enter) Recall that LTSA maps such undefined states to ERROR . No, because cars are well-behaved 
 Is it a problem? (i.e. “they never exit before enter” and there are only three cars of each colour) DM519 Concurrent Programming � 23

Recommend

Ch. 10 Avoiding Liveness Hazards J ESPER P EDERSEN N OTANDER Liveness and Safety A liveness

Ch. 10 Avoiding Liveness Hazards J ESPER P EDERSEN N OTANDER Liveness and Safety A liveness

Ch. 10 Avoiding Liveness Hazards J ESPER P EDERSEN N OTANDER Liveness and Safety A liveness property, something good eventually happens. e.g. program termination. A safety property, something bad never happens. e.g.

338 views • 16 slides
Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties Viktor Schuppan Computer Systems Institute, ETH Z urich http://www.inf.ethz.ch/schuppan/ Defense Thesis ETH 16268 September 28, 2005, Z

382 views • 19 slides
Liveness Checking as Safety Checking FMICS, July 12 13, Malaga, Spain Armin Biere, Cyrille

Liveness Checking as Safety Checking FMICS, July 12 13, Malaga, Spain Armin Biere, Cyrille

Liveness Checking as Safety Checking FMICS, July 12 13, Malaga, Spain Armin Biere, Cyrille Artho, Viktor Schuppan http://www.inf.ethz.ch/schuppan/ Safety vs. Liveness 1 Safety Liveness Something bad will not Something good will

480 views • 31 slides
Safety and Liveness; Exceptions Christine Rizkallah CSE, UNSW Term 3; 2020 1 Program

Safety and Liveness; Exceptions Christine Rizkallah CSE, UNSW Term 3; 2020 1 Program

Safety and Liveness; Exceptions Christine Rizkallah CSE, UNSW Term 3; 2020 1 Program Properties Consider a sequence of states, representing the evaluation of a program in a small step semantics (a trace): 1 2 3

350 views • 20 slides
COMP31212: Concurrency Topic 5.3: Liveness and Topic 5.4 Fairness Topic 5.3: Liveness Properties

COMP31212: Concurrency Topic 5.3: Liveness and Topic 5.4 Fairness Topic 5.3: Liveness Properties

Topic 5.3: Liveness Properties Topic 5.4: Fairness and Starvation COMP31212: Concurrency Topic 5.3: Liveness and Topic 5.4 Fairness Topic 5.3: Liveness Properties Topic 5.4: Fairness and Starvation Outline Topic 5.3: Liveness Properties

509 views • 34 slides
Generalized Counterexamples to Liveness Properties Gadi Aleksandrowicz Jason Baumgartner

Generalized Counterexamples to Liveness Properties Gadi Aleksandrowicz Jason Baumgartner

Generalized Counterexamples to Liveness Properties Gadi Aleksandrowicz Jason Baumgartner Alexander Ivrii Ziv Nevo IBM Outline Generalized counterexamples to liveness and why they are especially interesting How to detect that a

135 views • 12 slides
On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work

On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work

On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work with Byron Cook, Andreas Podelski, and Andrey Rybalchenko BCTCS06, 6 April 2006 State-of-the-art Systems Model checking Abstraction Properties

484 views • 13 slides
Lecture 10.1 Safety and Liveness EN 600.320/420 Instructor: Randal Burns 28 February 2018

Lecture 10.1 Safety and Liveness EN 600.320/420 Instructor: Randal Burns 28 February 2018

Lecture 10.1 Safety and Liveness EN 600.320/420 Instructor: Randal Burns 28 February 2018 Department of Computer Science, Johns Hopkins University Characterizing Concurrency Safety (correctness): what are the semantic guarantees

560 views • 8 slides
Type checking liveness properties of mobile processes Maxime Gamboni 1 Instituto de

Type checking liveness properties of mobile processes Maxime Gamboni 1 Instituto de

Type checking liveness properties of mobile processes Maxime Gamboni 1 Instituto de Telecomunica c oes, Instituto Superior T ecnico October 30, 2008 1 Joint work with Ant onio Ravara Motivation TyPiCal Receptiveness,

983 views • 59 slides
Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

226 views • 22 slides
Ensuring Liveness Properties of Distributed Systems (A Research Agenda) Rob van Glabbeek

Ensuring Liveness Properties of Distributed Systems (A Research Agenda) Rob van Glabbeek

Ensuring Liveness Properties of Distributed Systems (A Research Agenda) Rob van Glabbeek Data61, CSIRO, Sydney, Australia University of New South Wales, Sydney, Australia September 2016 Distributed Systems systems consisting of multiple

878 views • 29 slides
Spatial and Behavioural types: safety, liveness and decidability Lucia Acciai and Michele Boreale

Spatial and Behavioural types: safety, liveness and decidability Lucia Acciai and Michele Boreale

Spatial and Behavioural types: safety, liveness and decidability Lucia Acciai and Michele Boreale Dipartimento di Sistemi e Informatica Universit degli Studi di Firenze Lisbon, April 1921, 2011 1 Outline Introduction 1 Processes, types

1.36k views • 66 slides
Deductive Safety and Liveness Verification for Ordinary Differential Equations Yong Kiam Tan

Deductive Safety and Liveness Verification for Ordinary Differential Equations Yong Kiam Tan

Deductive Safety and Liveness Verification for Ordinary Differential Equations Yong Kiam Tan Computer Science Department, Carnegie Mellon University INRIA, 30th Apr 2020 1 / 34 Motivation: Cyber-Physical Systems (CPSs) Cyber-Physical System:

1.14k views • 89 slides
Heuristics for Checking Liveness Properties with Partial Order Reductions A. Duret-Lutz, F.

Heuristics for Checking Liveness Properties with Partial Order Reductions A. Duret-Lutz, F.

Heuristics for Checking Liveness Properties with Partial Order Reductions A. Duret-Lutz, F. Kordon, D. Poitrenaud, E. Renault Tuesday, October 18th E. Renault ATVA16 Tuesday, October 18th 1 / 17 State Space Explosion Two concurrent

941 views • 52 slides
Safety and Liveness Defining Programs Variables with respective domain State space of

Safety and Liveness Defining Programs Variables with respective domain State space of

Safety and Liveness Defining Programs Variables with respective domain State space of the program Program actions Guarded commands Program computation &lt;s 0 , s 1 , s 2 , &gt; (s j-1 , s j ) is permitted by

875 views • 45 slides
Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1

Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1

Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1 Computer Systems Institute, ETH Z urich 2 Institute for Formal Models and Verification, JKU Linz http://www.inf.ethz.ch/schuppan/

1.23k views • 18 slides
3 COMP 1 5 9 3 Algorithmic Verification Safety and Liveness, Fairness Dr. Liam OConnor

3 COMP 1 5 9 3 Algorithmic Verification Safety and Liveness, Fairness Dr. Liam OConnor

&lt;latexit

851 views • 66 slides
3 COMP 1 5 9 3 Algorithmic Verification Safety and Liveness, Fairness Dr. Liam OConnor

3 COMP 1 5 9 3 Algorithmic Verification Safety and Liveness, Fairness Dr. Liam OConnor

&lt;latexit

270 views • 16 slides
Efficient Model Checking of Safety Properties Timo Latvala timo.latvala@hut.fi Laboratory for

Efficient Model Checking of Safety Properties Timo Latvala timo.latvala@hut.fi Laboratory for

Efficient Model Checking of Safety Properties Timo Latvala timo.latvala@hut.fi Laboratory for Theoretical Computer Science Helsinki University of Technology Finland Spin 2003 p.1/16 Introduction Safety properties properties

669 views • 44 slides
An Axiomatic Approach to Liveness for Differential Equations Yong Kiam Tan Andr e Platzer

An Axiomatic Approach to Liveness for Differential Equations Yong Kiam Tan Andr e Platzer

An Axiomatic Approach to Liveness for Differential Equations Yong Kiam Tan Andr e Platzer Computer Science Department, Carnegie Mellon University FM, 10th Oct 2019 1 Outline Motivation 1 Logical Approach to ODE Liveness 2 Concrete

1.09k views • 63 slides
Liveness of Randomised Parameterised Systems under Arbitrary Schedulers Anthony W. Lin and

Liveness of Randomised Parameterised Systems under Arbitrary Schedulers Anthony W. Lin and

Liveness of Randomised Parameterised Systems under Arbitrary Schedulers Anthony W. Lin and Philipp Ruemmer Summary of results Automatic method for proving liveness for randomised parameterised systems, e.g., Randomised Self-Stabilising

484 views • 45 slides
K-periodically routed graphs Julien Boucaron Anthony Coadou EPI Aoste Basics Motivation

K-periodically routed graphs Julien Boucaron Anthony Coadou EPI Aoste Basics Motivation

K-periodically routed graphs Julien Boucaron Anthony Coadou EPI Aoste Basics Motivation Introducing control in data-flow process networks while ensuring strong desirable properties such as determinism , decidable safety and liveness .

331 views • 30 slides
Linear types : A simple way to derive safety properties of programs Software Analysis and

Linear types : A simple way to derive safety properties of programs Software Analysis and

Linear types : A simple way to derive safety properties of programs Software Analysis and Verification 30 avril 2009 Intuition : Using types to represent properties function addition(x, y) { assume( x is integer ); assume( y is

712 views • 38 slides
Residual Monitoring of Safety Properties Prove what you can and monitor the leftovers Matthew

Residual Monitoring of Safety Properties Prove what you can and monitor the leftovers Matthew

Residual Monitoring of Safety Properties Prove what you can and monitor the leftovers Matthew Dwyer joint work with Rahul Purandare, Sebastian Elbaum, Madeline Diep, and Alex Kinneer Department of Computer Science and Engineering Reality Check

1.84k views • 134 slides

More recommend