1 / 30

Defining Programs, Specifications, fault-tolerance, etc.

Defining Programs, Specifications, fault-tolerance, etc. Recall. Program State space Program computation Of the form <s 0 , s 1 , s 2 , …> Specification consists of a set of infinite sequences of states.

mavis
Download Presentation

Defining Programs, Specifications, fault-tolerance, etc.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Defining Programs, Specifications, fault-tolerance, etc.

  2. Recall • Program • State space • Program computation • Of the form <s0, s1, s2, …> • Specification consists of a set of infinite sequences of states

  3. It turns out that the specification considered here are general. Often specifications in practice have some additional characteristics

  4. Fusion closure • A spec is fusion closed for any finite sequences ,  and infinite sequences ,  and state x, the following condition is satisfied • if xspec  xspec • Then xspec  xspec

  5. Suffix Closure • A spec is suffix closed for any finite sequence  and infinite sequence  • if spec • Then spec • For subsequent discussion, we will assume that specification is suffix closed & fusion closed

  6. Safety Specification •  : SafetySpec : ( :  is a prefix of    ::  SafetySpec) • Safety specification can be modeled in terms of the set of `bad prefixes’ • Intuition: Consider a computation  that violates safety. Identify the prefix . • Do this for each computation that violates safety • Collection of these prefixes can be used to model safety

  7. Safety Specification • While the safety specification we considered is general, often more concise specifications suffice • Example 1: safety modeled as a set of bad states • E.g., the value of x should never be greater than 3 • How can such a safety specification be modeled as a set of bad prefixes?

  8. Safety Specification • Example 2: • Safety is modeled as a set of bad transitions • E,g., the value of x should never increase • We will use this representation for subsequent work • More compact • General enough for many applications • If specification is fusion closed and suffix closed then safety can always be represented as a set of bad transitions

  9. State Predicate • State Space Sp identifies the set of all states of a program • A state predicate is a subset of the state space • For example, consider a program with one variable x, say with domain 0..10 • x > 5 is an example of state predicate • Corresponds to {6, 7, 8, 9, 10}

  10. More concise program representation • A program is modeled in terms of a set of variables and a set of guarded commands • The domain of variables can be used to determine state space • Each guarded command is of the form • guard  statement • guard is a Boolean variable over program variables • I.e., guard is a state predicate • Statement updates program variables

  11. Example • Consider Peterson’s mutual exclusion example • Variables • st1, st2 : {n, t, c} • turn : {0, 1}

  12. Example • Climate control system • Variables • dt, pt : {60 .. 90} • sync : {0, 1} • Action (example) • dt > 60  sync = 0  dt = dt – 1;

  13. Program Computation • A sequence <s0, s1, … > is a computation of program p iff for each si, i > 0, • si is obtained by executing some action of p that is enabled in si –1 • An action is enabled in a state iff its guard evaluates to true in that state

  14. Fairness • Sometimes, we also introduce a fairness condition • A sequence <s0, s1, … > is a computation of program p iff for each si, i > 0, • si is obtained by executing some action of p that is enabled in si –1 • If an action of p is continuously enabled in this sequence then it will be eventually executed

  15. Closure • We say that a predicate S is closed in program p iff • Starting from any state where S is true execution of any enabled action results in a state in S • Note that S is closed in p iff (p satisfies closed(S) from all states)

  16. Program Correctness • Typically, • A program is correct if all its computations starting from initial state are in the specification • What if we want to talk about correctness of programs when we start observing it in the middle?

  17. Invariant • We say that state predicate S is an invariant of p iff the following condition is satisfied • S is closed in p • Every computation of p that starts from a state in p is in the specification • (Alternatively, every computation of p that starts from a state in p satisfies its specification) • If the specification is suffix closed and fusion closed and the program is correct from some initial states, then the set of reachable states from initial states is an invariant of the program

  18. p Invariant

  19. Example of Invariant • For climate control system, • sync = 1  dt = pt is an invariant

  20. Faults • Also modeled as a set of transitions • (or guarded commands) • Recall the example from first class of going from one location to another • Effect of faults

  21. Fault Span • Let T be a state predicate • T is a f-span of p from S iff the following conditions are satisfied • S  T (same as S  T) • T is closed in p [] f

  22. p/f p Fault-Span f Fault span is the boundary upto which faults can perturb the program

  23. Computation in the presence of faults • A computation of p • In every step, execute a transition of p • A computation of p[]f • In every step, execute a transition of p or a transition of f • Number of fault transitions in any computation is finite • Fairness??

  24. Levels of Fault-Tolerance • Irrespective of level of fault-tolerance, the program satisfies its specification from its invariant • Levels are determined based on behavior in fault span

  25. Failsafe Fault-tolerance • p is failsafe f-tolerant to spec from S iff • p satisfies spec from S • There exists T such that • T is a f-span of p from S • Every computation of p[]f that starts from T satisfies the safety of spec • Recall spec can be expressed as an intersection of safety and liveness. In the presence of faults, the failsafe program satisfies the safety part of it.

  26. Computations here meet safety specification p/f p Failsafe Fault-Tolerance f

  27. Nonmasking Fault-Tolerance • p is nonmasking f-tolerant to spec from S iff • p satisfies spec from S • There exists T such that • T is a f-span of p from S • Every computation of p[]f that starts from T eventually reaches a state in S • Thus, a computation of p has a suffix that satisfies its specification

  28. Computations here eventually reach S, safety may be violated before reaching S p/f p Nonmasking Fault-Tolerance S f

  29. Masking Fault-Tolerance • p is masking f-tolerant to spec from S iff • p satisfies spec from S • There exists T such that • T is a f-span of p from S • Every computation of p[]f that starts from T satisfies the safety of spec • Every computation of p[]f that starts from T eventually reaches a state in S

  30. Computations here meet safety specification and eventually reach S p/f p Masking Fault-Tolerance S f

More Related