300 likes | 390 Views
Defining Programs, Specifications, fault-tolerance, etc. Recall. Program State space Program computation Of the form <s 0 , s 1 , s 2 , …> Specification consists of a set of infinite sequences of states.
E N D
Recall • Program • State space • Program computation • Of the form <s0, s1, s2, …> • Specification consists of a set of infinite sequences of states
It turns out that the specification considered here are general. Often specifications in practice have some additional characteristics
Fusion closure • A spec is fusion closed for any finite sequences , and infinite sequences , and state x, the following condition is satisfied • if xspec xspec • Then xspec xspec
Suffix Closure • A spec is suffix closed for any finite sequence and infinite sequence • if spec • Then spec • For subsequent discussion, we will assume that specification is suffix closed & fusion closed
Safety Specification • : SafetySpec : ( : is a prefix of :: SafetySpec) • Safety specification can be modeled in terms of the set of `bad prefixes’ • Intuition: Consider a computation that violates safety. Identify the prefix . • Do this for each computation that violates safety • Collection of these prefixes can be used to model safety
Safety Specification • While the safety specification we considered is general, often more concise specifications suffice • Example 1: safety modeled as a set of bad states • E.g., the value of x should never be greater than 3 • How can such a safety specification be modeled as a set of bad prefixes?
Safety Specification • Example 2: • Safety is modeled as a set of bad transitions • E,g., the value of x should never increase • We will use this representation for subsequent work • More compact • General enough for many applications • If specification is fusion closed and suffix closed then safety can always be represented as a set of bad transitions
State Predicate • State Space Sp identifies the set of all states of a program • A state predicate is a subset of the state space • For example, consider a program with one variable x, say with domain 0..10 • x > 5 is an example of state predicate • Corresponds to {6, 7, 8, 9, 10}
More concise program representation • A program is modeled in terms of a set of variables and a set of guarded commands • The domain of variables can be used to determine state space • Each guarded command is of the form • guard statement • guard is a Boolean variable over program variables • I.e., guard is a state predicate • Statement updates program variables
Example • Consider Peterson’s mutual exclusion example • Variables • st1, st2 : {n, t, c} • turn : {0, 1}
Example • Climate control system • Variables • dt, pt : {60 .. 90} • sync : {0, 1} • Action (example) • dt > 60 sync = 0 dt = dt – 1;
Program Computation • A sequence <s0, s1, … > is a computation of program p iff for each si, i > 0, • si is obtained by executing some action of p that is enabled in si –1 • An action is enabled in a state iff its guard evaluates to true in that state
Fairness • Sometimes, we also introduce a fairness condition • A sequence <s0, s1, … > is a computation of program p iff for each si, i > 0, • si is obtained by executing some action of p that is enabled in si –1 • If an action of p is continuously enabled in this sequence then it will be eventually executed
Closure • We say that a predicate S is closed in program p iff • Starting from any state where S is true execution of any enabled action results in a state in S • Note that S is closed in p iff (p satisfies closed(S) from all states)
Program Correctness • Typically, • A program is correct if all its computations starting from initial state are in the specification • What if we want to talk about correctness of programs when we start observing it in the middle?
Invariant • We say that state predicate S is an invariant of p iff the following condition is satisfied • S is closed in p • Every computation of p that starts from a state in p is in the specification • (Alternatively, every computation of p that starts from a state in p satisfies its specification) • If the specification is suffix closed and fusion closed and the program is correct from some initial states, then the set of reachable states from initial states is an invariant of the program
p Invariant
Example of Invariant • For climate control system, • sync = 1 dt = pt is an invariant
Faults • Also modeled as a set of transitions • (or guarded commands) • Recall the example from first class of going from one location to another • Effect of faults
Fault Span • Let T be a state predicate • T is a f-span of p from S iff the following conditions are satisfied • S T (same as S T) • T is closed in p [] f
p/f p Fault-Span f Fault span is the boundary upto which faults can perturb the program
Computation in the presence of faults • A computation of p • In every step, execute a transition of p • A computation of p[]f • In every step, execute a transition of p or a transition of f • Number of fault transitions in any computation is finite • Fairness??
Levels of Fault-Tolerance • Irrespective of level of fault-tolerance, the program satisfies its specification from its invariant • Levels are determined based on behavior in fault span
Failsafe Fault-tolerance • p is failsafe f-tolerant to spec from S iff • p satisfies spec from S • There exists T such that • T is a f-span of p from S • Every computation of p[]f that starts from T satisfies the safety of spec • Recall spec can be expressed as an intersection of safety and liveness. In the presence of faults, the failsafe program satisfies the safety part of it.
Computations here meet safety specification p/f p Failsafe Fault-Tolerance f
Nonmasking Fault-Tolerance • p is nonmasking f-tolerant to spec from S iff • p satisfies spec from S • There exists T such that • T is a f-span of p from S • Every computation of p[]f that starts from T eventually reaches a state in S • Thus, a computation of p has a suffix that satisfies its specification
Computations here eventually reach S, safety may be violated before reaching S p/f p Nonmasking Fault-Tolerance S f
Masking Fault-Tolerance • p is masking f-tolerant to spec from S iff • p satisfies spec from S • There exists T such that • T is a f-span of p from S • Every computation of p[]f that starts from T satisfies the safety of spec • Every computation of p[]f that starts from T eventually reaches a state in S
Computations here meet safety specification and eventually reach S p/f p Masking Fault-Tolerance S f