Presentation is loading. Please wait.

Presentation is loading. Please wait.

CP — Concurrent Programming 5. Safety and Liveness Properties Prof. O. Nierstrasz Wintersemester 2005 / 2006.

Published byMadeline Harrington Modified over 10 years ago

Similar presentations

Presentation on theme: "CP — Concurrent Programming 5. Safety and Liveness Properties Prof. O. Nierstrasz Wintersemester 2005 / 2006."— Presentation transcript:

1 CP — Concurrent Programming 5. Safety and Liveness Properties Prof. O. Nierstrasz Wintersemester 2005 / 2006

2 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.2 Safety and Liveness Properties Overview  Safety revisited —Safety properties and ERROR conditions  Liveness —Progress Properties  Deadlock —The Dining Philosophers problem —Detecting and avoiding deadlock Selected material © Magee and Kramer

3 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.3 Safety revisited A safety property asserts that nothing bad happens Use ERROR process (-1) to detect erroneous behaviour Trace to property violation in ACTUATOR: command Trace to property violation in ACTUATOR: command ACTUATOR =( command->ACTION), ACTION=( respond->ACTUATOR | command->ERROR). ACTUATOR =( command->ACTION), ACTION=( respond->ACTUATOR | command->ERROR). 01

4 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.4 Safety — property specification ERROR conditions state what is not required In complex systems, it is usually better to specify directly what is required. Trace to property violation in SAFE_ACTUATOR: respond Trace to property violation in SAFE_ACTUATOR: respond property SAFE_ACTUATOR = ( command -> respond -> SAFE_ACTUATOR ). property SAFE_ACTUATOR = ( command -> respond -> SAFE_ACTUATOR ). 01

5 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.5 Checking Busy-Wait (revisited) Ok is a deterministic process that specifies which traces are safe — everything else is in ERROR. Contrast: property Ok=( a -> b -> Ok | c -> d -> Ok ). property Ok=( a -> b -> Ok | c -> d -> Ok ). Ok= ( a -> ( c -> ERROR | b -> Ok ) | c -> ( a -> ERROR | d -> Ok )). Ok= ( a -> ( c -> ERROR | b -> Ok ) | c -> ( a -> ERROR | d -> Ok )). 01

6 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.6 Safety properties A safety property P defines a deterministic process that asserts that any trace including actions in the alphabet of P is accepted by P. Transparency of safety properties:  Since all actions in the alphabet of a property are eligible choices, composing a property with a set of processes does not affect their correct behaviour.  If a behaviour can occur which violates the safety property, then ERROR is reachable.

7 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.7 Transparency Why must properties be deterministic to be transparent? Consider: Is a->b allowed or not? property P = (a->b->P|a->c->P). 01

8 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.8 Safety properties How can we specify that some action, disaster, never occurs? A safety property must be specified so as to include all the acceptable, valid behaviours in its alphabet. property CALM = STOP + {disaster}.

9 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.9 Liveness A liveness property asserts that something good eventually happens. A progress property asserts that it is always the case that an action is eventually executed. Progress is the opposite of starvation, the name given to a concurrent programming situation in which an action is never executed.

10 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.10 Liveness Problems A program may be “safe”, yet suffer from various kinds of liveness problems: Starvation: (AKA “indefinite postponement”)  The system as a whole makes progress, but some individual processes don’t Dormancy:  A waiting process fails to be woken up Premature termination:  A process is killed before it should be Deadlock:  Two or more processes are blocked, each waiting for resources held by another

11 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.11 Progress properties — fair choice If a coin were tossed an infinite number of times, we would expect that both heads and tails would each be chosen infinitely often. This assumes fair choice ! Fair Choice: If a choice over a set of transitions is executed infinitely often, then every transition in the set will be executed infinitely often. COIN =( toss -> heads -> COIN | toss -> tails -> COIN ). COIN =( toss -> heads -> COIN | toss -> tails -> COIN ).

12 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.12 Safety vs. Liveness Consider: The safety properties of COIN are not very interesting. How do we express what must happen? The safety properties of COIN are not very interesting. How do we express what must happen? property SAFE = ( heads -> SAFE | tails -> SAFE ). property SAFE = ( heads -> SAFE | tails -> SAFE ).

13 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.13 01 progress P = {a1,a2..an} progress HEADS = {heads} progress TAILS = {tails} progress HEADS = {heads} progress TAILS = {tails} No progress violations detected. Progress properties asserts that in an infinite execution of a target system, at least one of the actions a1,a2...an will be executed infinitely often.

14 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.14 Progress properties Suppose we have both a normal coin and a trick coin TWOCOIN= ( pick->COIN | pick->TRICK ), TRICK= ( toss->heads->TRICK ), COIN= ( toss->heads->COIN | toss->tails->COIN ). TWOCOIN= ( pick->COIN | pick->TRICK ), TRICK= ( toss->heads->TRICK ), COIN= ( toss->heads->COIN | toss->tails->COIN ). Terminal sets

15 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.15 Progress analysis A terminal set of states is one in which every state is mutually reachable but no transitions leads out of the set. The terminal set {1, 2} violates progress property TAILS 01 progress HEADS = {heads} progress TAILS = {tails} progress HEADSorTAILS = {heads,tails} progress HEADS = {heads} progress TAILS = {tails} progress HEADSorTAILS = {heads,tails} Progress violation: TAILS Trace to terminal set of states: pick Actions in terminal set: {toss, heads} Progress violation: TAILS Trace to terminal set of states: pick Actions in terminal set: {toss, heads}

16 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.16 Safety vs. Liveness Consider: How does this safety property expose the flaw in the system? How would you fix the TWOCOIN to have this property pass? How does this safety property expose the flaw in the system? How would you fix the TWOCOIN to have this property pass? property REPICK = ( pick -> toss -> REPICK ). Trace to property violation in REPICK: pick toss heads toss Trace to property violation in REPICK: pick toss heads toss 01

17 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.17 Deadlock Four necessary and sufficient conditions: 1. Serially reusable resources: —the deadlocked processes share resources under mutual exclusion. 2. Incremental acquisition: —processes hold on to acquired resources while waiting to obtain additional ones. 3. No pre-emption: —once acquired by a process, resources cannot be pre-empted but only released voluntarily. 4. Wait-for cycle: —a cycle of processes exists in which each process holds a resource which its successor in the cycle is waiting to acquire.

18 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.18 Waits-for cycle A B CD E Has A awaits B Has B awaits C Has C awaits DHas D awaits E Has E awaits A

19 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.19 Deadlock analysis - primitive processes A deadlocked state is one with no outgoing transitions In FSP: STOP process Progress violation for actions: {north, south} Trace to terminal set of states: north north Actions in terminal set: {} Progress violation for actions: {north, south} Trace to terminal set of states: north north Actions in terminal set: {} MOVE = ( north -> ( south -> MOVE | north -> STOP ) ). MOVE = ( north -> ( south -> MOVE | north -> STOP ) ). 01

20 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.20 The Dining Philosophers Problem  Philosophers alternate between thinking and eating.  A philosopher needs two forks to eat.  No two philosophers may hold the same fork simultaneously.  There must be no deadlock and no starvation.  Want efficient behaviour under absence of contention.

21 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.21 Deadlocked diners  A deadlock occurs if a waits- for cycle arises in which each philosopher grabs one fork and waits for the other.

22 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.22 Dining Philosophers, Safety and Liveness Dining Philosophers illustrate many classical safety and liveness issues: Mutual ExclusionEach fork can be used by one philosopher at a time Condition synchronizationA philosopher needs two forks to eat Shared variable communication Philosophers share forks... Message-based communication... or they can pass forks to each other Busy-waitingA philosopher can poll for forks... Blocked waiting... or can sleep till woken by a neighbour Livelock All philosophers can grab the left fork and busy-wait for the right... Deadlock... or grab the left one and wait (sleep) for the right Starvation A philosopher may starve if the left and right neighbours are always faster at grabbing the forks Race conditionsAnomalous behaviour depends on timing

23 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.23 Modeling Dining Philosophers PHIL=(sitdown ->right.get -> left.get ->eat -> left.put -> right.put ->arise -> PHIL ). FORK =(get -> put -> FORK). ||DINERS(N=5)= forall [i:0..N-1] ( phil[i]:PHIL || {phil[i].left,phil[((i-1)+N)%N].right}::FORK ). PHIL=(sitdown ->right.get -> left.get ->eat -> left.put -> right.put ->arise -> PHIL ). FORK =(get -> put -> FORK). ||DINERS(N=5)= forall [i:0..N-1] ( phil[i]:PHIL || {phil[i].left,phil[((i-1)+N)%N].right}::FORK ). Is this system safe? Is it live? 01

24 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.24 Dining Philosophers Analysis Trace to terminal set of states: phil.0.sitdown phil.0.right.get phil.1.sitdown phil.1.right.get phil.2.sitdown phil.2.right.get phil.3.sitdown phil.3.right.get phil.4.sitdown phil.4.right.get Actions in terminal set: {} Trace to terminal set of states: phil.0.sitdown phil.0.right.get phil.1.sitdown phil.1.right.get phil.2.sitdown phil.2.right.get phil.3.sitdown phil.3.right.get phil.4.sitdown phil.4.right.get Actions in terminal set: {} No further progress is possible due to the waits-for cycle

25 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.25 Eliminating Deadlock There are two fundamentally different approaches to eliminating deadlock. Deadlock detection:  Repeatedly check for waits-for cycles. When detected, choose a victim and force it to release its resources. —Common in transactional systems; the victim should “roll-back” and try again Deadlock avoidance:  Design the system so that a waits-for cycle cannot possibly arise.

26 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.26 Dining Philosopher Solutions There are countless solutions to the Dining Philosophers problem that use various concurrent programming styles and patterns, and offer varying degrees of liveness guarantees: Break the cycle  Number the forks. Philosophers grab the lowest numbered fork first.  One philosopher grabs forks in the reverse order. Philosophers queue to sit down  allow no more than four at a time to sit Do these solutions avoid deadlock? What about starvation? Are they “fair”? 01

27 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.27 What you should know!  What are safety properties? How are they modelled in FSP?  What kinds of liveness problems can occur in concurrent programs?  Why is progress a liveness rather than a safety issue?  What is fair choice? Why do we need it?  What is a terminal set of states?  What are necessary and sufficient conditions for deadlock?  How can you detect deadlock? How can you avoid it?

28 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.28 Can you answer these questions?  How would you manually check a safety property?  Why must safety properties be deterministic to be transparent?  How would you manually check a progress property?  What is the difference between starvation and deadlock?  How would you manually detect a waits-for cycle?  What is fairness?

29 © Oscar Nierstrasz CP — Safety and Liveness Properties CP 5.29 License > http://creativecommons.org/licenses/by-sa/2.5/ Attribution-ShareAlike 2.5 You are free: to copy, distribute, display, and perform the work to make derivative works to make commercial use of the work Under the following conditions: Attribution. You must attribute the work in the manner specified by the author or licensor. Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above. Attribution-ShareAlike 2.5 You are free: to copy, distribute, display, and perform the work to make derivative works to make commercial use of the work Under the following conditions: Attribution. You must attribute the work in the manner specified by the author or licensor. Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above.

Download ppt "CP — Concurrent Programming 5. Safety and Liveness Properties Prof. O. Nierstrasz Wintersemester 2005 / 2006."

Similar presentations

Deadlock Prevention, Avoidance, and Detection

Deadlock Prevention, Avoidance, and Detection
Concurrency: Deadlock and Starvation Chapter 6. Deadlock Permanent blocking of a set of processes that either compete for system resources or communicate.

Concurrency: Deadlock and Starvation Chapter 6. Deadlock Permanent blocking of a set of processes that either compete for system resources or communicate.
Operating Systems Lecture Notes Deadlocks Matthew Dailey Some material © Silberschatz, Galvin, and Gagne, 2002.

Operating Systems Lecture Notes Deadlocks Matthew Dailey Some material © Silberschatz, Galvin, and Gagne, 2002.
Deadlock Prevention, Avoidance, and Detection.  The Deadlock problem The Deadlock problem  Conditions for deadlocks Conditions for deadlocks  Graph-theoretic.

Deadlock Prevention, Avoidance, and Detection.  The Deadlock problem The Deadlock problem  Conditions for deadlocks Conditions for deadlocks  Graph-theoretic.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
6. Deadlocks 6.1 Deadlocks with Reusable and Consumable Resources

6. Deadlocks 6.1 Deadlocks with Reusable and Consumable Resources
12. Common Errors, a few Puzzles. © O. Nierstrasz P2 — Common Errors, a few Puzzles 12.2 Common Errors, a few Puzzles Sources  Cay Horstmann, Computing.

12. Common Errors, a few Puzzles. © O. Nierstrasz P2 — Common Errors, a few Puzzles 12.2 Common Errors, a few Puzzles Sources  Cay Horstmann, Computing.
5. Liveness and Guarded Methods Prof. O. Nierstrasz Selected material © Magee and Kramer.

5. Liveness and Guarded Methods Prof. O. Nierstrasz Selected material © Magee and Kramer.
Slide 1 Concurrency, Dining Philosophers Lecture 14 COMP 201.

Slide 1 Concurrency, Dining Philosophers Lecture 14 COMP 201.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Deadlock Emery Berger and Mark Corner University of Massachusetts.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Deadlock Emery Berger and Mark Corner University of Massachusetts.
ESE Einführung in Software Engineering 7. Modeling Behaviour Prof. O. Nierstrasz.

ESE Einführung in Software Engineering 7. Modeling Behaviour Prof. O. Nierstrasz.
Concurrency: safety & liveness properties1 ©Magee/Kramer 2 nd Edition COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 14 Safety and.

Concurrency: safety & liveness properties1 ©Magee/Kramer 2 nd Edition COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 14 Safety and.
SPL/2010 Liveness And Performance 1. SPL/2010 Performance ● Throughput - How much work can your program complete in a given time unit? ● Example: HTTP.

SPL/2010 Liveness And Performance 1. SPL/2010 Performance ● Throughput - How much work can your program complete in a given time unit? ● Example: HTTP.
Chapter 6 Concurrency: Deadlock and Starvation

Chapter 6 Concurrency: Deadlock and Starvation
Chapter 6 Concurrency: Deadlock and Starvation

Chapter 6 Concurrency: Deadlock and Starvation
10. Petri Nets Prof. O. Nierstrasz. Roadmap  Definition: —places, transitions, inputs, outputs —firing enabled transitions  Modelling: —concurrency.

10. Petri Nets Prof. O. Nierstrasz. Roadmap  Definition: —places, transitions, inputs, outputs —firing enabled transitions  Modelling: —concurrency.
Object-Oriented Reengineering Patterns and Techniques Prof. O. Nierstrasz Prof. S. Ducasse www.iam.unibe.ch/~scg/Teaching/OORP T.

Object-Oriented Reengineering Patterns and Techniques Prof. O. Nierstrasz Prof. S. Ducasse T.
ESE Einführung in Software Engineering N. XXX Prof. O. Nierstrasz Fall Semester 2009.

ESE Einführung in Software Engineering N. XXX Prof. O. Nierstrasz Fall Semester 2009.
10 Deadlock Example Process 1 Process 2 Resource 1 Resource 2 Process holds the resource Process requests the resource.

10 Deadlock Example Process 1 Process 2 Resource 1 Resource 2 Process holds the resource Process requests the resource.
© Oscar Nierstrasz ST — Smalltalk Basics 2.1 Change sets  Make sure your changes are logged to a new change set.

© Oscar Nierstrasz ST — Smalltalk Basics 2.1 Change sets  Make sure your changes are logged to a new change set.

Similar presentations

Ads by Google