Liveness in Timed and Untimed Systems
Abstract: When proving the correctness of algorithms in distributed systems, one generally considers safety conditions and liveness conditions. The Input/Output (I/O) automaton model and its timed version have been used successfully, but have focused on safety conditions and on a restricted form of liveness called fairness. In this paper we develop a new I/O automaton model, and a new timed I/O automaton model, that permit the verification of general liveness properties on the basis of existing verification techniques. Our models include a notion of receptiveness which extends the idea of receptiveness of other existing formalisms, and enables the use of compositional verification techniques. The presentation includes an embedding of the untimed model into the timed model which preserves all the interesting attributes of the untimed model. Thus, our models constitute a coordinated framework for the description of concurrent and distributed systems satisfying general liveness properties.
Hybrid I/O automata
We propose a new hybrid I/O automaton model that is capable of describing both continuous and discrete behavior. The model, which extends the timed I/O automaton model of Lynch et al. and the phase transition system models of Manna et al., allows communication among components using both shared variables and shared actions. The main contributions of this paper are: (1) the definition of hybrid I/O automata and of an implementation relation based on hybrid traces, (2) the definition of a simulation between hybrid I/O automata and a proof that existence of a simulation implies the implementation relation, (3) a definition of composition of hybrid I/O automata and a proof that it respects the implementation relation, and (4) a definition of receptiveness for hybrid I/O automata and a proof that, assuming certain compatibility conditions, receptiveness is preserved by composition.
A theory of normed simulations
In existing simulation proof techniques, a single step in a lower-level specification may be simulated by an extended execution fragment in a higher-level one. As a result, it is cumbersome to mechanize these techniques using general purpose theorem provers. Moreover, it is undecidable whether a given relation is a simulation, even if tautology checking is decidable for the underlying specification logic. This paper introduces various types of normed simulations. In a normed simulation, each step in a lower-level specification can be simulated by at most one step in the higher-level one, for any related pair of states. In earlier work we demonstrated that normed simulations are quite useful as a vehicle for the formalization of refinement proofs via theorem provers. Here we show that normed simulations also have pleasant theoretical properties: (1) under some reasonable assumptions, it is decidable whether a given relation is a normed forward simulation, provided tautology checking is decidable for the underlying logic; (2) at the semantic level, normed forward and backward simulations together form a complete proof method for establishing behavior inclusion, provided that the higher-level specification has finite invisible nondeterminism. Comment: 31 pages, 10 figures.
Correctness of vehicle control systems a case study
Thesis (M.S.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1996. Includes bibliographical references (p. 97-100). By Henri B. Weinberg. M.S.
Safety-Liveness Exclusion in Distributed Computing
The history of distributed computing is full of trade-offs between safety and liveness. For instance, one of the most celebrated results in the field, namely the impossibility of consensus in an asynchronous system, basically says that we cannot devise an algorithm that deterministically ensures consensus agreement and validity (i.e., safety) on the one hand, and consensus wait-freedom (i.e., liveness) on the other hand. The motivation of this work is to study the extent to which safety and liveness properties inherently exclude each other. More specifically, we ask, given any safety property S, whether we can determine the strongest (resp. weakest) liveness property that can (resp. cannot) be achieved with S. We show that, maybe surprisingly, the answers to these safety-liveness exclusion questions are in general negative. This has several ramifications in various distributed computing contexts. In the context of consensus, for example, this means that it is impossible to determine the strongest (resp. the weakest) liveness property that can (resp. cannot) be ensured with linearizability. However, we present a way to circumvent these impossibilities and answer positively the safety-liveness question by considering a restricted form of liveness. We consider a definition that gathers generalized forms of obstruction-freedom and lock-freedom while enabling us to determine the strongest (resp. weakest) liveness property that can (resp. cannot) be implemented in the context of consensus and transactional memory.
Timed Parity Games: Complexity and Robustness
We consider two-player games played in real time on game structures with clocks where the objectives of players are described using parity conditions. The games are \emph{concurrent} in that at each turn, both players independently propose a time delay and an action, and the action with the shorter delay is chosen. To prevent a player from winning by blocking time, we restrict each player to play strategies that ensure that the player cannot be responsible for causing a zeno run. First, we present an efficient reduction of these games to \emph{turn-based} (i.e., not concurrent) \emph{finite-state} (i.e., untimed) parity games. Our reduction improves the best known complexity for solving timed parity games. Moreover, the rich class of algorithms for classical parity games can now be applied to timed parity games. The states of the resulting game are based on clock regions of the original game, and the state space of the finite game is linear in the size of the region graph. Second, we consider two restricted classes of strategies for the player that represents the controller in a real-time synthesis problem, namely, \emph{limit-robust} and \emph{bounded-robust} winning strategies. Using a limit-robust winning strategy, the controller cannot choose an exact real-valued time delay but must allow for some nonzero jitter in each of its actions. If there is a given lower bound on the jitter, then the strategy is bounded-robust winning. We show that exact strategies are more powerful than limit-robust strategies, which are more powerful than bounded-robust winning strategies for any bound. For both kinds of robust strategies, we present efficient reductions to standard timed automaton games. These reductions provide algorithms for the synthesis of robust real-time controllers.