Introduce variable counter and maintain invariant:
$$\big(\mathit{Init}_{C,R}(pc, counter, \ldots) \;\land\; \Box\,\mathit{Action}_{C,R}(pc, counter, \ldots)\big) \;\Rightarrow\; \Box\,\mathit{Invariant}_{C,R}(pc, counter, \ldots)$$
System.
Stronger specification.
Chosen appropriately, invariant implies safety property:
$$\mathit{Invariant}_{C,R}(pc, counter, \ldots) \;:\Leftrightarrow\; counter \geq 0 \;\land\; R = counter + |\{\, i \in [1,C] : pc_i = \mathit{resource} \,\}|$$
Counter is non-negative.
Counter complements number of processes operating on resource.
Must check whether the clients maintain the invariant.
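An added example, not part of the original slides: an exhaustive check, for small C and R, that the initial state satisfies the invariant and that every client step preserves it. The client model (program counters `idle`/`resource`, an acquire step guarded by `counter > 0`, a release step) and the safety property (at most R clients operate on the resource) are assumptions, since this page does not define them.

```python
from itertools import product

IDLE, RESOURCE = "idle", "resource"  # assumed program-counter values


def invariant(pc, counter, R):
    # counter >= 0 and R = counter + number i in [1,C]: pc_i = resource
    return counter >= 0 and R == counter + sum(p == RESOURCE for p in pc)


def safety(pc, R):
    # Assumed safety property: at most R clients operate on the resource.
    return sum(p == RESOURCE for p in pc) <= R


def successors(pc, counter, guarded=True):
    """Yield every state one client step away (assumed client model)."""
    for i, p in enumerate(pc):
        if p == IDLE and (counter > 0 or not guarded):
            # acquire: take one unit and start operating on the resource
            yield pc[:i] + (RESOURCE,) + pc[i + 1:], counter - 1
        elif p == RESOURCE:
            # release: stop operating on the resource and return the unit
            yield pc[:i] + (IDLE,) + pc[i + 1:], counter + 1


def check(C, R, guarded=True):
    """Return None if the invariant is inductive, else a counterexample."""
    init = ((IDLE,) * C, R)
    if not invariant(*init, R):
        return ("init", init)
    # Inductive step: start from every state that satisfies the invariant,
    # not only the reachable ones, and take each possible client step.
    for pc in product((IDLE, RESOURCE), repeat=C):
        for counter in range(R + 1):
            if not invariant(pc, counter, R):
                continue
            if not safety(pc, R):  # invariant must imply safety
                return ("safety", (pc, counter))
            for nxt in successors(pc, counter, guarded):
                if not invariant(*nxt, R):
                    return ("step", (pc, counter), nxt)
    return None


if __name__ == "__main__":
    print(check(3, 2))                 # guarded clients maintain the invariant
    print(check(3, 2, guarded=False))  # unguarded acquire breaks counter >= 0
```

With the guard removed, the check reports the step where a third client acquires while `counter` is already 0, which is the case the `counter >= 0` conjunct exists to exclude.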