saeaadl / emv2

AADL Error Model V2 annex language

Simple transition condition with noerror #82

Open joeseibel opened 2 years ago

joeseibel commented 2 years ago

Should we permit noerror to be used for a propagation in a condition if that propagation is the only element of that condition? Should the following model be legal:

package StandardIssue
public
  system s
    features
      f1: in feature;
    annex EMV2 {**
      use types ErrorLibrary;
      use behavior StandardIssue::machine1;

      error propagations
        f1: in propagation {CommonErrors};
      end propagations;

      component error behavior
        transitions
          -- the whole condition is a single noerror element on f1
          transition1: state1 -[f1 {noerror}]-> state2;
      end component;
    **};
  end s;

  -- behavior state machine referenced by "use behavior" above
  annex EMV2 {**
    error behavior machine1
      states
        state1: initial state;
        state2: state;
    end behavior;
  **};
end StandardIssue;

If we do allow the above example, what does it really mean?

It seems like noerror would make more sense in an expression such as this: f1 {ServiceError} and f2 {noerror} and f3 {noerror}.

brlarson commented 1 year ago

Suppose three consecutive errors would cause activation of a hot/cold spare. Then a {NoError} transition would be useful.

jjhugues commented 1 year ago

Discussion on 2/16/23

In the original example, one can imagine the following scenario: a system may tolerate 1 invalid value every 2 samples (for simplification). If two invalid values are detected in a row, the system reports an error.

One would use a transition with f1{noerror} to mark that the current sample was without error, therefore decrementing the counter.
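The two scenarios above (a counter of consecutive bad samples that an error-free sample steps back down, and three consecutive errors activating a hot/cold spare) can be written as one EMV2 behavior machine in which `f1 {noerror}` stands alone as a transition condition. The model below is an added example, not code from the saeaadl/emv2 repository or from the commenters; the package, component, behavior and state names are invented for illustration, `ValueError` is taken from the standard `ErrorLibrary`, and it assumes the answer to the issue's question is yes, that is, that a condition consisting solely of `f1 {noerror}` is legal. It generalizes the "1 invalid value in 2 samples" case to three consecutive errors, with one decrement per good sample rather than a reset.

```aadl
package ConsecutiveErrors
public
  -- Added example, not part of the emv2 project. A consumer receives one
  -- sample per period on f1. EMV2 has no counters, so the number of
  -- consecutive bad samples is encoded in the behavior state: Ok, One, Two.
  -- A bad sample moves one state "up"; an error-free sample (f1 {noerror})
  -- moves one state "down", which is the "decrementing the counter" step
  -- from the discussion. A third consecutive bad sample activates the spare.
  system consumer
    features
      f1: in feature;   -- sampled input, one item per period
    annex EMV2 {**
      use types ErrorLibrary;
      use behavior ConsecutiveErrors::counter;

      error propagations
        -- only value errors are of interest for the count
        f1: in propagation {ValueError};
      end propagations;

      component error behavior
        transitions
          -- a bad sample increments the consecutive-error count
          up1:   Ok  -[f1 {ValueError}]-> One;
          up2:   One -[f1 {ValueError}]-> Two;
          up3:   Two -[f1 {ValueError}]-> SpareActive;
          -- an error-free sample decrements it; this is the condition
          -- the issue asks about, a lone noerror element on f1
          down2: Two -[f1 {noerror}]-> One;
          down1: One -[f1 {noerror}]-> Ok;
          -- Ok on a good sample and SpareActive on any sample stay put:
          -- no transition is declared, so the state is unchanged
      end component;
    **};
  end consumer;

  -- behavior machine referenced by "use behavior" above
  annex EMV2 {**
    error behavior counter
      states
        Ok: initial state;     -- zero consecutive bad samples
        One: state;            -- one consecutive bad sample
        Two: state;            -- two consecutive bad samples
        SpareActive: state;    -- third in a row: hot/cold spare activated
    end behavior;
  **};
end ConsecutiveErrors;
```

Without a stand-alone `noerror` condition, `down1` and `down2` cannot be expressed at all: the only other conditions available on `f1` are error types, so nothing could ever move the machine from `One` or `Two` back toward `Ok`, and any three bad samples over the lifetime of the system, not three in a row, would activate the spare. The 1-in-2 variant from the discussion is the same machine with `Two` removed and `up2` targeting the spare or a failed state directly.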