Proving Probabilistic Proving Probabilistic Properties of the I tai - - PowerPoint PPT Presentation

Proving Probabilistic Proving Probabilistic Properties of the Properties of the I tai I tai Rodeh Rodeh leader election protocol for leader election protocol for any Number of Processes any Number of Processes

Douglas Graham Douglas Graham

Department of Computing Science Department of Computing Science University of Glasgow University of Glasgow

30/06/2006 30/06/2006 2 2

Overview Overview

• Parameterised

Parameterised model checking model checking

– – Classical Classical parameterised parameterised model checking model checking problem problem – – Proof by induction: Proof by induction: Firewire Firewire example example – – Extending Extending Firewire Firewire & proof probabilistically & proof probabilistically

• Itai

Itai Rodeh Rodeh leader election protocol leader election protocol

– – Application of induction proof to Application of induction proof to Itai Itai Rodeh Rodeh

30/06/2006 30/06/2006 3 3

Parameterised Parameterised Model Model Checking Checking

• For system

For system M(N)=p(1) || p(2) || M(N)=p(1) || p(2) || … … || || p(N p(N) ) can only model check property can only model check property P P for fixed for fixed N N

• What if we want to verify for any

What if we want to verify for any N N? ?

• Undecidable

Undecidable in general but techniques in general but techniques apply for subclasses of system apply for subclasses of system

• E.g. proof by induction [Miller & Calder]

E.g. proof by induction [Miller & Calder]

– – Firewire Firewire leader election protocol leader election protocol

30/06/2006 30/06/2006 4 4

Parameterised Parameterised Model Model Checking Checking

2 1

30/06/2006 30/06/2006 5 5

Parameterised Parameterised Model Model Checking Checking

2 1 P

30/06/2006 30/06/2006 6 6

Parameterised Parameterised Model Model Checking Checking

2 1 C P

30/06/2006 30/06/2006 7 7

Parameterised Parameterised Model Model Checking Checking

2 1 A P

30/06/2006 30/06/2006 8 8

Parameterised Parameterised Model Model Checking Checking

1 P

30/06/2006 30/06/2006 9 9

Parameterised Parameterised Model Model Checking Checking

1 C

30/06/2006 30/06/2006 10 10

Parameterised Parameterised Model Model Checking Checking

1 A

30/06/2006 30/06/2006 11 11

Parameterised Parameterised Model Model Checking Checking

30/06/2006 30/06/2006 12 12

Parameterised Parameterised Model Model Checking Checking

• Notice that once child node has sent

Notice that once child node has sent ack ack it it no longer takes part no longer takes part

• System is described as

System is described as degenerative degenerative

• Can exploit this

Can exploit this behaviour behaviour

• Prove by induction that certain types of

Prove by induction that certain types of property hold for any number of nodes property hold for any number of nodes [Miller & Calder] [Miller & Calder]

30/06/2006 30/06/2006 13 13

Parameterised Parameterised Model Model Checking Checking

• Show property holds for `base

Show property holds for `base’ ’ system system – – star topology e.g. star topology e.g. “ “leader will always be leader will always be elected elected” ”

• For any configuration and size of system

For any configuration and size of system every execution of model is related ( every execution of model is related (stutter stutter equivalent) equivalent) to execution in model of to execution in model of smaller system smaller system

30/06/2006 30/06/2006 14 14

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• Can we apply degenerative approach to

Can we apply degenerative approach to probabilistic systems? probabilistic systems?

• Extend

Extend Firewire Firewire probabilistically probabilistically

– – Resolve Resolve “ “contention contention” ” situations with coin flip situations with coin flip – – Model as MDP in PRISM Model as MDP in PRISM

• Extend induction proof

Extend induction proof

– – “ “Executions Executions” ” are are DTMCs DTMCs not paths not paths – – Weak Weak bisimulation bisimulation instead of stutter instead of stutter equivalence equivalence

30/06/2006 30/06/2006 15 15

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• Can we apply induction approach to any

Can we apply induction approach to any

• ther degenerative probabilistic systems?
• ther degenerative probabilistic systems?
• Itai

Itai Rodeh Rodeh leader election protocol for leader election protocol for rings? rings?

30/06/2006 30/06/2006 16 16

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• Unidirectional ring of processes:

Unidirectional ring of processes:

30/06/2006 30/06/2006 17 17

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

1

• Each process flips coin and chooses 0 or 1 with

Each process flips coin and chooses 0 or 1 with equal probability equal probability

30/06/2006 30/06/2006 18 18

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

A A A P

• Each process then passes choice to

Each process then passes choice to neighbour neighbour; if ; if chosen 0 and receive 1 become passive chosen 0 and receive 1 become passive

30/06/2006 30/06/2006 19 19

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

A A A P

• Counter is then passed around ring by each

Counter is then passed around ring by each active process; counter is incremented by any active process; counter is incremented by any passive process passive process

30/06/2006 30/06/2006 20 20

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

A A A P

• Counter is then passed around ring by each

Counter is then passed around ring by each active process; counter is incremented by any active process; counter is incremented by any passive process passive process

1

30/06/2006 30/06/2006 21 21

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

1 1 P

• If any process receives counter of value N

If any process receives counter of value N-

• 1 then

1 then he becomes leader, else active processes choose he becomes leader, else active processes choose again again

30/06/2006 30/06/2006 22 22

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• Itai

Itai Rodeh Rodeh is partially degenerative is partially degenerative

– – When process becomes passive it only passes on When process becomes passive it only passes on messages messages… … – – … …but it can increment counter, whose max value is but it can increment counter, whose max value is dependent on N dependent on N

• Modelled

Modelled in PRISM as an MDP [ in PRISM as an MDP [Kwiatkowska Kwiatkowska et et al., al., Fokkink Fokkink et al.] et al.]

• Our model is variation of these using buffers of

Our model is variation of these using buffers of size N size N

30/06/2006 30/06/2006 23 23

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• Apply same approach as for

Apply same approach as for Firewire Firewire: :

– – Base system is ring of size 3, say (could be Base system is ring of size 3, say (could be anything that we can model check) anything that we can model check)

1 2 3

30/06/2006 30/06/2006 24 24

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• For N>2 show that

For N>2 show that M_N M_N ~ ~ M_N+1 M_N+1 where: where:

– – ~ is some ~ is some relationship between executions of relationship between executions of MDPs MDPs – – M_N M_N is model of system of size N is model of system of size N N 2 1 N+1 2 1

~ ~

30/06/2006 30/06/2006 25 25

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• Introduce series of

Introduce series of “ “intermediate intermediate” ” models models

• Define model

Define model Mc_N Mc_N as for as for M_N M_N but with but with buffer length N+1 buffer length N+1

• For system of size N, never more than N

For system of size N, never more than N messages in buffers [ messages in buffers [Fokkink Fokkink et al] et al]

• Mc_N

Mc_N isomorphic to isomorphic to M_N M_N M_N M_N = = Mc_N Mc_N

30/06/2006 30/06/2006 26 26

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• Define model

Define model Mp_N Mp_N

• As for

As for M_N+1 M_N+1 except initial except initial nondeterministic choice over processes nondeterministic choice over processes with one selected as passive with one selected as passive

• Passive process does not increment

Passive process does not increment counter counter

30/06/2006 30/06/2006 27 27

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

30/06/2006 30/06/2006 28 28

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

P

30/06/2006 30/06/2006 29 29

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

P

1

30/06/2006 30/06/2006 30 30

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

P

1

30/06/2006 30/06/2006 31 31

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• In

In Mp_N Mp_N buffers never contain>N messages buffers never contain>N messages

• If

If p p initial passive, number of messages initial passive, number of messages between between p p-

• 1

1 and and p+1 p+1 never > N never > N

– – NB count NB count p p as a as a “ “buffer buffer” ”

• Assume process

Assume process N+1 N+1 initial passive initial passive

• For

For Mp_N Mp_N relate buffers relate buffers between between N N and 1 to and 1 to buffer between buffer between N N and 1 in and 1 in Mc_N Mc_N

30/06/2006 30/06/2006 32 32

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

1 2 3

Mc_3 [ , , , ] [ , , , ] [0,0,2, ]

P(0) 2 1 3

[0, , , ] [ , , , ] [ , , , ] [2, , , ] Mp_3

30/06/2006 30/06/2006 33 33

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• For each execution of

For each execution of Mp_N Mp_N there exists there exists execution of execution of Mc_N Mc_N that is weakly that is weakly bisimilar bisimilar (under relation) and vice versa (under relation) and vice versa M_N M_N = = Mc_N Mc_N ≈ ≈ Mp_N Mp_N

30/06/2006 30/06/2006 34 34

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• Define

Define Mp_N Mp_N’ ’ as for as for Mp_N Mp_N but initial passive but initial passive increments counter increments counter

• Assume process

Assume process p p initial passive initial passive

• If counter has passed through

If counter has passed through p p then then relate relate state in state in Mp_N Mp_N’ ’ to state in to state in Mp_N Mp_N with with counter counter-

• 1

1

30/06/2006 30/06/2006 35 35

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

P A P(3) P

Mp_3’

P A P(2) P

Mp_3

30/06/2006 30/06/2006 36 36

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

P A P P(1)

Mp_3’

P A P P(1)

Mp_3

30/06/2006 30/06/2006 37 37

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• Again relation gives weak

Again relation gives weak bisimulation bisimulation between executions of models between executions of models M_N M_N = = Mc_N Mc_N ≈ ≈ Mp_N Mp_N ≈ ≈ Mp_N Mp_N’ ’

30/06/2006 30/06/2006 38 38

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• Finally want to show that

Finally want to show that Mp_N Mp_N’ ’ and and M_N+1 M_N+1 are related are related

• But choice of

But choice of inital inital passive probabilistic in passive probabilistic in M_N+1 M_N+1 and nondeterministic in and nondeterministic in Mp_N Mp_N’ ’

• Definition of relation between states is more

Definition of relation between states is more complex and remains to be resolved complex and remains to be resolved

30/06/2006 30/06/2006 39 39

Probabilistic Probabilistic Parameterised Parameterised Model Checking Model Checking

• Hence we have:

Hence we have:

M_N M_N = = Mc_N Mc_N ≈ ≈ Mp_N Mp_N ≈ ≈ Mp_N Mp_N’ ’ ?≈? M_N+1 M_N+1

• So assuming

So assuming Mp_N Mp_N’ ’ ≈ ≈ M_N+1 M_N+1 then by induction, then by induction, M_3 M_3 |= |= Φ Φ => for all N, => for all N, M_N M_N |= |= Φ Φ where where Φ Φ is a PCTL property that is a PCTL property that

– – does not index any process id does not index any process id – – does not contain next time or time bounded until does not contain next time or time bounded until

• perators
• perators
• E.g.

E.g. “ “with probability 1, a leader is elected with probability 1, a leader is elected” ”

30/06/2006 30/06/2006 40 40

Further Work Further Work

• Complete proof for

Complete proof for Itai Itai Rodeh Rodeh leader leader election election

• Apply to other degenerative systems

Apply to other degenerative systems

– – Randomised Randomised consensus weak shared coin consensus weak shared coin protocol ( protocol (Aspnes Aspnes & & Herlihy Herlihy) )