Synth` ese de syst` emes distribu es ouverts Nathalie Sznajder - - PowerPoint PPT Presentation

Synth` ese de syst` emes distribu´ es ouverts

Nathalie Sznajder

LSV, ENS Cachan & CNRS & INRIA Saclay IdF

12 Novembre 2009

Nathalie Sznajder PhD defense - November 12th, 2009 , p.1

Introduction

Need for formal methods

Nathalie Sznajder PhD defense - November 12th, 2009 , p.2

Introduction

Need for formal methods

Need for formal tools to check behaviors of critical programs:

◮ Test ◮ Computer-aided proofs ◮ Model-checking

Nathalie Sznajder PhD defense - November 12th, 2009 , p.2

Introduction

Principles of Model-checking

a system a specification

Nathalie Sznajder PhD defense - November 12th, 2009 , p.3

Introduction

Principles of Model-checking

Does a system satisfy a specification ?

Nathalie Sznajder PhD defense - November 12th, 2009 , p.3

Introduction

Principles of Model-checking

Does a system satisfy a specification ?

Nathalie Sznajder PhD defense - November 12th, 2009 , p.3

Introduction

Principles of Model-checking

Does a system satisfy a specification ? model

Nathalie Sznajder PhD defense - November 12th, 2009 , p.3

Introduction

Principles of Model-checking

Does a system satisfy a specification ? φ formula model

Nathalie Sznajder PhD defense - November 12th, 2009 , p.3

Introduction

Principles of Model-checking

Does a system satisfy a specification ? φ | =

Model-checking algorithm

formula model

Nathalie Sznajder PhD defense - November 12th, 2009 , p.3

Introduction

Synthesis

a specification

Nathalie Sznajder PhD defense - November 12th, 2009 , p.4

Introduction

Synthesis

Find a system satisfying a specification

Nathalie Sznajder PhD defense - November 12th, 2009 , p.4

Introduction

Synthesis

Find a system satisfying a specification

Nathalie Sznajder PhD defense - November 12th, 2009 , p.4

Introduction

Synthesis

Find a system satisfying a specification φ formula

Nathalie Sznajder PhD defense - November 12th, 2009 , p.4

Introduction

Synthesis

Find a system satisfying a specification φ | = formula model

Nathalie Sznajder PhD defense - November 12th, 2009 , p.4

Introduction

Synthesis of open and reactive systems

inputs from E

• utputs to E

Open system S

Nathalie Sznajder PhD defense - November 12th, 2009 , p.5

Introduction

Synthesis of open and reactive systems

inputs from E

• utputs to E

Open system S Specification ϕ

◮ Decide whether there exists a program st. P||E |

= ϕ, ∀E.

◮ Synthesis: If so, compute such a program.

For reasonable systems and specifications, the problems are decid- able.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.5

Introduction

Synthesis of open reactive systems different from satisfiability

Open system Eventually u = 1 u x

Nathalie Sznajder PhD defense - November 12th, 2009 , p.6

Introduction

Synthesis of open reactive systems different from satisfiability

Open system Eventually u = 1 u not controllable! u x

Nathalie Sznajder PhD defense - November 12th, 2009 , p.6

Introduction

Synthesis of open reactive systems different from satisfiability

Open system Eventually u = 1 u not controllable! x = 1 if and only if eventually u = 1 u x

Nathalie Sznajder PhD defense - November 12th, 2009 , p.6

Introduction

Synthesis of open reactive systems different from satisfiability

Open system Eventually u = 1 u not controllable! x = 1 if and only if eventually u = 1 the system cannot foresee what will happen! u x

Nathalie Sznajder PhD defense - November 12th, 2009 , p.6

Introduction

Synthesis of distributed open systems

input of E

• utput to E

Open distributed system S S1 S2 S3 S4 Specification ϕ

Nathalie Sznajder PhD defense - November 12th, 2009 , p.7

Introduction

Synthesis of distributed open systems

input of E

• utput to E

Open distributed system S S1 S2 S3 S4 Specification ϕ P1 P2 P3 P4

Two problems

◮ Decide the existence of a distributed program such that the

joint behavior P1||P2||P3||P4||E satisfies ϕ, for all E.

◮ Synthesis: If it exists, compute such a distributed program.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.7

Introduction

Synthesis of distributed systems

Main parameters

◮ Which semantics?

synchronous, asynchronous

◮ What kind of specification? ◮ What kind of memory for the programs?

local memory bounded or unbounded memory

Nathalie Sznajder PhD defense - November 12th, 2009 , p.8

Introduction

Outline

Introduction Synthesis of synchronous distributed systems Model and motivations Uncomparable information Uniformly well connected architectures Well connected architectures Synthesis of asynchronous distributed systems Model Specifications Decidability Results Conclusion

Nathalie Sznajder PhD defense - November 12th, 2009 , p.9

Synthesis of synchronous distributed systems

Outline

Introduction Synthesis of synchronous distributed systems Model and motivations Uncomparable information Uniformly well connected architectures Well connected architectures Synthesis of asynchronous distributed systems Model Specifications Decidability Results Conclusion

Nathalie Sznajder PhD defense - November 12th, 2009 , p.10

Synthesis of synchronous distributed systems

Distributed systems with shared variables

x0 x1 x2 x3 x4 x5 a1 a2 a3 a4

Architecture

◮ (Proc ⊎ V , E) bipartite graph, where

E ⊆ (Proc × V ) ∪ (V × Proc).

◮ VI ⊆ V input values from the environment, and VO ⊆ V

• utput values from the system, read by the environment.

◮ Sv (finite) domain for each variable v ∈ V . ◮ s0 ∈ SV initial state

where SI =

v∈I Sv for I ⊆ V .

Nathalie Sznajder PhD defense - November 12th, 2009 , p.11

Synthesis of synchronous distributed systems

Distributed systems with shared variables

x0 x0 x1 x2 x3 x4 x5 x4 x5 a1 a2 a3 a4

Architecture

◮ (Proc ⊎ V , E) bipartite graph, where

E ⊆ (Proc × V ) ∪ (V × Proc).

◮ VI ⊆ V input values from the environment, and VO ⊆ V

• utput values from the system, read by the environment.

◮ Sv (finite) domain for each variable v ∈ V . ◮ s0 ∈ SV initial state

where SI =

v∈I Sv for I ⊆ V .

Nathalie Sznajder PhD defense - November 12th, 2009 , p.11

Synthesis of synchronous distributed systems

Synthesis of synchronous distributed systems

x0 x1 x2 x3 x4 x5 a1 a2 a3 a4

Parameters

◮ Which semantics?

synchronous behaviors

Nathalie Sznajder PhD defense - November 12th, 2009 , p.12

Synthesis of synchronous distributed systems

Synthesis of synchronous distributed systems

x0 x1 x2 x3 x4 x5 a1 a2 a3 a4

Parameters

◮ Which semantics?

synchronous behaviors s0s1s2 · · · where sn ∈ SV are global states.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.12

Synthesis of synchronous distributed systems

Synthesis of synchronous distributed systems

x0 x1 x2 x3 x4 x5 a1 a2 a3 a4

Parameters

◮ Which semantics?

synchronous behaviors s0s1s2 · · · where sn ∈ SV are global states.

◮ With or without delays?

Nathalie Sznajder PhD defense - November 12th, 2009 , p.12

Synthesis of synchronous distributed systems

Synthesis of synchronous distributed systems

x0 x1 x2 x3 x4 x5 a1 a2 a3 a4 x1 x2 x3 x5 a3

Parameters

◮ Which semantics?

synchronous behaviors s0s1s2 · · · where sn ∈ SV are global states.

◮ With or without delays? ◮ What kind of memory for the program?

local memory f p : (SE −1(p))∗ → SE(p) for all p ∈ P.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.12

Synthesis of synchronous distributed systems

Synthesis of synchronous distributed systems

x0 x1 x2 x3 x4 x5 a1 a2 a3 a4 x0 x4 x5 x1 x2 x3

Parameters

◮ Which semantics?

synchronous behaviors s0s1s2 · · · where sn ∈ SV are global states.

◮ With or without delays? ◮ What kind of memory for the program?

local memory f p : (SE −1(p))∗ → SE(p) for all p ∈ P.

◮ What kind of specification? Temporal logic formulae, total or

external over words/trees over alphabet SV .

Nathalie Sznajder PhD defense - November 12th, 2009 , p.12

Synthesis of synchronous distributed systems

Synthesis of synchronous distributed systems

x0 x1 x2 x3 x4 x5 a1 a2 a3 a4 x0 x4 x5 x1 x2 x3

Parameters

◮ Which semantics?

synchronous behaviors s0s1s2 · · · where sn ∈ SV are global states.

◮ With or without delays? ◮ What kind of memory for the program?

local memory f p : (SE −1(p))∗ → SE(p) for all p ∈ P.

◮ What kind of specification? Temporal logic formulae, total or

external over words/trees over alphabet SV .

Nathalie Sznajder PhD defense - November 12th, 2009 , p.12

Synthesis of synchronous distributed systems

Synchronous runs

u t v x a1 a2 u1 u2 u3 . . . v1 v2 v3 . . . t1 t2 t3 . . . x1 x2 x3 . . .

◮ 0-delay:

ti = ft(u1 · · · ui) xi = fx((t1, v1) · · · (ti, vi))

◮ 1-delay:

ti = ft(u1 · · · ui−1) xi = fx((t1, v1) · · · (ti−1, vi−1))

Nathalie Sznajder PhD defense - November 12th, 2009 , p.13

Synthesis of synchronous distributed systems

Undecidable and decidable architectures

Pnueli-Rosner (FOCS’90)

Synthesis problem for synchronous distributed systems is undecid- able for LTL or CTL external or total specifications. u y v z a b

Nathalie Sznajder PhD defense - November 12th, 2009 , p.14

Synthesis of synchronous distributed systems

Undecidable and decidable architectures

Pnueli-Rosner (FOCS’90)

Synthesis problem for synchronous distributed systems is undecid- able for LTL or CTL external or total specifications.

Pnueli-Rosner (FOCS’90), Kupferman-Vardi (LICS’01)

Synthesis problem for pipeline architectures is decidable for CTL∗ total specifications. u y v z a b x y1 y2 z1 z2 z3 a1 a2 a3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.14

Synthesis of synchronous distributed systems

Undecidable and decidable architectures

Pnueli-Rosner (FOCS’90)

Synthesis problem for synchronous distributed systems is undecid- able for LTL or CTL external or total specifications.

Pnueli-Rosner (FOCS’90), Kupferman-Vardi (LICS’01)

Synthesis problem for pipeline architectures is decidable for CTL∗ total specifications. u y v z a b x y1 y2 z1 z2 z3 a1 a2 a3

?

Nathalie Sznajder PhD defense - November 12th, 2009 , p.14

Synthesis of synchronous distributed systems

Total specifications: Information fork criterion

Finkbeiner-Schewe (LICS’05)

Synthesis problem is decidable for a given architecture if and only if there is no information fork. u v p x0 x1 a b y0 y1 q w

Nathalie Sznajder PhD defense - November 12th, 2009 , p.15

Synthesis of synchronous distributed systems

Total specifications: Information fork criterion

Finkbeiner-Schewe (LICS’05)

Synthesis problem is decidable for a given architecture if and only if there is no information fork. u v p x0 x1 a b y0 y1 q w

Nathalie Sznajder PhD defense - November 12th, 2009 , p.15

Synthesis of synchronous distributed systems

Back to external specifications

u v y z b c x a

Nathalie Sznajder PhD defense - November 12th, 2009 , p.16

Synthesis of synchronous distributed systems

Back to external specifications

u v y z b c x a

Nathalie Sznajder PhD defense - November 12th, 2009 , p.16

Synthesis of synchronous distributed systems

Back to external specifications

u v y z b c x a

Finkbeiner-Schewe (LICS’05)

Synthesis problem is undecidable over this architecture with LTL total specifications.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.16

Synthesis of synchronous distributed systems

Back to external specifications

u v y z b c x a

Finkbeiner-Schewe (LICS’05)

Synthesis problem is undecidable over this architecture with LTL total specifications.

Pnueli-Rosner (FOCS’90)

Synthesis problem is decidable over this architecture with LTL ex- ternal specifications.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.16

Synthesis of synchronous distributed systems

What if we consider external specifications?

u y v z a b x y1 y2 y3 z1 z2 z3 a1 a2 a3

?

Nathalie Sznajder PhD defense - November 12th, 2009 , p.17

Synthesis of synchronous distributed systems

Architectures with uncomparable information

View of a variable

For an output variable x, View(x) is the set of input variables u such that x is accessible from u.

Uncomparable information (FSTTCS’06)

An architecture has uncomparable information if there exist x,y out- put variables such that View(x) \ View(y) = ∅ and View(y) \ View(x) = ∅. u v x y

Nathalie Sznajder PhD defense - November 12th, 2009 , p.18

Synthesis of synchronous distributed systems

Architectures with uncomparable information

View of a variable

For an output variable x, View(x) is the set of input variables u such that x is accessible from u.

Uncomparable information (FSTTCS’06)

An architecture has uncomparable information if there exist x,y out- put variables such that View(x) \ View(y) = ∅ and View(y) \ View(x) = ∅. Otherwise it is said to have linearly preordered information. u v x y u1 x1 u2 x2 u3 x3 u4 x4

Nathalie Sznajder PhD defense - November 12th, 2009 , p.18

Synthesis of synchronous distributed systems

Architectures with uncomparable information

View of a variable

For an output variable x, View(x) is the set of input variables u such that x is accessible from u.

Uncomparable information (FSTTCS’06)

An architecture has uncomparable information if there exist x,y out- put variables such that View(x) \ View(y) = ∅ and View(y) \ View(x) = ∅. Otherwise it is said to have linearly preordered information. u v x y u1 x1 u2 x2 u3 x3 u4 x4

Nathalie Sznajder PhD defense - November 12th, 2009 , p.18

Synthesis of synchronous distributed systems

Architectures with uncomparable information

View of a variable

For an output variable x, View(x) is the set of input variables u such that x is accessible from u.

Uncomparable information (FSTTCS’06)

An architecture has uncomparable information if there exist x,y out- put variables such that View(x) \ View(y) = ∅ and View(y) \ View(x) = ∅. Otherwise it is said to have linearly preordered information. u v x y u1 x1 u2 x2 u3 x3 u4 x4

Nathalie Sznajder PhD defense - November 12th, 2009 , p.18

Synthesis of synchronous distributed systems

Architectures with uncomparable information

View of a variable

For an output variable x, View(x) is the set of input variables u such that x is accessible from u.

Uncomparable information (FSTTCS’06)

An architecture has uncomparable information if there exist x,y out- put variables such that View(x) \ View(y) = ∅ and View(y) \ View(x) = ∅. Otherwise it is said to have linearly preordered information. u v x y u1 x1 u2 x2 u3 x3 u4 x4

Nathalie Sznajder PhD defense - November 12th, 2009 , p.18

Synthesis of synchronous distributed systems

Architectures with uncomparable information

View of a variable

For an output variable x, View(x) is the set of input variables u such that x is accessible from u.

Uncomparable information (FSTTCS’06)

An architecture has uncomparable information if there exist x,y out- put variables such that View(x) \ View(y) = ∅ and View(y) \ View(x) = ∅. Otherwise it is said to have linearly preordered information. u v x y u1 x1 u2 x2 u3 x3 u4 x4

Nathalie Sznajder PhD defense - November 12th, 2009 , p.18

Synthesis of synchronous distributed systems

Uncomparable information yields undecidability

Theorem (FSTTCS’06,FMSD’09)

Synthesis problem is undecidable for architectures with uncompara- ble information and LTL or CTL external specifications. u v x y

Nathalie Sznajder PhD defense - November 12th, 2009 , p.19

Synthesis of synchronous distributed systems

Uniformly well connected architectures

Definition

An architecture is uniformly well connected (UWC) if there is a unique routing which, for each output variable x, sends variables in View(x) to x. w u v p1 p2 s t p3 p4 p5 y x z

Nathalie Sznajder PhD defense - November 12th, 2009 , p.20

Synthesis of synchronous distributed systems

Uniformly well connected architectures

Definition

An architecture is uniformly well connected (UWC) if there is a unique routing which, for each output variable x, sends variables in View(x) to x. w u v p1 p2 s t p3 p4 p5 y x z

Nathalie Sznajder PhD defense - November 12th, 2009 , p.20

Synthesis of synchronous distributed systems

Uniformly well connected architectures

Definition

An architecture is uniformly well connected (UWC) if there is a unique routing which, for each output variable x, sends variables in View(x) to x. w u v p1 p2 s t p3 p4 p5 y x z

Nathalie Sznajder PhD defense - November 12th, 2009 , p.20

Synthesis of synchronous distributed systems

Uniformly well connected architectures

Definition

An architecture is uniformly well connected (UWC) if there is a unique routing which, for each output variable x, sends variables in View(x) to x. w u v p1 p2 s t p3 p4 p5 y x z

Nathalie Sznajder PhD defense - November 12th, 2009 , p.20

Synthesis of synchronous distributed systems

Uniformly well connected architectures

Definition

An architecture is uniformly well connected (UWC) if there is a unique routing which, for each output variable x, sends variables in View(x) to x. w u v p1 p2 s t u ⊕ v v ⊕ w p3 p4 p5 y x z

Nathalie Sznajder PhD defense - November 12th, 2009 , p.20

Synthesis of synchronous distributed systems

Decidability results

Proposition

Checking if an architecture is UWC is decidable, in 2-NEXPTIME and NP-hard.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.21

Synthesis of synchronous distributed systems

Decidability results

Proposition

Checking if an architecture is UWC is decidable, in 2-NEXPTIME and NP-hard.

Theorem (FSTTCS’06, FMSD’09)

Synthesis problem is decidable for UWC architectures with linearly preordered information and external specifications (branching or lin- ear time).

Proof idea

Routing is used for memoryless internal strategies.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.21

Synthesis of synchronous distributed systems

Robust specifications

Definition (FSTTCS’06, FMSD’09)

A formula ϕ in CTL∗ is robust if ϕ =

z∈Out ψz where ψz only

depends on View(z) ∪ {z}.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.22

Synthesis of synchronous distributed systems

Robust specifications

Definition (FSTTCS’06, FMSD’09)

A formula ϕ in CTL∗ is robust if ϕ =

z∈Out ψz where ψz only

depends on View(z) ∪ {z}. w u v p1 p2 s t p3 p4 p5 y x z

Nathalie Sznajder PhD defense - November 12th, 2009 , p.22

Synthesis of synchronous distributed systems

Robust specifications

Definition (FSTTCS’06, FMSD’09)

A formula ϕ in CTL∗ is robust if ϕ =

z∈Out ψz where ψz only

depends on View(z) ∪ {z}. w u v p1 p2 s t p3 p4 p5 y x z

Nathalie Sznajder PhD defense - November 12th, 2009 , p.22

Synthesis of synchronous distributed systems

Robust specifications

Definition (FSTTCS’06, FMSD’09)

A formula ϕ in CTL∗ is robust if ϕ =

z∈Out ψz where ψz only

depends on View(z) ∪ {z}. w u v p1 p2 s t p3 p4 p5 y x z

Nathalie Sznajder PhD defense - November 12th, 2009 , p.22

Synthesis of synchronous distributed systems

Robust specifications

Definition (FSTTCS’06,FMSD’09)

A formula ϕ ∈ CTL∗ is robust if ϕ =

z∈Out ψz where ψz only

depends on View(z) ∪ {z}.

Theorem (FSTTCS’06, FMSD’09)

Synthesis problem is decidable for uniformly well connected archi- tectures and external, robust CTL∗ specifications.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.23

Synthesis of synchronous distributed systems

Undecidable and decidable architectures - Total specifications

Information fork u y v z a b x y1 y2 z1 z2 z3 a1 a2 a3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.24

Synthesis of synchronous distributed systems

Undecidable and decidable architectures - External specifications

Uncomparable information

?

u y v z a b x y1 y2 z1 z2 z3 a1 a2 a3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.24

Synthesis of synchronous distributed systems

Undecidable and decidable architectures - External specifications

Uncomparable information Uncomparable information UWC architectures

?

u y v z a b x y1 y2 z1 z2 z3 a1 a2 a3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.24

Synthesis of synchronous distributed systems

Well Connected Architectures

Definition

An architecture is well connected if, for each output variable v, the subarchitecture formed by its ‘ancestors’ is UWC.

A well-connected architecture, but not UWC (from Rasala Lehman-Lehman, SODA’04)

u w z1 z2 z3 z4 z2 z3 z4 z12 z13 z14 z23 z24 z34

Nathalie Sznajder PhD defense - November 12th, 2009 , p.25

Synthesis of synchronous distributed systems

Well Connected Architectures

Definition

An architecture is well connected if, for each output variable v, the subarchitecture formed by its ‘ancestors’ is UWC.

A well-connected architecture, but not UWC (from Rasala Lehman-Lehman, SODA’04)

u w z1 z2 z3 z4 z1 z2 z3 z4 z12 z13 z14 z23 z24 z34

Nathalie Sznajder PhD defense - November 12th, 2009 , p.25

Synthesis of synchronous distributed systems

Well Connected Architectures

Definition

An architecture is well connected if, for each output variable v, the subarchitecture formed by its ‘ancestors’ is UWC.

A well-connected architecture, but not UWC (from Rasala Lehman-Lehman, SODA’04)

u w z1 z2 z3 z4 z1 z2 z3 z4 z12 z13 z14 z23 z24 z34

Nathalie Sznajder PhD defense - November 12th, 2009 , p.25

Synthesis of synchronous distributed systems

Well Connected Architectures

Definition

An architecture is well connected if, for each output variable v, the subarchitecture formed by its ‘ancestors’ is UWC.

A well-connected architecture, but not UWC (from Rasala Lehman-Lehman, SODA’04)

u w z1 z2 z3 z4 z1 z2 z3 z4 z12 z13 z14 z23 z24 z34

Nathalie Sznajder PhD defense - November 12th, 2009 , p.25

Synthesis of synchronous distributed systems

Well Connected Architectures

Definition

An architecture is well connected if, for each output variable v, the subarchitecture formed by its ‘ancestors’ is UWC.

A well-connected architecture, but not UWC (from Rasala Lehman-Lehman, SODA’04)

u w z1 z2 z3 z4 z2 z3 z4 z12 z13 z14 z23 z24 z34

Nathalie Sznajder PhD defense - November 12th, 2009 , p.25

Synthesis of synchronous distributed systems

Well Connected Architectures

Definition

An architecture is well connected if, for each output variable v, the subarchitecture formed by its ‘ancestors’ is UWC.

A well-connected architecture, but not UWC (from Rasala Lehman-Lehman, SODA’04)

u w z1 z2 z3 z4 z2 z3 z4 z12 z13 z14 z23 z24 z34

Nathalie Sznajder PhD defense - November 12th, 2009 , p.25

Synthesis of synchronous distributed systems

Well Connected Architectures

Definition

An architecture is well connected if, for each output variable v, the subarchitecture formed by its ‘ancestors’ is UWC.

A well-connected architecture, but not UWC (from Rasala Lehman-Lehman, SODA’04)

u w z1 z2 z3 z4 z2 z3 z4 z12 z13 z14 z23 z24 z34

Nathalie Sznajder PhD defense - November 12th, 2009 , p.25

Synthesis of synchronous distributed systems

Undecidability for well connected architectures with linearly preordered information

w u v x y z0 q0 p6 p z1 z2 z3 z4 p1 p2 p3 p4 p5 u1 w1 u2 w2 u3 w3 u4 w4 u5 w5 u6 w6

Nathalie Sznajder PhD defense - November 12th, 2009 , p.26

Synthesis of synchronous distributed systems

Undecidability for well connected architectures with linearly preordered information

w u v x y z0 q0 p6 p z1 z2 z3 z4 p1 p2 p3 p4 p5 u1 w1 u2 w2 u3 w3 u4 w4 u5 w5 u6 w6

Nathalie Sznajder PhD defense - November 12th, 2009 , p.26

Synthesis of synchronous distributed systems

Undecidability for well connected architectures with linearly preordered information

w u v x y z0 q0 p6 p z1 z2 z3 z4 p1 p2 p3 p4 p5 u1 w1 u2 w2 u3 w3 u4 w4 u5 w5 u6 w6 Process p6 knowing no value of u yields undecidability

Nathalie Sznajder PhD defense - November 12th, 2009 , p.26

Synthesis of synchronous distributed systems

Undecidability for well connected architectures with linearly preordered information

w u v x y z0 q0 p6 p z1 z2 z3 z4 p1 p2 p3 p4 p5 u1 w1 u2 w2 u3 w3 u4 w4 u5 w5 u6 w6 Process p6 knowing all values of u yields decidability

Nathalie Sznajder PhD defense - November 12th, 2009 , p.26

Synthesis of synchronous distributed systems

Undecidability for well connected architectures with linearly preordered information

w u v x y z0 q0 p6 p z1 z2 z3 z4 p1 p2 p3 p4 p5 u1 w1 u2 w2 u3 w3 u4 w4 u5 w5 u6 w6 Process p6 missing one bit of u yields undecidability

Nathalie Sznajder PhD defense - November 12th, 2009 , p.26

Synthesis of synchronous distributed systems

Undecidable and decidable architectures - External specifications

Uncomparable information Uncomparable information UWC architectures WC architectures

?

u y v z a b x y1 y2 z1 z2 z3 a1 a2 a3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.27

Synthesis of synchronous distributed systems

Related work

◮ Total specifications: [Kupferman-Vardi, LICS’01],

[Finkbeiner-Schewe, LICS’05]

◮ External specifications: [Pnueli-Rosner, FOCS’90], [S.,

PhD’09]

◮ Local specifications: [Madhusudan-Thiagarajan, ICALP’01] ◮ Distributed games framework: [Peterson-Reif, FOCS’79],

[Mohalik-Walukiewicz, FSTTCS’03], [Bernet-Janin, FCT’05]

Nathalie Sznajder PhD defense - November 12th, 2009 , p.28

Synthesis of asynchronous distributed systems

Outline

Introduction Synthesis of synchronous distributed systems Model and motivations Uncomparable information Uniformly well connected architectures Well connected architectures Synthesis of asynchronous distributed systems Model Specifications Decidability Results Conclusion

Nathalie Sznajder PhD defense - November 12th, 2009 , p.29

Synthesis of asynchronous distributed systems

Distributed Synthesis

Parameters

◮ Which semantics?

asynchronous executions are partial orders (Mazurkiewicz traces)

◮ What kind of memory for the programs?

local memory

◮ What kind of specification?

external, over partial orders

Nathalie Sznajder PhD defense - November 12th, 2009 , p.30

Synthesis of asynchronous distributed systems

Asynchronous semantics : communication through common actions

◮ Rendez-vous: two processes agree on a common action.

1 2 3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.31

Synthesis of asynchronous distributed systems

Asynchronous semantics : communication through common actions

◮ Rendez-vous: two processes agree on a common action.

1 2 3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.31

Synthesis of asynchronous distributed systems

Asynchronous semantics : communication through common actions

◮ Rendez-vous: two processes agree on a common action.

1 2 3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.31

Synthesis of asynchronous distributed systems

Asynchronous semantics : communication through common actions

◮ Rendez-vous: two processes agree on a common action.

1 2 3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.31

Synthesis of asynchronous distributed systems

Asynchronous semantics : communication through common actions

◮ Rendez-vous: two processes agree on a common action.

1 2 3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.31

Synthesis of asynchronous distributed systems

Asynchronous semantics : communication through common actions

◮ Rendez-vous: two processes agree on a common action.

1 2 3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.31

Synthesis of asynchronous distributed systems

Asynchronous semantics : communication through common actions

◮ Rendez-vous: two processes agree on a common action.

Drawback: For an action to be played, the two processes have to take the same decision, maybe with different knowledge. 1 2 3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.31

Synthesis of asynchronous distributed systems

Asynchronous semantics : communication through common actions

◮ Rendez-vous: two processes agree on a common action.

Drawback: For an action to be played, the two processes have to take the same decision, maybe with different knowledge.

◮ Signal: asymmetric rendez-vous. A common action is initiated

by only one process. 1 2 3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.31

Synthesis of asynchronous distributed systems

Communication by signals

Architectures

◮ Communication graph (Proc, E)

1 2 3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.32

Synthesis of asynchronous distributed systems

Communication by signals

Architectures

◮ Communication graph (Proc, E) ◮ For each process i, sets Ini and Outi of input and output

signals: Γ =

i∈Proc Ini ∪ i∈Proc Outi

1 2 3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.32

Synthesis of asynchronous distributed systems

Communication by signals

Architectures

◮ Communication graph (Proc, E) ◮ For each process i, sets Ini and Outi of input and output

signals: Γ =

i∈Proc Ini ∪ i∈Proc Outi ◮ For each process i,

Σc

i is the set of signals it can send (control),

Σi is the set of signals it can observe. 1 2 3 1 2 3

Nathalie Sznajder PhD defense - November 12th, 2009 , p.32

Synthesis of asynchronous distributed systems

Programs

◮ Strategies are partial functions fi : Σ∗ i → Σc i with local

memory. 1 2 3 f1 : b f2 : c f3 : d

Nathalie Sznajder PhD defense - November 12th, 2009 , p.33

Synthesis of asynchronous distributed systems

Programs

◮ Strategies are partial functions fi : Σ∗ i → Σc i with local

memory.

◮ Signal semantics implies reactivity of processes to events.

1 2 3 f1 : b f2 : c f3 : d

Nathalie Sznajder PhD defense - November 12th, 2009 , p.33

Synthesis of asynchronous distributed systems

Programs

◮ Strategies are partial functions fi : Σ∗ i → Σc i with local

memory.

◮ Signal semantics implies reactivity of processes to events.

1 2 3 a f1 : b′ f2 : c f3 : d

Nathalie Sznajder PhD defense - November 12th, 2009 , p.33

Synthesis of asynchronous distributed systems

Programs

◮ Strategies are partial functions fi : Σ∗ i → Σc i with local

memory.

◮ Signal semantics implies reactivity of processes to events.

1 2 3 a a′ f1 : b′ f2 : c′ f3 : d

Nathalie Sznajder PhD defense - November 12th, 2009 , p.33

Synthesis of asynchronous distributed systems

Programs

◮ Strategies are partial functions fi : Σ∗ i → Σc i with local

memory.

◮ Signal semantics implies reactivity of processes to events.

1 2 3 a a′ a′ f1 : b′ f2 : c f3 : d

Nathalie Sznajder PhD defense - November 12th, 2009 , p.33

Synthesis of asynchronous distributed systems

Programs

◮ Strategies are partial functions fi : Σ∗ i → Σc i with local

memory.

◮ Signal semantics implies reactivity of processes to events.

1 2 3 a a′ a′ b′ f1 : g f2 : h f3 : d

Nathalie Sznajder PhD defense - November 12th, 2009 , p.33

Synthesis of asynchronous distributed systems

Programs

◮ Strategies are partial functions fi : Σ∗ i → Σc i with local

memory.

◮ Signal semantics implies reactivity of processes to events.

1 2 3 a a′ a′ b′ h f1 : g f2 : i f3 : d

Nathalie Sznajder PhD defense - November 12th, 2009 , p.33

Synthesis of asynchronous distributed systems

Programs

◮ Strategies are partial functions fi : Σ∗ i → Σc i with local

memory.

◮ Signal semantics implies reactivity of processes to events.

1 2 3 a a′ a′ b′ h g f1 : j f2 : i f3 : d

Nathalie Sznajder PhD defense - November 12th, 2009 , p.33

Synthesis of asynchronous distributed systems

Programs

◮ Strategies are partial functions fi : Σ∗ i → Σc i with local

memory.

◮ Signal semantics implies reactivity of processes to events. ◮ A run respects a strategy f = (fi)i∈Proc (is an f -run) if each

event of process i labelled with a controllable action respects the strategy fi. 1 2 3 a a′ a′ b′ h g f1 : j f2 : i f3 : d k

Nathalie Sznajder PhD defense - November 12th, 2009 , p.33

Synthesis of asynchronous distributed systems

Programs

◮ Strategies are partial functions fi : Σ∗ i → Σc i with local

memory.

◮ Signal semantics implies reactivity of processes to events. ◮ A run respects a strategy f = (fi)i∈Proc (is an f -run) if each

event of process i labelled with a controllable action respects the strategy fi. 1 2 3 a a′ a′ b′ h g f1 : j f2 : i f3 : d d

Nathalie Sznajder PhD defense - November 12th, 2009 , p.33

Synthesis of asynchronous distributed systems

Programs

◮ Strategies are partial functions fi : Σ∗ i → Σc i with local

memory.

◮ Signal semantics implies reactivity of processes to events. ◮ A run respects a strategy f = (fi)i∈Proc (is an f -run) if each

event of process i labelled with a controllable action respects the strategy fi. 1 2 3 a a′ a′ b′ h g f1 : j f2 : i f3 : d a′′

Nathalie Sznajder PhD defense - November 12th, 2009 , p.33

Synthesis of asynchronous distributed systems

Fairness conditions

req1 req2 grant1 grant2 1 2

Nathalie Sznajder PhD defense - November 12th, 2009 , p.34

Synthesis of asynchronous distributed systems

Fairness conditions

req1 req2 grant1 grant2 1 2 G(req1 → (F grant1)) ∧ G(req2 → (F grant2))

Nathalie Sznajder PhD defense - November 12th, 2009 , p.34

Synthesis of asynchronous distributed systems

Fairness conditions

req1 req2 grant1 grant2 1 2 G(req1 → (F grant1)) ∧ G(req2 → (F grant2)) 1 2

req1 req1 req1 req1 req1 . . . req2 req2 req2 req2 req2 . . .

◮ Some runs are unfair for the processes.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.34

Synthesis of asynchronous distributed systems

Fairness conditions

req1 req2 grant1 grant2 1 2 G(req1 → (F grant1)) ∧ G(req2 → (F grant2)) 1 2

req1 req1 grant1 req1 grant1 . . . req2 req2 req2 req2 req2 . . .

◮ Some runs are unfair for the processes. ◮ Fairness has to be distributed.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.34

Synthesis of asynchronous distributed systems

Fairness conditions

req1 req2 grant1 grant2 1 2 G(req1 → (F grant1)) ∧ G(req2 → (F grant2)) 1 2

req1 req1 grant1 req1 grant1 . . . req2 req2 req2 req2 req2 . . .

f1(σ) = grant1 f2(σ) = grant2 UNFAIR

◮ Some runs are unfair for the processes. ◮ Fairness has to be distributed.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.34

Synthesis of asynchronous distributed systems

Models of an external specification

Parameters

◮ Which semantics?

asynchronous executions are partial orders (Mazurkiewicz traces)

◮ What kind of memory for the programs?

local memory

◮ What kind of specification?

external, over partial orders

Nathalie Sznajder PhD defense - November 12th, 2009 , p.35

Synthesis of asynchronous distributed systems

Models of an external specification

Parameters

◮ What kind of specification?

external, over partial orders

Nathalie Sznajder PhD defense - November 12th, 2009 , p.35

Synthesis of asynchronous distributed systems

Models of an external specification

Observable runs

Given a run t = (V , λ, ≤), we define the observable run by πΓ(t) = (Γ, λ|Γ, ≤ ∩ (Γ × Γ)) where Γ is the set of external actions.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.36

Synthesis of asynchronous distributed systems

Models of an external specification

Observable runs

Given a run t = (V , λ, ≤), we define the observable run by πΓ(t) = (Γ, λ|Γ, ≤ ∩ (Γ × Γ)) where Γ is the set of external actions. 1 2 3 a a′ a′ b′ h g c d

Nathalie Sznajder PhD defense - November 12th, 2009 , p.36

Synthesis of asynchronous distributed systems

Models of an external specification

Observable runs

Given a run t = (V , λ, ≤), we define the observable run by πΓ(t) = (Γ, λ|Γ, ≤ ∩ (Γ × Γ)) where Γ is the set of external actions. 1 2 3 a a′ a′ b′ h g c d a a′ a′ h g d

Nathalie Sznajder PhD defense - November 12th, 2009 , p.36

Synthesis of asynchronous distributed systems

Acceptable Specifications

Communication induces order relation

Nathalie Sznajder PhD defense - November 12th, 2009 , p.37

Synthesis of asynchronous distributed systems

Acceptable Specifications

Communication induces order relation

1 2 3 1 2 3 b a c

Nathalie Sznajder PhD defense - November 12th, 2009 , p.37

Synthesis of asynchronous distributed systems

Acceptable Specifications

Communication induces order relation

1 2 3 1 2 3 1 2 3 b a c b a

Nathalie Sznajder PhD defense - November 12th, 2009 , p.37

Synthesis of asynchronous distributed systems

Acceptable Specifications

Communication induces order relation

1 2 3 1 2 3 1 2 3 b a c b a

Nathalie Sznajder PhD defense - November 12th, 2009 , p.37

Synthesis of asynchronous distributed systems

Acceptable Specifications

Communication induces order relation

1 2 3 1 2 3 1 2 3 b a c b a

Nathalie Sznajder PhD defense - November 12th, 2009 , p.37

Synthesis of asynchronous distributed systems

Acceptable Specifications

Communication induces order relation

1 2 3 1 2 3 1 2 3 b a c b a c

Nathalie Sznajder PhD defense - November 12th, 2009 , p.37

Synthesis of asynchronous distributed systems

Acceptable Specifications

Communication induces order relation

1 2 3 1 2 3 1 2 3 b a c b a c b a c

Nathalie Sznajder PhD defense - November 12th, 2009 , p.37

Synthesis of asynchronous distributed systems

Acceptable Specifications

Communication induces order relation

1 2 3 1 2 3 1 2 3 b a c a b c

Nathalie Sznajder PhD defense - November 12th, 2009 , p.37

Synthesis of asynchronous distributed systems

Acceptable Specifications

Communication induces order relation

1 2 3 1 2 3 1 2 3 b a c a b c a b c

Nathalie Sznajder PhD defense - November 12th, 2009 , p.37

Synthesis of asynchronous distributed systems

Acceptable Specifications

Communication induces order relation

1 2 3 1 2 3 1 2 3 b a c a b c

Nathalie Sznajder PhD defense - November 12th, 2009 , p.37

Synthesis of asynchronous distributed systems

Acceptable Specifications

Communication induces order relation

1 2 3 1 2 3 1 2 3 b a c a b c a b c

Nathalie Sznajder PhD defense - November 12th, 2009 , p.37

Synthesis of asynchronous distributed systems

Acceptable Specifications

Restrictions on specifications

◮ Communication induces order relation: specifications should

not discriminate between a partial order and its order extensions

Nathalie Sznajder PhD defense - November 12th, 2009 , p.38

Synthesis of asynchronous distributed systems

Acceptable Specifications

Restrictions on specifications

◮ Communication induces order relation: specifications should

not discriminate between a partial order and its order extensions 1 2 3 b a c

Nathalie Sznajder PhD defense - November 12th, 2009 , p.38

Synthesis of asynchronous distributed systems

Acceptable Specifications

Restrictions on specifications

◮ Communication induces order relation: specifications should

not discriminate between a partial order and its order extensions 1 2 3 b a c 1 2 3 b a c 1 2 3 b a c 1 2 3 b a c

Nathalie Sznajder PhD defense - November 12th, 2009 , p.38

Synthesis of asynchronous distributed systems

Acceptable Specifications

Input events are not controllable by processes

1 2 3 1 2 3

req grant req’ Nathalie Sznajder PhD defense - November 12th, 2009 , p.39

Synthesis of asynchronous distributed systems

Acceptable Specifications

Input events are not controllable by processes

1 2 3 1 2 3 1 2 3

req grant req’ req Nathalie Sznajder PhD defense - November 12th, 2009 , p.39

Synthesis of asynchronous distributed systems

Acceptable Specifications

Input events are not controllable by processes

1 2 3 1 2 3 1 2 3

req grant req’ req Nathalie Sznajder PhD defense - November 12th, 2009 , p.39

Synthesis of asynchronous distributed systems

Acceptable Specifications

Input events are not controllable by processes

1 2 3 1 2 3 1 2 3

req grant req’ req grant Nathalie Sznajder PhD defense - November 12th, 2009 , p.39

Synthesis of asynchronous distributed systems

Acceptable Specifications

Input events are not controllable by processes

1 2 3 1 2 3 1 2 3

req grant req’ req grant req’ Nathalie Sznajder PhD defense - November 12th, 2009 , p.39

Synthesis of asynchronous distributed systems

Acceptable Specifications

Input events are not controllable by processes

1 2 3 1 2 3 1 2 3

req grant req’ req grant req’ grant req req’ Nathalie Sznajder PhD defense - November 12th, 2009 , p.39

Synthesis of asynchronous distributed systems

Acceptable Specifications

Input events are not controllable by processes

1 2 3 1 2 3 1 2 3

req grant req’ req grant req’ grant req req’ Nathalie Sznajder PhD defense - November 12th, 2009 , p.39

Synthesis of asynchronous distributed systems

Acceptable Specifications

Restrictions on specifications

◮ Communication induces order relation: specifications should

not discriminate between a partial order and its order extensions

◮ Input events are not controllable: specifications should not

discriminate between a partial order and its “weakenings”

Nathalie Sznajder PhD defense - November 12th, 2009 , p.40

Synthesis of asynchronous distributed systems

Acceptable Specifications

Restrictions on specifications

◮ Communication induces order relation: specifications should

not discriminate between a partial order and its order extensions

◮ Input events are not controllable: specifications should not

discriminate between a partial order and its “weakenings” 1 2 3 b a In

Nathalie Sznajder PhD defense - November 12th, 2009 , p.40

Synthesis of asynchronous distributed systems

Acceptable Specifications

Restrictions on specifications

◮ Communication induces order relation: specifications should

not discriminate between a partial order and its order extensions

◮ Input events are not controllable: specifications should not

discriminate between a partial order and its “weakenings” 1 2 3 b a In 1 2 3 b a In

Nathalie Sznajder PhD defense - November 12th, 2009 , p.40

Synthesis of asynchronous distributed systems

Fair synthesis problem

Nathalie Sznajder PhD defense - November 12th, 2009 , p.41

Synthesis of asynchronous distributed systems

Fair synthesis problem

Given an architecture a specification

Nathalie Sznajder PhD defense - November 12th, 2009 , p.41

Synthesis of asynchronous distributed systems

Fair synthesis problem

Given an architecture a specification Decide whether there exists a distributed program such that all its fair runs meet the specification.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.41

Synthesis of asynchronous distributed systems

Fair synthesis problem

Given an architecture a specification Decide whether there exists a distributed program such that all its fair runs meet the specification.

Theorem (SOFSEM’09 + PhD)

The fair synthesis problem over singleton architectures is decidable for regular specifications.

Nathalie Sznajder PhD defense - November 12th, 2009 , p.41

Synthesis of asynchronous distributed systems

Fair synthesis problem

Given an architecture a specification Decide whether there exists a distributed program such that all its fair runs meet the specification.

Theorem (SOFSEM’09 + PhD)

The fair synthesis problem over singleton architectures is decidable for regular specifications.

Theorem (SOFSEM’09 + PhD)

The fair synthesis problem over strongly connected architectures is decidable for acceptable specifications.

Proof idea

By reduction to the singleton

Nathalie Sznajder PhD defense - November 12th, 2009 , p.41

Synthesis of asynchronous distributed systems

Distributing a centralized strategy

Proof

1 2 3 4 1 2 3

◮ We select a cycle. ◮ The processes will use a token to play one at a time and

collect information on what happened in their past

◮ Aim: create a run that will be a weakening of some f -run over

the singleton

Nathalie Sznajder PhD defense - November 12th, 2009 , p.42

Synthesis of asynchronous distributed systems

Token passing

Example

1 2 3 1,2,3

Process 1 has the token at the beginning

1 2 3 t: t′

1:

t′

2:

t′

3: a a c req3 a a (Token,a·a)a c a a c c (Token,a·a·c·c) b a a c c req3 b

Nathalie Sznajder PhD defense - November 12th, 2009 , p.43

Synthesis of asynchronous distributed systems

Examples of strongly connected architectures

Nathalie Sznajder PhD defense - November 12th, 2009 , p.44

Synthesis of asynchronous distributed systems

Related Work

◮ Causal memory: [Gastin-Lerman-Zeitoun, FSTTCS’04],

[Madhusudan-Thiagarajan-Yang, FSTTCS’05]

◮ Local memory: [Madhusudan-Thiagarajan, CONCUR’02], [S.,

PhD’09]

◮ Distributed games framework: [Mohalik-Walukiewicz,

FSTTCS’03]

Nathalie Sznajder PhD defense - November 12th, 2009 , p.45

Conclusion

Outline

Introduction Synthesis of synchronous distributed systems Model and motivations Uncomparable information Uniformly well connected architectures Well connected architectures Synthesis of asynchronous distributed systems Model Specifications Decidability Results Conclusion

Nathalie Sznajder PhD defense - November 12th, 2009 , p.46

Conclusion

Summary

Synthesis of synchronous systems

◮ Necessary condition for decidability for external specifications ◮ Exhibition of a new class of architectures for which it becomes

a sufficient condition

◮ New undecidability proof giving new insights

Synthesis of asynchronous systems

◮ Definition of a realistic model for synthesis of asynchronous

systems

◮ Decidability of a class which is undecidable in the synchronous

case

Nathalie Sznajder PhD defense - November 12th, 2009 , p.47

Conclusion

Open problems

◮ Synchronous case

◮ Definition of a general decidability criterion for external

specifications in the synchronous case

◮ Asynchronous case

◮ Obtain decidability of the problem on all architectures

◮ Fault-tolerant synthesis

Nathalie Sznajder PhD defense - November 12th, 2009 , p.48

Conclusion

Thank you for your attention!

Nathalie Sznajder PhD defense - November 12th, 2009 , p.49