Verification and Synthesis of Symmetric Uni-Rings for Leads-To - - PowerPoint PPT Presentation

Verification and Synthesis of Symmetric Uni-Rings for Leads-To Properties

Ali Ebnenasir

aebnenas@mtu.edu Department of Computer Science College of Computing Michigan Technological University Houghton MI 49931 http://asd.cs.mtu.edu/

Parameterized Distributed Systems (PDS)

x1 xN-1 x0

Process/Node Read from Legend:

Dijkstra’s Token Ring for mutual exclusion: Family 2: just one process 𝛒2: Template process 2 Action0 : x0 = xN-1 à x0 := xN-1 + 1 𝛒1: Template process 1 Actioni : xi ≠ xi-1 à xi := xi-1

• Process Pi has xi ∈ ℤN = {0, 1, …, N-1}
• N denotes the total number of processes
• Addition and subtraction are done in modulo N

Family 1: N-1 symmetric processes

. . .

Read/Write P0 P1 PN-1

Q =∀i ∈ ℤN : ((xi-1 = xi)∨ (xi-1 = xi+1))

Significance

From System on Chip, to multithreaded programs and large scale network protocols.

Example: Agreement on Parity

• Parity on a fully symmetric unidirectional ring (uni-ring);

i.e., k =1

• Ring size: N>2, arbitrary but finite; i.e., 𝛒1 = {P0, …, PN-1}
• Process Pi : has a variable xi capturing set of writeable variables
• xi ∈ ℤ4 = {0, 1, 2, 3}
• Topology: uni-ring (read/write restrictions)
• read xi-1 and xi ; write xi
• Conjunctive state predicate Q =∀i ∈ ℤN : ((|xi-1 - xi | mod 2) = 0)
• Template Process:

Ai: (|xi-1 - xi | mod 2) ≠ 0 à xi := xi-1 ⊕4 2

x0 x1 x2 xN-1

P0 P1 P2

Proposed Method

Most existing methods for verification and synthesis: Correctness of a finite abstract model ⇒ Correctness of PDS We propose a method based on characterization of global failures in local state spaces of template processes in a topology-specific fashion. Absence of local characterizations ⇒ Correctness of PDS

Topology and Property-Specific Synthesis

• f R ↝ Q

Synthesize Algorithm for Uni-Ring

Parameterized Actions Satisfies R ↝ Q for an arbitrary (but finite) # of processes Variable xi and its domain

R =∀i ∈ ℤN : r(xi-1 - xi ) Q =∀i ∈ ℤN : q(xi-1 - xi )

Note: From any global state in R, the entire ring eventually reaches a global state in Q; i.e., global liveness.

• Specifications: Linear Temporal Logic
• Leads-To: ☐(R ⇒ ◇Q) ≣ (R ↝ Q )
• E.g., (true ↝ Q )

Failures of Leads-To in PDS

• Reaching global deadlocks and/or global livelocksfrom R
• Verification of deadlock-freedom is decidable. [ICDCS 2012]

[ICDCS 2012] A. Farahat and A. Ebnenasir, “Local reasoning for global convergence of parameterized rings,” in IEEE International Conference on Distributed Computing Systems (ICDCS), 2012, pp. 496–505.

Livelock-Freedom in Uni-Rings

• Theorem 1: Verifying livelock-freedom in symmetric uni-rings is

undecidable, even for deterministic, constant-space and self-disabling processes. [SSS’13, ACM TOCL’19]

• Self-disabling process: once it executes an action, it disables itself until

enabled again by its predecessor.

• Corollary: Verifying R ↝ Q in symmetric uni-rings is
• undecidable. (Proof in the paper)

[SSS’13] Alex Klinkhamer and Ali Ebnenasir, Verfiying Livelock Freedom of Parameterized Rings and Chains, 15th International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS 2013). [ACM TOCL’19] A. Klinkhamer and A. Ebnenasir, “On the verification of livelock-freedom and self-stabilization on parameterized rings,” ACM Transactions on Computational Logic, vol. 20, no. 3, pp. 1–36, 2019.

Local Characterization of Global Livelocks in Uni-Rings: Can we detect and construct global livelocks just by analyzing the local state transition system of the template process?

Action Graphs

• Protocols can be represented as labeled directed multi-graphs

in the local state space of the template process

• Vertices: values in the domain of xi ∈ {0, 1, 2, 3}
• Arcs: each arc (a, b, c) represents a local update of xi to c if xi-1=a and xi = b
• E.g., (0, 1, 2) means if xi-1=0 and xi = 1 then update xi to 2

(|xi-1 - xi | mod 2) ≠ 0 à xi := xi-1 ⊕4 2 1 3 0|2 0|2 2 1|3 1|3

Action Graphs

• Protocols can be represented as labeled directed multi-graphs

in the local state space of the template process

• Vertices: values in the domain of xi ∈ {0, 1, 2, 3}
• Arcs: each arc (a, b, c) represents a local update of xi to c if xi-1=a and xi = b
• E.g., (0, 1, 2) means if xi-1=0 and xi = 1 then update xi to 2

(|xi-1 - xi | mod 2) ≠ 0 à xi := xi-1 ⊕4 2 (0, 1, 2) 1 3 0|2 0|2 2 1|3 1|3

Action Graphs

• Protocols can be represented as labeled directed multi-graphs

in the local state space of the template process

• Vertices: values in the domain of xi ∈ {0, 1, 2, 3}
• Arcs: each arc (a, b, c) represents a local update of xi to c if xi-1=a and xi = b
• E.g., (0, 1, 2) means if xi-1=0 and xi = 1 then update xi to 2

(|xi-1 - xi | mod 2) ≠ 0 à xi := xi-1 ⊕4 2 (0, 1, 2) 1 3 0|2 0|2 xi-1 2 1|3 1|3

Action Graphs

• Protocols can be represented as labeled directed multi-graphs

in the local state space of the template process

• Vertices: values in the domain of xi ∈ {0, 1, 2, 3}
• Arcs: each arc (a, b, c) represents a local update of xi to c if xi-1=a and xi = b
• E.g., (0, 1, 2) means if xi-1=0 and xi = 1 then update xi to 2

(|xi-1 - xi | mod 2) ≠ 0 à xi := xi-1 ⊕4 2 (0, 1, 2) 1 3 0|2 0|2 xi-1 2 1|3 1|3 xi

Action Graphs

• Protocols can be represented as labeled directed multi-graphs

in the local state space of the template process

• Vertices: values in the domain of xi ∈ {0, 1, 2, 3}
• Arcs: each arc (a, b, c) represents a local update of xi to c if xi-1=a and xi = b
• E.g., (0, 1, 2) means if xi-1=0 and xi = 1 then update xi to 2

(|xi-1 - xi | mod 2) ≠ 0 à xi := xi-1 ⊕4 2 (0, 1, 2) 1 3 0|2 0|2 xi-1 set xi to 2 1|3 1|3 xi

Enabling Actions

1 3 0|2 0|2 2 1|3 1|3 (1, 2, 3), (3, 0, 1) (0, 3, 2), (2, 1, 0)

• An action of a process Pi may potentially enable another

action of Pi

Closed Walks in Action Graphs

• Propagation of enablement as closed walk: sequence of

consecutive actions A0 : (|xi-1 - xi | mod 2) ≠ 0 à xi := xi-1 ⊕4 2 1 3 0|2 0|2 2 1|3 1|3 Closed Walks 1 Closed Walks 2 (1, 2, 3), (3, 0, 1) (0, 3, 2), (2, 1, 0)

Enabling Closed Walks

• A closed walk enabling another closed walk.

1 3 0|2 2 Closed walk 1: (1, 2, 3), Closed walk 2:

Enabling Closed Walks

• A closed walk enabling another closed walk.

1 3 0|2 2 1|3 Closed walk 1: (1, 2, 3), Closed walk 2: (0, 3, 2),

Enabling Closed Walks

• A closed walk enabling another closed walk.

1 3 0|2 2 1|3 0|2 Closed walk 1: (1, 2, 3), (3, 0, 1) Closed walk 2: (0, 3, 2),

Enabling Closed Walks

• A closed walk enabling another closed walk.

1 3 0|2 2 1|3 0|2 1|3 Closed walk 1: (1, 2, 3), (3, 0, 1) Closed walk 2: (0, 3, 2), (2, 1, 0)

Enabling Closed Walks

• A closed walk enabling another closed walk.

1 3 0|2 2 1|3 0|2 1|3 Closed walk 1: (1, 2, 3), (3, 0, 1) Closed walk 2: (0, 3, 2), (2, 1, 0) Closed walk 1 enables closed walk 2.

Enabling Closed Walks

• A closed walk enabling another closed walk.

1 3 0|2 2 1|3 0|2 1|3 Closed walk 1: (1, 2, 3), (3, 0, 1) Closed walk 2: (0, 3, 2), (2, 1, 0) A closed walk of length n enables another closed walk of length n iff j-th action of the first walk enables the j-th action of the second walk, for 1≤ j ≤ n

Circularly Enabling Closed Walks

• Closed walk 2 also enables closed walk 1.

1 3 2 1|3 Closed walk 1: Closed walk 2: (0, 3, 2),

Circularly Enabling Closed Walks

• Closed walk 2 also enables closed walk 1.

1 3 0|2 2 1|3 Closed walk 1: (1, 2, 3), Closed walk 2: (0, 3, 2),

Circularly Enabling Closed Walks

• Closed walk 2 also enables closed walk 1.

1 3 0|2 2 1|3 1|3 Closed walk 1: (1, 2, 3), Closed walk 2: (0, 3, 2), (2, 1, 0)

Circularly Enabling Closed Walks

• Closed walk 2 also enables closed walk 1.

1 3 0|2 2 1|3 0|2 1|3 Closed walk 1: (1, 2, 3), (3, 0, 1) Closed walk 2: (0, 3, 2), (2, 1, 0)

Circularly Enabling Closed Walks

1 3 0|2 2 1|3 0|2 1|3 Closed walk 1: (1, 2, 3), (3, 0, 1) Closed walk 2: (0, 3, 2), (2, 1, 0) 2 circularly enabling closed walks, each of length 2.

Local Characterization of Global Livelocks

Theorem 2: There are m closed walks, each of length n, in the action graph that enable each other circularly (m > 1 and n ≥1) if and only if A uni-ring of symmetric, constant-space, deterministic and self-disabling processes has a livelock for a ring size (m × n)

[SSS’13] Alex Klinkhamer and Ali Ebnenasir, Verfiying Livelock Freedom of Parameterized Rings and Chains, 15th International Symposium

• n Stabilization, Safety, and Security of Distributed Systems (SSS 2013).

[ACM TOCL’19] A. Klinkhamer and A. Ebnenasir, “On the verification of livelock-freedom and self-stabilization on parameterized rings,” ACM Transactions on Computational Logic, vol. 20, no. 3, pp. 1–36, 2019.

Synthesize a PDS using just locality and action graphs?

Locality Graphs

• Local condition L(xi-1 , xi) can be represented as a directed

graph in the local state space of the template process

• Vertices: values in the domain of xi
• Arcs: for any pair of values a and b in domain of xi ,

include arc (a, b) if and only if L(a,b) is true

Locality Graphs Example

• Example: Sum-Not-2 in uni-ring

R =∀i ∈ ℤN : r(xi-1 - xi ) , where r(xi-1 , xi) = ((xi-1 = 2 ∧ xi =0) ∨ (xi-1 = 0 ∧ xi =2)), Q =∀i ∈ ℤN : q(xi-1 - xi ), where q(xi-1 , xi) = ((xi-1 +4 xi) ≠ 2) xi ∈ ℤ4 ={0, 1, 2, 3}

1 3 2 GR= (VR, AR) 1 3 2 GQ = (VQ, AQ)

q(0, 1) q(1, 3) r(0, 2)

Local Characterization of Global States in Uni-Rings

• Any cycle of length L in a locality graph captures a set of

global states in uni-rings of sizes (L × k) for k ≥1. [ICDCS 2012]

[ICDCS 2012] A. Farahat and A. Ebnenasir, “Local reasoning for global convergence of parameterized rings,” in IEEE International Conference on Distributed Computing Systems (ICDCS), 2012, pp. 496–505.

1 3 2 GQ = (VQ, AQ)

q(0, 1) q(1, 3)

q(xi-1 , xi) = ((xi-1 +4 xi) ≠ 2)

Synthesis Algorithm

– INPUT:

• xi and its domain
• R =∀i ∈ ℤN : r(xi-1 - xi )
• Q =∀i ∈ ℤN : q(xi-1 - xi )
• R ∩ Q = ∅
• OUTPUT: Parameterized actions of the template process of

uni-ring

Synthesis Algorithm: Step 1

• 1. Create the locality graphs of

R =∀i ∈ ℤN : r(xi-1 - xi ) , where r(xi-1 , xi) = ((xi-1 = 2 ∧ xi =0) ∨ (xi-1 = 0 ∧ xi =2)), Q =∀i ∈ ℤN : q(xi-1 - xi ), where q(xi-1 , xi) = ((xi-1 +4 xi) ≠ 2) xi ∈ ℤ4 ={0, 1, 2, 3}

1 3 2 GR 1 3 2 GQ

q(0, 1) q(1, 3) r(0, 2)

Synthesis Algorithm: Step 2

• 2. Find a value 𝛿 such that q(𝛿, 𝛿) holds in GQ

E.g., 𝛿 =2

1 3 2 GR 1 3 2 GQ

q(0, 1) q(1, 3) r(0, 2)

Synthesis Algorithm: Step 3

• 3. Induce a subgraph G’Q = (V’Q, A’Q) of GQ that includes only

the simple cycles containing 𝛿 1 3 2 GR 1 3 2 GQ

q(0, 1) q(1, 3) r(0, 2)

Synthesis Algorithm: Step 4

• 4. Compute a bottom-up spanning tree 𝜐 of G’Q rooted at 𝛿.

Rationale: compute any acyclic path towards 𝛿.

1 3 2 GR 1 3 2 GQ

r(0, 2) Spanning tree 𝜐

Synthesis Algorithm: Step 5

• 5. Compute the subset V’R of VR that do not participate in any

cycle

• e.g., V’R = {1, 3}

1 3 2 GR 1 3 2 GQ

r(0, 2)

Synthesis Algorithm: Step 6

• 6. Compute the set V’Rleaf of vertices in V’R that are leaves in 𝜐
• Remove the outgoing arcs of such vertices in 𝜐 , creating a tree 𝜐’.
• E.g., V’Rleaf = {1}

Rationale: exclude states in ¬R from where there is some path to q(𝛿, 𝛿).

1 3 2 GR 1 3 2 GQ

r(0, 2)

Synthesis Algorithm: Step 6

• 6. Compute the set V’Rleaf of vertices in V’R that are leaves in 𝜐

Remove the outgoing arcs of such vertices in 𝜐 , creating a tree 𝜐’. E.g., V’Rleaf = {1} Rationale: exclude states in ¬R from where there is some path to q(𝛿, 𝛿).

1 3 2 GR 1 3 2 GQ

r(0, 2)

Synthesis Algorithm: Step 7

• 7. R ∩ Q = ∅ implies that cycles of GR and GQ are arc disjoint.
• i.e., any correct protocol cannot include an arc (v, 𝛿) where r(v, 𝛿)
• holds. Include any other arc (v, 𝛿) for any v outside (V’Q ∪ V’Rleaf ).
• Example: no change in this case.

1 3 2 GR 1 3 2 GQ

r(0, 2)

Synthesis Algorithm: Step 8

• 8. If the resulting tree has no leaves in common with cycles of

GR then go to Step 2 and pick a different 𝛿. 1 3 2 GR 1 3 2 GQ

r(0, 2) Tree 𝜐’

Synthesis Algorithm: Step 8

• 8. Otherwise, include the self-loop (𝛿, 𝛿).

1 3 2 GR 1 3 2 GQ

r(0, 2)

Synthesis Algorithm: Step 9

• 9. Labelling: transforming the tree to an action graph.

for each leaf a, label its outgoing arc (a,c) with value b iff b ≠ c ∧ r(a,b) ∧ ¬q(a,b) 1 3 2 GR 1 3 2 GQ

r(0, 2)

Synthesis Algorithm: Step 9

• 9. Labelling:

for each leaf a, label its outgoing arc (a,c) with value b iff b ≠ c ∧ r(a,b) ∧ ¬q(a,b) 1 3 2 GQ

r(xi-1 , xi) = ((xi-1 = 2 ∧ xi =0) ∨ (xi-1 = 0 ∧ xi =2)) q(xi-1 , xi) = (xi-1 +4 xi ≠ 2) a = 0 and b =0 and c=3 ⇒ r(0, 0) is false; unacceptable! a = 0 and b =1 and c=3 ⇒ r(0, 1) is false; unacceptable! a = 0 and b =2 and c=3 ⇒ r(0, 2) holds and q(0, 2) is false; acceptable!

2

Synthesis Algorithm: Step 10

• 10. Labelling:

for any other arc (a,c), label it with value b iff b ≠ c ∧ ¬q(a,b) 1 3 2 GQ

r(xi-1 , xi) = ((xi-1 = 2 ∧ xi =0) ∨ (xi-1 = 0 ∧ xi =2)) q(xi-1 , xi) = (xi-1 +4 xi ≠ 2) a = 3 and b =0 and c=2 ⇒ q(3, 0) holds; unacceptable! a = 3 and b =1 and c=2 ⇒ q(3, 1) holds; unacceptable! a = 3 and b =3 and c=2 ⇒ q(3, 3) is false; acceptable!

2 3

Synthesis Algorithm: Step 10

• 10. Labelling:

for any other arc (a,c), label it with value b iff b ≠ c ∧ ¬q(a,b) 1 3 2 GQ

r(xi-1 , xi) = ((xi-1 = 2 ∧ xi =0) ∨ (xi-1 = 0 ∧ xi =2)) q(xi-1 , xi) = (xi-1 +4 xi ≠ 2) Similarly …

2 3

Synthesis Algorithm: Step 11

• 11. Generate parameterized actions

1 3 2 GQ 2 3 (xi-1 = 0 ∧ xi =2) → xi :=3; (xi-1 = 3 ∧ xi =3) → xi :=2; (xi-1 = 2 ∧ xi =0) → xi :=2;

Synthesis Algorithm

• Soundness:
• Starting in R, the synthesized protocol is deadlock-free because the

labelling method ensures that actions are enabled in R.

• The synthesized protocol is livelock-free because it has no closed walks

that circularly enable each other.

• Every process would eventually satisfy q(𝛿, 𝛿); i.e., Q is eventually

satisfied.

• Completeness:
• Theorem: No solution exists by reaching states where Q holds through

cyclic satisfaction q(c0, c1), q(c1, c2), … , q(c l-1, c0), for l> 1.

Conclusions

• Verifying fully symmetric uni-rings for R ↝ Q is undecidable, but

synthesizing symmetric uni-ring PDS that satisfy R ↝ Q is decidable!

• Local reasoning about global failures such as livelocksand deadlocks.
• Highly efficient verifiers and synthesizers with several hundred

degrees of magnitude improvement in time/space efficiency.

• Our model checker Prop [ACM TOCL’19] searches for closed walks instead of

backward/forward reachability analysis in over-approximated model.

• Finds and constructs global livelocks in rings in a few microsecond on a regular laptop.

[ACM TOCL’19] A. Klinkhamer and A. Ebnenasir, “On the verification of livelock-freedom and self-stabilization on parameterized rings,” ACM Transactions on Computational Logic, vol. 20, no. 3, pp. 1–36, 2019.

Long-Term Research Objective

Repository of Topology and Property-Specific Verification and Synthesis Algorithms/Tools Property 𝜒 Topology Verifier/ Synthesizer for 𝜒 and Topology Tm

. . .

DFTP p1 that satisfies 𝜒 on T1 DFTP pm that satisfies 𝜒 on Tm Compositionality Theorems/Rules DFTP p that satisfies 𝜒 on a compositional topology Verifier/ Synthesizer for 𝜒 and Topology T1

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Agreement on Mesh

Variable-Space Processes

Scalable composition of resilient ring and chain generating a scalable tube that can grow in depth and diameter.

x0 x1 x2 xn-1 x0 x1 x2 xn-1 x0 x1 x2 xn-1

HyperRing

HypeTree

Top-Down Tree Bottom-Up Tree

Thank you!