Detecting Temporal Logic Predicates on Distributed Computations

Slides:



Advertisements
Similar presentations
Model Checking Lecture 1.
Advertisements

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Modeling and Analyzing Periodic Distributed Computations Anurag Agarwal Vijay Garg Vinit Ogale The University.
1 Verification of Parameterized Systems Reducing Model Checking of the Few to the One. E. Allen Emerson, Richard J. Trefler and Thomas Wahl Junaid Surve.
Distributed Snapshots: Determining Global States of Distributed Systems - K. Mani Chandy and Leslie Lamport.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea
Lecture 24 MAS 714 Hartmut Klauck
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
Ordering and Consistent Cuts Presented By Biswanath Panda.
Distributed Systems Fall 2009 Logical time, global states, and debugging.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
NP Complexity By Mussie Araya. What is NP Complexity? Formal Definition: NP is the set of decision problems solvable in polynomial time by a non- deterministic.
CS6133 Software Specification and Verification
Survey on Trace Analyzer (2) Hong, Shin /34Survey on Trace Analyzer (2) KAIST.
On Reducing the Global State Graph for Verification of Distributed Computations Vijay K. Garg, Arindam Chakraborty Parallel and Distributed Systems Laboratory.
1 Bisimulations as a Technique for State Space Reductions.
“Virtual Time and Global States of Distributed Systems”
Lecture 81 Optimizing CTL Model checking + Model checking TCTL CS 5270 Lecture 9.
CS 267: Automated Verification Lecture 3: Fixpoints and Temporal Properties Instructor: Tevfik Bultan.
Distributed Systems Fall 2010 Logical time, global states, and debugging.
Defining Liveness by Bowen Alpern and Fred B. Schneider Presented by Joe Melnyk.
Case Studies of POTA Hong, Shin / 38
Parallel and Distributed Systems Laboratory Paradise: A Toolkit for Building Reliable Concurrent Systems Trace Verification for Parallel Systems Vijay.
Program Correctness. The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
ICDCS 2006 Efficient Incremental Optimal Chain Partition of Distributed Program Traces Selma Ikiz Vijay K. Garg Parallel and Distributed Systems Laboratory.
Parallel and Distributed Systems Laboratory Paradise: A Toolkit for Building Reliable Concurrent Systems On Building Reliable Concurrent Systems Vijay.
Theory of Computational Complexity Probability and Computing Chapter Hikaru Inada Iwama and Ito lab M1.
ICS 353: Design and Analysis of Algorithms NP-Complete Problems King Fahd University of Petroleum & Minerals Information & Computer Science Department.
The NP class. NP-completeness
Chapter 10 NP-Complete Problems.
Basic concepts of Model Checking
Formal methods: Lecture
Hybrid BDD and All-SAT Method for Model Checking
Richard Anderson Lecture 26 NP-Completeness
Richard Anderson Lecture 26 NP-Completeness
Distributed Snapshot.
NP-Completeness Yin Tat Lee
Intro to Theory of Computation
Intro to Theory of Computation
Propositional Calculus: Boolean Algebra and Simplification
ICS 353: Design and Analysis of Algorithms
A Fusion-based Approach for Tolerating Faults in Finite State Machines
Exploiting Predicate Structure for Efficient Reachability Detection
Generating Optimal Linear Temporal Logic Monitors by Coinduction
Chapter 8 NP and Computational Intractability
Efficient Incremental Optimal Chain Partition of Distributed Program Traces Selma Ikiz Vijay K. Garg Parallel and Distributed Systems Laboratory.
Producing short counterexamples using “crucial events”
Abstraction.
NP-Completeness Yin Tat Lee
CSE 6408 Advanced Algorithms.
Linear Time Properties
Introduction to verification
Dichotomies in CSP Karl Lieberherr inspired by the paper:
Runtime Safety Analysis of Multithreaded Programs
Distributed Snapshot.
Hints for Building Self-. Systems Vijay K
Instructor: Aaron Roth
Distributed Snapshot.
Presentation transcript:

Detecting Temporal Logic Predicates on Distributed Computations Vinit Ogale (ogale@ece.utexas.edu) and Vijay K. Garg (garg@ece.utexas.edu) Parallel and Distributed Systems Lab

Predicate Detection Predicate: A property expressed using variables on processes. e.g., more than one process is in critical section Predicate detection: Determining if an execution trace satisfies the predicate Program trace Yes Predicate detection predicate No

Trace Model: Total Order Total order: interleaving of events in a trace Temporal Rover [Drusinsky 03], Java-MaC [Kim, Kannan, Lee, Sokolsky, and Viswanathan 04], JPaX [Havelund and Rosu 04] PET [Gunter, Kurshan, Peled 00] Low computational complexity

Trace Model: Partial Order Partial order: Lamport’s happened-before model [Lamport 78] suitable for concurrent and distributed programs encodes exponential number of total orders ) captures bugs that may not be found with a total order

Partial Order Traces Predicate Detection Computation {e2, e1, f2, f1} P1 {e2, e1, f1} {e1, f2, f1} P2 {e2,e1} {e1, f1} f1 f2 {e1} {f1} Computation {} Let’s look at the partial order traces a little closer. To detect predicates on partial orders, we need to enumerate all the possible global states from the computation poset. f1 and f2 is not a possible global state, since for f2 to be present in the global state, e1 should also be included. these enumerated global states forms a distributive lattice which we call computation lattice. As seen from the example, the number global states might be exponential. hence, using partial order model also comes with its own difficulty – state explosion. Cooper and Marzullo gave an algorithm for general predicates in 91, later Mittal and Garg showed the NP-completeness of the problem. To overcome the state explosion problem, we follow two methods; Restricting predicate structures, and Using computation slicing method. From now on, to represent computation lattices, instead of using full global states, we’ll just keep a frontier from each process, So for this computation, frontier lattice representation looks like this. symbolic methods [McMillan 93, Stoller and Liu 98] partial order methods [Godefroid 90, Valmari 90, Peled 93, Esparza 94, Stoller et al. 00] : exploits the structure of the predicate by imposing restrictions on it stable [Chandy and Lamport 85] conjunctive [Garg and Waldecker 94 96, Hurfin et al. 96] observer-independent [Charron-Bost et. al. 95] linear [Chase and Garg 95] relational [Tomlinson and Garg 94] slicing method: concise representation of all states satisfying the predicate Slice for an arbitrary predicate NP-hard, in general. Efficient algorithms for linear predicates and Ç, Æ operators. [Mittal and Garg 01] Corresponding computation lattice Predicate Detection Exponential time algorithm for general predicate [Cooper and Marzullo 91] NP-complete for simple boolean expressions (2-CNF) [Mittal and Garg 01]

Structure of the Computation Lattice Frontier notation for cuts {e2,f3} instead of {e1,e2,f1,f2,f3} Meet/join of two cuts is their intersection/union Join irreducible cut: cannot be expressed as the join of two other cuts Ideal is a set of cuts: with a unique maximum contains all cuts less than the maximum e3, f3 e2, f3 e3, f2 e1, f3 e2, f2 e3,f1 e1, f2 f3 e2,f1 f2 e1,f1 The bottom element is not generally considered to be a JIRR but for ease of notation we consider it to be a JIRR in this presentation f1 {}

Special Classes of Predicates e3, f3 Stable predicate: once it becomes true, it stays true, e.g., deadlock [Chandy and Lamport 85] Meet/join closed: global states are closed under meet/join (intersection/union) Regular: meet and join closed [Garg and Mittal 01] e2, f3 e3, f2 e1, f3 e2, f2 e3,f1 e1, f2 f3 e2,f1 f2 e1,f1 f1 {}

Specification: Temporal Logic EG (p) AG (p) C C C EF (p) /  p subset of CTL [Clarke and Emerson 81] Examples: violation of mutual exclusion: EF(critical1 Æ critical2) starvation freedom : : EF(request Æ EG( : granted)) resettability, AG(EF(restart)) p is true safety and liveness properties specification detection: whether the initial state satisfies specification. path: a sequence of states st the next state is obtained from the current state by adding a single state. F: future, finally, eventually non-temporal

Previous Work: Temporal Predicates e3, f3 POTA [A. Sen and V.K. Garg 03] Efficient detection of RCTL predicates EF(), AG, EG, Æ JMPax (exponential time) [K. Sen, G. Rosu, G. Agha 05] e2, f3 e3, f2 e1, f3 e2, f2 e3,f1 e1, f2 f3 e2,f1 f2 e1,f1 f1 {}

BTL (Basis Temporal Logic) A predicate l in BTL is defined recursively as follows:  l  AP (AP is the set of atomic propositions, consists of local predicates) If P and Q are BTL predicates then the following are BTL predicates P  Q , P  Q , P P (also called EF(P)) AG(P) can be represented in BTL as   ( P) Sematics

Basis of a Computation Compact representation of the set of cuts which satisfy the given predicate Efficient detection of membership Computation lattice Predicate Basis

Simple Example of Basis Predicate class : Any ideal in the computational lattice The basis consists of the maximal element that satisfies the predicate e3, f3 e2, f3 e3, f2 e1, f3 e2, f2 e3,f1 e1, f2 f3 e2,f1 f2 e1,f1 f1 {}

Regular Predicates Slice: [Mittal, Garg 01] All join irreducible cuts of the smallest sublattice satisfying the predicate For regular predicates the slice is a basis e3, f3 e2, f3 e3, f2 e1, f3 e2, f2 e3,f1 e1, f2 f3 e2,f1 f2 e1,f1 Backup Slides of a predicate and the slice for that f1 {} A join irreducible element can not be expressed as the join of any other elements

Representing Stable Predicates P : set of ideals I ´ {C1, C2} Cut C ² P iff 8 C’ 2 I: : (C < C’) Note: This representation is not necessarily a basis Stable Predicate P c1 c2 Ideal with max c1 Ideal with max c2

Semiregular Predicates Can be expressed as: regular predicate Æ stable predicate Generalizes regular and stable predicates E.g. There is no token and all processes are red Semiregular Structure Tuple h slice, I i e3, f3 e2, f3 e3, f2 e1, f3 e2, f2 e3,f1 e1, f2 f3 e2,f1 f2 e1,f1 f1 {} Regular Predicate Stable Predicate Predicate is true

Main Idea of Algorithm A BTL predicate can be represented as a disjunction of semiregular predicates Basis for BTL predicates consists of a set of semiregular structures BTL predicate Semiregular predicates with efficient representation

Algorithm Inputs: Predicate Pin, Computation C

Predicate: pa Ç pb S[pa Ç pb] = S[pa]  S[pb] e3, f3 S[pa ] = { h slice1 , { [e3,f1], [f2]} i } e2, f3 e3, f2 S[pb ] = { h slice2 , { [f3 ], [e1, f1]} i } e1, f3 e2, f2 e3,f1 e1, f2 f3 e2,f1 f2 e1,f1 pb pa f1 {} S[pa Ç pb] = S[pa]  S[pb] = { h slice1 , { [e3,f1], [f2]} i , h slice2 , { [f3 ], [e1, f1]} i }

Predicate: pa Æ pb e3, f3 S[pa ] = { h slice1 , { [e3,f1], [f2]} i } e2, f3 e3, f2 S[pb ] = { h slice2 , { [f3 ], [e1, f1 ]} i } e1, f3 e2, f2 e3,f1 e1, f2 f3 e2,f1 pa f2 e1,f1 pb f1 {} S[pa Æ pb] = { h slice1 Å slice2 , { [e3, f1] ,[ f2 ], [f3], [ e1, f1 ] } i }

Algorithm to compute slice[pa] by Sen and Garg 03 Predicate: }(pa Ç pb ) e3, f3 e2, f3 e3, f2 e1, f3 e2, f2 e3,f1 e1, f2 f3 e2,f1 pa f2 e1,f1 pb } pa f1 } pb {} S[}(pa Æ pb)] = { h slice (}pa),{} i , h slice (}pb),{}i } Algorithm to compute slice[pa] by Sen and Garg 03

Predicate: :(pc Ç pd) max(slice[pc]) max(slice[pd]) S[pc  pd] ={ e3, f3 S[pc  pd] ={ slice[pc], {} ,  slice[pd], {}  } e2, f3 e3, f2 e1, f3 e2, f2 e3,f1 e1, f2 f3 e2,f1 S[(pc  pd )] ={ slice[original computation], { max(slice[pc], max(slice[pd] }  } \not \dia is stable predicate f2 e1,f1 f1 slice[pc] slice[pd] {}

Important Results Theorem 1: The basis for a BTL predicate has at most 2k semiregular structures Theorem 2: The total number of ideals in the basis is at most 2k Time Space Complexity: O(2k |E|n) |E| is the total number of events n is the number of processes (NP-Hard) w.r.t k Typically, fo rmost predicates it will be better than 2^k Where k is the size of the predicate

Experimental Results Basis-based Trace Verifier (BTV) Offline trace verifier implemented in Java POTA (with SPIN) BTV (Basis based trace verifier) Dining Philosophers Time (in seconds) (eat_0 \and eat_1) \or (eat1 \and eat2) \and (\Diamond ( (eat_2 \and eat_3) \or (eat_3 \and eat_4))) Violation of mutex now on some processes and violation of mutex on others processes any time in the future Number of processes

Conclusion Polynomial time predicate detection on partially ordered traces Properties composed of the following (nested) operators: Æ , Ç , : ,  . Implemented and tested on Java programs and hardware system level designs (SystemC)

Extra Slides

Properties of Semiregular Predicates All regular and stable predicates are semiregular Join-closed Closed under conjunction Closed under } and 

Basis of a Computation Given a computational lattice C, corresponding to a computation E, and a predicate P, a subset S[P] of C is a basis of P is (Compactness) The size of S[P] is polynomial in the size of the computation (Efficient membership) Given any cut C  C, there exists a polynomial time algorithm that takes S[P], E and C as inputs and determines if (C,E) ² P

Riv73 , Riv74 Any co-regular predicate can be expressed as an union of intervals, each interval defined by a join-irreducible element and a meet-irreducible element

Predicate: pb Ç pc e1 e2 e3 pb pc f1 f2 f3 Process 1 Process 2 e3, f2 e3, f3 e3,f1 e2, f2 e2, f3 e2,f1 e1, f2 e1, f3 e1,f1 f2 f3 f1 {} e1 e2 e3 pb pc Process 1 f1 f2 f3 Process 2 Original Computation Let’s look at disjunction of two semi-regular predicates; Let’s say yellow represents the states that hold pb, purple represents the states that hold pb. Disjunction is trivial. Computation Lattice

Predicate: pb Ç pc S[pb] ={ slice[pb], {} } e3, f3 e2, f3 e3, f2 S[pc] ={ slice[pc], {}  } e1, f3 e2, f2 e3,f1 e1, f2 f3 e2,f1 S[pb  pc] ={ slice[pb], {} ,  slice[pc], {}  } f2 e1,f1 Then, we first find slice for pb , then for pc, Then disjunction is trivial, mainly union of structure pb and pc. f1 slice[pb] slice[pc] {}

Algorithm Inputs: Predicate Pin, Computation C I will not go over the algorithm in detail, But given a computation and a predicate, k-slicing algorithm works recursively. Initially, we push all the negations inside the predicate. But we don’t push further when there’s a diamond. We have different approaches for different cases, such as local predicate , disjunction, conjunction, diamond P and not diamond P. I’ll go over some of them as an example.

Slicer Module : Big Picture state explosion trace keep all red consistent cuts slicing Given a computation a slice gives a concise representation of a subset of consistent cuts that satisfy a certain predicate Our goal is to spend polynomial-time effort to obtain the slice slice

Slice: Definition slice: a sub-trace such that: it contains all consistent cuts of the trace satisfying the given predicate it contains the least number of consistent cuts [Garg and Mittal 01, Mittal and Garg 01] trace Slicer slice Computation, trace, slice same among all such directed graphs it contains the least number of consistent cuts predicate

Slice: More Edges Less States Trace G C x=1,y=4 x=2 x=1 y=3 y=4 x=0 y=0 > x=1,y=3 x=2,y=4 ? x=1,y=0 x=2,y=3 x=2,y=0 x=0,y=3 x=0,y=0 slicing : ( (x = 1) Æ (y = 0) ) Trace H x=1,y=4 x=2 x=1 y=3 y=4 x=0 y=0 > x=1,y=3 x=2,y=4 :: We will explain the algorithm that adds edges later. it has E^2 complexity Notes: We have an algorithm to compute slice for local predicates and for disjunction. Predicate is not symmetric since y != 1 is satisfied at \bot ? x=2,y=3 x=2,y=0 x=0,y=3 x=0,y=0 Observation: edges in G µ edges in H iff cuts in H µ cuts in G. Idea: To obtain the slice, add edges to the trace.

Slice: Example D > D no message in transit slicing D > x=2 x=1 y=3 y=4 x=0 y=0 > x=1,y=4 x=1,y=3 x=2,y=4 ? D x=1,y=0 x=2,y=3 x=2,y=0 x=0,y=3 no message in transit x=0,y=0 slicing D x=2 x=1 y=3 y=4 x=0 y=0 > x=1,y=4 Two main ideas: 1) add Additional edges to obtain the slice 2) A cut Z that does not belong to the slice is such that for any additional edge (e, f) in the slice, Z includes f but not e. Notes: We have an algorithm to compute slice for local predicates and for disjunction. Predicate is not symmetric since y != 1 is satisfied at \bot x=1,y=3 x=2,y=4 ? x=1,y=0 x=2,y=3 x=2,y=0 x=0,y=3 x=0,y=0

Detect Bugs from Successful Traces : CS1 CS2 : CS2 CS1 : ordering, dependency e1 f1 f2 e2 Partial Order Trace : CS1 CS1 Process 1 Specification: CS1 Æ CS2 e1 e2 CS2 : CS2 Process 2 Consider an example trace as follows: …. Note that the trace does not have to be from a message passing program, it could be from a shared memory program or a hardware program. In fact, later on we will see an example of our technique on a hardware protocol. Let Trace 1 be the actual trace. In fact, there are several other possible traces that we can infer from the observed trace. from one trace to all traces that are consistent with the actual execution trace. Goal: predict bugs from successful traces. Runtime: may not even observe the bug Simulation: may observe the bug with exhaustive simulation, then the complexity is high f1 f2 : CS1 CS2 CS1 : CS2 e1 f1 e2 f2

Trace Model: Partial Order CS1 Process 1 Initially e0, f0 e1 e2 Partial Order Trace CS2 Process 2 f1 f2 e1, f0 e0, f0 e0, f1 e1, f1 e2, f0 e2, f1 e2, f2 e1, f2 State Space 1 Partial Order Trace captures 5 Total Order Traces Total Order Trace ´ Path in the State Space CS1 Æ CS2 1) Preserves concurrency 2) Encodes exponential number of total orders 3) Catches bugs not found using total orders 4) The best model for message passing programs, asynchronous circuits

Characterizing Predicates Predicates are generally characterized in terms of The computation (e.g. local predicates) or The computational lattice (e.g. semiregular predicates)

Characterizing Predicates We aim to relate these two characterizations E.g. Our algorithm for predicate detection can support any atomic proposition that is regular as well as co-regular. This is a more general class than local predicates and precisely characterizing such a class will automatically make the algorithm more general. Focus on locality, co-regularity, co-semiregularity and observer independence