Monitoring Partial Order Snapshots Doron Peled Bar Ilan University, Israel & University of Warwick, UK Joint work with Peter Niebert
Monitoring an interleaving sequence Assume a model of execution with local events and synchronous communication. Concurrent events are monitored according to some (arbitrary) order. What are global states? What global states appear on an execution (an execution sequence)?
Bank Example Two branches, initially $1M each. In one branch: deposit, $2M. In another branch: robbery. How to model the system?
Global state space (figure). Four global states, written (branch 1, branch 2): the initial state ($1M, $1M); the deposit takes branch 1 from $1M to $3M and the robbery takes branch 2 from $1M to $0M. From ($1M, $1M) the deposit leads to ($3M, $1M) and the robbery to ($1M, $0M); both continue to ($3M, $0M).
Should we invest in this bank? (figure: the same state space, with the global states annotated Invest! / Do not Invest! / Invest! according to what a monitor would conclude at that state.)
Two interleavings (figure). Both start at ($1M, $1M) and end at ($3M, $0M). Deposit before robbery passes through ($3M, $1M), annotated Invest!; robbery before deposit passes through ($1M, $0M), annotated Do not Invest! The conclusion of the monitor depends on the (arbitrary) order in which the concurrent events were observed.
Partial Order Semantics Sometimes called “real concurrency”. There is no total order between events. More intuitive. Closer to the actual behavior of the system. More difficult to analyze. Fewer verification results. Natural transformation between models. Partial order: (S, <), where < is Transitive: x<y /\ y<z implies x<z. Antisymmetric: for no x, y, x<y /\ y<x. Irreflexive: for no x, x<x.
Partial Order Description (figure): two separate chains, $1M → deposit → $3M for branch 1 and $1M → robbery → $0M for branch 2, with no order between deposit and robbery.
Constructing global snapshots (figure: the same two chains, with a cut through them). We can define global states or snapshots after a history-closed set of events S, i.e., if e ∈ S and f < e in the partial order, then f ∈ S.
Modeling with partial orders (figure). Two processes communicate over a synchronous channel ch: P1 loops m0: x:=x+1; m1: ch!x (back to m0). P2 loops n0: ch?z; n1: y:=y+z (back to n0). The communication ch!x / ch?z is a joint event of P1 and P2; x:=x+1 and y:=y+z are local events. Local states of P1 along the execution: pc1=m0,x=0; pc1=m1,x=1; pc1=m0,x=1; pc1=m1,x=2; pc1=m0,x=2. Local states of P2: pc2=n0,y=0,z=0; pc2=n1,y=0,z=1; pc2=n0,y=1,z=1; pc2=n1,y=1,z=2.
Linearizations: containing part of the snapshots as global states (figure). First linearization x:=x+1, ch!x/ch?z, x:=x+1, y:=y+z, ch!x/ch?z, visiting the global states pc1=m0,x=0,pc2=n0,y=0,z=0; pc1=m1,x=1,pc2=n0,y=0,z=0; pc1=m0,x=1,pc2=n1,y=0,z=1; pc1=m1,x=2,pc2=n1,y=0,z=1; pc1=m1,x=2,pc2=n0,y=1,z=1; pc1=m0,x=2,pc2=n1,y=1,z=2.
Linearizations: containing part of the snapshots as global states (figure). Second linearization x:=x+1, ch!x/ch?z, y:=y+z, x:=x+1, ch!x/ch?z, visiting the global states pc1=m0,x=0,pc2=n0,y=0,z=0; pc1=m1,x=1,pc2=n0,y=0,z=0; pc1=m0,x=1,pc2=n1,y=0,z=1; pc1=m0,x=1,pc2=n0,y=1,z=1; pc1=m1,x=2,pc2=n0,y=1,z=1; pc1=m0,x=2,pc2=n1,y=1,z=2. But in some sense we also have pc1=m1,x=2,pc2=n1,y=0,z=1: it is a snapshot of the same partial order execution, even though this linearization never passes through it.
Nondeterminism is different from concurrency: Bank with one teller (figure). Branch 1 has a single teller who must handle a $2M deposit and a $0.1M deposit one after the other, in either order ($1M → $3M → $3.1M or $1M → $1.1M → $3.1M); the robbery in branch 2 ($1M → $0M) is concurrent with both deposits.
Partial order execution 1 (figure): branch 1 takes the $2M deposit first, $1M → deposit → $3M → deposit → $3.1M; branch 2: $1M → robbery → $0M.
Partial order execution 2 (figure): branch 1 takes the $0.1M deposit first, $1M → deposit → $1.1M → deposit → $3.1M; branch 2: $1M → robbery → $0M.
Traces An equivalence relation among sequences. Symmetric and irreflexive independence relation I ⊆ Σ × Σ. Example: aIb, aIc (but not bIc). Then we have [abac] = {baac, abac, aabc, baca, abca, bcaa}. Snapshots of execution [abac] are the states after [a], [b], [ab], [aa], [bc], [aab], [abc]. The state after trace-equivalent sequences, e.g., aab, aba, baa, is the same, so we can talk about the state s[aab] after a trace [aab].
In our examples: Bank: deposit I robbery. Program: m0 I n1 (x:=x+1 is independent of y:=y+z). The definitions of global states using history-closed sets of events and using trace semantics are equivalent.
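As an added example (not part of the original slides), the following code computes the trace [abac] and its snapshots in both of the ways just described: once by taking prefixes of all trace-equivalent linearizations, and once by enumerating history-closed sets of events in the partial order. The independence relation, the word abac and the choice of the lexicographically smallest sequence as the representative of a trace are the assumptions; the two methods agree on the seven snapshots listed above (plus the empty and the complete trace).

```python
from itertools import combinations

# Constructed independence relation from the slides: a I b, a I c, but b and c are dependent.
INDEP = {("a", "b"), ("a", "c")}
WORD = "abac"


def dependent(x, y, indep=INDEP):
    """Letters are dependent unless the (symmetric) independence relation says otherwise."""
    return not ((x, y) in indep or (y, x) in indep)


def trace_class(word, indep=INDEP):
    """All sequences trace-equivalent to `word`: close under swapping adjacent independent letters."""
    seen, stack = {word}, [word]
    while stack:
        w = stack.pop()
        for i in range(len(w) - 1):
            if not dependent(w[i], w[i + 1], indep):
                u = w[:i] + w[i + 1] + w[i] + w[i + 2:]
                if u not in seen:
                    seen.add(u)
                    stack.append(u)
    return seen


def canonical(word, indep=INDEP):
    """Representative of the trace [word] (assumption: lexicographically smallest member)."""
    return min(trace_class(word, indep))


def prefix_traces(word, indep=INDEP):
    """Snapshots via linearizations: traces of all prefixes of all equivalent sequences."""
    return {canonical(w[:k], indep)
            for w in trace_class(word, indep) for k in range(len(w) + 1)}


def history_closed_cuts(word, indep=INDEP):
    """Snapshots via the partial order: event sets S with f < e and e in S implying f in S."""
    n = len(word)
    # before[j]: all events that precede event j in the partial order
    # (transitive closure of "i < j and word[i], word[j] dependent").
    before = [set() for _ in range(n)]
    for j in range(n):
        for i in range(j):
            if dependent(word[i], word[j], indep):
                before[j] |= before[i] | {i}
    cuts = set()
    for k in range(n + 1):
        for chosen in combinations(range(n), k):
            s = set(chosen)
            if all(before[e] <= s for e in s):          # history-closed?
                cuts.add(canonical("".join(word[i] for i in sorted(s)), indep))
    return cuts


if __name__ == "__main__":
    print(sorted(trace_class(WORD)))
    print(sorted(prefix_traces(WORD), key=lambda t: (len(t), t)))
    print(prefix_traces(WORD) == history_closed_cuts(WORD))
```

The `before` sets are a linear-time reconstruction of the partial order of one linearization; a monitor that only sees an interleaving can use exactly this dependency information to recover the cuts it never observed as global states.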
Extended LTL: with snapshots The logic SLTL Basic syntax as LTL. In addition, the “snapshot” operator [p], where p is a conjunction of positive and negative atomic propositions. Semantics of the new operator: (u, v) ⊨ [p] iff there exist finite sequences u1, u2 such that [u] = [u1][u2] and (u1, u2 v) ⊨ p, i.e., p holds at some snapshot of the trace [u] of the prefix observed so far.
How to monitor executions and find snapshots? A deterministic automaton that keeps all the global states that are subsumed on the way.
Automaton for prefixes of [aabc] (figure: nodes are sets of subsumed states, edges are labelled with the actions a, b, c).
How to construct this automaton? Each node consists of a set of pairs (s, A), where s is a (subsumed) state and A is a subset of actions. It denotes that s is a subsumed state, and it takes the actions A (with possible repetitions) in some order to reach the current state.
How to update nodes? On action b from node X to node Y: If (s, A) is in node X, then (s, A ∪ {b}) is in Y. If (s, A) is in node X and b is independent of all of A, then (b(s), A) is in Y. (figure: the current state t gives (t, ∅) in X and (b(t), ∅) in Y; a subsumed s gives (s, A ∪ {b}) and, when b commutes with A, (b(s), A).) Size: up to 2^(|S| × 2^|Σ|) nodes.
We make a restriction: Each process Pi will have its own set of propositions, related to the local states of Pi. We can write in [ … ] only a conjunction of local properties q1 /\ q2 /\ ... /\ qn, one per process. Freeze set: a subset of processes that satisfy the corresponding part of the local properties. (We can also keep the actual local states with the processes.)
Grow up freeze sets Case 1: cannot increase the freeze set further (figure with processes P1, P2, P3, P4). Existing freeze set. Execution of a joint action involving both a frozen and an unfrozen process kills the freeze set.
The red events do not form a history-closed set of events. Thus, they do not form a partial global state. But it is possible to grow a new subset (surrounded in the figure) including {P1, P2}, starting from the local states reached by the joint action.
Grow up freeze sets Case 2: independent event (figure). Existing subset. Execution of a joint action whose processes are all outside the subset extends the subset (with those of its processes whose new local states satisfy their local properties).
Grow up freeze sets Case 3: events of the subsumed set of processes (figure). Existing subset. Execution of a joint action whose processes are all inside the subset maintains the subset.
Can be formulated as follows: proc(a) – the set of processes that participate in action a. addproc(s, a) – when executing action a from state s, these are the processes of proc(a) whose resulting local states satisfy the local propositions that we check. Extension: Let F1 ⊆ addproc(s, a) and F2 an existing subset such that F2 ∩ proc(a) = ∅ (F2 may be empty). Then extend F1 into F1 ∪ F2. Propagation: For an existing subset F such that proc(a) ⊆ F, we maintain F. Any other existing subset (proc(a) ∩ F ≠ ∅ but proc(a) ⊄ F) is dropped.
Propagation of “ freeze sets ”
Success!! (figure: a freeze set has grown to include all processes; its frozen local states form a global snapshot satisfying the whole conjunction.)
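The following is an added example, not code from the original slides, that runs the extension/propagation/kill rules above over one linearization of the two-process program from the earlier slides. The program (x:=x+1, the joint ch!x/ch?z, y:=y+z), the representation of a freeze set as a frozenset of (process, frozen local state) pairs, and the local properties checked are assumptions. Monitoring the second linearization (x:=x+1, communication, y:=y+z, x:=x+1, communication) detects the snapshot pc1=m1,x=2 with pc2=n1,y=0,z=1 although that global state never appears on the sequence; a property that no history-closed cut satisfies is reported as not found, because the joint communication kills the freeze set that was started prematurely.

```python
from itertools import combinations

# Constructed system: local states are P1 = (pc1, x) and P2 = (pc2, y, z).
INIT = {"P1": ("m0", 0), "P2": ("n0", 0, 0)}


def inc(s):                       # P1 at m0: x := x + 1
    _, x = s["P1"]
    return {**s, "P1": ("m1", x + 1)}


def comm(s):                      # joint: P1 at m1 does ch!x, P2 at n0 does ch?z
    _, x = s["P1"]
    _, y, _ = s["P2"]
    return {**s, "P1": ("m0", x), "P2": ("n1", y, x)}


def add(s):                       # P2 at n1: y := y + z
    _, y, z = s["P2"]
    return {**s, "P2": ("n0", y + z, z)}


# action name -> (transition function, proc(a))
ACTIONS = {"inc": (inc, {"P1"}), "comm": (comm, {"P1", "P2"}), "add": (add, {"P2"})}


def nonempty_subsets(ps):
    ps = sorted(ps)
    return [frozenset(c) for k in range(1, len(ps) + 1) for c in combinations(ps, k)]


def monitor(run, local_props, init=INIT, actions=ACTIONS):
    """Freeze-set construction over one linearization `run` (list of action names).

    `local_props` maps each process to a predicate on its local state.  A freeze set
    is a frozenset of (process, frozen local state) pairs.  Returns (step, snapshot)
    for the first step at which a freeze set covers all processes, else None."""
    procs = set(init)
    state = init
    holds = lambda s, p: local_props[p](s[p])
    # The initial local states may already be frozen.
    freeze = {frozenset((p, state[p]) for p in F)
              for F in nonempty_subsets(p for p in procs if holds(state, p))}
    for step, name in enumerate(run, 1):
        f, proc_a = actions[name]
        state = f(state)
        addproc = {p for p in proc_a if holds(state, p)}
        fresh = [frozenset((p, state[p]) for p in F1) for F1 in nonempty_subsets(addproc)]
        nxt = set(fresh)                                   # extension with F2 = empty
        for F in freeze:
            owners = {p for p, _ in F}
            if proc_a <= owners:                           # case 3: maintain F
                nxt.add(F)
            elif not (proc_a & owners):                    # case 2: keep F and extend it
                nxt.add(F)
                nxt.update(F | F1 for F1 in fresh)
            # else: case 1, a joins frozen and unfrozen processes, F is killed
        freeze = nxt
        for F in freeze:
            if {p for p, _ in F} == procs:
                return step, dict(F)
    return None


# Constructed target: the snapshot the slides say is "in some sense" reached.
TARGET = {"P1": lambda s: s == ("m1", 2), "P2": lambda s: s == ("n1", 0, 1)}
# Constructed impossible target: P1 before its first send, P2 after its second receive.
IMPOSSIBLE = {"P1": lambda s: s == ("m1", 1), "P2": lambda s: s[0] == "n1" and s[1] == 1}

if __name__ == "__main__":
    print(monitor(["inc", "comm", "add", "inc", "comm"], TARGET))
    print(monitor(["inc", "comm", "inc", "add", "comm"], TARGET))
    print(monitor(["inc", "comm", "add", "inc", "comm"], IMPOSSIBLE))
```

Generating every subset of addproc(s, a) is what keeps a smaller freeze set alive when a larger one is later killed by a synchronization; the number of subsets is bounded by 2^|proc(a)|, which is small for the binary synchronizations shown here.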
How to store efficiently? The family T of freeze sets is closed under union and intersection. Need to store only a basis B of T: the members that are not unions of other members. In this case, the size of the basis is not larger than the number of processes. Update of the basis is polynomial.
Another example. We do not keep sets that are unions of others
Another example
We ignore some additional subsets: {P1, P2, P3}, etc., since they are unions of members already in the basis.
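As an added example (not from the original slides) of the storage scheme just described, the code below extracts the union-free basis of a family of freeze sets and rebuilds the family from it. The family itself is constructed for the example (four processes, where P3 can only be frozen together with P1 and P2) and is an assumption; for a family closed under union and intersection the basis has at most one member per process, as the slide states.

```python
from itertools import combinations


def basis(family):
    """Union-free basis: members that are not the union of strictly smaller members."""
    fam = {frozenset(s) for s in family}
    return {F for F in fam if F != frozenset().union(*[G for G in fam if G < F])}


def union_closure(base):
    """Rebuild the stored family from its basis by closing under (nonempty) unions."""
    base = [frozenset(s) for s in base]
    return {frozenset().union(*c) for k in range(1, len(base) + 1)
            for c in combinations(base, k)}


def closed_under_union_and_intersection(family):
    """Check the precondition of the slide (the empty set is not stored, so it is exempt)."""
    fam = {frozenset(s) for s in family}
    return all((A | B) in fam and (not (A & B) or (A & B) in fam)
               for A in fam for B in fam)


# Constructed family of freeze sets over processes P1..P4: P3 is only frozen with P1 and P2.
FAMILY = {frozenset(s) for s in [
    {"P1"}, {"P2"}, {"P1", "P2"}, {"P1", "P2", "P3"},
    {"P4"}, {"P1", "P4"}, {"P2", "P4"}, {"P1", "P2", "P4"}, {"P1", "P2", "P3", "P4"},
]}
PROCESSES = {"P1", "P2", "P3", "P4"}

if __name__ == "__main__":
    B = basis(FAMILY)
    print(sorted(sorted(F) for F in B))
    print(len(B) <= len(PROCESSES), union_closure(B) == FAMILY)
```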
How to perform model checking? Construct the automaton A¬φ for the negated formula as usual. Construct an automaton for each conjunction that appears inside the [ … ] operator, to run in parallel. The basis search is still polynomial in the number of processes and the size of the formula!
Conclusions Added the capability of partial orders into LTL specification. Freeze set construction for detecting global states that are subsumed during execution. Model checking is basically of the same complexity as for normal LTL!