Synthesis for Concurrent Models Anca Muscholl LIAFA, Univ. Paris 7 Dagstuhl, June 2005 joint work with Blaise Genest (Warwick, UK)
Framework Current applications/systems (web, networks, embedded systems…) are mostly distributed and asynchronous Design process needs formal methods and automatic verification techniques Here: Distributed synthesis for closed systems
Outline of talk Models for distributed systems Synthesis for shared-variable FSM Synthesis for communicating FSM Outlook
Distributed Models Fixed set of processes and FSM M p (one per process p) M p cooperate either through messages/signals (message-passing, I/0 automata) or shared variables (Petri nets, asynchronous automata)
Outline of talk Models for distributed systems Synthesis for shared-variable FSM Synthesis for communicating FSM Outlook
Shared-variable models distributed alphabet A = (A 1, …, A n ), over processes {1,2,…,n} action a involves processes from dom(a) = { i j a 2 A i } a-transition changes all local states of processes i 2 dom(a)
Shared variables Two flavors of transitions: (q 1,…,q n ) ! a (q’ 1,…,q’ n ) Loosely cooperating q i ! a,i q’ i for all i 2 dom(a) Synchronously communicating (asynchronous automata) (q i ) i 2 dom(a) ! a (q’ i ) i 2 dom(a)
Shared variables Example: A = {a,b,c}, A 1 = {a,b}, A 2 = {b,c} dom(a) = {1}, dom(b) = {1,2}, dom(c) = {2} q1 q2 a b c loosely-cooperating: if (0,0) ! b (1,1) and (1,1) ! b (0,0), then also (0,1) ! b (1,0) and (1,0) ! b (0,1)
Loosely cooperating case Given: FSM M = (Q, A, q 0, ! ) Q: Test whether M is equivalent to a loosely cooperating FSM, and construct one, if yes. PSPACE algorithm: test whether L(M) is a product language: L(M) = i Proj i L(M)
Synchronous communication Given: FSM M = (Q, A, q 0, !, F) Q: Test whether M is equivalent to a synchronously-communicating FSM, and construct one, if yes. PSPACE algorithm: test whether L(M) is commutation-closed: dom(a) Å dom(b) = ; implies u ab v 2 L(M) iff u ba v 2 L(M)
Synchronous communication alphabet A, independence relation || µ A £ A a || b iff dom(a) Å dom(b) = ; Mazurkiewicz trace [w] = set of words obtained from w by commuting independent adjacent letters Framework: Mazurkiewicz traces
Synchronous communication Example: A = {a,b,c}, A 1 = {a,b}, A 2 = {b,c} dom(a) = {1}, dom(b) = {1,2}, dom(c) = {2} trace [acabbca] = {acabbca, aacbbca, caabbac,…} L = ((aa+ac+ca+cc)* (a+c) b)* commutation-closed
Synchronous communication Zielonka’s Theorem ’87 For every commutation-closed regular language one can construct an equivalent, deterministic synchronous-communication FSM of doubly exponential size. Rem. Determinism hard to get. Doubly exponential only in number of processes.
Synchronous communication FSM M 1, M 2, with state set Q i = {0,1} each a-transition counts modulo 2 in Q 1 (c-transition modulo 2 in Q 2 ) each b-transition checks that the sum is odd, and resets both counters Example: A = {a,b,c}, A 1 = {a,b}, A 2 = {b,c} L = ((aa+ac+ca+cc) * (a+c) b) * comm.-closed
Synchronous communication Deterministic synchronous- comm. (Muller) FSM Regular, commutation- closed languages Monadic second-order logic over trace pomsets [Ebinger, Diekert, Muscholl, Thomas, Zielonka ‘9x]
Synchronous communication: deadlocks Additional requirement: deadlock-freeness Safe synchr.-comm. FSM: all reachable states are final [Stefanescu/Esparza/M.’03, Mukund’02] A regular, commutation-closed language L is safely implementable iff it is prefix- closed and satisfies the forward diamond property: ua 2 L, ub 2 L, a || b implies uab 2 L
Outline of talk Models for distributed systems Synthesis for shared-variable FSM Synthesis for communicating FSM Outlook
Asynchronous communication models Several peers exchange messages through P2P fifo channels (unbounded) Each peer: FSM with send/receive events to/from other peers ITU norm Z.100 (SDL)
Sequential processes P, Q, … Each process: FSM A P with events: send P snd Q(m), receive P rcv Q(m) Configuration of CFM = current local states s P + current contents of (FIFO) channels C P,Q infinite-state systems Communicating FSM (CFM)
Psnd C Crcv P FIFO channels P C PCPC rcv P snd C Psnd C Crcv P Psnd C Crcv P Psnd C Crcv P CFM Executions of CFM
CFM: Good for what? CFM hard to design (need to consider global runs/executions) … aka assembler programming CFM: models of protocols Suitable formalism for protocol specification?
PCPC rcv(P) snd(C) Psnd(C) Crcv(P) Psnd(C) Crcv(P) Psnd(C) Crcv(P) P C several executions: one diagram Message sequence chart (ITU norm Z120) Diagrams: One for All
Events a,b,c,d Partial order: process order: a < P c, b < C d message order: a < b, c < d time MSC P C a b c d Partial order semantics: Example: events b and c are uncomparable Message Sequence Charts (MSC, ITU Z.120)
Scenario-based formalism: positive and negative scenarios Capture requirements in visual form Good for high-level description Collection of MSC: MSC-graphs
P C P C P C P C Graph representation: composition, iteration, choice MSC-graph defines set of MSCs: Collections of scenarios: MSC-graphs
L(G) = set of MSC labeling accepting paths of G C1C1 C2C2 G P data C1C1 C2C2 P C1C1 C2C2 P ack resend ack A B C S = {A,B,C} Initial state A Final state C Accepting paths AB * C resend MSC-Graphs (ITU Z.120)
L(G) = set of MSC labelling accepting paths of G C1C1 C2C2 G P data C1C1 C2C2 P C1C1 C2C2 P ack resend ack C1C1 C2C2 P A B C MSC-Graphs: executions
L(G) = set of MSC labeling accepting paths of G C1C1 C2C2 G P data C1C1 C2C2 P C1C1 C2C2 P ack resend ack C1C1 C2C2 P data A B C A MSC-Graphs: executions
L(G) = set of MSC labeling accepting paths of G C1C1 C2C2 G P data C1C1 C2C2 P C1C1 C2C2 P ack resend ack C1C1 C2C2 P data resend ack resend A B C AB MSC-Graphs: executions
L(G) = set of MSC labeling accepting paths of G C1C1 C2C2 G P data C1C1 C2C2 P C1C1 C2C2 P ack resend ack C1C1 C2C2 P data resend ack resend ack A B C ABC MSC-Graphs: executions
P C MSC-graph equivalent to Specification PCPC rcv(P) snd(C) CFM Implementation CFM versus MSC-Graphs?
Mismatch between MSC and CFM CMSC CMSC-graph [Peled et al. ’01] Compositional MSC (CMSC) and CMSC-graphs
Synthesis: Communication Specification: high-level, abstract,.. MSC-graph,.. Implementation: local design Communicating FSM (CFM)
Synthesis: Bounded (regular) case A CFM is bounded if there is a bound B such that in any reachable configuration, the number of pending messages on any channel is · B. Loop-connected MSC-graph G: syntactical property ensuring boundedness (communication graph of each loop of G is strongly connected)
Bounded case: expressivity Bounded CFM [Mukund, Thiagarajan et al. 00] Loop-connected (C)MSC-graphs Monadic second-order logic over bounded MSCs
Bounded case Loop-connected MSC-graphs can be translated into finite automata, hence they can be model-checked. [M/Peled 99, Alur/Yannakakis 99] Distributed synthesis: from regular MSC language to CFM [Mukund, Thiagarajan et al. 00]
Bounded case: too weak PCPC rcv(P) snd(C) CFM Bounded CFM have low expressivity. Producer/consumer: typical unbounded behavior
Weakly bounded channels PCPC rcv(P) snd(C) R = (P snd(C) C rcv(P))* regular set of representatives: every execution of the CFM has an equivalent execution in R A CFM is weakly-B-bounded if its B-bounded executions build a set of representatives. Def.
Weakly bounded channels What does a weak channel bound mean? Receiving messages can be (fairly) scheduled within channels of some fixed size. Implementations of communication protocols are usually weakly bounded!
Weak bounds: expressivity Weakly-bounded CFM [Genest, Kuske, Muscholl 04] Globally- cooperative CMSC-graphs Monadic second order logic over w-bounded MSC
Weak bounds: main result Globally cooperative CMSC-graph Weakly-bounded CFM Regular set of B-bounded representatives Monadic second-order logic over w-bounded MSC Distributed synthesis
Some proof ideas weakly-2-bounded: P C a b a a b a b b a a b b a b a b a b a b a b, … Compute B-bounded executions by applying special rewriting rules (commutations). [Kuske’s trick] Example:
Weakly bounded CMSC-graphs and Mazurkiewicz traces a b ´ b a a,a,b,b} alphabet ab ab ab ´ a a b a b b ´ a a b b a b C P a a b M a b b [ab ab ab] ´ Mazurkiewicz trace commutation rules
B-bounded executions a a msg rev lPlP lPlP a b b lClC lClC b rev associates the i-th receive with the (i+2)-th send Process order < P Message order msg Relation rev B-bounded executions = set of Mazurkiewicz traces
Mazurkiewicz Trace Theory: [Zielonka ‘87] Synchr.-communicating automata Start with CMSC-graph (or MSO-formula) such that the set of B-bounded executions is a regular set of representatives Construct an equivalent, weakly-B-bounded CFM. special case of distributed synthesis From regular representatives to CFM
2. Simulate a synchr.-comm. automaton T by a CFM : 1. B-bounded executions: equivalent trace automaton T uses: process order message order rev relation (k 1 ) state k 1 k2k2 k3k3 (k 3 ) k4k4 (k 5,GUESS) k5k5 k6k6 check GUESS = k 2 From regular representatives to CFM
Using trace automata: equivalent CFM up to weakly-B-bounded executions Reject non-weakly-B-bounded MSCs: Given Set of MSCs with regular set of B-bounded representatives. Construct equivalent CFM Construct CFM that controls weakly-B-bounded on-the-fly. From regular representatives to CFM
Asynchronous communication: deadlocks Our implementation of weakly-bounded MSC- graphs has too many deadlocks Another approach [Genest, Concur’05]: Implement a given regular specification by adding messages (within a fixed architecture). Then: Any specification satisfying the diamond properties is deadlock-free implementable, if choices are always local.
Conclusion Shared-variable case is solved. Communication-based models: solved for language equivalence (modulo deadlocks), but other types of equivalence are even more challenging Weak channel bounds are a reasonable restriction: messages can be scheduled on finite channels
Outlook Deadlocks: find reasonable restrictions on specifications ensuring deadlock-free implementations (Genest’05) Extend the MSC-graph framework by partial views, synthesis from partial views? Open systems: Alternating synchr.-comm. automata (Gastin et al. ’04): special case CFM with uncontrolable processes?