Presentation is loading. Please wait.

Presentation is loading. Please wait.

Symbolic Synthesis of Masking Fault-Tolerant Distributed Programs Borzoo Bonakdarpour Workshop APRETAF January 23, 2009 Joint work with Sandeep Kulkarni.

Published byTimothy George Modified over 9 years ago

Similar presentations

Presentation on theme: "Symbolic Synthesis of Masking Fault-Tolerant Distributed Programs Borzoo Bonakdarpour Workshop APRETAF January 23, 2009 Joint work with Sandeep Kulkarni."— Presentation transcript:

1 Symbolic Synthesis of Masking Fault-Tolerant Distributed Programs Borzoo Bonakdarpour Workshop APRETAF January 23, 2009 Joint work with Sandeep Kulkarni

2 2 Motivation The most important goal of formal methods is achieving correctness in computing systems (programs). –Correct-by-verification A program is built manually The correctness of the program is verified by a model checker or a theorem prover. –Correct-by-construction A program is constructed so that its correctness is guaranteed. Manual Design Verification

3 3 Motivation Automated synthesis from temporal logic specifications –Pros: Ability to start from a null program Capability to handle highly expressive specifications –Cons: Highly complex decision procedures Limited to no reusability Automated program revision –An existing program is revised with respect to a property

4 4 Question: –Is it possible to revise the program automatically such that it satisfies the failed property while ensuring satisfaction of existing properties? bugs incomplete specification change of environment Counterexample Property Model Checker Model Checker Program Motivation

5 5 Revised program Property RevisionAlgorithmRevisionAlgorithm Program Motivation

6 6 A one-lane bridge is controlled by two traffic signals at the two ends of the bridge. (sig 1 = G)  (1 ≤ x 1 ≤ 10) sig 1 := Y; [] (1)(2) (sig 1 = Y)  (1 ≤ y 1 ≤ 2) sig 1 := R ; [] (sig 2 = R)  (z 1 ≤ 1) sig 2 := G ; [] {y1}{y1} {z1}{z1} {x2}{x2} Controller Program: ((sig 1 = G)  (x 1 ≤ 10))  ((sig 1 = Y )  (y 1 ≤ 2))  ((sig 1 = R)  (z 2 ≤ 1)) wait; SPEC bt = {(  0,  1 ) | sig 1 (  1 ) ≠ R  sig 2 (  1 ) ≠ R}

7 7 true skip; {z2}{z2} Traffic Controller Fault Action: (1)(2) 1. ( sig 1 = sig 2 = R)  (z 1 ≤ 1)  (z 2 > 1) 2. (sig 1 = sig 2 = R)  (z 1 ≤ 1)  (z 2 = 0) 3. (sig 1 = G)  ( sig 2 = R)  (z 1 ≤ 1)  (z 2 = 0) 4. (sig 1 = G)  (sig 2 =G)  (z 1 ≤ 1)  (z 2 = 0) Motivation

8 81982 2000 1986 1989 Vardi and Wolper introduce automata-theoretic verfication and synthesis Vardi and Wolper introduce automata-theoretic verfication and synthesis 20051992 Alur and Henzinger propose verification and synthesis of real-time systems Alur and Henzinger propose verification and synthesis of real-time systems Clarke, Emerson, Sifakis, and Queille invent model checking 1981 Emerson and Clarke propose synthesis from CTL properties McMilan et al. intorduce BDD-based model checking (10 20 reachable states) and find bugs in IEEE futurebus+ 1993 Wonham and Ramadge introduce controller synthesis Wonham and Ramadge introduce controller synthesis Intel reports bug in floating point operations in Pentium processors 1994 Clarke and Grumberg introduce counterexample guided abstraction-refinement (CEGAR), 10 1000 reachable states 1999 Kulkarni and Arora introduce automated addition of fault- tolerance to fault- intolerant programs Biere and Clarke invent SAT-based model checking (10 500 reachable states) Biere and Clarke invent SAT-based model checking (10 500 reachable states) Bonakdarpour, Kulkarni, and Ebnenasir, and, Jobstmann and Bloem independently introduce program revision (repair) techniques 2007 Bonakdarpour and Kulkarni synthesize distributed programs of size 10 50 Clarke, Emerson, Sifakis, and Queille invent model checking McMilan et al. intorduce BDD-based model checking (10 20 reachable states) and find bugs in IEEE futurebus+ Mohamed Gouda: When does your “12 years” end?! Mohamed Gouda: When does your “12 years” end?! 2008 Motivation

9 9 InvariantInvariant f f f Fault-Span State space p p p p p p p p p p f f The Synthesis Problem

10 10 The Issue of Distribution Modeling distributed programs: –A program consists of a set of processes. Each process p is specified by: A set V p of variables, A set T p of transitions, A set R p  V p of variables that p is allowed to read, A set W p  R p of variable that p is allowed to write. Write restrictions a = 0 b = 1 a = 0 b = 1 a = 1 b = 1 a = 1 b = 1 a  Wpa  Wp a = 0 b = 1 a = 0 b = 1 a = 1 b = 1 a = 1 b = 1 a  Wpa  Wp Such transitions cannot be executed by process p.

11 11 Read restrictions a = 1 b = 0 a = 1 b = 0 a = 0 b = 0 a = 0 b = 0 b  Rpb  Rp a = 1 b = 1 a = 1 b = 1 a = 0 b = 1 a = 0 b = 1 a = 1 b = 0 a = 1 b = 0 a = 0 b = 0 a = 0 b = 0 b  Rpb  Rp a = 1 b = 1 a = 1 b = 1 a = 0 b = 1 a = 0 b = 1 –Such set of transitions form a group. –Addition and removal of any transition must occur along with its entire group. The Issue of Distribution

12 12 What Is Difficult About Program Revision? Space complexity –The state explosion problem Time complexity –NP-completeness Identifying the complexity hierarchy of the problem The need for designing efficient heuristics Proofs are often helpful in identifying bottlenecks of the problem The combination of the above complexities is the worst nightmare!

13 13 Daniel Mosé: As that wise man said “bridging the gap between theory and practice is easier in theory than in practice!” Daniel Mosé: As that wise man said “bridging the gap between theory and practice is easier in theory than in practice!” What Is Difficult About Program Revision?

14 14 The Byzantine Agreement Problem Decision d.g  {0, 1} (d.j =  )  ( f.j = false)  d.j := d.g (d.j   )  ( f.j = false)  f.j := true d.j d.k  {0, 1,  } d.l Decision f.j f.k  {false, true} f.l Final? GENERAL NON-GENERALS Program:

15 15 The Byzantine Agreement Problem Byzantine? b.g  {false, true} b.j b.k  {false, true} b.l Byzantine? (b.j, b.k, b.l, b.g = false)  b.j := true (b.j := true)  d.j := 0|1 Faults:

16 16 Experimental results with enumerative (explicit) state space (the tool FTSyn) –Byzantine agreement - 3 processes 6912 states Time: 10s –Byzantine agreement - 4 processes 82944 states Time: 15m –Byzantine agreement - 5 processes 995328 states Out of memory! What Is Difficult About Program Revision?

17 17 Polynomial -Time Heuristics Identify the state predicate ms from where faults alone violate the safety; S := S  ms ms SPEC f f f f

18 18 Identify the state predicate ms from where faults alone violate the safety; S := S  ms Polynomial -Time Heuristics Re-compute the fault-span ms Inv. Fault-Span f f f f p p f p BDD frontier = Invariant; BDD current = mgr -> bddZero(); BDD FaultSpan = Invariant; while (FaultSpan != current) { current = FaultSpan; BDD image = frontier * (P + F); // -FaulSpan frontier = Unprime(image ); FaultSpan = current + frontier; } BDD frontier = Invariant; BDD current = mgr -> bddZero(); BDD FaultSpan = Invariant; while (FaultSpan != current) { current = FaultSpan; BDD image = frontier * (P + F); // -FaulSpan frontier = Unprime(image ); FaultSpan = current + frontier; }

19 19 Polynomial -Time Heuristics Yes No Identify the state predicate ms from where faults alone violate the safety; S := S  ms Re-compute the fault-span Identify transitions in the fault-intolerant program that may be included in the fault-tolerant program Fixpoint? Resolve deadlock states Invariant Fault-Span ff p p p Re-computing state predicates or transitions predicates do not occur often in model checking, but it does happen quite often during synthesis. s0s0 s1s1

20 20 Experimental Results Polynomial-time sound BDD-based heuristics –The tool SYCRAFT (http://www.cse.msu.edu/~borzoo/sycraft) –C++ –CuDD (Colorado University Decision Diagram Package) Platform –Dedicated PC –2.2GHz AMD Opteron processor –1.2GB RAM

21 21 Experimental Results Goal: –Identifying various bottlenecks of our synthesis heuristics Fault-span generation Deadlock resolution –Adding recovery –State elimination Cycle detection and resolution Memory usage Total synthesis time

22 22 Experimental Results

23 23 Experimental Results

24 24 Byzantine agreement Performance of synthesizing the Byzantine agreement program Experimental Results

25 25 Observations –10 50 reachable states –State elimination (deadlock resolution) is the most serious bottleneck –We run of time before we run out of space –Size of state space by itself is not a bottleneck Experimental Results

26 26 ----------------------------------------------------------------------------------------------------- UNCHANGED ACTIONS: ----------------------------------------------------------------------------------------------------- 1- (d.j==2) & !(f.j==1) & !(b.j==1)  (d.j:=dg) ----------------------------------------------------------------------------------------------------- REVISED ACTIONS: ----------------------------------------------------------------------------------------------------- 2- (b.j==0) & (d.j==1) & (d.k==1) & (f.j==0)  (f.j:=1) 3- (b.j==0) & (d.j==0) & (d.l==0) & (f.j==0)  (f.j:=1) 4- (b.j==0) & (d.j==0) & (d.k==0) & (f.j==0)  (f.j:=1) 5- (b.j==0) & (d.j==1) & (d.l==1) & (f.j==0)  (f.j:=1) ----------------------------------------------------------------------------------------------------- NEW RECOVERY ACTIONS: ----------------------------------------------------------------------------------------------------- 6- (b.j==0) & (d.j==0) & (d.l==1) & (d.k==1) & (f.j==0)  (d.j:=1) 7- (b.j==0) & (d.j==1) & (d.l==0) & (d.k==0) & (f.j==0)  (d.j:=0) 8- (b.j==0) & (d.j==0) & (d.l==1) & (d.k==1) & (f.j==0)  (d.j:=1), (f.j:=1) 9- (b.j==0) & (d.j==1) & (d.l==0) & (d.k==0) & (f.j==0)  (d.j:=0), (f.j:=1) ------------------------------------------------------------------------------------------ Experimental Results

27 27 human knowledge The effect of exploiting human knowledge (Each non-general process is allowed to finalize its decision if no two non- generals are undecided.) Experimental Results

28 28 Experimental Results token ring Performance of synthesizing token ring mutual exclusion with multi-step recovery

29 29 Experimental Results single-step recovery Multi-step vs. single-step recovery for synthesizing token ring mutual exclusion

30 30 November 7, 2008 Doctoral Dissertation Defense Open Problems Exploiting techniques from model checking –State space generation (e.g., clustering and partitioning) –Symmetry reduction –Counter-example guided abstraction-refinement (CEGAR) –SMT/QBF-based methods –Distributed/parallel techniques

31 31 November 7, 2008 Doctoral Dissertation Defense Open Problems Multidisciplinary research problems – Revising hybrid systems – Synthesizing programs with multiple concerns (e.g., security, communication, real-time, fault-tolerance, distribution) in epistemic logic – Program synthesis using graph mining and machine learning techniques – Biologically-inspired revision/synthesis techniques

32 THANK YOU!

Download ppt "Symbolic Synthesis of Masking Fault-Tolerant Distributed Programs Borzoo Bonakdarpour Workshop APRETAF January 23, 2009 Joint work with Sandeep Kulkarni."

Similar presentations

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
PRESENTER: PCLee 2011.12.14. System-on-chip (SoC) designs use bus protocols for high performance data transfer among the Intellectual Property (IP) cores.

PRESENTER: PCLee System-on-chip (SoC) designs use bus protocols for high performance data transfer among the Intellectual Property (IP) cores.
1 Verification of Parameterized Systems Reducing Model Checking of the Few to the One. E. Allen Emerson, Richard J. Trefler and Thomas Wahl Junaid Surve.

1 Verification of Parameterized Systems Reducing Model Checking of the Few to the One. E. Allen Emerson, Richard J. Trefler and Thomas Wahl Junaid Surve.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.

Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
ECE 667 - Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.

ECE Synthesis & Verification 1 ECE 667 Synthesis and Verification of Digital Systems Formal Verification Combinational Equivalence Checking.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

Similar presentations

Ads by Google