Synthesis for Concurrent Models

Anca Muscholl

LIAFA, Univ. Paris 7

Dagstuhl, June 2005

joint work with Blaise Genest (Warwick, UK)

Framework

Current applications/systems (web, networks, embedded systems…) are mostly distributed and asynchronous

Design process needs formal methods and automatic verification techniques

Here: Distributed synthesis for closed systems

Outline of talk

Models for distributed systems

Synthesis for shared-variable FSM

Synthesis for communicating FSM

Outlook

Distributed Models

Fixed set of processes and FSM Mp

(one per process p)

Mp cooperate either through

messages/signals (message-passing, I/0 automata) or

shared variables (Petri nets, asynchronous automata)

Outline of talk

Models for distributed systems

Synthesis for shared-variable FSM

Synthesis for communicating FSM

Outlook

Shared-variable models

distributed alphabet A = (A1, …, An), over processes {1,2,…,n}

action a involves processes from dom(a) = { i j a 2 Ai }

a-transition changes all local states of processes i 2 dom(a)

Shared variables

Two flavors of transitions: (q1,…,qn) !a (q’1,…,q’n)

Loosely cooperating

qi !a,i q’i for all i 2 dom(a)

Synchronously communicating (asynchronous automata)

(qi)i 2 dom(a) !a (q’i)i 2 dom(a)

Shared variables

Example: A = {a,b,c}, A1 = {a,b}, A2 = {b,c}

dom(a) = {1}, dom(b) = {1,2}, dom(c) = {2}

q1

q2

a

b

c

loosely-cooperating:

if (0,0) !b (1,1) and (1,1) !b (0,0), then also (0,1) !b (1,0) and(1,0) !b (0,1)

Loosely cooperating case

Given: FSM M = (Q, A, q0, !)

Q: Test whether M is equivalent to a loosely cooperating FSM, and construct one, if yes.

PSPACE algorithm:

test whether L(M) is a product language:

L(M) = i Proji L(M)

Synchronous communication

Given: FSM M = (Q, A, q0, !, F)

Q: Test whether M is equivalent to a synchronously-communicating FSM, and construct one, if yes.

PSPACE algorithm: test whether L(M) is commutation-closed:

dom(a) Å dom(b) = ; implies u ab v 2 L(M) iff u ba v 2 L(M)

Synchronous communication

alphabet A,

independence relation || µ A £ A

a || b iff dom(a) Å dom(b) = ;

Mazurkiewicz trace [w] = set of words

obtained from w by commuting independent adjacent letters

Framework: Mazurkiewicz traces

Synchronous communication

Example:

A = {a,b,c}, A1 = {a,b}, A2 = {b,c}

dom(a) = {1}, dom(b) = {1,2}, dom(c) = {2}

trace [acabbca] = {acabbca, aacbbca, caabbac,…}

L = ((aa+ac+ca+cc)* (a+c) b)* commutation-closed

Synchronous communication

Zielonka’s Theorem ’87

For every commutation-closed regular language one can construct an equivalent,deterministic synchronous-communication FSM of doubly exponential size.

Rem. Determinism hard to get. Doubly exponential only in number of processes.

Synchronous communication

FSM M1, M2, with state set Qi = {0,1}

each a-transition counts modulo 2 in Q1 (c-transition modulo 2 in Q2)

each b-transition checks that the sum is odd, and resets both counters

Example: A = {a,b,c}, A1 = {a,b}, A2 = {b,c}

L = ((aa+ac+ca+cc)* (a+c) b)* comm.-closed

Synchronous communication

Deterministic synchronous-comm. (Muller) FSM

Regular,commutation-closed languages

Monadic second-order logic

over trace pomsets

[Ebinger, Diekert, Muscholl, Thomas, Zielonka ‘9x]

Synchronous communication: deadlocks

Additional requirement: deadlock-freeness Safe synchr.-comm. FSM: all reachable

states are final [Stefanescu/Esparza/M.’03, Mukund’02]

A regular, commutation-closed language L is safely implementable iff it is prefix-closed and satisfies the forward diamond property:

ua 2 L, ub 2 L, a || b implies uab 2 L

Outline of talk

Models for distributed systems

Synthesis for shared-variable FSM

Synthesis for communicating FSM

Outlook

Asynchronous communication models

Several peers exchange messages through P2P fifo channels (unbounded)

Each peer: FSM with send/receive events to/from other peers

ITU norm Z.100 (SDL)

Sequential processes P, Q, …

Each process: FSM AP with events:

send P snd Q(m), receive P rcv Q(m)

Configuration of CFM = current local states sP

+ current contents of (FIFO) channels CP,Q

infinite-state systems

Communicating FSM (CFM)

CFM: Good for what?

CFM hard to design (need to consider global runs/executions)

… aka assembler programming

CFM: models of protocols

Suitable formalism for protocol specification?

P

C

rcv(P)

snd(C)

Psnd(C) Psnd(C) Crcv(P) Crcv(P)

Psnd(C) Crcv(P) Psnd(C) Crcv(P)

P C

several executions: one diagram

Message sequence chart(ITU norm Z120)

Diagrams: One for All

Events a,b,c,d

Partial order:

process order: a <P c, b <C d

message order: a < b, c < d

time

MSC

P C

a

b

c

d

Partial order semantics:

Example: events b and c are uncomparable

Message Sequence Charts (MSC, ITU Z.120)

Message Sequence Charts (MSC, ITU Z.120)

Scenario-based formalism: positive and negative scenarios

Capture requirements in visual form

Good for high-level description

Collection of MSC: MSC-graphs

P C P CP C

P C

Graph representation: composition, iteration, choice

MSC-graph defines set of MSCs:

Collections of scenarios: MSC-graphs

L(G) = set of MSC labeling accepting paths of G

C1 C2

G

P

data

C1 C2P

C1C2

P

dataack

ack

ack

resend

ack

A

B

CS = {A,B,C}

Initial state A

Final state C

Accepting paths AB* Cresend

MSC-Graphs (ITU Z.120)

Synthesis: Communication

Specification: high-level, abstract,.. MSC-graph,..

Implementation: local design

Communicating FSM (CFM)

Synthesis: Bounded (regular) case

A CFM is bounded if there is a bound B such that in any reachable configuration, the number of pending messages on any channel is · B.

Loop-connected MSC-graph G: syntactical property ensuring boundedness

(communication graph of each loop of G is strongly connected)

Bounded case: expressivity

Bounded CFM

[Mukund, Thiagarajan et al. 00]

Loop-connected(C)MSC-graphs

Monadic second-order

logic overbounded MSCs

Bounded case

Loop-connected MSC-graphs can be translated into finite automata, hence they can be model-checked.

[M/Peled 99, Alur/Yannakakis 99]

Distributed synthesis: from regular MSC language to CFM

[Mukund, Thiagarajan et al. 00]

Bounded case: too weak

P

C

rcv(P)

snd(C)

CFM

Bounded CFM have low expressivity.

Producer/consumer:typical unbounded behavior

Weakly bounded channels

P

C

rcv(P)

snd(C) R = (P snd(C) C rcv(P))* regularset of representatives:

every execution of the CFM has anequivalent execution in R

A CFM is weakly-B-bounded if its B-boundedexecutions build a set of representatives.

Def.

Weakly bounded channels

What does a weak channel bound mean?

Receiving messages can be (fairly) scheduled within channels of some fixed size.

Implementations of communication protocols are usually weakly bounded!

Weak bounds: expressivity

Weakly-boundedCFM

[Genest, Kuske, Muscholl 04]

Globally-cooperative

CMSC-graphs

Monadic second order logic over

w-bounded MSC

Weak bounds: main result

Globallycooperative CMSC-graph

Weakly-bounded CFM

Regular set of B-boundedrepresentatives

Monadic second-order logic over w-bounded MSC

Distributed synthesis

Some proof ideas

weakly-2-bounded:

P C

a

ba a b a b b a a b ba b a b a b a b a b, …

Compute B-bounded executions by applying special rewriting rules (commutations). [Kuske’s trick]

Example:

Weakly bounded CMSC-graphs and Mazurkiewicz traces

a b ´ b aa b ´ b a

a,a,b,b}alphabet

ab ab ab ´ a a b a b b ´ a a b b a b

CP

a

a b

M

a

b

b

[ab ab ab]´

Mazurkiewicz trace

commutation rules

B-bounded executions

a

amsg

rev

lP

lP

a b

b

lC

lC

brev associates the i-th receive

with the (i+2)-th send

Process order <P

Message order msgRelation rev

B-bounded executions = set of Mazurkiewicz traces

Mazurkiewicz Trace Theory: [Zielonka ‘87] Synchr.-communicating automata

Start with CMSC-graph (or MSO-formula) such thatthe set of B-bounded executions is a regular set of representatives

Construct an equivalent, weakly-B-bounded CFM.

special case of distributed synthesis

From regular representatives to CFM

2. Simulate a synchr.-comm. automaton T by a CFM:

1. B-bounded executions: equivalent trace automaton

T uses:

process ordermessage orderrev relation

(k1)

state k1

k2

k3 (k

3)

k4 (k5 ,GUESS)

k5

k6

check GUESS = k2

From regular representatives to CFM

Using trace automata: equivalent CFM up to weakly-B-bounded executions

Reject non-weakly-B-bounded MSCs:

Given Set of MSCs with regular set of B-bounded representatives. Construct equivalent CFM

Construct CFM that controls weakly-B-bounded on-the-fly.

From regular representatives to CFM

Asynchronous communication: deadlocks

Our implementation of weakly-bounded MSC-graphs has too many deadlocks

Another approach [Genest, Concur’05]: Implement a given regular specification by adding messages (within a fixed

architecture). Then: Any specification satisfying the diamond

properties is deadlock-free implementable, if choices are always local.

Conclusion

Shared-variable case is solved. Communication-based models: solved

for language equivalence (modulo deadlocks), but other types of equivalence are even more challenging

Weak channel bounds are a reasonable restriction: messages can be scheduled on finite channels

Outlook

Deadlocks: find reasonable restrictions on specifications ensuring deadlock-free implementations (Genest’05)

Extend the MSC-graph framework by partial views, synthesis from partial

views? Open systems: Alternating synchr.-comm. automata

(Gastin et al. ’04): special case CFM with uncontrolable processes?