Verifying Parameterized Networks (Clarke, Grumberg, Jha)
Presented by Adi Sosnovich, April 2012
Outline
- Introduction: verification of parameterized systems
- Definitions: labeled transition system, network grammars, specification language, abstract LTS
- Verification method
- Synchronous model of computation
- Conclusion
Verification of parameterized systems
Given a temporal property and an infinite family of distributed systems composed of similar processes, check the property for all the finite models from the family.
In general the problem is undecidable [Apt, Kozen 86].
For specific families the problem may be solvable. The cases depend on:
- the communication topology of the family F
- parallelism: synchronous or asynchronous
- the synchronization primitives
- the temporal properties: local or global
Verification of parameterized systems: previous work
- Establishing a bisimulation relation between a 2-process token ring and an n-process token ring, for any n. Drawback: the bisimulation relation is constructed manually.
- Finding network invariants: constructing an invariant satisfying a condition for all instances of the family, and using traditional model checking on the invariant process. Drawbacks: the invariant is provided explicitly by the user, and only networks with one repetitive component can be handled.
Verification of parameterized systems: current work
- Works on context-free network grammars.
- The network is an infinite family of distributed systems composed of similar processes.
- Tries to generate the invariant automatically, based on the grammar’s structure.
- The invariant simulates all processes in the language of the grammar (all the finite models from the family).
Labeled Transition System (LTS)
An LTS is a structure with the following components:
- a set of states
- a set of initial states
- a set of actions
- a total transition relation
Labeled Transition System (LTS) - example:
We define the process P by the following LTS:
[Figure: LTS of P with states nc and cs and actions τ, send-token, get-token]
Labeled Transition System (LTS) - another example:
We define the process Q by the following LTS:
[Figure: LTS of Q with states nc and cs and actions τ, send-token, get-token]
Labeled Transition System (LTS)
Composition function: given two LTSs, their composition is again an LTS; its transition relation R’ depends on the exact semantics of the composition function.
Network grammars
Network: the set of all LTSs derived by a context-free network grammar.
Network grammar: defined over S (the set of states) and ACT (the set of actions), with:
- a set of terminals, each of which is an LTS defined over S and ACT (also referred to as basic processes)
- a set of nonterminals, each of which defines a network
- a set of production rules, each rewriting a nonterminal into a composition of symbols
- a start symbol, representing the network generated by G
Network grammars - example
A grammar over the basic processes P and Q that produces rings with one process Q and at least 2 processes P.
The network consists of LTSs that perform a simple mutual exclusion using a token ring algorithm.
Network grammars - example
Derivation: S ⟹ Q∥A ⟹ Q∥P∥P
[Figure: the composed LTS Q∥P∥P, with global states (cs,nc,nc), (nc,cs,nc), (nc,nc,cs) and τ transitions between them]
Reachable states in the LTS have the form:
Specification Language
Goal: specify a network of LTSs composed of any number of components (basic processes).
How do we specify a property of a global state of a system consisting of many components? Such a state is an n-tuple, for some n. Typical properties:
- some component is in a given state
- at least (at most) k components are in a given state
- a combination of such conditions, e.g. (some component is in one state) together with (some component is in another state)
Such properties are conveniently expressed in terms of regular languages.
Specification Language
Global state: written as a word (the sequence of local states) instead of an n-tuple.
Property: a regular language over the local states.
Having the property: a state has the property iff its word belongs to the language.
Example: the property L(D) = {nc}* cs {nc}* specifies states in which exactly one process is in its critical section.
Specification Language
Defining atomic state properties: the regular language is specified by a deterministic automaton D over the local states, and the property is the set of words accepted by D. A state of an LTS is a tuple of local states, for some length n.
Example:
[Figure: automaton D with states q0, q1, q2: nc self-loops on q0 and q1, an nc,cs self-loop on q2, and cs edges q0 → q1 → q2]
Specification Language
Assume we have a network defined by a grammar over the given states and actions. The specification language is a temporal logic whose atomic formulas are finite automata over the local states.
Specification Language - example:
[Figure: process P, the ring Q∥P∥P with global states (cs,nc,nc), (nc,cs,nc), (nc,nc,cs), and the automaton D]
L(D) = {nc}* cs {nc}*
Specification Language - another example:
A temporal formula over L(D′) = cs {nc}* (the first process, Q, is in its critical section) expresses non-starvation for process Q.
Non-starvation is guaranteed only if some kind of fairness is assumed.
[Figure: the ring Q∥P∥P and the automaton D′]
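The definitions above (LTSs, the ring composition of basic processes, and atomic state properties given as automata) can be exercised directly. The following Python is an added example and not code from the slides or the paper; it assumes concrete transitions for P and Q (nc --get-token--> cs, cs --send-token--> nc, a τ self-loop in every state, Q starting in cs because it holds the token) and a ring composition in which send-token of one component synchronizes with get-token of the next and becomes τ. With that in place it checks the mutual-exclusion property L(D) = {nc}* cs {nc}* as an invariant over all reachable global states of rings of several sizes, and shows that the same check reports the violating states when a second token holder is introduced.

```python
from collections import deque
from itertools import product

# Basic processes P and Q of the token-ring example. The slides only show the state
# and action names; the exact transitions below are this example's assumption.
# An LTS is encoded as (states, initial states, transitions as a set of (s, action, s')).
def basic_process(initial):
    trans = {('nc', 'tau', 'nc'), ('nc', 'get-token', 'cs'),
             ('cs', 'tau', 'cs'), ('cs', 'send-token', 'nc')}
    return ({'nc', 'cs'}, {initial}, trans)

P = basic_process('nc')   # starts outside its critical section
Q = basic_process('cs')   # starts holding the token, i.e. inside its critical section

def ring(components):
    """Ring composition (assumed semantics): send-token of component i synchronizes
    with get-token of component (i+1) mod n and becomes an internal tau step while
    the other components keep their state; a global tau step in which every
    component idles is allowed as well. Global states are n-tuples of local states."""
    n = len(components)

    def local_moves(i, s, action):
        return [t for x, a, t in components[i][2] if x == s and a == action]

    states = set(product(*[c[0] for c in components]))
    init = set(product(*[c[1] for c in components]))
    trans = set()
    for g in states:
        for idle in product(*[local_moves(i, g[i], 'tau') for i in range(n)]):
            trans.add((g, 'tau', idle))
        for i in range(n):
            j = (i + 1) % n
            for s_i in local_moves(i, g[i], 'send-token'):
                for s_j in local_moves(j, g[j], 'get-token'):
                    nxt = list(g)
                    nxt[i], nxt[j] = s_i, s_j
                    trans.add((g, 'tau', tuple(nxt)))
    return (states, init, trans)

# Atomic state properties as deterministic automata over {nc, cs}. A missing entry
# in delta is an implicit rejecting sink (e.g. reading nc in r0 below rejects).
D = {'init': 'q0', 'accept': {'q1'},        # L(D)  = {nc}* cs {nc}*: exactly one cs
     'delta': {('q0', 'nc'): 'q0', ('q0', 'cs'): 'q1', ('q1', 'nc'): 'q1',
               ('q1', 'cs'): 'q2', ('q2', 'nc'): 'q2', ('q2', 'cs'): 'q2'}}
D_PRIME = {'init': 'r0', 'accept': {'r1'},  # L(D') = cs {nc}*: the first process is in cs
           'delta': {('r0', 'cs'): 'r1', ('r1', 'nc'): 'r1'}}

def accepts(dfa, word):
    """A global state (tuple of local states) has the property iff D accepts it as a word."""
    q = dfa['init']
    for sym in word:
        q = dfa['delta'].get((q, sym))
        if q is None:
            return False
    return q in dfa['accept']

def reachable(lts):
    _, init, trans = lts
    seen, todo = set(init), deque(init)
    while todo:
        s = todo.popleft()
        for x, _, t in trans:
            if x == s and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def invariant_violations(lts, dfa):
    """Check AG(property) by explicit exploration: return the reachable states that
    do not have the property (an empty list means the invariant holds)."""
    return sorted(s for s in reachable(lts) if not accepts(dfa, s))

if __name__ == '__main__':
    for n in range(2, 6):
        print(n + 1, 'processes, mutex violations:', invariant_violations(ring([Q] + [P] * n), D))
    # Two token holders: the same check now reports the violating global states.
    print('two Qs:', invariant_violations(ring([Q, Q, P]), D))
    # D' (Q in cs) holds in some reachable states but is not an invariant.
    print('Q in cs somewhere:', any(accepts(D_PRIME, s) for s in reachable(ring([Q, P, P]))))
```

Each ring size is a separate finite model; the explicit check above is exactly what the rest of the talk wants to replace by a single check on an abstract representative, since the family itself is infinite.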
Abstract LTS
We use abstraction in order to reduce the state space required for the verification of networks.
Requirements:
- There must be a simulation preorder under which an LTS is smaller than its abstract LTS.
- Composing two abstract states must result in an abstraction of the composition of the concrete states.
State Equivalence
Goal: given an LTS, define an equivalence relation over its states, such that the equivalence classes are the states of the abstract LTS.
Requirements:
1. Equivalent states both satisfy or both falsify each atomic formula.
2. The equivalence is preserved under composition.
State Equivalence - first try
The first candidate equivalence satisfies the 1st requirement but does not satisfy the 2nd.
Example of a composition in which the equivalence is not preserved: two equivalent states, composed with the same state, yield composed states that are no longer equivalent.
We need a refined equivalence relation that is preserved under composition.
State Equivalence - refining the equivalence relation
Definition: given a deterministic automaton D and a word, the function induced by the word on D maps each state of D to the state that D reaches from it after reading the word.
Example
D = [the automaton above: states q0, q1, q2 with nc self-loops on q0 and q1, an nc,cs self-loop on q2, and cs edges q0 → q1 → q2]
To find the function induced by a word, we find the successor for each state of D. The slides trace this state by state over the automaton for the words considered (figures omitted here).
Conclusion: the induced function is read off from the three successors, one per state of D.
State Equivalence - refining the equivalence relation
Defining the equivalence: two states are equivalent iff they induce the same function on D. The function induced by s is the abstraction of s, denoted h(s).
State Equivalence
The new equivalence relation satisfies both requirements. Proof:
1. (1st requirement)
2. (2nd requirement)
Comment: we extend satisfaction of atomic formulas to abstract states, in order to interpret specifications on abstract LTSs.
State Equivalence - example
Considering the automaton D over {nc, cs}, every word induces a function on the states of D. There are only 3 different functions, each identifying an equivalence class.
[Figure: automaton D]
Abstract States
The abstract states are the functions induced on the deterministic automaton D. In the worst case their number is bounded by the number of functions on the states of D; in practice the size is much smaller. In the previous example there are 3 abstract states.
Extension to any set of atomic formulas: the abstraction of a state is the tuple of the functions it induces, one per automaton; two states are mapped to the same abstract state iff they induce the same function for every automaton.
States that are mapped to the same abstract state agree on all atomic properties.
Abstract LTS - example
[Figure: the ring Q∥P∥P (global states (cs,nc,nc), (nc,cs,nc), (nc,nc,cs) with τ transitions) and its abstraction h(Q∥P∥P): a single abstract state f2 with a τ self-loop]
Simulation
Definition: one LTS is smaller than another iff there is a simulation preorder between them, i.e. a relation on their states that satisfies:
1. every initial state of the smaller LTS is related to some initial state of the larger one;
2. whenever two states are related, every transition of the smaller state is matched by a transition of the larger state on the same action, and the successors are again related.
Notation: if one LTS is smaller than another under such a relation, we say that the larger LTS simulates the smaller one.
Abstract LTS
Lemma:
1. The simulation relation between an LTS and its abstract LTS relates each state s to its abstraction h(s).
2. Let R be the simulation relation between two LTSs. Define the following relation between their compositions:
Theorem:
And there are some more cases to prove…
Conclusion: every LTS is smaller than its abstract LTS.
Proof: for each initial state there is an abstract initial state related to it, and every transition is matched by the abstract LTS (by the theorem).
Abstract LTS and Simulation - example
[Figure: the ring Q∥P∥P and its abstraction h(Q∥P∥P), a single abstract state f2 with a τ self-loop, as above]
Abstract LTS and Simulation - another example
[Figure: process P and its abstraction h(P): abstract states f1 and f2, with actions τ, send-token and get-token]
Verification Method
Let G be a monotonic grammar and let the specification be a formula whose atomic formulas are automata. To check that every LTS derived by G satisfies the formula we perform:
1. For every symbol A in G, choose a representative process and construct its abstract LTS with respect to the atomic formulas.
2. Check that the set of representatives satisfies the monotonicity property.
3. Perform model checking on the abstract LTS of the start symbol’s representative, with the formula as the specification.
Monotonic Grammar
Monotonic composition: a composition operator is monotonic iff, given LTSs, replacing a component by a smaller one (in the simulation preorder) yields a smaller composition.
Monotonic grammar: a network grammar G is monotonic iff all rules in the grammar use only monotonic composition operators.
Representative Processes
For a network grammar G, we find for each symbol A of the grammar a representative process.
Monotonicity property: given a grammar and a set of representatives, every terminal is simulated by its representative, and for every rule the composition of the representatives of the right-hand-side symbols is simulated by the representative of the left-hand-side symbol.
Theorem
Let G be a monotonic grammar, and suppose we can find representatives that satisfy the monotonicity property. Let A be a symbol of G and consider an LTS derived from A using the rules of G. Then the derived LTS is simulated by the representative of A.
Proof
We prove that the derived LTS is simulated by the representative of A. Since the representative is simulated by its abstract LTS, the derived LTS is then also simulated by the abstract representative, by transitivity of the simulation relation.
Let k be the number of rule applications in the derivation. We prove the claim by induction on k.
(k = 0): the derived LTS is a terminal, and the result follows from the monotonicity property.
(k > 0): let the first rule in the derivation from A be the rule that rewrites A into a composition of symbols, so that the derived LTS is the composition of LTSs derived from those symbols with fewer rule applications. By the induction hypothesis, each of those is simulated by the representative of its symbol.
We have the following equations:
Lemma 3.2.3
Back to the verification method…
Let G be a monotonic grammar and let the specification be a formula whose atomic formulas are automata. To check that every LTS derived by G satisfies the formula we perform:
1. For every symbol A in G, choose a representative process and construct its abstract LTS with respect to the atomic formulas.
2. Check that the set of representatives satisfies the monotonicity property.
3. Perform model checking on the abstract LTS of the start symbol’s representative, with the formula as the specification.
Now we have proved that in step #3, every LTS derived by the grammar G is simulated by the representative of the start symbol. Thus, if the formula belongs to the specification language and the abstract representative satisfies it, we can conclude that all LTSs derived by G satisfy it.
The next question: how do we find representatives that satisfy the monotonicity property?
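The abstraction by induced functions, the simulation check and the three steps of the verification method can be run end to end on the token-ring grammar. The following Python is an added example, not code from the slides or the paper: it assumes the automaton D of the slides encoded as a transition table, hand-built concrete LTSs for a closed ring Q∥P∥…∥P (one token moving one position per τ step) and for an open chain P∥…∥P (get-token enters at the left end, send-token leaves at the right end), and the grammar S → Q∥A, A → P∥P, A → P∥A with the minimal representatives P∥P for A and Q∥P∥P for S. The names `induced`, `abstract`, `simulates` and `ag_holds` are this example's own. It checks that composition of words corresponds to composition of induced functions (the reason the refined equivalence is preserved), that a concrete LTS is simulated by its abstraction, that the representatives satisfy the monotonicity property, and finally model checks the invariant on the abstract representative of S. With the simplified semantics assumed here the minimal representatives already satisfy the monotonicity property, which need not hold in general; the unfolding heuristic below addresses the case where it fails.

```python
from itertools import product

# The deterministic automaton D of the slides, L(D) = {nc}* cs {nc}* (exactly one cs).
# Encoding it as a transition table is this example's choice, not the paper's notation.
Q_D = ('q0', 'q1', 'q2')
DELTA = {('q0', 'nc'): 'q0', ('q0', 'cs'): 'q1', ('q1', 'nc'): 'q1',
         ('q1', 'cs'): 'q2', ('q2', 'nc'): 'q2', ('q2', 'cs'): 'q2'}
ACCEPT = {'q1'}

def induced(word):
    """f_w, the function induced by the word w on D, stored as the tuple
    (f_w(q0), f_w(q1), f_w(q2)). This tuple is the abstract state h(w)."""
    image = []
    for q in Q_D:
        for sym in word:
            q = DELTA[(q, sym)]
        image.append(q)
    return tuple(image)

def compose_functions(f_u, f_v):
    """f_{u.v}(q) = f_v(f_u(q)): the abstraction of a composed state is computed
    from the abstractions of its parts, which is why the equivalence is preserved."""
    return tuple(f_v[Q_D.index(q)] for q in f_u)

# Concrete LTSs: {'init': set of states, 'trans': set of (s, action, s')}, with states
# that are tuples over {nc, cs}. Both shapes are constructed by hand (assumed details).
def token_ring(n):
    """Q||P||...||P closed into a ring: one token, moving one position per tau step."""
    hold = [tuple('cs' if j == i else 'nc' for j in range(n)) for i in range(n)]
    trans = {(hold[i], 'tau', hold[(i + 1) % n]) for i in range(n)}
    return {'init': {hold[0]}, 'trans': trans | {(s, 'tau', s) for s in hold}}

def chain(n):
    """P||...||P not yet closed: get-token enters at the left end, send-token leaves
    at the right end, internal hand-offs are tau."""
    empty = ('nc',) * n
    hold = [tuple('cs' if j == i else 'nc' for j in range(n)) for i in range(n)]
    trans = {(empty, 'get-token', hold[0]), (hold[-1], 'send-token', empty)}
    trans |= {(hold[i], 'tau', hold[i + 1]) for i in range(n - 1)}
    return {'init': {empty}, 'trans': trans | {(s, 'tau', s) for s in [empty] + hold}}

def states_of(m):
    return m['init'] | {s for s, _, _ in m['trans']} | {t for _, _, t in m['trans']}

def abstract(m):
    """h(M): map every state to its induced function and keep the transitions."""
    return {'init': {induced(s) for s in m['init']},
            'trans': {(induced(s), a, induced(t)) for s, a, t in m['trans']}}

def simulates(m1, m2, label1=lambda s: s, label2=lambda s: s):
    """Decide m1 <= m2 by computing the greatest simulation relation: start from all
    pairs with equal abstract labels (so atomic properties agree) and drop a pair
    whenever a move of the left state cannot be matched by the right state."""
    s1, s2 = states_of(m1), states_of(m2)
    rel = {(a, b) for a in s1 for b in s2 if label1(a) == label2(b)}
    changed = True
    while changed:
        changed = False
        for a, b in list(rel):
            for x, act, y in m1['trans']:
                if x == a and not any((b, act, z) in m2['trans'] and (y, z) in rel
                                      for z in s2):
                    rel.discard((a, b))
                    changed = True
                    break
    return all(any((i, j) in rel for j in m2['init']) for i in m1['init'])

def ag_holds(abs_m):
    """Model check AG D on an abstract LTS: every reachable abstract state f must
    satisfy the atomic formula, i.e. f(q0) is an accepting state of D."""
    seen, todo = set(abs_m['init']), list(abs_m['init'])
    while todo:
        f = todo.pop()
        for s, _, t in abs_m['trans']:
            if s == f and t not in seen:
                seen.add(t)
                todo.append(t)
    return all(f[0] in ACCEPT for f in seen)

def verify_ring_grammar():
    """Steps 1-3 of the method for S -> Q||A, A -> P||P, A -> P||A with the minimal
    representatives rep(A) = P||P (chain(2)) and rep(S) = Q||P||P (token_ring(3))."""
    rep_a, rep_s = abstract(chain(2)), abstract(token_ring(3))      # step 1
    monotone = (simulates(abstract(chain(2)), rep_a)                 # A -> P||P
                and simulates(abstract(chain(3)), rep_a)             # A -> P||A
                and simulates(abstract(token_ring(3)), rep_s))       # S -> Q||A (step 2)
    return monotone and ag_holds(rep_s)                              # step 3
```

Because `simulates` only admits pairs with equal abstract labels, a successful check means the larger LTS matches both the behaviour and the atomic properties of the smaller one, which is what lets a result on h(rep(S)) transfer to every ring the grammar derives.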
The Unfolding Heuristic
Might be helpful in automatically finding monotonic representatives. Basic ideas:
- The initial representative of a symbol A is the LTS derived by A using the minimum number of rules.
- Often certain behaviors occur only when a process is composed with other processes (which provide the environment).
- By unfolding the current set of representatives we find a larger set of potential representatives, which might satisfy the monotonicity property.
Some notation: an association function for a grammar G assigns a set of processes to each symbol of G; this set contains the potential representatives of the symbol.
Given two sets of LTSs, their composition is defined elementwise, as the set of compositions of one LTS from each set.
The Unfolding Heuristic - finding the initial association
For a terminal A, the initial association contains just the terminal itself.
Example: for the token-ring grammar, the initial association is
AS0(A) = AS(P) ∥ AS(P)
AS0(S) = AS(Q) ∥ AS(A)
The Unfolding Heuristic - the algorithm to find representatives
The unfolding operator extends the current association by applying the grammar’s rules to the sets already associated with the symbols.
Example: unfolding the current association of the token-ring grammar.
The corresponding representatives didn’t satisfy the monotonicity property: a process derived with more rule applications might have more abstract states than the initial representative. We need to find a representative that “has more behaviors than” the processes it must simulate.
After unfolding, if we choose the representatives from the unfolded association, the chosen process has more abstract states than the initial representative.
The Unfolding Heuristic - observations
- Each iteration increases the set of processes associated with a nonterminal.
- Unfolding results in processes that are a combination of a larger number of basic processes.
- The procedure might not terminate; the user has to put a limit on the number of iterations.
If we find representatives that satisfy the monotonicity property but the model check of the abstract representative fails, then we cannot conclude anything about the correctness of the network derived by G. The counterexample might aid the user in finding more refined representatives, or we may want to apply the unfolding technique again.
Synchronous model of computation
We present a synchronous framework that has the properties required by the verification method.
LTSs represent Moore machines: a transition with inputs and outputs occurs only if the environment supplies the inputs, and the machine produces the outputs.
Synchronous composition of two machines: defined componentwise, with both components stepping together; its states, initial states, inputs, outputs and transitions are built from those of the components.
Synchronous model of computation - lemma
The composition is monotonic with respect to the simulation preorder.
We should prove that if each component is simulated by its counterpart, then the composition is simulated by the composition of the counterparts.
Proof: we define a relation on the composed states from the two given simulation relations, and show that it has the three required properties of a simulation relation.
Network Grammars for Synchronous Models
Each symbol is associated with its sets of inputs and outputs. In G we allow different composition operators for different production rules.
Definitions:
- Renaming function: when applied to A, it maps inputs to inputs and outputs to outputs. Applying a renaming to an LTS results in an LTS whose states, initial states, inputs, outputs and transitions are those of the original with the renaming applied.
- Hiding function: for a set act of actions, hiding is a renaming function that maps each element in act to τ.
Network Grammars for Synchronous Models
Typical composition operator: built from renaming, synchronous composition and hiding.
Example: describing more precisely the processes and the network grammar that constructs rings with any number of processes.
P and Q are identical to the earlier ones, except that now their actions are given as inputs and outputs.
Derivation rules: as in the earlier ring grammar, each rule with its own composition operator.
Applying the rule for the start symbol results in a network with one terminal Q and one nonterminal A, connected as a ring.
The composition operator used in this rule is defined as:
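The synchronous framework of this section (Moore machines, lock-step composition, renaming and hiding) can be made concrete with a small executable model. The following Python is an added example and not code from the slides or the paper; the `Moore` encoding, the behaviour of the token process (it outputs `send` while in cs, enters cs when its `get` input is on, and leaves cs after one step), the channel names `t01`, `t12`, ... and the function names `rename`, `compose`, `hide`, `ring` are all this example's assumptions. It wires Q and n-1 copies of P into a ring by renaming each process's `send` output to the `get` input of its successor, composes them synchronously, hides the connecting signals, and then explores the closed system to confirm that exactly one machine is in cs in every reachable global state, and that a ring started with two token holders breaks that invariant.

```python
from itertools import product

# A Moore machine (assumed encoding): states, initial state, named inputs and outputs,
# the set of outputs produced in each state, and a deterministic next-state function
# of the current state and the set of inputs that are "on" in this step.
class Moore:
    def __init__(self, states, init, inputs, outputs, out, step):
        self.states, self.init = set(states), init
        self.inputs, self.outputs = set(inputs), set(outputs)
        self.out, self.step = out, step

def token_process(initial):
    """Constructed basic process: states nc/cs, output 'send' while in cs, move to cs
    when input 'get' is on, and back to nc after one step in cs."""
    def out(s):
        return frozenset({'send'}) if s == 'cs' else frozenset()
    def step(s, ins):
        if s == 'nc':
            return 'cs' if 'get' in ins else 'nc'
        return 'nc'
    return Moore({'nc', 'cs'}, initial, {'get'}, {'send'}, out, step)

def rename(m, mapping):
    """Renaming function: inputs map to inputs and outputs to outputs by name."""
    def out(s):
        return frozenset(mapping.get(o, o) for o in m.out(s))
    def step(s, ins):
        # translate the renamed signals that are on back to the machine's own names
        local = frozenset(i for i in m.inputs if mapping.get(i, i) in ins)
        return m.step(s, local)
    return Moore(m.states, m.init, {mapping.get(i, i) for i in m.inputs},
                 {mapping.get(o, o) for o in m.outputs}, out, step)

def compose(a, b):
    """Synchronous composition: both machines step in lock-step. An input of one that
    is an output of the other is fed internally; the remaining inputs stay external."""
    internal = (a.inputs & b.outputs) | (b.inputs & a.outputs)
    def out(s):
        return a.out(s[0]) | b.out(s[1])
    def step(s, ins):
        seen = ins | a.out(s[0]) | b.out(s[1])   # external inputs plus both outputs
        return (a.step(s[0], seen & a.inputs), b.step(s[1], seen & b.inputs))
    return Moore(set(product(a.states, b.states)), (a.init, b.init),
                 (a.inputs | b.inputs) - internal, a.outputs | b.outputs, out, step)

def hide(m, names):
    """Hiding function: the named signals become internal and leave the interface."""
    def out(s):
        return m.out(s) - names
    return Moore(m.states, m.init, m.inputs - names, m.outputs - names, out, m.step)

def ring(n, holders=frozenset({0})):
    """Q (index 0) and n-1 copies of P wired into a ring: send of machine i is renamed
    to channel t<i><i+1>, which is the get input of machine i+1; then all channels
    are hidden. `holders` lists the machines that start in cs (normally only Q)."""
    procs = [token_process('cs' if i in holders else 'nc') for i in range(n)]
    wire = lambda i: 't%d%d' % (i, (i + 1) % n)
    m = rename(procs[0], {'send': wire(0), 'get': wire(n - 1)})
    for i in range(1, n):
        m = compose(m, rename(procs[i], {'get': wire(i - 1), 'send': wire(i)}))
    return hide(m, {wire(i) for i in range(n)})

def flatten(s):
    """Turn the nested state ((q, p1), p2) of a composite into a flat tuple."""
    return (s,) if isinstance(s, str) else flatten(s[0]) + flatten(s[1])

def reachable(m):
    """Global states reachable in a closed system (no external inputs left)."""
    assert not m.inputs, 'machine still has external inputs'
    seen, todo = {m.init}, [m.init]
    while todo:
        s = todo.pop()
        t = m.step(s, frozenset())
        if t not in seen:
            seen.add(t)
            todo.append(t)
    return {flatten(s) for s in seen}

def mutex_holds(m):
    """Exactly one machine in cs in every reachable global state."""
    return all(s.count('cs') == 1 for s in reachable(m))
```

Hiding is applied only once, after the whole ring is closed, so the intermediate composites still expose the channel that the next process has to read; hiding earlier would cut the token path.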
Conclusion
- Described the verification problem of parameterized systems.
- Defined network grammars, LTSs, and abstraction of LTSs.
- Specified state properties using regular languages.
- The method requires a monotonic grammar. To apply the method we must find representatives that satisfy the monotonicity property; this might be done automatically using the unfolding heuristic.
- Presented a synchronous model of computation that has the properties required by the verification method.