
Monitoring Partial Order Snapshots




Joint work with Peter Niebert

- Assume a model of execution with local events and synchronous communication.
- Concurrent events are monitored according to some (arbitrary) order.
- What are global states?
- What global states appear on execution (execution sequence)?

- Sometimes called “real concurrency”.
- There is no total order between events.
- More intuitive. Closer to the actual behavior of the system.
- More difficult to analyze.
- Fewer verification results.
- Natural transformation between models.
- Partial order: (S, <), where < is
- Transitive: x<y ∧ y<z → x<z.
- Antisymmetric: for no x, y, x<y ∧ y<x.
- Antireflexive: for no x, x<x.

- Two branches, initially $1M each.
- In one branch: deposit, $2M.
- In another branch: robbery.
- How to model the system?

[Figure, reconstructed from slide residue: the bank in the interleaving model.]
  ($1M, $1M) --deposit--> ($3M, $1M) --robbery--> ($3M, $0M)
  ($1M, $1M) --robbery--> ($1M, $0M) --deposit--> ($3M, $0M)
  The intermediate global state ($3M, $1M) is labelled "Invest!", the intermediate state ($1M, $0M) is labelled "Do not Invest!"; which of the two is observed depends on the order in which the two concurrent events happen to be interleaved.

[Figure, reconstructed from slide residue: the same bank in the partial order model, two independent local histories with no order between deposit and robbery.]
  Branch 1: $1M --deposit--> $3M
  Branch 2: $1M --robbery--> $0M

[Figure, reconstructed from slide residue: two processes P1 and P2 communicating synchronously over channel ch.]
  P1:  m0: x := x+1 ;  m1: ch!x    (then back to m0)
  P2:  n0: ch?z     ;  n1: y := y+z (then back to n0)
  The pair m1: ch!x / n0: ch?z is a joint action of P1 and P2; the other two statements are local.

Local state sequences (partial order view):
  P1: (pc1=m0,x=0) --m0--> (pc1=m1,x=1) --m1/n0--> (pc1=m0,x=1) --m0--> (pc1=m1,x=2) --m1/n0--> (pc1=m0,x=2)
  P2: (pc2=n0,y=0,z=0) --m1/n0--> (pc2=n1,y=0,z=1) --n1--> (pc2=n0,y=1,z=1) --m1/n0--> (pc2=n1,y=1,z=2)

One interleaving (sequence of global states):
  pc1=m0,x=0,pc2=n0,y=0,z=0
  pc1=m1,x=1,pc2=n0,y=0,z=0
  pc1=m0,x=1,pc2=n1,y=0,z=1
  pc1=m1,x=2,pc2=n1,y=0,z=1
  pc1=m1,x=2,pc2=n0,y=1,z=1
  pc1=m0,x=2,pc2=n1,y=1,z=2

Another interleaving of the same partial order:
  pc1=m0,x=0,pc2=n0,y=0,z=0
  pc1=m1,x=1,pc2=n0,y=0,z=0
  pc1=m0,x=1,pc2=n1,y=0,z=1
  pc1=m0,x=1,pc2=n0,y=1,z=1
  pc1=m1,x=2,pc2=n0,y=1,z=1
  pc1=m0,x=2,pc2=n1,y=1,z=2

  The global state pc1=m1,x=2,pc2=n1,y=0,z=1 occurs only in the first interleaving and pc1=m0,x=1,pc2=n0,y=1,z=1 only in the second; both are snapshots of the same partial order execution.

[Figure, reconstructed from slide residue: the bank example extended with a further $0.1M deposit, drawn three times with different snapshots of the same partial order highlighted. Amounts that appear: $1M, $3M and $3.1M in one branch (deposits), and $1M, $1.1M and $0M in the other (a deposit followed by the robbery).]

- An equivalence relation among sequences, defined using some symmetric and antireflexive independence relation I ⊆ Σ×Σ on the set of actions Σ.
- Suppose that aIb and aIc (but not bIc). Then we have [abac] = {abac, baac, aabc, baca, abca, bcaa}.
- Snapshots of the execution [abac] are the states after [a], [b], [ab], [aa], [bc], [aab], [abc].
- Note that the states after trace-equivalent sequences, e.g. aab, aba, baa, are the same, so we can talk about the state after a trace. When clear, we write a trace instead of the corresponding state at the end of it.

- Basic syntax as in LTL.
- In addition, the “snapshot” operator [p], where p is a conjunction of positive and negative atomic propositions.
- Semantics of the new operator: (u, v) ⊨ [p] iff there exist finite sequences u1, u2 such that [u] = [u1u2] and (u1, u2v) ⊨ p.

- A deterministic automaton that keeps all the global states that are subsumed on the way.

[Figure, reconstructed from slide residue: the deterministic automaton for the trace example (aIb, aIc, b and c dependent). Each node is a set of pairs <s,A>; the edges, labelled a, b or c, follow from the two node rules given below. Node contents are as printed on the slide.]
  <[],∅>
    --a--> <[a],∅>, <[],{a}>
    --b--> <[b],∅>, <[],{b}>
  <[a],∅>, <[],{a}>
    --a--> <[aa],∅>, <[a],{a}>, <[],{a}>
    --b--> <[ab],∅>, <[b],{a}>, <[a],{b}>, <[],{a,b}>
  <[b],∅>, <[],{b}>
    --a--> <[ab],∅>, <[b],{a}>, <[a],{b}>, <[],{a,b}>
    --c--> <[bc],∅>, <[b],{c}>, <[],{b,c}>
  <[aa],∅>, <[a],{a}>, <[],{a}>
    --b--> <[aab],∅>, <[ab],{a}>, <[b],{a}>, <[a],{a,b}>, <[],{a,b}>
  <[ab],∅>, <[b],{a}>, <[a],{b}>, <[],{a,b}>
    --c--> <[abc],∅>, <[ab],{c}>, <[b],{a,c}>, <[a],{b,c}>, <[],{a,b,c}>
  <[aab],∅>, ...
    --c--> <[aabc],∅>, <[abc],{a}>, <[aab],{c}>, <[bc],{a}>, <[ab],{a,c}>, <[aa],{b,c}>, <[a],{a,b}>, <[],{a,b}>

- Each node consists of a set of pairs<s,A>, where s is a (subsumed) state and A is a subset of actions.
- It denotes that s is a subsumed state, and it takes the actions A (with possible repetition) in some order to reach the current state.

[Figure, reconstructed from slide residue: one transition of the automaton on action b, from node X = …, <s,A>, … to node Y = …, ?, … . The pairs of Y are determined by the two rules below; b(s) and b(t) denote the states reached from s and t by executing b.]

- If <s,A> is in node X, then <s, A ∪ {b}> is in Y.
- If <s,A> is in node X and b is independent of all of A, then <b(s), A> is in Y.

Size: 2^|S| × 2^|Σ| (subsets of states times subsets of actions).
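The trace example from the earlier slide (aIb, aIc, b and c dependent, execution [abac]) and the two node rules just stated, carried through as an added example; this is not code from the slides or from the authors. The independence relation and the word abac are the slides' own; the function names, the use of the lexicographically least linearization as the canonical name of a trace, and the check that the states collected in the final node are exactly the snapshots of [abac] are my own assumptions.

```python
# Independence relation from the slides: symmetric and antireflexive.
# a is independent of b and of c; b and c are dependent.
INDEP = {("a", "b"), ("b", "a"), ("a", "c"), ("c", "a")}


def independent(x, y):
    return (x, y) in INDEP


def trace_class(word):
    """All sequences trace-equivalent to `word`: the closure of `word` under
    swapping two adjacent independent letters."""
    seen = {word}
    todo = [word]
    while todo:
        w = todo.pop()
        for i in range(len(w) - 1):
            if independent(w[i], w[i + 1]):
                v = w[:i] + w[i + 1] + w[i] + w[i + 2:]
                if v not in seen:
                    seen.add(v)
                    todo.append(v)
    return seen


def canon(word):
    """Canonical representative of the trace [word] (its lexicographically least
    member), used here as the name of the state at the end of the trace."""
    return min(trace_class(word))


def snapshots(word):
    """Traces passed on the way to [word]: every prefix of every linearization,
    taken modulo trace equivalence."""
    return {canon(w[:i]) for w in trace_class(word) for i in range(len(w) + 1)}


def step(node, action):
    """One transition of the deterministic automaton. A node is a set of pairs
    (s, A): s a subsumed state, A the set of actions taken since s."""
    nxt = set()
    for s, A in node:
        nxt.add((s, A | frozenset([action])))                 # rule 1: <s, A ∪ {b}>
        if all(independent(action, x) for x in A):            # rule 2: <b(s), A>
            nxt.add((canon(s + action), A))
    return frozenset(nxt)


def run(word):
    """Node reached after reading `word` from the initial node {<[], {}>}."""
    node = frozenset([("", frozenset())])
    for action in word:
        node = step(node, action)
    return node


def subsumed_states(word):
    """States s that appear in the node reached after `word`."""
    return {s for s, _ in run(word)}


if __name__ == "__main__":
    print(sorted(trace_class("abac")))
    print(sorted(snapshots("abac")))
    for s, A in sorted(run("abac"), key=lambda p: (p[0], sorted(p[1]))):
        print(f"<[{s}],{{{','.join(sorted(A))}}}>")
```

Running it on abac reproduces the six-element equivalence class and the snapshot list from the slide, and shows that the automaton's final node carries one pair per snapshot (the slide's printed nodes drop a few pairs, e.g. <[aa],{b}> after aab, which the rules do produce).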

- Each process Pi will have its own set of propositions, related to the local states of Pi.
- We can write in […] only a conjunction of local properties.

[Figure, reconstructed from slide residue: three cases for an existing subset (freeze set) when a joint action is executed: the action kills the subset, the action extends the subset, or the action maintains the subset.]

- “Freeze sets”: subsets of processes satisfying their portion of the property.
- proc(a): the set of processes participating in action a.
- addproc(s, a): when executing action a from state s, the processes in proc(a) whose new local states satisfy the local propositions that we check.
- Extension: Let F1 ⊆ addproc(s,a) and F2 be an existing subset such that F2 ∩ proc(a) = ∅. Then extend F1 into F1 ∪ F2.
- Propagation: For an existing subset F such that proc(a) ∩ F = ∅, we maintain F.

Bingo!!
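The freeze-set rules above applied to the P1/P2 program from the earlier slides (m0: x:=x+1; m1: ch!x and n0: ch?z; n1: y:=y+z), as an added example that is not code from the slides or the authors. The action names inc/sync/add, the dict representation of the global state, and the exact kill condition (a joint action between a member and a non-member of a freeze set kills it, while local steps and joint actions inside the set keep it) are my own reading of the kill/extend/maintain figure; "Bingo" is reached when a freeze set contains all processes.

```python
from itertools import combinations

PROCS = frozenset({"P1", "P2"})


# The two processes of the slides, as transitions on a dict of local variables.
def inc(s):    # P1 at m0:  x := x+1
    s["x"] += 1
    s["pc1"] = "m1"


def sync(s):   # P1 at m1: ch!x   jointly with   P2 at n0: ch?z
    s["z"] = s["x"]
    s["pc1"] = "m0"
    s["pc2"] = "n1"


def add(s):    # P2 at n1:  y := y+z
    s["y"] += s["z"]
    s["pc2"] = "n0"


# proc(a) and the effect of a, per action name (the names are my own).
ACTIONS = {
    "inc": (frozenset({"P1"}), inc),
    "sync": (frozenset({"P1", "P2"}), sync),
    "add": (frozenset({"P2"}), add),
}


def addproc(state, procs, props):
    """Processes in proc(a) whose new local state satisfies their local proposition."""
    return frozenset(p for p in procs if props[p](state))


def update(family, procs, satisfied):
    """Freeze-set bookkeeping for one executed action with participants `procs`."""
    nxt = set()
    for F in family:
        # Kill (assumption, my reading of the slide): a joint action between a member
        # of F and a non-member moves the non-member past F's frozen local states,
        # so F can never grow to include all processes.
        if F & procs and not procs <= F:
            continue
        nxt.add(F)                                  # propagation: F is maintained
        if not F & procs:                           # F plays the role of F2 in the extension rule
            for k in range(1, len(satisfied) + 1):  # every non-empty F1 ⊆ addproc(s,a)
                for F1 in combinations(sorted(satisfied), k):
                    nxt.add(F | frozenset(F1))
    return frozenset(nxt)


def monitor(trace, props):
    """Execute `trace`; return the 1-based index of the first action after which
    some subsumed global state satisfies the conjunction of local propositions
    (the slide's "Bingo"), or None if no such snapshot exists."""
    state = {"pc1": "m0", "x": 0, "pc2": "n0", "y": 0, "z": 0}
    # The initial state is treated as a joint action of all processes.
    family = update({frozenset()}, PROCS, addproc(state, PROCS, props))
    if PROCS in family:
        return 0
    for i, name in enumerate(trace, start=1):
        procs, apply = ACTIONS[name]
        apply(state)
        family = update(family, procs, addproc(state, procs, props))
        if PROCS in family:
            return i
    return None


# Constructed execution: the first interleaving drawn on the slides.
TRACE = ["inc", "sync", "inc", "add", "sync"]

if __name__ == "__main__":
    # x=1 ∧ y=1 holds in the snapshot pc1=m0,x=1,pc2=n0,y=1,z=1, which this
    # interleaving never passes through; the freeze sets still find it after step 4.
    print(monitor(TRACE, {"P1": lambda s: s["x"] == 1, "P2": lambda s: s["y"] == 1}))
```

The interesting case is x=1 ∧ y=1: the executed interleaving goes through pc1=m1,x=2,pc2=n1,y=0,z=1 and never through a global state with x=1 and y=1, yet the freeze set {P1} frozen at the synchronization survives P1's later local step and is extended by P2 when y becomes 1. A property such as x=0 ∧ y=1, whose only candidate local states are ordered by the first synchronization, is correctly never reported. The family kept here is the full set of freeze sets, not the basis of the next slide.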

- Freeze sets T are closed under union and intersection.
- Need to store only a basis B of T, where unions are not included.
- In this case, size of basis is not larger than number of elements.
- Update of basis is polynomial.

- Construct an automaton for the negation of the formula as usual. Construct an automaton for each conjunction that appears inside the […] operator, to run in parallel.
- Binary search is still polynomial in number of processes and size of formula!

- Added capability of partial orders into LTL specification.
- Freeze sets construction for detecting global states that are subsumed during execution.
- Model checking has basically the same complexity as for normal LTL!