# Monitoring Partial Order Snapshots


### Monitoring Partial Order Snapshots

Joint work with Peter Niebert

Monitoring an interleaving sequence
• Assume a model of execution with local events and synchronous communication.
• Concurrent events are monitored according to some (arbitrary) order.
• What are global states?
• What global states appear on execution (execution sequence)?
Partial Order Semantics
• Sometimes called “real concurrency”.
• There is no total order between events.
• More intuitive, closer to the actual behavior of the system.
• More difficult to analyze.
• Fewer verification results.
• Natural transformation between models.
• Partial order: (S, <), where < is
• Transitive: x<y ∧ y<z ⇒ x<z.
• Antisymmetric: for no x, y, x<y ∧ y<x.
• Irreflexive: for no x, x<x.
Bank Example
• Two branches, initially \$1M each.
• In one branch: deposit, \$2M.
• In another branch: robbery.
• How to model the system?
Global state space
• Interleaving view of the bank example: the global states are pairs (branch 1, branch 2) and the two events form a diamond:
• (\$1M, \$1M) -deposit-> (\$3M, \$1M) -robbery-> (\$3M, \$0M)
• (\$1M, \$1M) -robbery-> (\$1M, \$0M) -deposit-> (\$3M, \$0M)
Should we invest in this bank?
• The same diamond, with a verdict (“Invest!” or “Do not Invest!”) attached to the global states: the deposit-first path passes through (\$3M, \$1M), the robbery-first path through (\$1M, \$0M).
• A monitor that follows one arbitrary interleaving sees only one of these intermediate states, so its verdict depends on the order it happened to observe, even though both are global states of the same execution.

Partial Order Description
• Branch 1: \$1M -deposit-> \$3M.
• Branch 2: \$1M -robbery-> \$0M.
• The deposit and the robbery are unordered: each is local to its own branch.
Constructing global states
• Bank example: a global state pairs one local state of branch 1 (\$1M or \$3M, before or after the deposit) with one local state of branch 2 (\$1M or \$0M, before or after the robbery).
• A second example with synchronous communication over channel ch:
• P1:  m0: x:=x+1;  m1: ch!x;  then back to m0
• P2:  n0: ch?z;  n1: y:=y+z;  then back to n0
• Local history of P1: (pc1=m0,x=0) -m0-> (pc1=m1,x=1) -m1-> (pc1=m0,x=1) -m0-> (pc1=m1,x=2) -m1-> (pc1=m0,x=2)
• Local history of P2: (pc2=n0,y=0,z=0) -n0-> (pc2=n1,y=0,z=1) -n1-> (pc2=n0,y=1,z=1) -n0-> (pc2=n1,y=1,z=2)
• The send at m1 and the receive at n0 are one joint event of both processes; the other events are local.
Modeling with partial orders
Linearizations
• One linearization of the partial order above (global states written as pc1, x, pc2, y, z):
• pc1=m0,x=0,pc2=n0,y=0,z=0
• -m0-> pc1=m1,x=1,pc2=n0,y=0,z=0
• -m1/n0-> pc1=m0,x=1,pc2=n1,y=0,z=1
• -m0-> pc1=m1,x=2,pc2=n1,y=0,z=1
• -n1-> pc1=m1,x=2,pc2=n0,y=1,z=1
• -m1/n0-> pc1=m0,x=2,pc2=n1,y=1,z=2

Linearizations
• Another linearization of the same partial order; it differs from the previous one only in the order of the independent events m0 (on P1) and n1 (on P2):
• pc1=m0,x=0,pc2=n0,y=0,z=0
• -m0-> pc1=m1,x=1,pc2=n0,y=0,z=0
• -m1/n0-> pc1=m0,x=1,pc2=n1,y=0,z=1
• -n1-> pc1=m0,x=1,pc2=n0,y=1,z=1
• -m0-> pc1=m1,x=2,pc2=n0,y=1,z=1
• -m1/n0-> pc1=m0,x=2,pc2=n1,y=1,z=2
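The two linearizations above are two interleavings of one partial-order execution. As an added illustration (not code from the slides or the authors), the following Python enumerates every global state of that partial order as a consistent cut of the per-process local histories, and replays the two linearizations to show which of those states each one visits. The local histories, the joint-event positions and the step lists are transcribed from the slides; the function names, the cut representation and the `JOINT` encoding are this example's own assumptions.

```python
"""Global states of a partial-order execution (added example, not the
authors' code).  Assumed model, matching the slides: each process has a
local history of states; an event is either local to one process or a
synchronous (joint) event shared by two.  A global state is a consistent
cut: one position per process such that every joint event lies either
before all of its participants' positions or after all of them."""
from itertools import product

# Local state sequences transcribed from the slides; index k is the state
# after k events of that process.
P1_STATES = [("m0", 0), ("m1", 1), ("m0", 1), ("m1", 2), ("m0", 2)]      # (pc1, x)
P2_STATES = [("n0", 0, 0), ("n1", 0, 1), ("n0", 1, 1), ("n1", 1, 2)]    # (pc2, y, z)
# Joint events as {process: 1-based event index}: the ch!x / ch?z pairs are
# P1's 2nd and 4th events synchronising with P2's 1st and 3rd.
JOINT = [{0: 2, 1: 1}, {0: 4, 1: 3}]
HISTORIES = [P1_STATES, P2_STATES]
# Linearizations as the set of processes that move at each step.
LIN1 = [{0}, {0, 1}, {0}, {1}, {0, 1}]   # m0, m1/n0, m0, n1, m1/n0
LIN2 = [{0}, {0, 1}, {1}, {0}, {0, 1}]   # m0, m1/n0, n1, m0, m1/n0


def consistent(cut, joint_events):
    """A cut (tuple of per-process positions) is consistent iff no joint
    event is half included: for each event, all participants are past it
    or none of them is."""
    for ev in joint_events:
        past = {cut[p] >= k for p, k in ev.items()}
        if len(past) > 1:
            return False
    return True


def global_states(histories, joint_events):
    """All consistent cuts of the partial order, mapped to global states."""
    positions = product(*[range(len(h)) for h in histories])
    cuts = [c for c in positions if consistent(c, joint_events)]
    return {c: tuple(h[i] for h, i in zip(histories, c)) for c in cuts}


def linearization_states(histories, joint_events, order):
    """Global states seen along one interleaving.  order lists, per step,
    the set of processes that move; each step must keep the cut consistent
    (a process cannot take its half of a joint event alone)."""
    cut = tuple(0 for _ in histories)
    seen = [tuple(h[0] for h in histories)]
    for movers in order:
        cut = tuple(i + (p in movers) for p, i in enumerate(cut))
        if any(i >= len(h) for h, i in zip(histories, cut)):
            raise ValueError(f"step {movers} runs past the end of a history")
        if not consistent(cut, joint_events):
            raise ValueError(f"step {movers} leaves an inconsistent cut {cut}")
        seen.append(tuple(h[i] for h, i in zip(histories, cut)))
    return seen


if __name__ == "__main__":
    states = global_states(HISTORIES, JOINT)
    print(len(states), "global states:")
    for cut, s in sorted(states.items()):
        print(" ", cut, s)
    for name, lin in (("linearization 1", LIN1), ("linearization 2", LIN2)):
        print(name, linearization_states(HISTORIES, JOINT, lin))
```

The partial order has seven global states; each linearization visits six of them, and only their union covers all seven (the states with pc1=m0,x=1,pc2=n0,y=1,z=1 and pc1=m1,x=2,pc2=n1,y=0,z=1 are each seen by exactly one of the two orders).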

• Bank example with a second deposit: branch 1 receives deposits of \$2M and \$0.1M, in either order (\$1M -> \$3M -> \$3.1M or \$1M -> \$1.1M -> \$3.1M); branch 2 goes \$1M -robbery-> \$0M.
Partial order execution 1
• Branch 1: \$1M -deposit-> \$3M -deposit-> \$3.1M.
• Branch 2: \$1M -robbery-> \$0M.

Partial order execution 2
• Branch 1: \$1M -deposit-> \$1.1M -deposit-> \$3.1M.
• Branch 2: \$1M -robbery-> \$0M.

Traces
• An equivalence relation among sequences, defined using some symmetric and irreflexive independence relation I ⊆ Σ×Σ: two sequences are equivalent if one is obtained from the other by repeatedly swapping adjacent independent actions.
• Suppose that aIb and aIc (but not bIc). Then [abac] = {baac, abac, aabc, baca, abca, bcaa}.
• Snapshots of the execution [abac] are the states after [a], [b], [ab], [aa], [bc], [aab], [abc].
• Note that the state after trace-equivalent sequences, e.g., aab, aba, baa, is the same, so we can talk about the state after a trace. When clear, we also write a trace instead of the corresponding state at the end of it.
Extended LTL with snapshots: the logic SLTL
• Basic syntax as LTL.
• In addition, the “snapshot” operator [p], where p is a conjunction of positive and negative atomic propositions.
• Semantics of the new operator, for a word split into past u and future v: (u, v) ⊨ [p] iff there exist finite sequences u1, u2 such that [u] = [u1 u2] and (u1, u2 v) ⊨ p, i.e., p holds in some global state subsumed by the current one.
How to monitor executions and find snapshots?
• A deterministic automaton that keeps all the global states that are subsumed on the way.
Automaton for prefixes of [aabc]
• Nodes are sets of pairs <s, A> (s a subsumed state, A the actions executed after it); edges are labelled with the action read. The node depends only on the trace reached, not on the interleaving (reading ab and ba leads to the same node), so the nodes are listed by trace:
• []: <[], ∅>
• a: <[a], ∅>, <[], {a}>
• b: <[b], ∅>, <[], {b}>
• aa: <[aa], ∅>, <[a], {a}>, <[], {a}>
• ab: <[ab], ∅>, <[b], {a}>, <[a], {b}>, <[], {a,b}>
• bc: <[bc], ∅>, <[b], {c}>, <[], {b,c}>
• aab: <[aab], ∅>, <[ab], {a}>, <[b], {a}>, <[aa], {b}>, <[a], {a,b}>, <[], {a,b}>
• abc: <[abc], ∅>, <[ab], {c}>, <[bc], {a}>, <[b], {a,c}>, <[a], {b,c}>, <[], {a,b,c}>
• aabc: <[aabc], ∅>, <[abc], {a}>, <[aab], {c}>, <[bc], {a}>, <[ab], {a,c}>, <[b], {a,c}>, <[aa], {b,c}>, <[a], {a,b,c}>, <[], {a,b,c}>
• Edges: [] -a-> [a], [] -b-> [b], [a] -a-> [aa], [a] -b-> [ab], [b] -a-> [ab], [b] -c-> [bc], [aa] -b-> [aab], [ab] -a-> [aab], [ab] -c-> [abc], [bc] -a-> [abc], [aab] -c-> [aabc], [abc] -a-> [aabc].
How to construct this automaton?
• Each node consists of a set of pairs<s,A>, where s is a (subsumed) state and A is a subset of actions.
• It denotes that s is a subsumed state, and it takes the actions A (with possible repetition) in some order to reach the current state.

• Picture: if the current state t is reached from s by the actions in A, and b is independent of all of them, the square commutes: executing b from s and from t gives b(s) and b(t), and b(t) is reached from b(s) by the same actions A. So <b(s), A> is a subsumed state of b(t).
How to update nodes?
• A transition X -b-> Y of the automaton maps each pair <s, A> of node X to pairs of node Y as follows:
• If <s,A> is in node X, then <s, A ∪ {b}> is in Y.
• If <s,A> is in node X and b is independent of all of A, then <b(s), A> is in Y.
• Size: 2^|S| × 2^|Σ|.
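To make the trace definition and the node-update rule concrete, here is an added Python implementation (not the authors' code) of the deterministic monitor: nodes are sets of pairs <s, A>, updated by exactly the two rules above, and a brute-force trace-class computation (swapping adjacent independent actions) cross-checks that the states in the final node are the snapshots defined on the Traces slide. Assumptions of this example: an action carries the set of processes it touches and a state transformer; independence is disjointness of those sets; a global state has one component per process, so a trace is represented canonically by its per-process projections. The letters a, b, c (a I b, a I c, b D c) and the two bank actions are constructed to match the slides; all function and variable names are this example's own.

```python
"""Snapshot monitor for an interleaved execution (added example, not the
authors' code).  Assumed model: an action names the processes it touches
(proc) and transforms the global state (effect); two actions are
independent iff their proc sets are disjoint; a global state is a tuple
with one component per process, so trace-equivalent words reach equal
states."""
from collections import namedtuple

Action = namedtuple("Action", "name proc effect")


def independent(x, y):
    """Independence relation I: actions on disjoint process sets commute."""
    return not (x.proc & y.proc)


def monitor_step(node, b):
    """One move of the deterministic monitor on reading action b.

    node: frozenset of pairs (s, A); s is a subsumed global state and A the
    set of actions (repetitions collapsed) executed after s.
      <s, A> -> <s, A u {b}>                    b happened after s
      <s, A> -> <b(s), A>   if b I a for all a in A: b commutes before A
    """
    nxt = set()
    for s, A in node:
        nxt.add((s, A | frozenset([b])))
        if all(independent(b, a) for a in A):
            nxt.add((b.effect(s), A))
    return frozenset(nxt)


def run_monitor(initial, execution):
    """Nodes visited along the interleaving, starting from <initial, {}>."""
    node = frozenset([(initial, frozenset())])
    nodes = [node]
    for b in execution:
        node = monitor_step(node, b)
        nodes.append(node)
    return nodes


def node_pairs(node):
    """Readable form of a node: {(state, frozenset of action names)}."""
    return {(s, frozenset(a.name for a in A)) for s, A in node}


def subsumed_states(initial, execution):
    """All snapshots of the execution: the states in the final node."""
    return {s for s, _ in run_monitor(initial, execution)[-1]}


def trace_class(execution):
    """Brute-force [w]: close w under swapping adjacent independent actions."""
    w0 = tuple(execution)
    seen, todo = {w0}, [w0]
    while todo:
        w = todo.pop()
        for i in range(len(w) - 1):
            if independent(w[i], w[i + 1]):
                v = w[:i] + (w[i + 1], w[i]) + w[i + 2:]
                if v not in seen:
                    seen.add(v)
                    todo.append(v)
    return seen


def prefix_states(initial, execution):
    """Slide definition of snapshots: states after every prefix of every
    word in [execution].  Used only to cross-check the monitor."""
    states = set()
    for w in trace_class(execution):
        s = initial
        states.add(s)
        for b in w:
            s = b.effect(s)
            states.add(s)
    return states


def letter(name, procs):
    """Abstract letter: its effect appends it to the projection of each
    process it touches, which is a canonical representation of a trace."""
    procs = frozenset(procs)

    def effect(s):
        return tuple(p + (name,) if i in procs else p for i, p in enumerate(s))
    return Action(name, procs, effect)


# Constructed to match the slides: a I b, a I c, b D c (b and c share process 1).
a, b, c = letter("a", {0}), letter("b", {1}), letter("c", {1})
EMPTY2 = ((), ())   # projections of the empty trace on two processes

# Bank example, balances in $M: branch 0 receives the deposit, branch 1 is robbed.
deposit = Action("deposit", frozenset({0}), lambda s: (s[0] + 2, s[1]))
robbery = Action("robbery", frozenset({1}), lambda s: (s[0], 0))
BANK0 = (1, 1)

if __name__ == "__main__":
    for n, node in zip(["", "a", "aa", "aab", "aabc"], run_monitor(EMPTY2, [a, a, b, c])):
        print(f"after {n!r}:", sorted(node_pairs(node), key=str))
    # The interleaving robbery;deposit never passes through ($3M,$1M), yet
    # that "Invest!" state is a snapshot of the execution:
    print(subsumed_states(BANK0, [robbery, deposit]))
```

Running the module prints the nodes for the prefixes of aabc and then the set {(1,1), (1,0), (3,1), (3,0)} for the interleaving robbery;deposit: the state (\$3M, \$1M) is subsumed although the monitored order never passed through it, which is exactly the verdict problem of the bank slides.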

We make a restriction:
• Each process Pi will have its own set of propositions, related to the local states of Pi.
• We can write in […] only a conjunction of local properties.
Idea 1: grow a subset of processes whose part of the state satisfies the conjunction.
• Case 1: execution of a joint action kills the existing subset.
• Case 2: execution of a joint action extends the existing subset.
• Case 3: execution of a joint action maintains the existing subset.

Can be formulated as follows:
• “Freeze sets” – subsets of processes satisfying their portion of the property.
• proc(a) – the set of processes that participate in action a.
• addproc(s, a) – when executing action a from state s, the processes in proc(a) whose new local states satisfy the local propositions that we check.
• Extension: Let F1 ⊆ addproc(s,a) and let F2 be an existing subset such that F2 ∩ proc(a) = ∅. Then extend F1 into F1 ∪ F2.
• Propagation: An existing subset F such that proc(a) ∩ F = ∅ is maintained.
How to store efficiently?
• The family T of freeze sets is closed under union and intersection.
• It suffices to store a basis B of T: the freeze sets that are not unions of other freeze sets.
• In this case, the size of the basis is not larger than the number of elements (processes).
• Update of the basis is polynomial.
How to perform model checking?
• Construct the automaton A¬φ for the negated property as usual. Construct an automaton for each conjunction that appears inside the [...] operator, to run in parallel with it.
• Binary search is still polynomial in the number of processes and the size of the formula!
Conclusions
• Added the capability of partial-order snapshots to LTL specifications.
• Freeze-set construction for detecting global states that are subsumed during execution.
• Model checking has basically the same complexity as for normal LTL!