On reducing the global state graph for verification of distributed computations
This presentation is the property of its rightful owner.
Sponsored Links
1 / 26

On Reducing the Global State Graph for Verification of Distributed Computations PowerPoint PPT Presentation


  • 79 Views
  • Uploaded on
  • Presentation posted in: General

On Reducing the Global State Graph for Verification of Distributed Computations. Vijay K. Garg, Arindam Chakraborty Parallel and Distributed Systems Laboratory The University of Texas at Austin. Roadmap. Motivation Background: Lattice Theory Interval Clocks and Congruences

Download Presentation

On Reducing the Global State Graph for Verification of Distributed Computations

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


On reducing the global state graph for verification of distributed computations

On Reducing the Global State Graph for Verification ofDistributed Computations

Vijay K. Garg, Arindam Chakraborty

Parallel and Distributed Systems Laboratory

The University of Texas at Austin


Roadmap

Roadmap

  • Motivation

  • Background: Lattice Theory

  • Interval Clocks and Congruences

  • Detecting CTL-X predicates

  • Optimal Congruence construction

  • Conclusion


Motivation reliable systems

Motivation: Reliable Systems

  • Concurrent systems are prone to errors.

    • Concurrency, nondeterminism, process and channel failures

      Techniques to ensure correctness

  • Model Checking and Formal Verification

    • Exponential complexity

  • Testing and Debugging


Trace total order vs partial order

Trace: Total Order vs Partial Order

  • Total order: interleaving of events in a trace

  • Partial order: Lamport’s happened-before model

Successful Trace

¬CS1

¬CS2

CS1

CS2

Specification:

CS1 ΛCS2

f1

f2

e2

e1

Partial Order Trace

Faulty Trace

¬ CS1

CS1

P1

e1

e2

¬CS1

CS2

CS1

¬CS2

¬CS2

CS2

P2

f1

e2

f2

e1

f2

f1


Global state graph of a trace

Global State Graph of a Trace

{e2, e1, f2, f1, ┴

e1

e2

P1

{e2, e1, f1, ┴}

{e1, f2, f1, ┴}

{e2, e1, ┴}

{e1, f1, ┴}

T

P2

{f1, ┴}

{e1, ┴}

f1

f2

{┴}

G is a (consistent) global state:

(f in G) and (e happened before f)

implies (e in G)


Problem statement

Problem Statement

  • Given

    • a partially ordered trace

    • a temporal logic formula

  • Determine:

    • if the formula is true in the graph of the global states of the trace

  • Examples:

    • EF:CS(1) /\ CS(2)

    • AG:(request(i) => AF:lock(i))


The main difficulty in partial order

The Main Difficulty in Partial Order

{e2, e1, f2, f1, ┴

e1

e2

P1

{e2, e1, f1, ┴}

{e1, f2, f1, ┴}

{e2, e1, ┴}

{e1, f1, ┴}

T

P2

{f1, ┴}

{e1, ┴}

f1

f2

{┴}

Too many global states : The graph may contain as many as O(kn) global states

  • k: maximum number of events on a process

  • n: number of processes


Reducing the global state graph

Reducing the Global State Graph

  • Idea: Reduce the global state graph w.r.t the formula that needs to be verified

  • Example: [Alagar, Venkatesan 01]

    • To detect a formula of the form EF:B it is sufficient to track only those variables that affect B

      B: non-temporal formula (e.g. x > y)

  • This paper:

    • How do we extend this result to CTL-X ?


Temporal logic predicates ctl

final cut

final cut

final cut

final cut

H

H

H

H

H satisfies EF(p)

H satisfies AF(p)

H satisfies EG(p)

H satisfies AG(p)

p holds

p does not hold

Temporal Logic Predicates (CTL)

E: some path A: all paths F: eventually G: always

simple predicates:EF(p), AF(p), EG(p), AG(p)

nested predicates: AG(p => AF(q))


Temporal logic ctl x

Temporal Logic CTL-X

  • CTL Operators: EF, AF, EG, AG, EU, AU and X.

  • X (next-time) is not preserved by state reductions, hence focus on CTL without X

  • Example:, ”once a process requests a lock then it eventually gets the lock”, can be expressed as

  • EG, AG and AU can be expressed in terms of EF, AF and EU

  • Allows specification of path properties


Preserving path properties

Preserving path properties

AF:Φ holds in the original graph but not the reduced graph


Our approach

Our Approach

  • Uses the fact that global state graph is a lattice

  • Put constraints on the global states that can be merged so that path properties preserved

  • Key result

    • If the global states are combined using lattice congruences then path properties are preserved


Distributive lattice

final global state = {a, b, c, d, ┴}

G={a, b, c, ┴}

{a, c, d, ┴}

{a, c, ┴}

{a, b, ┴}

{a, ┴}

{c, ┴}

initial global state = {┴}

Distributive Lattice

The set of global states forms a distributive lattice

  • closed under meet and join (union, intersection)

  • meet distributes over join

a

b

Τ

c

d

G


Congruences

Congruences

  • An equivalence relation is a lattice congruence if it preserves meets and joins


Interval clocks

Interval Clocks

  • Interval: a maximal sequence of consecutive events on a process such that Φ stays same


Global intervals

Global Intervals

  • Consistency of intervals

  • Global Interval

  • Consistent global interval

  • Global Interval Lattice


State space reduction

State Space Reduction


Intervals and congruences

Intervals and Congruences

  • Theorem [Alagar, Venkatesan 01]: There exists a global interval at which a predicate Φ is true if and only if there exists a global state at which Φ is true

  • Hence interval clocks can be used to detect EF:B

  • Result [this paper]: The global interval lattice formed by interval clocks is a reduced lattice modulo a congruence relation.


Detecting temporal formulae with intervals

Detecting Temporal Formulae with Intervals

  • B : any non-temporal formula.

  • θ : any lattice congruence that refines the equivalence class induced by B.

  • Theorem: AF:B holds in a lattice L iff AF:B holds in L/θ

  • Key Lemma [Equivalence of Paths]: For any path in L, there exists an “equivalent” path in L/θ and vice-versa.

  • Theorem: E:B1 U B2 holds in a lattice L iff E:B1 U B2 holds in L/θ.

    (Note: EG, AG and AU can be expressed in terms of AF, EF and EU)


Optimal congruence

Optimal Congruence

  • Using interval clocks,

    • an online algorithm for state space reduction

    • Intervals can be computed locally by each process

    • A process reports only the relevant events to the monitor process

  • Disadvantage:

    • Does not give the optimal congruence since each process decides locally

  • Centralized Model:

    • each process reports every event to the monitor.

    • The monitor process has information from every process

    • compute exactly which global states need to be added


Optimal congruence1

Optimal Congruence

  • Principal Congruence: Given two elements a, b in L, the smallest congruence that puts a and b in the same congruence class is called the principal congruence of a and b, denoted

  • Theorem: Given a lattice L and an equivalence relation E on L, the largest congruence that is contained in E is given by:

  • x in J(L) if there exists an event e such that x is the least global state that contains e, x* = x – {e}.


Algorithm

Algorithm


Conclusions

Conclusions

  • using congruences for the state space explosion problem

    • Induce equivalence on the global state graph by the value of the properties evaluated at each state

    • find the largest congruence that is contained in this equivalence relation

  • Extended property verification using reduced lattices to CTL−X

  • An algorithm to compute the optimal congruence


On reducing the global state graph for verification of distributed computations

Q & A

and thanks!


Nested temporal formulae

Nested Temporal Formulae

  • Handle nested temporal formulae using the recursive sub-formulae evaluation technique of model checking

  • Say we want to verify

  • Interval Clocks will be based on non-temporal predicates p, r

  • Model checking algorithms evaluate nested temporal formulae on the global state graph by recursively evaluating all sub-formulae. Given the global interval graph G and the formula Φ, model checking algorithms will return the set of all states which satisfy Φ(say [Φ]).

  • We modify model checking so that along with returning [Φ], it also simultaneously labels each state s on the graph by whether Φ is true at s or not.


Algorithm1

Algorithm

  • Find the set S of all sub-formulae without temporal operators, from the set of properties to be verified on the computation

  • Create the global interval lattice L from the computation by using interval clocks with respect to the set S

  • Run model checking algorithm on L with the modification that states are labeled in each step as described earlier. Nested temporal formulae, due to state labeling of sub-formulae, can be treated as simple unnested temporal formulae.


  • Login