Loading in 5 sec....

Priority Scheduling of Distributed Systems based on Model CheckingPowerPoint Presentation

Priority Scheduling of Distributed Systems based on Model Checking

- By
**zayit** - Follow User

- 107 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Priority Scheduling of Distributed Systems based on Model Checking' - zayit

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Priority Scheduling of Distributed Systems based on Model Checking

Ananda Basu,

Saddek Bensalem,

Doron Peled,

Joseph Sifakis

3 trains: TGV, regular, freight Checking’ compete on entering station.Concurrent systems with priorities!

Transition system with priorities Checking

- We are given a transition system, e.g., a Petri Net.
- Priorities: a partial order between the transitions.
- At each global state, we can execute a transition that has a maximal priority among enabled transitions.

p Checking2

p1

t2

t1

p7

p4

p3

t3

t4

p5

p6

A (safe) Petri NetA state is a set of places, e.g., {p1, p2, p3}.

Can be written as p1 /\ p2 /\ ¬ p3 /\ ¬ p4 /\ ¬ p5 /\ ¬ p6 /\ p7.

A (safe) Petri Net with priorities. Partial order between transitions.

p2

p1

t2

t1

p4

p3

t3

t4

p5

p6

t1<<t4, t2<<t3

A (safe) Petri Net with priorities. Partial order between transitions.

p2

p1

t2

t1

p4

p3

t3

t4

p5

p6

t1<<t4, t2<<t3

A (safe) Petri Net with priorities. Partial order between transitions.

p2

p1

t2

t1

p4

p3

t3

t4

p5

p6

t1<<t4, t2<<t3

Problem: how to guarantee execution according to priorities? transitions.

- Execute only maximally enabled transitions.
- Make a distributed (local) decision.
- Is it even possible?
- Can we check when it is possible?
- What if we cannot make the distributed decision?

So, what can we do? transitions.

- Main question: what do we know in each local state?
- Use logic of knowledge to state (and check) if a process knows that its enabled transition has maximal priority.
- Transform the program to act based on the knowledge.
- There are variations of knowledge; price of transformation is accordingly.

Some definitions transitions.

p2

p1

- A process is a set oftransitions.The processes cover all the transitions (there can be additional constraints).
- The neighborhoodof a process is the set of all input and output places of it.

t2

t1

p7

p4

p3

t3

t4

p5

p6

The local information of a process in a state, is the state limited to the neighborhood of the process. E.g., for the left process, in { p1, p2, p7}, it is {p1,p7}. (=“local state”).

p transitions.2

p1

t2

t1

p7

p4

p3

t3

t4

p5

p6

We are ready to define “knowledge”- Given my “local information” as a process, I know everything that is consistent with it.
- Easy to calculate what a process knows.
- That is: I know of any property that holds in all global states with the same “local information”.
- This is a standard definitions (e.g., [FMHV].
- Later: “knowledge with perfect recall”.

When left process is given that p1 /\ p7, it knows that p4.

Calculating what a process knows given some local information

- Can write a formula that represents “all reachable states”: reach.
- Can write a formula that represents “a given local information x”: x.
- Intersect the above two formulas, and obtain “the states given some local information”:reach /\x.
- We know, when x, whatever is implied from this intersection (reach /\x ) .
- The standard notation is K and we can embed this within temporal logic.

What is known, during execution can be model checked: information

1Each process knows which of its enabled transition have maximal priorities.

2Each process knows about at least one of its enabled transitions to have a maximal priority.

3In each non-deadlock state, at least one process knows about at least one enabled maximal priority transition.

The informationsupporting process policy

- A transition can belong to multiple processes (e.g., communication).
- If enabled, andat least one process knows of it having maximal priority,then it can fire.
- Equivalently in control theory:we are seeking a distributed disjunctive controller with limited observability (in general: undecideable).
- Build for each process a “support table”: for each local information, which transition, if any, is supported.

What is known, during execution can be model checked: information

1Each process knows which of its enabled transition have maximal priorities. Preserves transition fairness/justice.

2Each process knows about at least one of its enabled transitions to have a maximal priority. Preserves process fairness/justice.

3In each non-deadlock state, at least one process knows about at least one enabled maximal priority transition. Does not introduce deadlocks.

Some important points: information

- The knowledge is calculated based on the states of the original (priorityless) program.
- Then transitions are being controlled, which generates a different program.
- The transformation adds conditions to the enabledness conditions, based on the support table.
- What is known about the original program remains known in the transformed program, since the reachable states can only reduce!

And what if neither of these invariants hold? information

- May combine processes. The “knowledge of several processes” is bigger than of single processes.
- Compromise, and allow transitions that are not maximal, to complete support table, such that in any reachable state, at least one transition is enabled. Experimentally measure how far is a compromised execution from a perfectly prioritized one.
- Can calculate ”knowledge of perfect recall”.

t information3<<t5<<t4<<t7

Motivation: given local information {p3} for left process:

t3 is enabled, can it be fired?

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11

t information3<<t5<<t4<<t7

Motivation: when t3 is enabled, can it be fired?

Now it has a maximal priority.

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11

t information3<<t5<<t4<<t7

Motivation: when t3 is enabled, can it be fired?

Continuing the execution…

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11

t information3<<t5<<t4<<t7

Motivation: when t3 is enabled, can it be fired?

Continuing the execution…

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11

t information3<<t5<<t4<<t7

Motivation: when t3 is enabled, can it be fired?

Continuing the execution…

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11

t information3<<t5<<t4<<t7

Motivation: when t3 is enabled, can it be fired?

Same local information as before for left process: {p3}.

Now t5 has maximal priority!

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11

t information3<<t5<<t4<<t7

Based on this, the left process does not know if t3 has the highest priority. But if we remember how many times t1 fired, we can distinguish between these two cases!

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11

Knowledge of perfect recall information

- Knowledge is based on the history that a process can sense, up to any point in its computation.
- A process can sense changes in its neighborhood, including changes to the neighborhood by other processes.
- This way we can distinguish between two local states (local informations) with different histories. So, we know more!
- But don’t we need infinite amount of information?

Knowledge of perfect recall: finite information. information

- Ron Van der Meiden has shown that finite amount of information is sufficient.
- Given some history of computation, the rest of the system can be in a finite number of states consistent with it.
- If a process makes a single transition, or some process changes the neighborhood, the system can be in any global state that is obtained by making that transition, plus any sequence of transitions that do not change the neighborhood.
- For the transformation, we can keep the information as an automaton. This can become a gigantic automaton: with each change to the neighborhood, we move to a state that represent a set of global states of the system.

Conclusions information

- We can employ model checking to implement priorities in a distributed way.
- We use logic of knowledge, and model checking of knowledge.
- Program transformation uses model checking to control the system.
- Solves a distributed controllability with limited observability problem.
- Does not provide a perfect solution (not always the least constrained solution)!
- Tradeoff in using logic of perfect recall.
- Apply various compromises when knowledge is not enough.
- Practical: Verimag’s BIP system.

Download Presentation

Connecting to Server..