Priority scheduling of distributed systems based on model checking
This presentation is the property of its rightful owner.
Sponsored Links
1 / 31

Priority Scheduling of Distributed Systems based on Model Checking PowerPoint PPT Presentation


  • 65 Views
  • Uploaded on
  • Presentation posted in: General

Priority Scheduling of Distributed Systems based on Model Checking. Ananda Basu, Saddek Bensalem, Doron Peled , Joseph Sifakis. 3 trains: TGV, regular, freight ’ compete on entering station. Concurrent systems with priorities!. Transition system with priorities.

Download Presentation

Priority Scheduling of Distributed Systems based on Model Checking

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Priority scheduling of distributed systems based on model checking

Priority Scheduling of Distributed Systems based on Model Checking

Ananda Basu,

Saddek Bensalem,

Doron Peled,

Joseph Sifakis


3 trains tgv regular freight compete on entering station concurrent systems with priorities

3 trains: TGV, regular, freight’ compete on entering station.Concurrent systems with priorities!


Transition system with priorities

Transition system with priorities

  • We are given a transition system, e.g., a Petri Net.

  • Priorities: a partial order between the transitions.

  • At each global state, we can execute a transition that has a maximal priority among enabled transitions.


A safe petri net

p2

p1

t2

t1

p7

p4

p3

t3

t4

p5

p6

A (safe) Petri Net

A state is a set of places, e.g., {p1, p2, p3}.

Can be written as p1 /\ p2 /\ ¬ p3 /\ ¬ p4 /\ ¬ p5 /\ ¬ p6 /\ p7.


A safe petri net1

A (safe) Petri Net

p2

p1

t2

t1

p7

p4

p3

t3

t4

p5

p6


A safe petri net2

A (safe) Petri Net

p2

p1

p7 is a

“semaphore”!

t2

t1

p7

p4

p3

t3

t4

p5

p6


A safe petri net3

A (safe) Petri Net

p2

p1

t2

t1

p7

p4

p3

t3

t4

p5

p6


A safe petri net4

A (safe) Petri Net

p2

p1

t2

t1

p7

p4

p3

t3

t4

p5

p6


A safe petri net with priorities partial order between transitions

A (safe) Petri Net with priorities. Partial order between transitions.

p2

p1

t2

t1

p4

p3

t3

t4

p5

p6

t1<<t4, t2<<t3


A safe petri net with priorities partial order between transitions1

A (safe) Petri Net with priorities. Partial order between transitions.

p2

p1

t2

t1

p4

p3

t3

t4

p5

p6

t1<<t4, t2<<t3


A safe petri net with priorities partial order between transitions2

A (safe) Petri Net with priorities. Partial order between transitions.

p2

p1

t2

t1

p4

p3

t3

t4

p5

p6

t1<<t4, t2<<t3


Problem how to guarantee execution according to priorities

Problem: how to guarantee execution according to priorities?

  • Execute only maximally enabled transitions.

  • Make a distributed (local) decision.

  • Is it even possible?

  • Can we check when it is possible?

  • What if we cannot make the distributed decision?


So what can we do

So, what can we do?

  • Main question: what do we know in each local state?

  • Use logic of knowledge to state (and check) if a process knows that its enabled transition has maximal priority.

  • Transform the program to act based on the knowledge.

  • There are variations of knowledge; price of transformation is accordingly.


Some definitions

Some definitions

p2

p1

  • A process is a set oftransitions.The processes cover all the transitions (there can be additional constraints).

  • The neighborhoodof a process is the set of all input and output places of it.

t2

t1

p7

p4

p3

t3

t4

p5

p6

The local information of a process in a state, is the state limited to the neighborhood of the process. E.g., for the left process, in { p1, p2, p7}, it is {p1,p7}. (=“local state”).


We are ready to define knowledge

p2

p1

t2

t1

p7

p4

p3

t3

t4

p5

p6

We are ready to define “knowledge”

  • Given my “local information” as a process, I know everything that is consistent with it.

  • Easy to calculate what a process knows.

  • That is: I know of any property that holds in all global states with the same “local information”.

  • This is a standard definitions (e.g., [FMHV].

  • Later: “knowledge with perfect recall”.

When left process is given that p1 /\ p7, it knows that p4.


Calculating what a process knows given some local information

Calculating what a process knows given some local information

  • Can write a formula that represents “all reachable states”: reach.

  • Can write a formula that represents “a given local information x”: x.

  • Intersect the above two formulas, and obtain “the states given some local information”:reach /\x.

  • We know, when x, whatever is implied from this intersection (reach /\x )  .

  • The standard notation is K and we can embed this within temporal logic.


What is known during execution can be model checked

What is known, during execution can be model checked:

1Each process knows which of its enabled transition have maximal priorities.

2Each process knows about at least one of its enabled transitions to have a maximal priority.

3In each non-deadlock state, at least one process knows about at least one enabled maximal priority transition.


The supporting process policy

The supporting process policy

  • A transition can belong to multiple processes (e.g., communication).

  • If enabled, andat least one process knows of it having maximal priority,then it can fire.

  • Equivalently in control theory:we are seeking a distributed disjunctive controller with limited observability (in general: undecideable).

  • Build for each process a “support table”: for each local information, which transition, if any, is supported.


What is known during execution can be model checked1

What is known, during execution can be model checked:

1Each process knows which of its enabled transition have maximal priorities. Preserves transition fairness/justice.

2Each process knows about at least one of its enabled transitions to have a maximal priority. Preserves process fairness/justice.

3In each non-deadlock state, at least one process knows about at least one enabled maximal priority transition. Does not introduce deadlocks.


Some important points

Some important points:

  • The knowledge is calculated based on the states of the original (priorityless) program.

  • Then transitions are being controlled, which generates a different program.

  • The transformation adds conditions to the enabledness conditions, based on the support table.

  • What is known about the original program remains known in the transformed program, since the reachable states can only reduce!


And what if neither of these invariants hold

And what if neither of these invariants hold?

  • May combine processes. The “knowledge of several processes” is bigger than of single processes.

  • Compromise, and allow transitions that are not maximal, to complete support table, such that in any reachable state, at least one transition is enabled. Experimentally measure how far is a compromised execution from a perfectly prioritized one.

  • Can calculate ”knowledge of perfect recall”.


T 3 t 5 t 4 t 7

t3<<t5<<t4<<t7

Motivation: given local information {p3} for left process:

t3 is enabled, can it be fired?

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11


T 3 t 5 t 4 t 71

t3<<t5<<t4<<t7

Motivation: when t3 is enabled, can it be fired?

Now it has a maximal priority.

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11


T 3 t 5 t 4 t 72

t3<<t5<<t4<<t7

Motivation: when t3 is enabled, can it be fired?

Continuing the execution…

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11


T 3 t 5 t 4 t 73

t3<<t5<<t4<<t7

Motivation: when t3 is enabled, can it be fired?

Continuing the execution…

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11


T 3 t 5 t 4 t 74

t3<<t5<<t4<<t7

Motivation: when t3 is enabled, can it be fired?

Continuing the execution…

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11


T 3 t 5 t 4 t 75

t3<<t5<<t4<<t7

Motivation: when t3 is enabled, can it be fired?

Same local information as before for left process: {p3}.

Now t5 has maximal priority!

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11


T 3 t 5 t 4 t 76

t3<<t5<<t4<<t7

Based on this, the left process does not know if t3 has the highest priority. But if we remember how many times t1 fired, we can distinguish between these two cases!

p2

p1

t2

t1

p8

p7

p4

p3

t3

t4

t5

p5

p6

p9

t6

p10

t7

p11


Knowledge of perfect recall

Knowledge of perfect recall

  • Knowledge is based on the history that a process can sense, up to any point in its computation.

  • A process can sense changes in its neighborhood, including changes to the neighborhood by other processes.

  • This way we can distinguish between two local states (local informations) with different histories. So, we know more!

  • But don’t we need infinite amount of information?


Knowledge of perfect recall finite information

Knowledge of perfect recall: finite information.

  • Ron Van der Meiden has shown that finite amount of information is sufficient.

  • Given some history of computation, the rest of the system can be in a finite number of states consistent with it.

  • If a process makes a single transition, or some process changes the neighborhood, the system can be in any global state that is obtained by making that transition, plus any sequence of transitions that do not change the neighborhood.

  • For the transformation, we can keep the information as an automaton. This can become a gigantic automaton: with each change to the neighborhood, we move to a state that represent a set of global states of the system.


Conclusions

Conclusions

  • We can employ model checking to implement priorities in a distributed way.

  • We use logic of knowledge, and model checking of knowledge.

  • Program transformation uses model checking to control the system.

  • Solves a distributed controllability with limited observability problem.

  • Does not provide a perfect solution (not always the least constrained solution)!

  • Tradeoff in using logic of perfect recall.

  • Apply various compromises when knowledge is not enough.

  • Practical: Verimag’s BIP system.


  • Login