Verifying Parameterized Networks (Clarke, Grumberg, Jha)

Post on 16-Jan-2016


DESCRIPTION

Verifying Parameterized Networks, Clarke, Grumberg, Jha. Presented by Adi Sosnovich, April 2012. Outline: Introduction; Verification of parameterized systems; Definitions; Labeled transition system; Network grammars; Specification language; Abstract LTS; Verification Method. PowerPoint PPT presentation.

TRANSCRIPT

Verifying parameterized Networks Clarke, Grumberg, Jha

Presented by Adi Sosnovich, April 2012

Outline

Introduction
  Verification of parameterized systems
Definitions
  Labeled transition system
  Network grammars
Specification language
Abstract LTS
Verification Method
Synchronous model of computation
Conclusion

Verification of parameterized systems

Given a temporal property and an infinite family of distributed systems composed of similar processes, check for all the finite models from .

In general the problem is undecidable. [Apt, Kozen 86]

For specific families, the problem may be solvable. Various cases may depend on:
  Communication topology of the family F
  Parallelism: synchronous, asynchronous
  Synchronization primitives
  Temporal properties: local, global

Verification of parameterized systems

Previous work:

Establishing a bisimulation relation between a 2-process token ring and an n-process token ring for any . Drawback: the bisimulation relation has to be constructed manually.

Finding network invariants: constructing an invariant s.t. for all , then using traditional model checking on the invariant process. Drawbacks: the invariant is explicitly provided by the user, and the approach can handle only networks with one repetitive component.

Verification of parameterized systems

Current work:

Works on context-free network grammars; the network is an infinite family of distributed systems composed of similar processes. Tries to generate the invariant automatically, based on the grammar’s structure. The invariant simulates all processes in the language of the grammar (all the finite models from the family).


Labeled Transition System (LTS)

An LTS is a structure where:
  - set of states
  - set of initial states
  - set of actions
  - total transition relation

Labeled Transition System (LTS): example

We define the process P by the following LTS:

[Figure: the LTS of P, with states nc and cs, a τ self-loop on each state, and the actions get-token and send-token between them]

Labeled Transition System (LTS): another example

We define the process Q by the following LTS:

[Figure: the LTS of Q, with the same states nc and cs and the same actions τ, send-token and get-token as P]

Labeled Transition System (LTS)

Composition function: given 2 LTSs and , has the form: . R’ depends on the exact semantics of the composition function.

Network grammars

Network: the set of all LTSs derived by a context-free network grammar.

Network grammar: defined over S (set of states) and ACT (set of actions).
  - set of terminals; each is an LTS defined over S and ACT, also referred to as a basic process.
  - set of nonterminals; each defines a network.
  - set of production rules of the form:
  - start symbol; represents the network generated by G.

Network grammars: example

, , where

The grammar produces rings with one process Q and at least 2 processes P. The network consists of LTSs that perform a simple mutual exclusion using a token ring algorithm.

Network grammars: example

S ⟹ Q∥A ⟹ Q∥P∥P

[Figure: the LTS of Q∥P∥P, with global states (cs,nc,nc), (nc,cs,nc) and (nc,nc,cs) connected by τ transitions]

Reachable states in LTS

has the form:
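The network grammar example above (S ⟹ Q∥A ⟹ Q∥P∥P) and the reachable states of the ring, worked as an added Python example; this is not code from the slides or from the paper. Since the slides leave R’ open, it assumes one concrete composition semantics: the processes are placed on a ring, send-token of one position synchronises with get-token of the next and the joint step is hidden as τ, and every global state has a τ self-loop. The LTS class, the names ring, derive, network_member and reachable, and the dictionary encoding of the grammar are this example's own choices.

```python
from collections import deque
from dataclasses import dataclass
from itertools import product

TAU = "tau"


@dataclass(frozen=True)
class LTS:
    """Labeled transition system: states, initial states, actions and a
    transition relation stored as (state, action, state') triples."""
    states: frozenset
    init: frozenset
    actions: frozenset
    trans: frozenset


def basic_process(initial):
    """The two-state token-ring process of the slides.  In nc it can get the
    token and enter cs; in cs it can send the token and return to nc; each
    state has a tau self-loop.  P starts in nc, Q starts in cs (it holds the
    token initially); the initial state is the only difference."""
    trans = {("nc", "get-token", "cs"), ("cs", "send-token", "nc"),
             ("nc", TAU, "nc"), ("cs", TAU, "cs")}
    return LTS(frozenset({"nc", "cs"}), frozenset({initial}),
               frozenset({"get-token", "send-token", TAU}), frozenset(trans))


P = basic_process("nc")
Q = basic_process("cs")


def ring(procs):
    """Assumed composition semantics (the slides leave R' open): processes sit
    on a ring, send-token of position i synchronises with get-token of
    position i+1 (mod n) and the joint step is hidden as tau; every global
    state also has a tau self-loop (all positions take their local tau)."""
    n = len(procs)
    states = set(product(*[p.states for p in procs]))
    init = set(product(*[p.init for p in procs]))
    trans = set()
    for s in states:
        trans.add((s, TAU, s))
        for i in range(n):
            j = (i + 1) % n
            sends = [b for (a, act, b) in procs[i].trans
                     if a == s[i] and act == "send-token"]
            gets = [d for (c, act, d) in procs[j].trans
                    if c == s[j] and act == "get-token"]
            for b in sends:
                for d in gets:
                    t = list(s)
                    t[i], t[j] = b, d
                    trans.add((s, TAU, tuple(t)))
    return LTS(frozenset(states), frozenset(init), frozenset({TAU}), frozenset(trans))


# The context-free network grammar of the example: S -> Q || A, A -> P || P,
# A -> P || A.  A derivation yields the sequence of basic processes placed
# around the ring, e.g. S => Q||A => Q||P||P.
GRAMMAR = {"S": [("Q", "A")], "A": [("P", "P"), ("P", "A")]}
TERMINALS = {"P": P, "Q": Q}


def derive(symbol, size):
    """Return a derivation of `symbol` into exactly `size` basic processes,
    as a list of terminal names, or [] if the grammar has none."""
    if symbol in TERMINALS:
        return [symbol] if size == 1 else []
    for left_sym, right_sym in GRAMMAR[symbol]:
        for k in range(1, size):
            left = derive(left_sym, k)
            right = derive(right_sym, size - k) if left else []
            if left and right:
                return left + right
    return []


def network_member(size):
    """The LTS of the network (language of the grammar) with `size` processes."""
    names = derive("S", size)
    if not names:
        raise ValueError(f"no ring of size {size} is derivable from S")
    return ring([TERMINALS[x] for x in names])


def reachable(m):
    """Breadth-first search for the reachable states of an LTS."""
    succ = {}
    for (s, _, t) in m.trans:
        succ.setdefault(s, []).append(t)
    seen, todo = set(m.init), deque(m.init)
    while todo:
        s = todo.popleft()
        for t in succ.get(s, []):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return frozenset(seen)


if __name__ == "__main__":
    m = network_member(3)
    print("derivation:", derive("S", 3))
    print("reachable:", sorted(reachable(m)))
```

Of the 8 global states of Q∥P∥P only the 3 of the figure are reachable, one per token holder, which is the mutual-exclusion behaviour the grammar's rings are meant to exhibit; for a ring of n processes the same exploration yields n reachable states.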


Specification Language

Goal: specify a network of LTSs composed of any number of components (basic processes).

How do we specify a property of a global state of a system consisting of many components? Such a state is an n-tuple, for some n. Typical properties:
  Some component is in state
  At least (at most) k components are in state
  (Some component in state ) (some component in state )

Such properties are conveniently expressed in terms of regular languages.

Specification Language

Global state: the word instead of the n-tuple .
Property: a regular language , the property .
Having the property: the state has the property iff .

Example property: specifies states in which exactly one process is in its critical section.

Specification Language

Defining atomic state properties: the regular language is specified by a deterministic automaton over : is the set of words accepted by . A state of an LTS is a tuple from , for some .

Example:

[Figure: the deterministic automaton D over {nc, cs} with states q0, q1, q2: nc self-loops on q0 and q1, cs edges from q0 to q1 and from q1 to q2, and a self-loop on q2 labeled nc,cs]

Automaton D with

Specification Language

Assume we have a network defined by a grammar on the tuple . The specification language is , with finite automata over as the atomic formulas.

Specification Language

Specification Language: example

L(D) = {nc}* cs {nc}*

[Figure: the LTS of P (states nc, cs) and the LTS of Q∥P∥P (states (cs,nc,nc), (nc,cs,nc), (nc,nc,cs)), shown alongside the property L(D)]

Specification Language: another example

expresses non-starvation for process Q.

Non-starvation is guaranteed only if some kind of fairness is assumed.

L(D′) = cs {nc}*

[Figure: the LTS of Q∥P∥P (states (cs,nc,nc), (nc,cs,nc), (nc,nc,cs)), shown alongside the property L(D′)]


Abstract LTS

Using abstraction in order to reduce the state space required for the verification of networks.

Requirements:
  There must be a simulation preorder ; an LTS is smaller by than its abstract LTS.
  Composing 2 abstract states will result in an abstraction of their composition.

State Equivalence

Goal: given an , define an equivalence relation over s.t. the equivalence classes are the states of the abstract LTS .

Requirements:
  1. Equivalent states both satisfy or both falsify each atomic formula.
  2. The equivalence is preserved under composition.

State Equivalence

First try:
  Satisfies the 1st requirement.
  Doesn’t satisfy the 2nd requirement.

Example of a composition in which the equivalence is not preserved: the LTS:

Explaining the example:
  because and
  because and
  because

We need a refined equivalence relation that will be preserved under composition.

State Equivalence

Refining the equivalence relation. Definition: given an automaton and a word , the function induced by on , is:

Example

D = [Figure: the automaton D over {nc, cs} with states q0, q1, q2, as above]

To find , we need to find for each .

Finding : (one slide per word, each tracing the word on the automaton D)

Conclusion:

State Equivalence

Refining the equivalence relation. Defining equivalence: is the abstraction of s, and is denoted by .

State Equivalence

The new equivalence relation satisfies both requirements. Proof:
  1.
  2.

Comment: we extend to abstract states s.t. , in order to interpret specifications on abstract LTSs.

State Equivalence: example

Considering the automaton over , induces functions for every . There are only 3 different functions, each identifying an equivalence class over .

[Figure: the automaton D over {nc, cs} with states q0, q1, q2, as above]
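Added Python example, not from the slides, covering two of the passages above: the specification language (a global state, read as a word, has a property iff the automaton accepts it, with D for "exactly one process in cs" and D′ for "Q is in cs") and the state-equivalence discussion (the first-try relation that only compares acceptance is not preserved under composition, while the relation induced by f_w is, and D yields exactly 3 induced functions). The state names r0..r2 of D′, all function names, and the representation of f_w as a tuple of images are this example's own assumptions; composition of global states is modelled as concatenation of words.

```python
from itertools import product

# Deterministic automaton D over {nc, cs} from the slides, L(D) = nc* cs nc*:
# it accepts the global states in which exactly one process is in cs.
D = {"states": ("q0", "q1", "q2"), "init": "q0", "accept": {"q1"},
     "delta": {("q0", "nc"): "q0", ("q0", "cs"): "q1",
               ("q1", "nc"): "q1", ("q1", "cs"): "q2",
               ("q2", "nc"): "q2", ("q2", "cs"): "q2"}}

# D' with L(D') = cs nc*: the first component (process Q) is in cs.  The
# state names r0..r2 are chosen here; the slides do not name them.
D_PRIME = {"states": ("r0", "r1", "r2"), "init": "r0", "accept": {"r1"},
           "delta": {("r0", "cs"): "r1", ("r0", "nc"): "r2",
                     ("r1", "nc"): "r1", ("r1", "cs"): "r2",
                     ("r2", "nc"): "r2", ("r2", "cs"): "r2"}}


def run(aut, q, word):
    """Drive the automaton from state q over the word (a tuple of local states)."""
    for a in word:
        q = aut["delta"][(q, a)]
    return q


def holds(aut, state):
    """A global state, read as a word, has the property iff it is in L(aut)."""
    return run(aut, aut["init"], state) in aut["accept"]


def induced(aut, word):
    """f_w: the function on automaton states induced by the word w, i.e. the
    refined abstraction of the slides.  Stored as the tuple of images of the
    automaton states so that it is hashable and comparable."""
    return tuple(run(aut, q, word) for q in aut["states"])


def words(alphabet=("nc", "cs"), max_len=3):
    """All words over the alphabet up to max_len, the empty word first."""
    return [w for n in range(max_len + 1) for w in product(alphabet, repeat=n)]


def abstract_states(aut, max_len=4):
    """All distinct induced functions over words up to max_len: the abstract
    state space.  For D there are only 3 of them."""
    return {induced(aut, w) for w in words(max_len=max_len)}


def first_try_equiv(aut, u, v):
    """First attempt on the slides: u ~ v iff both or neither are in L(aut)."""
    return holds(aut, u) == holds(aut, v)


def refined_equiv(aut, u, v):
    """Refined relation: u ~ v iff they induce the same function on aut."""
    return induced(aut, u) == induced(aut, v)


def preserved_under_composition(equiv, aut, max_len=3):
    """Requirement 2 on the slides: u ~ v must imply u.w ~ v.w for every
    continuation w.  Returns a violating triple (u, v, w), or None if the
    relation is preserved for all words up to max_len."""
    ws = words(max_len=max_len)
    for u in ws:
        for v in ws:
            if not equiv(aut, u, v):
                continue
            for w in ws:
                if not equiv(aut, u + w, v + w):
                    return (u, v, w)
    return None


if __name__ == "__main__":
    print("states with exactly one cs:",
          [s for s in product(("nc", "cs"), repeat=3) if holds(D, s)])
    print("abstract states of D:", abstract_states(D))
    print("first try violated by:", preserved_under_composition(first_try_equiv, D))
    print("refined relation violated by:", preserved_under_composition(refined_equiv, D))
```

The refined relation is a congruence because f_{u.w} is the composition of f_w after f_u, so equal f_u and f_v force equal f_{u.w} and f_{v.w}; the first-try relation has no such property, and the search finds a pair of rejected words that one further letter separates.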

Abstract States

  - set of functions corresponding to the deterministic automaton .
  - the set of states of .

In the worst case:
In practice, the size is much smaller.

In the previous example:
In practice:

Extension to any set of atomic formulas , where . The abstraction of : iff for all : . States that are mapped to the same abstract state agree on all atomic properties.

Abstract LTS

Example:

[Figure: the LTS Q∥P∥P (states (cs,nc,nc), (nc,cs,nc), (nc,nc,cs) with τ transitions) and its abstraction h(Q∥P∥P), a single abstract state f2 with a τ transition]

Simulation

Definition: iff there is a simulation preorder that satisfies:
  1. there is s.t. : .

Notation: if , we say that .

Abstract LTS

Lemma:
  1. The simulation relation is:
  2. Let be the simulation relation between . Define the relation as follows:

Abstract LTS

Theorem:

And there are some more cases to prove…

Abstract LTS

Conclusion:

Proof: there is s.t. : : (theorem)

Abstract LTS and Simulation: example

[Figure: the LTS Q∥P∥P and its abstraction h(Q∥P∥P), as in the previous figure: the three global states with τ transitions are mapped to the single abstract state f2 with a τ transition]

Abstract LTS and Simulation: another example

[Figure: the LTS P (states nc and cs; actions τ, send-token, get-token) and its abstraction h(P), with abstract states f1 and f2, a τ self-loop on each, and the actions send-token and get-token between them]
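Added Python example, not from the slides, for the abstract LTS and the simulation preorder of the passages above: the quotients h(P) and h(Q∥P∥P) are built from the induced functions f_w of D, and a greatest-fixpoint computation checks that each concrete LTS is simulated by its abstraction, which is the first requirement on the abstraction and the same kind of check that the monotonicity property of the verification method rests on. The ring Q∥P∥P is transcribed from the figure as constructed input; the simulation relation only pairs states with equal abstraction, with h extended to abstract states as the identity as on the slides. The function names and the tuple encoding of f_w are this example's own assumptions.

```python
# Automaton D over {nc, cs} from the slides, L(D) = nc* cs nc*.
DELTA = {("q0", "nc"): "q0", ("q0", "cs"): "q1",
         ("q1", "nc"): "q1", ("q1", "cs"): "q2",
         ("q2", "nc"): "q2", ("q2", "cs"): "q2"}
QS = ("q0", "q1", "q2")


def h(word):
    """Abstraction of a global state (a tuple of local states read as a word):
    the function it induces on D, stored as the tuple of images of q0, q1, q2."""
    images = []
    for q in QS:
        for a in word:
            q = DELTA[(q, a)]
        images.append(q)
    return tuple(images)


def label(s):
    """h on a concrete state; a basic process's state is a one-letter word."""
    return h(s if isinstance(s, tuple) else (s,))


def identity(f):
    """Labelling of an abstract LTS: h(f) = f, as the slides extend h."""
    return f


def states_of(init, trans):
    return set(init) | {s for (s, _, _) in trans} | {t for (_, _, t) in trans}


def abstract_lts(init, trans):
    """Quotient by h: abstract states are the images h(s); f -a-> f' whenever
    some concrete s -a-> s' has h(s) = f and h(s') = f'."""
    return (frozenset(label(s) for s in init),
            frozenset((label(s), a, label(t)) for (s, a, t) in trans))


def simulates(init1, trans1, label1, init2, trans2, label2):
    """Simulation preorder M1 <= M2, computed as the greatest fixpoint of H:
    start from all pairs with equal labels and drop (s1, s2) while some step
    s1 -a-> t1 has no matching s2 -a-> t2 with (t1, t2) still in H.  Returns
    the relation if every initial state of M1 is related to an initial state
    of M2, otherwise None."""
    s1s, s2s = states_of(init1, trans1), states_of(init2, trans2)
    H = {(s1, s2) for s1 in s1s for s2 in s2s if label1(s1) == label2(s2)}
    changed = True
    while changed:
        changed = False
        for (s1, s2) in list(H):
            for (s, a, t1) in trans1:
                if s != s1:
                    continue
                if not any((s2, a, t2) in trans2 and (t1, t2) in H for t2 in s2s):
                    H.discard((s1, s2))
                    changed = True
                    break
    if all(any((s1, s2) in H for s2 in init2) for s1 in init1):
        return H
    return None


# Constructed sample input, transcribed from the slides' figures.
P_INIT = frozenset({"nc"})
P_TRANS = frozenset({("nc", "get-token", "cs"), ("cs", "send-token", "nc"),
                     ("nc", "tau", "nc"), ("cs", "tau", "cs")})
RING_INIT = frozenset({("cs", "nc", "nc")})
RING_TRANS = frozenset({
    (("cs", "nc", "nc"), "tau", ("nc", "cs", "nc")),
    (("nc", "cs", "nc"), "tau", ("nc", "nc", "cs")),
    (("nc", "nc", "cs"), "tau", ("cs", "nc", "nc")),
    (("cs", "nc", "nc"), "tau", ("cs", "nc", "nc")),
    (("nc", "cs", "nc"), "tau", ("nc", "cs", "nc")),
    (("nc", "nc", "cs"), "tau", ("nc", "nc", "cs")),
})
F1, F2 = h(("nc",)), h(("cs",))  # the abstract states f1, f2 of the figures


def concrete_below_abstract(init, trans):
    """The slides' first requirement: an LTS is smaller (by <=) than its abstract LTS."""
    a_init, a_trans = abstract_lts(init, trans)
    return simulates(init, trans, label, a_init, a_trans, identity) is not None


if __name__ == "__main__":
    print("h(P) =", abstract_lts(P_INIT, P_TRANS))
    print("h(Q||P||P) =", abstract_lts(RING_INIT, RING_TRANS))
    print("P <= h(P):", concrete_below_abstract(P_INIT, P_TRANS))
    print("Q||P||P <= h(Q||P||P):", concrete_below_abstract(RING_INIT, RING_TRANS))
```

h(P) keeps both abstract states f1 and f2 with the token actions between them, while the three reachable ring states all collapse to f2 with a τ loop, exactly as in the figures; the quotient always simulates its source because every concrete step is copied onto the abstract states, and the label test keeps the relation from pairing states that disagree on D.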


Verification Method

is a monotonic grammar; is an formula with atomic formulas . To check that every LTS derived by satisfies , we perform:
  1. For every symbol A in G, choose and construct the abstract LTS with respect to the atomic formulas .
  2. Check that the set of representatives satisfies the monotonicity property.
  3. Perform MC on with as the specification.

Monotonic Grammar

Monotonic composition: the composition is monotonic iff, given LTSs , :

Monotonic grammar: a network grammar G is monotonic iff all rules in the grammar use only monotonic composition operators.

Representative Processes

For a network grammar , we find for each symbol A of the grammar a representative process .

Monotonicity property: given a grammar and a set of representatives:

Theorem

Let be a monotonic grammar. Suppose we can find representatives that satisfy the monotonicity property. Let A be a symbol of , and let be an LTS derived from A using the rules of . Then:

Proof

We will prove that . Since , we will get that [transitivity of the simulation relation].

Let . We will prove by induction on k.

(k=0): is a terminal; the result follows from the monotonicity property.

(k>0): Let be the first rule in the derivation of a from A. Assume: , , , . By the I.H.: , . We have the following equations:

Lemma 3.2.3

Back to the verification method…

is a monotonic grammar; is an formula with atomic formulas . To check that every LTS derived by satisfies , we perform:
  1. For every symbol A in G, choose and construct the abstract LTS with respect to the atomic formulas .
  2. Check that the set of representatives satisfies the monotonicity property.
  3. Perform MC on with as the specification.

Back to the verification method…

Now we have proved that in step #3, for every derived by the grammar , . Thus, if is an formula and , we can conclude that for all LTSs derived by : .

The next question: how to find representatives that satisfy the monotonicity property?

The Unfolding Heuristic

Might be helpful in automatically finding monotonic representatives. Basic ideas:
  The initial representative of a symbol A will be the LTS derived from A using the minimum number of rules.
  Often certain behaviors only occur when a process is composed with other processes (that provide the environment).
  By unfolding the current set of representatives we will find a larger set of potential representatives, which might satisfy the monotonicity property.

The Unfolding Heuristic

Some notation. Association function for a grammar : assigns a set of processes to each symbol of . This set will contain the potential representatives of the symbol.

Given 2 sets of LTSs and , we define as:

The Unfolding Heuristic

Finding the initial association: for a terminal A, .

The Unfolding Heuristic: example

Finding the initial association for , where

AS_0(A) = AS(P) ∥ AS(P)
AS_0(S) = AS(Q) ∥ AS(A)

[Figure: processes labelled 0, 1, 2]

The Unfolding Heuristic: example

Finding the initial association for , where

The Unfolding Heuristic

The algorithm to find representatives:

The unfolding operator:

The Unfolding Heuristic: example

Unfolding the current association:

The Unfolding Heuristic: example

The corresponding representatives didn’t satisfy the monotonicity property. The process might have more abstract states than . We need to find a representative that “has more behaviors than ”.

The Unfolding Heuristic

After unfolding, if we choose the representatives as: , the process has more abstract states than .

The Unfolding Heuristic

Observations:
  Each iteration increases the set of processes associated with a nonterminal.
  Unfolding results in processes that are a combination of a larger number of basic processes.
  The procedure might not terminate; the user will have to put a limit on the number of iterations.

The Unfolding Heuristic

If we find representatives with the monotonicity property s.t. , then we cannot conclude anything about the correctness of the network derived by G. A counterexample might aid the user in finding more refined representatives, or we may want to apply the unfolding technique again.


Synchronous model of computation

Presenting a synchronous framework that has the properties required by the verification method.

LTSs represent Moore machines: a transition , with , occurs only if the environment supplies the inputs and the machine produces the outputs .

Synchronous model of computation

Synchronous composition , :
  and and and

Synchronous model of computation

Lemma: the composition is monotonic w.r.t. .

We should prove that:

Proof, continued: we say that . We show that has the required properties.
  1.
  2.
  3.

Network Grammars for Synchronous Models

Each is associated with and . In G we allow different composition operators for different production rules.

Network Grammars for Synchronous Models

Definitions:

Renaming function : when applied to A, it maps inputs to inputs and outputs to outputs s.t. . Applying to an LTS results in an LTS with: , , , , and .

Hiding function : for , is a renaming function that maps each element in act to .

Network Grammars for Synchronous Models

Typical composition operator:

Network Grammars for Synchronous Models: example

Describing more precisely the processes and the network grammar that constructs rings with any number of processes. P and Q are identical, except that now: , .

Derivation rules:

Network Grammars for Synchronous Models

Applying this rule results in a network with one terminal Q and one nonterminal A, connected as a ring.

Network Grammars for Synchronous Models

is defined as:


Conclusion

  Described the verification problem of parameterized systems.
  Defined network grammars, LTSs, and abstraction of LTSs.
  Specifying state properties using regular languages.
  The method requires a monotonic grammar. To apply the method we must find representatives that satisfy the monotonicity property; this might be done automatically using the unfolding heuristic.
  Presented a synchronous model of computation that has the properties required by the verification method.
