Download - Verification of Population Ring Protocols in PAT 1 ICFEM 2008 Verification of Population Ring Protocols in PAT Yang LIU, Jun PANG, Jun SUN and Jianhua

Verification of Population Ring Protocols in PAT

1ICFEM 2008


Yang LIU, Jun PANG, Jun SUN and Jianhua ZHAO


2TASE 2009

Outline

•Motivations•The Population Protocol Model

–Formal Definitions of Protocol Model

–Fairness Definitions

•Verification under Fairness in PAT•Population Ring Protocols

–Two hop coloring

–Orienting undirected rings

–Leader election (Bug founded)

–Token circulation

•Experiments•Conclusion and Future Works


Population Protocol Model

• Population protocol model [AR07] as an elegant computation paradigm for describing mobile ad hoc networks–Communication between multiple nodes–Wireless sensor networks, Biological computers

• Correctness property–With respect to all possible initial configurations, all nodes must eventually converge to the correct output values

• Need for Fairness–To ensure that the protocol makes progress

• Automatic verification–Model Checking using SPIN in TASE 08 [PLD08]–Model Checking using PAT

TASE 2009 3


4TASE 2009

Why do we need fairness?

•Critical systems requires safety and liveness properties–Safety: bad things never happen–Liveness: good things eventually happen

•Fairness is important–It is important in the system specification–No liveness property is true without fairness!

• The default fairness: a system must always eventually make some progress• Enabled processes/choices can not be infinitely ignored.


Population Protocol Defining Features

• Anonymous, finite-state agents: a large population of indistinguishable finite-state agents

• Computation by direct interaction: an interaction between two agents updates both of their states according to rules

• Unpredictable interaction patterns: the choice of interaction is made by an adversary with an imposed fairness condition

• Distributed inputs and outputs

• Convergence rather than termination: outputs are required to converge after some finite time to a correct configuration

TASE 2009 5


Formal Definitions of Protocol Model

• A network is represented as a graph G = (V,E). Each vertex represents a finite-state sensing device called an agent, and an edge (u, v) indicates the possibility of a communication between u and v in which u is the initiator and v is the responder.

• A protocol is specified as a six-tuple P(Q, C, X, Y,O, δ),– a finite set Q of states,

– a set C of configurations,

–a finite set X of input symbols,

–a finite set Y of output symbols,

–an output function O : Q → Y, and

–a transition function δ : (Q × X) × (Q × X) → 2Q× Q.

TASE 2009 6


Semantics

• A configuration C is a mapping C : V → Q assigning to each node its internal state.

• An input assignment α : V → X specifies the input for each node.

• C goes to C’ via edge e = (u, v) by transition ((C(u), α(u)), (C(v), α(v))) → (C’(u),C’(v)), abbreviated to (C, α) → C’.

• A pair of a transition r and an edge e constitutes an action σ = (r, e)

• An execution is an infinite sequence of configurations and assignments (C0, α0), (C1, α1), . . . , (Ci, αi), . . ., such that C0 C ∈ and for each i, (Ci, αi) → Ci+1.

TASE 2009 7

e


8TASE 2009

Fairness Constraints

•Weak fairness – If an action (σ = (r, e)) is continuously often enabled then it has to be executed infinitely often.

•Strong fairness (local fairness)– each action (σ = (r, e)) which is enabled infinitely often is actually taken infinitely often.

•Global fairness– each step ((C, α) → C’) that can be taken infinitely often is actually taken infinitely often.


Self-stabilizing

• A distributed system is said to be self-stabilizing if it satisfies the following two properties:

1. convergence: starting from an arbitrary configuration, the system is guaranteed to reach a stable configuration;

2. closure: once the system reaches a stable configuration, it cannot become unstable any more.

• LTL Formulation– <> [] property

TASE 2009 9


10TASE 2009

Process Analysis Toolkit

•PAT [SLDP09] : a toolkit for automatically analyzing event-based concurrent systems, possibly under fairness.

–System Modeling (CSP# with variables)–Visualized simulation with animations–Model checking

•Deadlock•Reachability •LTL (with fairness assumptions in multi-core CPU)•Refinement checking [SLD08] (vs. FDR)

•Website: http://pat.comp.nus.edu.sg/


11TASE 2009

How to verify fair systems?

•Current approaches–State fairness assumptions as premises of the liveness properties.

•Experiments using SPIN 4.6

-Weak fairness option in SPIN.

-Model fairness using global accepting states (or in the form of justice/compassion condition).


12TASE 2009

Fairness Model Checking Algorithm in PAT •On-the-fly model checking based on Tarjan’s algorithm for identifying SCC [SLDP09].

–Tarjan’s algorithm to search for SCCs–Check different fairness inside the found SCCs.–Keep searching until it is not SCC anymore.–A counterexample is a fair loop which fails the property.


Self-stabilizing Population Protocols in Rings• Four Protocols in Rings

–two-hop coloring [AAFJ08], –orienting nodes [AAFJ08],–protocols for leader election [JIANG07], and –token passing [AAFJ05]

• Requires global fairness

TASE 2009 13


Protocol 1 - Two hop coloring

14

• A general algorithm that enables each node in a degree-bounded graph to distinguish between its neighbors.

• The graph is colored such that any two nodes adjacent to the same node have different colors.–Only three colors are need for rings.

• for each node v, if u and w are distinct neighbors of v, then u and w must have different colors. (u, w) is called a two-hop pair.

• Each node u in a ring has two state components, color[u] encodes the color of node u and F[u] is a bit array, indexed by colors.–Initially, color[u] and F[u] can have arbitrary values.

• Property: #define twocoloring (color[0] != color[2] && color[1] != color[2] && color[0] != color[1]); #assert TowHopColoring() |= <> [] twocoloring;

TASE 2009


Protocol 1 – Interaction rules

15


16ICFEM 2008

Two Hop Coloring Example in PAT


Protocol 2 - Orienting undirected rings

17

• Given a colored ring, it is possible to have a protocol that gives a sense of orientation to each node on an undirected ring such that:– (1) each node has exactly one predecessor and one successor, the predecessor and successor of a node are different;– (2) for any two nodes u and v, u is the predecessor of v if and only if v is the successor of u, for any edge (u, v), either u is the predecessor of v or v is the predecessor of u.

• Each node u in a ring has three state components:–color[u] encodes the color of node u, –precolor[u] the color of its predecessor, and –succolor[u] the color of its successor.

• Property: #define property1 (x : 0..N - 1@ precolor[x] != succolor[x])); #assert OrientingUndirected() |= <> []property1;

TASE 2009


Protocol 2 - Interaction rule

TASE 2009 18

Initially, all nodes are two-hop colored (array color satisfies the two-hop coloring property), precolor[u] and succolor[u] can have arbitrary values.


Protocol 3 - Leader election in oriented odd rings• Supposing each node has a label bit, a maximal sequence of alternating

labels is called a segment.– The head and tail of a segment can be defined in a natural way.

• One edge of the form (0,0) or (1,1) connecting the tail of one segment to the head of another segment is called a barrier edge.

• For a node u in a ring, it has four state components:–leader[u] states whether the node is a leader, –label[u] is its label, –probe[u] is 1 if u holds a probe token, and –phase[u] alternates between 0 and 1 to make each barrier alternate between ring a probe and moving forward.

• Property: #define oneleader (leader[0] + leader[1] + …+ leader[N] = 1); #assert LeaderElection() |=<> [] oneleader;

TASE 2009 19


Protocol 3 - Leader election

TASE 2009 20

• The barrier advances by flipping the label bit of the second node on the barrier

• When two barriers collide, they cancel out each other.

• Probes are sent out by the barrier in a clockwise direction and absorbed by any leader they run into.

• If a probe meets the barrier on its way back, it is converted to leader.

• Leaders fire bullets counter-clockwise around the ring.

• Bullets are absorbed by the barrier, but they kill any leaders they encounter along the way.


Protocol 3 - Counterexample

• Counterexample is a lasso:– an infinite execution containing a loop, – the loop is global fair

•within this loop, all actions enabled at

reachable configurations of the loop are executed. – these configurations contain more than two leaders.

• Reason of the bug:–In the explanation of the protocol, “Probes are sent out by the barrier in a clockwise direction and absorbed by any leader they run into”.

• Mission impossible without the newly developed model checking


Protocol 4 - Token circulation

TASE 2009 22

• The desired behavior of this protocol can be described as follows:–There is only one node who holds the token.–A node does not obtain again until every other node has obtained a token once.–Each node can have the token infinitely often.

• Simplifications:–It does not consider some nodes are not willing to release the token.–It is assumed that every node passes the token to next one right after it has got it.–The protocol also requires the existence of a common leader.


• The state of each node is represented by a pair {−,+} × {0, 1}. + means that the node is holding a token, and − the opposite. The second part of a state of a node is called the label.

• The symbol b matches either 0 or 1 and ¯ is its complement.

• The input for each node informs them who is leader, which is unique in the network.

• Property: #define onetoken(token[0] + token[1] + token[2] == 1); #assert TokenCirculation() |=<> []onetoken;

Protocol 4 - Token circulation

TASE 2009 23

b


Experiment Results I

TASE 2009 24


Experiment Results II

TASE 2009 25


26TASE 2009

Conclusion

•Using PAT, we have successfully model checked on a set of self-stabilizing population protocols for ring networks under global fairness assumption.

•We report one previously unknown bug in a protocol for leader election identified using PAT.

•During the analysis, we have faced the infamous state explosion problem


27TASE 2009

On-going and future works

• Model checking parameterized systems– network protocols are often designed for arbitrary or even unbounded number of nodes. – process identify and process counter abstraction – under fairness?

•Apply PAT to other population protocols, such as self-stabilizing consensus protocols


References

• [AAFJ05] D. Angluin, J. Aspnes, M. J. Fischer, and H. Jiang. Self-stabilizing Population Protocols. In OPODIS’05, volume 3974 of LNCS, pages 103–117. Springer, 2005.

• [AAFJ08] D. Angluin, J. Aspnes, M. J. Fischer, and H. Jiang. Self-stabilizing Population Protocols. ACM Transactions on Autonomous and Adaptive Systems, 3(4):643–644, 2008.

• [AR07] J. Aspnes and E. Ruppert. An Introduction to Population Protocols. Bulletin of the European Association for Theoretical Computer Science, 93:98–117, 2007.

• [JIANG07] H. Jiang. Distributed Systems of Simple Interacting Agents. PhD thesis, Yale University, 2007.

• [PLD08] J. Pang, Z. Luo, and Y. Deng. On Automatic Verification of Self-stabilizing Population Protocols. In TASE’08, pages 185–192. IEEE Computer Society, 2008.

• [SLD08] J. Sun, Y. Liu, and J. S. Dong. Model Checking CSP Revisited: Introducing a Process Analysis Toolkit. In ISoLA’08, pages 307–322. Springer, 2008.

• [SLDP09] J. Sun, Y. Liu, J. S. Dong, and J. Pang. PAT: Towards Flexible Verification under Fairness. In CAV’09, 2009.

TASE 2009 28


29ICFEM 2008

Thank You

Download - Verification of Population Ring Protocols in PAT 1 ICFEM 2008 Verification of Population Ring Protocols in PAT Yang LIU, Jun PANG, Jun SUN and Jianhua

Top Related