mad - inriapeople.rennes.inria.fr/eric.fabre/papiers/mad 5.pptx.pdf · 4 limitaons • the product...
TRANSCRIPT
MADModels&AlgorithmsforDistributedsystems
--5/5--
downloadslidesath8p://people.rennes.inria.fr/Eric.Fabre/
1
Today…
• Anewmodelfordistributedsystems:Petrinets
• Mainfeatures– concurrencynaturally(graphically)encoded– runseasilyencodedasparFalordersofevents– languagesencodedasbranchingprocessesandunfoldings
(FghtlyrelatedtotheformalnoFonofeventstructure)
2
Whatdowehavesofar?
3
Model• networkofautomata• language=setofruns,arun=asequenceofevents• factorizaFon• aMazurkiewicztrace:
– onewaytorecoverconcurrency,arunbecomesaparFalorderofevents– encodingoftracesastuplesoflocalwords
Algebra• projecFon&producton(networksof)automataandlanguages• richproperFesdistributed/modularcomputaFonsinthisalgebra• workingwithfactorizedformsislikeworkingwithtraces• applicaFon:distributeddiagnosis,distributedplanning
A = A1 ⇥ ...⇥AN
L(A) = L(A1)⇥ ...⇥ L(AN ) ✓ ⌃⇤
w 2 w1 ⇥ ...⇥ wN
)
4
Limita1ons• theproductofautomatadoesnotmakeconcurrencyvisible
(createsconcurrencydiamonds),andleadstostateexplosion• thenaturalsequenFalsemanFcs(runsassequencesofevents)doesnot
capturewellconcurrency• tracesareanindirectwaytorecoveratrueconcurrencysemanFcsfrom
sequences,where“and”ismadeequivalentto“”;onemayneedtodisFnguishthesesituaFons:
a � b b � a b ? a
α1t2
bcac
ad bd
β
β
γ γt αβ
a
b
t3t4 α
c
d
γ
*(t , )2 c
*(t , )2 d
( ,t )4b*( ,t )4a*1 3(t ,t )
“I can go first” ^ “you can go first” 6) “we can go at the same time”
Petrinets
5
changeofnota1on• automaton
– transiFonsset– onetransiFon
• newnotaFon(PetriNetinspired)– arefinitesetsofstates(places),transiFons,labels– flowconnectstransiFonsandstates– presetandsym.forpostset– labelingoftransiFons
T ✓ S ⇥ ⌃⇥ St = (s,↵, s0) = (•t,�(t), t•)
A = (S, T,⌃, s0, SF )
A = (S, T,!, s0,�,⇤)S, T,⇤
! ✓ (S ⇥ T ) [ (T ⇥ S)8x 2 S [ T,
•x = {y 2 S [ T : y ! x} x
•
� : T ! ⇤
b
a
α3 t2 t1
βγt
6
Productwhere
• Places:– disjointunion(nottheproduct!)– iniFalplaces
• Transi1ons:asinglecopyofeachprivatetransiFon– synchrooncommonlabels– privatetransiFonsin1stcomp.– privatetransiFonsin2ndcomp.
• Flow:– isdefinedbyand– whereand
Ai = (Si, Ti,!i, s0,i,�i,⇤i)N = A1 ⇥A2 = (P, T,!, P0,�,⇤)
P = S1 ] S2
P0 = {s0,1, s0,2}
T = {(t1, t2) : �1(t1) = �2(t2)}[ {(t1, ?) : �1(t1) 2 ⇤1 \ ⇤2}[ {(?, t2) : �2(t2) 2 ⇤2 \ ⇤1}
(t1, t2)• = t•1 ] t•2
•(t1, t2) =•t1 ] •t2!
?• = ; •? = ;
7
Remarks• ingeneral,asfortheproductofautomata,theassociaFonoftransiFonsis
notonetoone• thisdefiniFonofproductextendsto(safe)Petrinets…• …andmakestheproductassociaFve
Example
cfe
d
b
a g
αt3 t2 t1 t4 t5 t6t’1
α β β
t’4
fc
g
b
a d
e
5 t6t3 t2 t1 t4 t
A1 A2 A3
8
DynamicsinaPetrinet• Marking:
– afuncFon– assignsanumberoftokenstoeachplace– notaFon:ifplacescontainatmostonetoken(safenet)
• EnablingofatransiFon– transiFonisenabledatmarkingiff– theresources/tokensneededbytarepresentinthecurrentmarking
• FiringofatransiFon– itchangesthecurrentmarkingmintom’with– tconsumestokensinitspresent,andproducessomeinitspostset
N = A1 ⇥A2 = (P, T,!, P0,�,⇤)
m : P ! N
m ✓ P
t 2 T m ✓ P •t ✓ m
m0 = m� •t+ t•
e
da
b
g
cf
3 t2 t5 t6t4t1t
9
Trueconcurrencyseman1cs• sequen1alseman1cs
– arun=asequenceoftransiFonfirings,rootedatm0=P0
– imposestheinterleavingofconcurrentevents– differentinterleavings=differentruns
• trueconcurrencyseman1cs– arunisaparFalorderofevents– encodedasanotherPetrinet,withoutcircuits,calledaconfigura1on
f
g
b
a
dc
a g e
b cd
c
g
b
a d
e
. . .
t3 t2 t1 t4 t5 t6
t4t3
t1
t5t1
Unfoldings
10
AsafePetrinet……andtwoofitsconfiguraFons(runs),asparFallyorderedevents
d
a g
dcb
b
a f
c
a g
dcb
ega
b
t1
t3
t1
t2
t6t4t3
t1
t5
fc
g
b
a d
e
5 t6t3 t2 t1 t4 t
Unfoldings
11
AsafePetrinet…mergingcommonprefixesyieldsanoccurrencenet
fc
g
b
a d
e
5 t6t3 t2 t1 t4 t
b
a g
dcb
b
a f
c
eg
d
t3
t1
t2
t6t4
t5t1
12
Occurrencenet• aspecialPetrinet• placesarecalledcondiFons,transiFonsarecalledevents• theflowisacyclic(parFalordering)• andthisparFalorderiswellfounded
• everycondiFonhasauniquecauseorisminimaland
• noeventisinself-conflict
O = (C,E,!, C0,�,⇤)
!
8x 2 C [ E, |{y 2 C [ E : y !⇤x}| < 1
8c 2 C, | •c| 1 C0 = {c 2 C,• c = ;}
x#x
0 , 9e 6= e
0 2 E,
•e \ •
e
0 6= ;, e !⇤x, e
0 !⇤x
0
e e’
x’x
#
13
concurrencyrepresentsnodesthatcanlieinthesameconfiguraFonco-set:suchthatrepresentsresources(tokens)thatareavailableatthesameFmeinsomerun/configuraFoncut:amaximalco-setforprefix:iffisacausallyclosedsub-netof,containingand
x ? y , ¬(x !⇤y) ^ ¬(y !⇤
x) ^ ¬(x#y)
X ✓ C 8c, c0 2 X, c ? c0
✓
O0 O C0 E0•O0 = (C 0, E0,!0, C0,�
0,⇤) v O
14
configura1on:denoted,aconflict-freeprefixoflocalconfigura1on:[e]=smallestconfiguraFoncontainingevente,=causalpastofe
O
Lem:relaFngcutsandconfiguraFonsXisacutofsuchthatX=max(C’) ,O 9 = (C 0, E0, ...)
15
Branchingprocess• abranchingprocessofnetisapair
whereisanoccurrencenet,andamorphismofnets(atotalfuncFon)
• f“labels”condiFons/eventsofbyplaces/transiFonsofitturnsaconfiguraFonofintoarunof
• parsimony:• ifX =maximalcondiFonsinconfiguraFon(Xformsacut)
thenf(X) isthemarkingofproducedbyrun
(O, f)
f : O ! NO
N
NOO N
8e, e0 2 E, •e = •e0 ^ f(e) = f(e0) ) e = e0
N
f
c c
a g
bd
cb
b b bb d
egaa
t6t4t3 t3
t2 t1
t5t1t2t1t2
fc
g
b
a d
e
5 t6t3 t2 t1 t4 tf
16
UnfoldingProof:mainideaistodefinetheunionofbranchingprocesses,ali8letechnical,butnotdifficult(seerefs.attheendofthelesson).Algorithm(unfolding)• init
– ,isomorphictothroughf–
• repeatunFlstability(extensionwithanewevent)– foracosetandtransiFon t suchthat– createevent(ifitdoesnotalreadyexist)suchthat– createnewcondiFonsandextendfsothat
Thm:thereexistsauniquebranchingprocessofmaximalforprefixinclusion,itiscalledtheunfoldingof
(UN , fN ) NNv
•e = X, f(e) = t
E = ;, != ;C = C0 P0
X ✓ C f(X) = •t
e 2 E
X 0 = e• ⇢ C f(X 0) = t•
17
Example
b c
ga a g
tt3 t2 t1 4
18
Example
c
ga
b c
a g
b
t3 t2 t1 t4 t1
19
Example
c
ga
b c
a g
b
t3 t2 t1 t4 t1
20
Example a a g
cbbc
g
b
1 4 t1t2t3 t2 t t
21
Example
bc
g
b
a a g
cb
4 t2 t1t3 t2 t1 t
22
Example
b
a
b c
ga
cb
ga
tt3 t2 t1 t4 t2
t3
1
23
Example
b c
ga
c
g
bb
a
a
tt3 t2 1t4 t2
t3
t1
24
Example
cb
b cc
g
b
a
b
ga
a
t3 t2 t1 t4 t2
t3
t1
t1
25
Example
b
bc
g
b
aa
a
cb
g
a
c
t3 t2 t1 t4 t2
t3 t3
t1
t1
26
Example
cb
c
g
b
a
g
b
ga
a
cb
a
t3 t2 t1 t4 t2
t3 t3 t4
t1
t1
27
Example
b
a
cc
g
b
b c
ga
a
b
a
b
c
g
t3 t2 t1 t4 t2
t3 t3 t4
t1 t1
t1
28
Applica1onoftheunfoldingReachability/coverabilitytest• onewishestoknowifthereexistsanaccessiblemarkingminnet
whereeachplaceofholdsatoken,i.e.• bycreaFngintanewtransiFontwith
thisamountstocheckingiftisaccessible
Ques1ons1. whatisthecomplexityofthistest?2. howfarshouldonegointhecomputaFonoftheunfolding?
Q ✓ P Q ✓ m
Q = •t
N
29
Proof:byreducFonofSATproblems(atleast3-SAT)example:encodingSATproblem• Thecomplexityofunfoldingthisnet(beforetf )ispolynomial,
sothecomplexityoffindingaco-setwheretfisfirableisNP-hard.• Asbuildinganunfoldingrequiresfindingco-sets,
onemustrelyonSATsolvers(whichmodernunfoldersdo).
Thm:thereachability/coverabilitytest(co-setconstrucFon)isNP-complete.
(x1 _ x2 _ x̄3) ^ (x̄1 _ x2)
falsetruefalsetrue true false
21x
OR
3
tf
OR clause 1
xx
clause 2
Finitecompleteprefix
30
Idea:Aprefixissaidtobecompleteifallreachablemarkingsinarerepresentedas(theimageof)acutin.(OnewishestoavoiduselessrepeFFonsofsimilarpa8ernsin)Moreformally:iscompleteiff
– reachablemarkingin,itappearsintheprefix
– i.e.tfirablefromm,itappearsasaneventontopofmarkingm
O v UN
OO
O v UN
8m N9 2 O : m = Mark() = fN (max())
8t 2 T, m[tim0,
9,0 2 O : m = Mark(), 0 = � {e}, fN (e) = t
N
31
Howtobuildafinitecompleteprefix?Naiveidea:
– applytheunfoldingalgorithm,andstopateventewhenthemarkingproducedby[e] isalreadypresentintheprefix:
– thismakeseacut-offevent,ontopofwhichnomoreeventwillbeadded
Problem:itgenerallyyieldsanincompleteprefix…example:stopeventsinred,firingoft5notseen
9 2 O : Mark() = Mark([e])
a
b c
f
b c
eded
ff
ed
cb
a
t3
t1 t2
t4
t5
e1 e2
e3 e5 e6
e7 e8t5 t5
t3 t4t4t3
t2t1
e4
32
Solu1on:breakthesymmetry,byfavoringsomeconfiguraFonsforextensionAdequateorder:on(local)configuraFons[e]
– wellfoundedparFalorder(finitenumberofpredecessors)– refinesprefixinclusion:– preservedbyisomorphicextensions:
Examples1. takefortheprefixinclusion2. definedbythenumberofevents(totalorder,proposedbyMcMillan)3. takeforthelexicographicorder,whennetismadeofseveralcomponents,
byorderingcomponents,andcounFngeventsineachcomponent,asinMa8ern’svectorclocks(parFalorder,proposedbyEsparza)
�
@ 0 ) � 0
� 0 ^ Mark() = Mark(0) ) � e � 0 � e0 where fN (e) = fN (e0)
@�
� N
�
33
Cut-offevent:eventeisacut-offeventintheBPofiffthereexistsanotherevente’insuchthatExample(conFnued)
– assume,whichmakese5 acut-offevent– thisentails,byisomorphicextension
– ,whichwouldmakee4acut-offevent,isfalse,asthiswouldentailbyisomorphicextension,whichisfalse
(O, f)N(O, f)
Mark([e0]) = Mark([e]) ^ [e0] � [e]
[e3] � [e5][e3, e4] � [e5, e6]
[e6] � [e4][e6, e5] � [e4, e3]
aa
b
f
c b c
eded
f
ed
cb
f
4t3
t1 t2
t4
t5
e1 e2
e3 e5 e6
e8t5
t3 t4t4t3
t2t1
e
e7 t5
34
Proof:seereferencesattheendofthelesson;finitenessandcompletenessareprovedseparately,andheavilyrelyonproperFesofadequateorders.
Thmtheprefixobtainedbystoppingtheunfoldingalgorithmatcut-offeventsisfiniteandcomplete[McMillan,Esparza].
O v UN
35
Proof:seereferencesattheendofthelesson;finitenessandcompletenessareprovedseparately,andheavilyrelyonproperFesofadequateorders.
Thmtheprefixobtainedbystoppingtheunfoldingalgorithmatcut-offeventsisfiniteandcomplete[McMillan,Esparza].
O v UN
ThmiftheadequateorderusedtobuidtheFCPisatotalorder,thenthenumberofnon-cut-offeventsinisboundedbythenumberofreachablemarkingsin.
O v UN�O
N
Proof:fortwoeventssuchthateitherorholds,sooneoftheseeventsisacut-off
Mark([e]) = Mark([e0])e, e0 2 O[e] � [e0] [e0] � [e]
36
Applica1ontodeadlockcheckingDeadlock:amarkingofwherenomoretransiFoncanbefiredN
ThmLetbeafinitecompleteprefix.ThereisnodeadlockiniffeveryconfiguraioncanbeextendedintoaconfiguraFonthatcontainsacut-offevent.[McMillan]
O v UN v O
v 0 v ON
Proof:(sketchof)• amaximalconfiguraFonwithnocut-offcan’tbeextended:
theterminalmarkingisadead-end• conversely,atacut-off,onereachesamarkingthatispresentandextended
elsewhereintheprefix,whichmeansthataconFnuaFonispossible
Takehomemessages
(Safe)Petrinets• areanaturalmodelforconcurrentsystems• canbebuildbyproduct,asnetworksofautomata• admitnatural(builtin)trueconcurrencysemanFcsfortheirruns• setsofrunscanbehandledbybranchingprocesses(unfoldings)
insteadoflanguages
Extraresults• byrestricFngbranchingprocessestoevents,onegets
(prime)eventstructuresacompletetheoryofeventstructuresexists
• onecandefineaproductonunfoldings,andprojecFonsexistsaswell,whichenablesdistributedcomputaFonsbasedbranchingprocesses,oronotherstructures(e.g.eventstructures).
37
U(N1 ⇥ ...⇥NK) = U(N1)⇥ ...⇥ U(NK)
E = (E,!,#)
References
38
Aboutprefixconstruc1on1. AnunfoldingalgorithmforsynchronousproductsoftransiFonsystems,Esparzaand
Romer,proceedingsofCONCUR’99,pp2-202. AnimprovementofMcMillan’sunfoldingalgorithm,EsparzaandRomer,LNCS1055,
pp87-106,19963. CanonicalprefixesofPetrinetunfoldings,Khomenko,KoutnyandVogler,Acta
InformaFca40,pp95-118,2003
Moreorientedtomodel-checkingapplica1ons
1. Modelcheckingusingnetunfoldings,Esparza,ScienceofComputerProgramming23,pp151-195,1994
2. Reachabilityanalysisunsingnetunfoldings,SchroterandEsparza3. Deadlockcheckingusingnetunfoldings,MelzerandRomer,LNCS1254,pp352-363,
19974. UsingnetunfoldingstoavoidthestateexplosionproblemintheverificaFonof
asynchronouscircuits,McMillan,LNCS663,pp164-174,1992