
Monitoring Partial Order Snapshots



Presentation Transcript


  1. Monitoring Partial Order Snapshots. Joint work with Peter Niebert.

  2. Monitoring an interleaving sequence
  • Assume a model of execution with local events and synchronous communication.
  • Concurrent events are monitored according to some (arbitrary) order.
  • What are global states?
  • What global states appear on execution (execution sequence)?

  3. Partial Order Semantics
  • Sometimes called “real concurrency”.
  • There is no total order between events.
  • More intuitive. Closer to the actual behavior of the system.
  • More difficult to analyze.
  • Fewer verification results.
  • Natural transformation between models.
  • Partial order: (S, <), where < is
    • Transitive: x<y /\ y<z ⟹ x<z.
    • Antisymmetric: for no x, y, x<y /\ y<x.
    • Antireflexive: for no x, x<x.

  4. Bank Example
  • Two branches, initially $1M each.
  • In one branch: deposit, $2M.
  • In another branch: robbery.
  • How to model the system?

  5. Global state space (Figure: the interleaving diamond.) From ($1M, $1M), deposit leads to ($3M, $1M) and robbery leads to ($1M, $0M); from either of these the remaining action (robbery, resp. deposit) leads to ($3M, $0M).

  6. Should we invest in this bank? (Figure: the same global state space as slide 5, with the states ($1M, $1M), ($1M, $0M) and ($3M, $0M) labelled “Invest!” or “Do not Invest!”.)

  7. Partial Order Description (Figure: two unordered local lines. Branch 1: $1M --deposit--> $3M. Branch 2: $1M --robbery--> $0M.)

  8. Constructing global states (Figure: the same two local lines, Branch 1: $1M --deposit--> $3M and Branch 2: $1M --robbery--> $0M, from which global states are formed by cutting both lines.)

  9. Modeling with partial orders (Figure.) Two processes communicating over channel ch:
  P1: m0: x:=x+1; m1: ch!x (then back to m0).
  P2: n0: ch?z; n1: y:=y+z (then back to n0).
  Local states of P1 along its line: pc1=m0,x=0 → pc1=m1,x=1 → pc1=m0,x=1 → pc1=m1,x=2 → pc1=m0,x=2.
  Local states of P2 along its line: pc2=n0,y=0,z=0 → pc2=n1,y=0,z=1 → pc2=n0,y=1,z=1 → pc2=n1,y=1,z=2.
  The channel actions ch!x / ch?z are joint events that order the two lines.

  10. Linearizations (Figure: one linearization of the partial order of slide 9, as a sequence of global states.)
  pc1=m0,x=0,pc2=n0,y=0,z=0 →
  pc1=m1,x=1,pc2=n0,y=0,z=0 →
  pc1=m0,x=1,pc2=n1,y=0,z=1 →
  pc1=m1,x=2,pc2=n1,y=0,z=1 →
  pc1=m1,x=2,pc2=n0,y=1,z=1 →
  pc1=m0,x=2,pc2=n1,y=1,z=2

  11. Linearizations (Figure: a second linearization of the same partial order.)
  pc1=m0,x=0,pc2=n0,y=0,z=0 →
  pc1=m1,x=1,pc2=n0,y=0,z=0 →
  pc1=m0,x=1,pc2=n1,y=0,z=1 →
  pc1=m0,x=1,pc2=n0,y=1,z=1 →
  pc1=m1,x=2,pc2=n0,y=1,z=1 →
  pc1=m0,x=2,pc2=n1,y=1,z=2

  12. Nondeterminism is different from concurrency: Bank with one teller (Figure.) Branch 1 has one teller and two pending deposits, so it chooses which to serve first: $1M --deposit--> $3M or $1M --deposit--> $1.1M, and in either case the second deposit leads to $3.1M. Branch 2: $1M --robbery--> $0M.

  13. Partial order execution 1 (Figure.) Branch 1: $1M --deposit--> $3M --deposit--> $3.1M. Branch 2: $1M --robbery--> $0M.

  14. Partial order execution 2 (Figure.) Branch 1: $1M --deposit--> $1.1M --deposit--> $3.1M. Branch 2: $1M --robbery--> $0M.

  15. Traces
  • An equivalence relation among sequences. Defined using some symmetric and antireflexive independence relation I ⊆ Σ×Σ on the set of actions Σ.
  • Suppose that aIb, aIc (but not bIc). Then we have [abac] = [baac, abac, aabc, baca, abca, bcaa].
  • Snapshots of execution [abac] are the states after [a], [b], [ab], [aa], [bc], [aab], [abc].
  • Note that the states after trace-equivalent sequences, e.g., aab, aba, baa, are the same, so we can talk about the state after a trace. When clear, we write a trace instead of the corresponding state at the end of it.

  16. Extended LTL: with snapshots. The logic SLTL
  • Basic syntax as LTL.
  • In addition, the “snapshot” operator [p], where p is a conjunction of positive and negative atomic propositions.
  • Semantics of the new operator: (u,v) |= [p] iff there exist finite sequences u1, u2 such that [u] = [u1][u2] and (u1, u2v) |= p.

  17. How to monitor executions and find snapshots?
  • A deterministic automaton that keeps all the global states that are subsumed on the way.

  18. Automaton for prefixes of [aabc]. (Figure: each node is a set of pairs <s,A>; transitions are labelled a, b or c.) The nodes as shown:
  <[],∅>
  <[a],∅>, <[],{a}>
  <[aa],∅>, <[a],{a}>, <[],{a}>
  <[b],∅>, <[],{b}>
  <[ab],∅>, <[b],{a}>, <[a],{b}>, <[],{a,b}>
  <[aab],∅>, <[ab],{a}>, <[b],{a}>, <[a],{a,b}>, <[],{a,b}>
  <[bc],∅>, <[b],{c}>, <[],{b,c}>
  <[abc],∅>, <[ab],{c}>, <[b],{a,c}>, <[a],{b,c}>, <[],{a,b,c}>
  <[aabc],∅>, <[abc],{a}>, <[aab],{c}>, <[bc],{a}>, <[ab],{a,c}>, <[aa],{b,c}>, <[a],{a,b}>, <[],{a,b}>

  19. How to construct this automaton?
  • Each node consists of a set of pairs <s,A>, where s is a (subsumed) state and A is a subset of actions.
  • It denotes that s is a subsumed state, and it takes the actions A (with possible repetition) in some order to reach the current state.

  20. How to update nodes? (Figure: node X containing …,<s,A>,… has a b-transition to node Y; a state s with s --b--> b(s), and likewise t --b--> b(t), gives the candidates for Y.)
  • If <s,A> is in node X, then <s, A∪{b}> is in Y.
  • If <s,A> is in node X and b is independent of all of A, then <b(s), A> is in Y.
  • Size: 2^|S| × 2^|Σ| (Σ the set of actions).
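To make slides 15–20 concrete, here is an added Python example (not code from the slides or their authors): it computes the trace class and the snapshots of slide 15 by brute force, and then runs the node-update rule of slide 20 as a monitor that only ever sees one interleaving. Assumed encodings: states are identified with traces, a trace is represented by the lexicographically smallest sequence in its class, and the independence relation is the constructed one from slide 15 (aIb, aIc, b and c dependent). The point for a runtime monitor is that the subsumed states it keeps are exactly the snapshots of the trace, whichever linearization it happened to observe.

```python
# Constructed independence relation from slide 15: a I b and a I c, but not b I c.
# I is symmetric (unordered pairs) and antireflexive (no {x, x} pair).
INDEP = {frozenset({"a", "b"}), frozenset({"a", "c"})}


def independent(x, y):
    """True iff actions x and y may be commuted (x I y)."""
    return frozenset({x, y}) in INDEP


def trace_class(word):
    """All sequences trace-equivalent to `word`: the closure of `word` under
    swapping adjacent independent actions. Brute force, exponential in general."""
    seen, todo = {word}, [word]
    while todo:
        w = todo.pop()
        for i in range(len(w) - 1):
            if independent(w[i], w[i + 1]):
                u = w[:i] + w[i + 1] + w[i] + w[i + 2:]
                if u not in seen:
                    seen.add(u)
                    todo.append(u)
    return seen


def canon(word):
    """Canonical representative of the trace [word] (assumption: the
    lexicographically smallest member). Equal traces give equal strings."""
    return min(trace_class(word))


def brute_snapshots(word):
    """Reference answer: the state after every prefix of every linearization."""
    return {canon(w[:i]) for w in trace_class(word) for i in range(len(w) + 1)}


class SnapshotMonitor:
    """Deterministic automaton of slides 17-20. A node is a set of pairs
    (s, A): s is a subsumed state (a trace) and A the set of actions executed
    after s; repetitions inside A are not tracked."""

    def __init__(self):
        self.node = {("", frozenset())}

    def step(self, b):
        new = set()
        for s, A in self.node:
            new.add((s, A | {b}))                     # s stays subsumed, b joins A
            if all(independent(b, x) for x in A):     # b commutes past all of A,
                new.add((canon(s + b), A))            # so b(s) is subsumed as well
        self.node = new

    def subsumed(self):
        return {s for s, _ in self.node}


def monitor_snapshots(word):
    """Feed one observed interleaving to the monitor; return the subsumed states."""
    m = SnapshotMonitor()
    for b in word:
        m.step(b)
    return m.subsumed()


if __name__ == "__main__":
    print(sorted(trace_class("abac")))                 # the six members of [abac]
    print(sorted(monitor_snapshots("aabc"), key=len))  # snapshots found by the monitor
```

Feeding `abac` and `aabc` to the monitor yields the same set of subsumed states, which is what makes the construction usable when the observation order is arbitrary. The node sizes also show why slide 20's bound is exponential, and why the later slides restrict the propositions.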

  21. We make a restriction:
  • Each process Pi will have its own set of propositions, related to the local states of Pi.
  • We can write in […] only a conjunction of local properties.

  22. Idea 1: grow a subset of processes whose local states satisfy their part of the conjunction. Case 1 (Figure): execution of a joint action kills the existing subset.

  23. Idea 1: grow a subset of processes whose local states satisfy their part of the conjunction. Case 2 (Figure): execution of a joint action extends the existing subset.

  24. Idea 1: grow a subset of processes whose local states satisfy their part of the conjunction. Case 3 (Figure): execution of a joint action maintains the existing subset.

  25. Can be formulated as follows:
  • “Freeze sets” – subsets of processes satisfying their portion of the property.
  • proc(a) – the set of processes that participate in action a.
  • addproc(s, a) – when executing action a from state s, these are the processes from proc(a) whose new local states satisfy the local propositions that we check.
  • Extension: Let F1 ⊆ addproc(s,a) and F2 be an existing subset such that F2 ∩ proc(a) = ∅. Then extend F1 into F1 ∪ F2.
  • Propagation: For an existing subset F such that proc(a) ⊆ F, we maintain F.
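The following is an added Python example (not the authors' code) that applies the extension and propagation rules of slide 25 to the two-process program of slide 9, and also shows the basis reduction of slide 31. Assumptions: the full family of freeze sets is kept explicitly (exponential in the number of processes, so only fine for small examples; the slides instead update a union-basis polynomially), the processes whose initial local state already satisfies their proposition seed the initial freeze sets, and an action is a pair (proc(a), update function). The monitor observes a single interleaving; the example contrasts it with naive interleaving monitoring, which only checks the global states it literally passes through and so misses snapshots the system could have been in.

```python
from itertools import combinations

# Constructed system from slide 9: P1 loops "m0: x:=x+1; m1: ch!x", P2 loops
# "n0: ch?z; n1: y:=y+z"; the channel ch is a synchronous (joint) action.
INIT = {"P1": {"pc": "m0", "x": 0}, "P2": {"pc": "n0", "y": 0, "z": 0}}


def inc(ls):   # local step of P1: x := x + 1
    return {"P1": {"pc": "m1", "x": ls["P1"]["x"] + 1}}


def sync(ls):  # joint action of P1 and P2: ch!x / ch?z
    x = ls["P1"]["x"]
    return {"P1": {"pc": "m0", "x": x},
            "P2": {"pc": "n1", "y": ls["P2"]["y"], "z": x}}


def add(ls):   # local step of P2: y := y + z
    p2 = ls["P2"]
    return {"P2": {"pc": "n0", "y": p2["y"] + p2["z"], "z": p2["z"]}}


# The interleaving the monitor happens to observe, as (proc(a), update) pairs.
OBSERVED = [({"P1"}, inc), ({"P1", "P2"}, sync), ({"P2"}, add),
            ({"P1"}, inc), ({"P1", "P2"}, sync), ({"P2"}, add)]


def freeze_step(T, proc_a, addproc):
    """Rules of slide 25 applied to the explicit family T of freeze sets."""
    new = set()
    for F in T:
        if proc_a <= F:                          # propagation: a is internal to F
            new.add(F)
    for F2 in T | {frozenset()}:
        if not (F2 & proc_a):                    # extension: F2 ∩ proc(a) = ∅
            for k in range(len(addproc) + 1):
                for F1 in combinations(sorted(addproc), k):   # F1 ⊆ addproc(s,a)
                    new.add(F2 | frozenset(F1))
    new.discard(frozenset())                     # a subset touched only partly by a is dropped
    return new


def basis(T):
    """Slide 31: the basis of the union-closed family T, i.e. every set of T
    that is not the union of other (smaller) sets of T."""
    return {F for F in T if frozenset().union(*(G for G in T if G < F)) != F}


def monitor_freeze_sets(props, actions, init=INIT):
    """props: process -> predicate on its local state (one conjunct per process).
    Returns (found_as_snapshot, seen_in_observed_interleaving)."""
    state = {p: dict(v) for p, v in init.items()}
    procs = frozenset(props)
    sat = lambda p: props[p](state[p])
    # Assumption: initially satisfying processes seed the freeze sets.
    T = freeze_step(set(), frozenset(), {p for p in procs if sat(p)})
    found = procs in T
    seen = all(sat(p) for p in procs)
    for proc_a, update in actions:
        proc_a = frozenset(proc_a)
        state.update(update(state))
        T = freeze_step(T, proc_a, {p for p in proc_a if sat(p)})
        found = found or procs in T              # Bingo: every process is frozen
        seen = seen or all(sat(p) for p in procs)
    return found, seen


if __name__ == "__main__":
    # x=2 /\ y=0 is a snapshot of the partial order (slide 10) but never occurs
    # in the observed sequence: the freeze-set monitor finds it, naive monitoring does not.
    print(monitor_freeze_sets({"P1": lambda s: s["x"] == 2, "P2": lambda s: s["y"] == 0}, OBSERVED))
```

The first conjunction is found only by the freeze sets, the conjunction x=0 ∧ y=1 is found by neither (y=1 needs the first synchronisation, which already needs x=1), and x=1 ∧ y=0 is found by both. The `basis` function drops a set like {P1, P2} once {P1} and {P2} are both present, which is the storage trick of slide 31.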

  26.–30. Propagation of “freeze sets” (Figure: an animation over five slides showing freeze sets being propagated and extended along an execution; the last slide ends with “Bingo!!” once a freeze set covers all processes.)

  31. How to store efficiently?
  • Freeze sets T are closed under union and intersection.
  • Need to store only a basis B of T, where unions are not included.
  • In this case, the size of the basis is not larger than the number of elements.
  • Update of the basis is polynomial.

  32.–33. Another example. We do not keep sets that are unions of others. (Figure, over two slides.)

  34.–35. We ignore some additional subsets: {P1, P2, P3}, etc. (Figure, over two slides.)

  36. How to perform model checking?
  • Construct an automaton for the negated formula as usual. Construct an automaton for each conjunction that appears inside the […] operator, to run in parallel.
  • Binary search is still polynomial in the number of processes and the size of the formula!

  37. Conclusions
  • Added the capability of partial orders into LTL specification.
  • Freeze sets construction for detecting global states that are subsumed during execution.
  • Model checking has basically the same complexity as for normal LTL!