1 / 71

Keeping a Crowd Safe On the Complexity of Parameterized Verification

This text explores the intricacies of parameterized verification, particularly concerning the coverability problem in anonymous crowds. The focus is on determining whether a global state can be reached in which certain conditions hold, given a finite automaton and a specified dangerous state. The discussion references key undecidability theorems, including Turing's and Rice's, highlighting the challenges of verifying properties in concurrent systems. The analysis emphasizes the balance between the desires for low complexity by verifiers and high complexity in design from crowd designers, aiming for a comprehensive understanding of these critical issues.

kenley
Télécharger la présentation

Keeping a Crowd Safe On the Complexity of Parameterized Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Keeping a Crowd SafeOn theComplexityofParameterizedVerification Javier Esparza Technical University ofMunich

  2. Wilfried Brauer (1937-2014) Book ofcondolence: http://kondolenz.informatik.tu-muenchen.de

  3. „Whydon´tyougiveup?“ Theorem (Alan Turing, 1936) Programterminationisundecidable. Theorem (Henry G. Rice, 1961) Every non-trivial propertyofprogramsisundecidable. Theorem (Marvin Minsky, 1969) Every non-trivial propertyofwhile-programswithtwocounter variables isundecidable.

  4. „Whydon´tyougiveup?“ Theorem (Alan Turing, 1936) Programterminationisundecidable. Theorem (Henry G. Rice, 1961) Every non-trivial propertyofprogramsisundecidable. Theorem (Marvin Minsky, 1969) Every non-trivial propertyofwhile-programswithtwocounter variables isundecidable.

  5. „Whydon´tyougiveup?“ Theorem (Alan Turing, 1936) Programterminationisundecidable. Theorem (Henry G. Rice, 1961) Every non-trivial propertyofprogramsisundecidable. Theorem (Marvin Minsky, 1969) Every non-trivial propertyofwhile-programswithtwocounter variables isundecidable.

  6. Because … • Undecidabilityrequiressomesourceof „infinity“: • Variables with an infinite range • Dynamic datastructures (lists, trees) • Unboundedrecursion • Concurrentsystems • aredifficulttogetright, and • oftenhave a finite statespace.

  7. Dijkstra´s Mutual ExclusionAlgorithm CC CACM 8:9, 1965

  8. Concurrentprogramsareoften finite-state CC

  9. Concurrentprogramsareoften finite-state CC Onlytwoboolean variables per process!

  10. Concurrentprogramsaredifficulttogetright CC CACM 9:1, 1966

  11. Concurrentprogramsaredifficulttogetright CC

  12. A Leader ElectionAlgorithm (90s)

  13. A Cache-Coherence Protocol (00s) Murphi modelchecker (Dill et al.) Source: Wikipedia

  14. A Model of a Bluetooth Driver (10s) KISS (Qadeerand Wu)

  15. ParameterizedVerification • Model-checkingtoolscanonly check instancesofthesesystemsforparticularvaluesofthenumber N ofprocesses. Can weprovecorrectnessforevery N ? • Amountstochecking an infinite familyof finite-statesystems.

  16. ParameterizedVerification • Model-checkingtoolscanonly check instancesofthesesystemsforparticularvaluesofthenumber N ofprocesses. Can weprovecorrectnessforevery N ? • Amountstochecking an infinite familyof finite-statesystems.

  17. Keeping a Crowd Safe • The coverabilityproblem: • Given: a program templatewith finite-range variables, a „dangerous“ controlpointof. • Decide: Isthere a number such thatthecrowd canreach a global state in which at least oneofis at ?

  18. ParameterizedVerification: Giveup? Theorem (folklore): The HaltingProblem canbereducedtotheparameterizedcoverabilityproblem. • Reduction: • The templatemodelsthebehaviourofonetapecell. • TM terminates • ituses a finite number N ofcells • N copiesofthetemplatereachthedangerousstate

  19. ParameterizedVerification: Giveup? Theorem (folklore): The HaltingProblem canbereducedtotheparameterizedcoverabilityproblem.

  20. ParameterizedVerification: Giveup? Theorem (folklore): The HaltingProblem canbereducedtotheparameterizedcoverabilityproblem. Parameterizedverificationisdoomed!

  21. Identities • In thisreductionprocesses do not executeexactlythe same code • The codemakesuseoftheprocessidentity(theindex) toorganizeprocesses in an array. • But manysystems do not useidentities: • DKR Leader Electionusesidentities. • Dijkstra´salgorithm, MESI-protocol, and Bluetooth driverdo not. • In others, processesmustremainanonymous!

  22. Anonymous Crowds • Weinvestigatethedecidabilityandcomplexityofthecoverabilityproblemforcrowdsin which • everyprocessexecutesexactlythe same code, (anonymouscrowds), and • thenumberofprocessesisunknowntotheprocesses.

  23. Keeping an Anonymous Crowd Safe • The coverabilityproblemforanonymouscrowds (TCS version) : • Given: a finite automatonanda „dangerous“ stateof. • Decide: Isthere a number such thattheanonymouscrowd canreach a global state in which at least oneofthecopiesis at ?

  24. Communication Mechanisms Reliablebroadcast • A processsends a message • All otherprocessesreceivethemessage (instantaneously) Rendez-vous • Synchronousexchangeof a messagebetweentwoprocesses

  25. Communication Mechanisms Reliablebroadcast • A processsends a message • All otherprocessesreceivethemessage (instantaneously) Rendez-vous • Synchronousexchangeof a messagebetweentwoprocesses

  26. Communication Mechanisms Sharedmemorywithlocking • Processescompetefor a lock • Processowningthe lock canperformreadsandwrites Sharedmemory, nolocking • Concurrentreadsandwritesallowed • Interleavingsemantics

  27. Communication Mechanisms Sharedmemorywithlocking • Processescompetefor a lock • Processowningthe lock canperformreadsandwrites Sharedmemory, nolocking • Concurrentreadsandwritesallowed • Interleavingsemantics

  28. High or Low Complexity? Verifierswantlowcomplexity

  29. High or Low Complexity? „Crowddesigners“ (swarmintelligence, populationprotocols, crowdsourcing) want high complexity Verifierswantlowcomplexity

  30. Reliablebroadcast • Theorem [E., Finkel, Mayr 99] The coverabilityproblemforbroadcastprotocolsisdecidable. • Informally: Anonymous crowdsare not Turing powerful • Straightforwardapplicationofthebackwardsreachabilityalgorithmby Abdulla et al., based on thetheoryof well-quasi-orders.

  31. Reliablebroadcast A configurationofthesystemiscompletelydeterminedbythenumberofprocesses in eachstate. (Noidentities) Symbolic Backward Search /* angerous */ Iterateuntil ; return „unsafe“ or fixpoint; return „safe“

  32. Reliablebroadcast A configurationofthesystemiscompletelydeterminedbythenumberofprocesses in eachstate. (Noidentities) Symbolic Backward Search /* angerous */ Iterateuntil ; return „unsafe“ or fixpoint; return „safe“ Problems: • contains infinite sets. Finite representation? • Termination?

  33. Reliablebroadcast • Partial orderon configurations: ifhas at least asmanyprocessesasin eachstate • “ is a well-quasi-order : a well-founded partial orderwithno infinite antichains. • Consequence: always hasfinitelymany minimal elements. • Finite representation • Termination

  34. Reliablebroadcast • Partial orderon configurations: ifhas at least asmanyprocessesasin eachstate • “ is a well-quasi-order : a well-founded partial orderwithno infinite antichains. • Consequence: always hasfinitelymany minimal elements. • Finite representation • Termination Love it!

  35. Reliablebroadcast: Complexity Theorem (Schmitz andSchnoebelen 13) The coverabilityproblemforbroadcastprotocolshas non-primitive-recursivecomplexity.

  36. Reliablebroadcast: Complexity Theorem (Schmitz andSchnoebelen2013) The coverabilityproblemforbroadcastprotocolshas non-primitive-recursivecomplexity.

  37. Reliablebroadcast: Complexity Theorem (Schmitz andSchnoebelen 13) The coverabilityproblemforbroadcastprotocolshas non-primitive-recursivecomplexity. Putthat in yourpipeand smoke it, Sherlock!

  38. Reliablebroadcast: Complexity Theorem (Schmitz andSchnoebelen 13) The coverabilityproblemforbroadcastprotocolshas non-primitive-recursivecomplexity. Don‘tdespair, Sherlock! Backwardsreachabilityisusefulforverification! I‘veusedittoprovepropertiesofa dozen cache-coherenceprotocols: theirtemplateshaveunder 10 states! G. Delzanno

  39. Sharedmemorywithlocking • Two essential propertiesofreliablebroadcast: • Everybodyreceiveseverymessage • The crowdcanproduce a leader • Sharedmemorywithlocking • Can still produce a leader • Can onlyguaranteethatsomebodyreceives a message

  40. Sharedmemorywithlocking Theorem: The coverabilityproblemforsystemscommunicatingthrough a global storewithlockingis EXSPACE-complete.

  41. Sharedmemorywithlocking A templatewithstatescansimulate a countercountingupto. Lowerbound [Lipton 1976]

  42. Sharedmemorywithlocking Upperbound [Rackoff 1978]: Lowerbound [Lipton 1976] If thegoalstateiscoverable, thenitiscoverable in an instancewith processes.

  43. Sharedmemorywithlocking Upperbound [Rackoff 1978]: Unfortunately, forusverifiersthisupperboundisalgorithmicallyuseless …

  44. Sharedmemorywithlocking Theorem [Bozzelli, Ganty 2012]: Symbolicbackwardsreachabilityruns in double exponential time for global storewithlocking.

  45. Sharedmemorywithlocking Love it! But backwardsalgorithmsoftengeneratetoomanyunreachablestates! Cant´tyoucomeupwith a forwardexplorationalgorithm? Theorem [Bozzelli, Ganty 2012]: Symbolicbackwardsreachabilityruns in double exponential time for global storewithlocking.

  46. Sharedmemorywithlocking The Karp-Miller coverabilitygraph (1969). • Configuration: • Generalizedconfiguration: wherestandsfor „arbitrarilymany“ • Initially: • Construct a „forwardreachabilitygraph“: Ifthen • Problem:termination

  47. Sharedmemorywithlocking • „Accelerate“ theconstruction: Change to • Theorem:The Karp-Miller graphisalways finite.

  48. Sharedmemorywithlocking • „Accelerate“ theconstruction: Change to • Theorem:The Karp-Miller graphisalways finite. • But: The Karp-Miller graphcanhave non-primitive recursivesize.

  49. Sharedmemorywithlocking • „Accelerate“ theconstruction: Change to • Theorem:The Karp-Miller graphisalways finite. • But: The Karp-Miller graphcanhave non-primitive recursivesize. Don´tloveit!

More Related