Symbolic Synthesis of Masking Fault-Tolerant Distributed Programs. Borzoo Bonakdarpour, Workshop APRETAF, January 23, 2009. Joint work with Sandeep Kulkarni.

Motivation. The most important goal of formal methods is achieving correctness in computing systems (programs).
Timeline (year markers are reproduced where they appear on the slide):
• Alur and Henzinger propose verification and synthesis of real-time systems
• Clarke, Emerson, Sifakis, and Queille invent model checking
1981
• Emerson and Clarke propose synthesis from CTL properties
• McMillan et al. introduce BDD-based model checking (10^20 reachable states) and find bugs in IEEE Futurebus+
1993
• Wonham and Ramadge introduce controller synthesis
• Intel reports bug in floating point operations in Pentium processors
1994
• Clarke and Grumberg introduce counterexample guided abstraction-refinement (CEGAR), 10^1000 reachable states
1999
• Kulkarni and Arora introduce automated addition of fault-tolerance to fault-intolerant programs
• Biere and Clarke invent SAT-based model checking (10^500 reachable states)
• Bonakdarpour, Kulkarni, and Ebnenasir, and, independently, Jobstmann and Bloem introduce program revision (repair) techniques
2007
• Bonakdarpour and Kulkarni synthesize distributed programs of size 10^50
Mohamed Gouda: When does your “12 years” end?!
2008
The Synthesis Problem
[Figure: the state space, with the invariant contained in the fault-span; p marks program transitions and f marks fault transitions.]
The Issue of Distribution
• Modeling distributed programs:
– A program consists of a set of processes. Each process p is specified by:
• A set Vp of variables,
• A set Tp of transitions,
• A set Rp ⊆ Vp of variables that p is allowed to read,
• A set Wp ⊆ Rp of variables that p is allowed to write.
• Write restrictions
– Example: the transition from (a = 0, b = 1) to (a = 1, b = 1) changes a, but a ∉ Wp. Such transitions cannot be executed by process p.
• Read restrictions
– Example: b ∉ Rp, so p cannot distinguish the states (a = 1, b = 0) and (a = 1, b = 1). The transition from (a = 1, b = 0) to (a = 0, b = 0) therefore comes together with the transition from (a = 1, b = 1) to (a = 0, b = 1).
– Such a set of transitions forms a group.
– Addition and removal of any transition must occur along with its entire group.
What Is Difficult About Program Revision?
• Space complexity – The state explosion problem
• Time complexity – NP-completeness
• Identifying the complexity hierarchy of the problem
• The need for designing efficient heuristics
• Proofs are often helpful in identifying bottlenecks of the problem
The combination of the above complexities is the worst nightmare!

Daniel Mosé: As that wise man said, “bridging the gap between theory and practice is easier in theory than in practice!”
The Byzantine Agreement Problem
Variables:
• Decision: d.g ∈ {0, 1} for the GENERAL; d.j, d.k, d.l ∈ {0, 1, ⊥} for the NON-GENERALS
• Final?: f.j, f.k, f.l ∈ {false, true}
• Byzantine?: b.g, b.j, b.k, b.l ∈ {false, true}
Program (shown for non-general j):
• (d.j = ⊥) ∧ (f.j = false) → d.j := d.g
• (d.j ≠ ⊥) ∧ (f.j = false) → f.j := true
Faults:
• (b.j = false) ∧ (b.k = false) ∧ (b.l = false) ∧ (b.g = false) → b.j := true
• (b.j = true) → d.j := 0 | 1
• Experimental results with enumerative (explicit) state space (the tool FTSyn)
– Byzantine agreement, 3 processes: 6912 states, time: 10 s
– Byzantine agreement, 4 processes: 82944 states, time: 15 min
– Byzantine agreement, 5 processes: 995328 states
Fault-span computation as a least fixpoint over BDDs (P and F are the program and fault transition relations, frontier the states reached in the previous round):

    while (FaultSpan != current) {
        current = FaultSpan;
        BDD image = frontier * (P + F);   // successors of the frontier under P or F, // - FaultSpan
        frontier = Unprime(image);        // rename next-state (primed) variables back to current-state ones
        FaultSpan = current + frontier;   // add the newly reached states
    }
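As an added illustration (not code from the slides or from SYCRAFT), the two ideas above over an explicit state set in Python: expanding one transition into its group under read/write restrictions (and rejecting a write outside Wp), then running the slide's fault-span fixpoint loop with and without that group. The variables a and b, the single process and the single fault are a constructed toy, not the Byzantine agreement program.

```python
from itertools import product

# Constructed toy: two Boolean variables; a state is a canonical tuple of
# (name, value) pairs so that transitions and states can live in sets.
VARS = ("a", "b")
STATES = [dict(zip(VARS, vals)) for vals in product((0, 1), repeat=2)]

def st(a, b):
    return (("a", a), ("b", b))

def group(transition, readable, writable):
    """All transitions process p cannot tell apart from `transition`: p sees
    only `readable`, so every source state agreeing with the source on those
    variables must receive the same update to `writable` (Wp within Rp)."""
    s, t = dict(transition[0]), dict(transition[1])
    if any(s[v] != t[v] for v in VARS if v not in writable):
        raise ValueError("transition writes a variable outside Wp")
    grp = set()
    for s2 in STATES:
        if all(s2[v] == s[v] for v in readable):
            t2 = dict(s2)
            t2.update({v: t[v] for v in writable})
            grp.add((tuple(sorted(s2.items())), tuple(sorted(t2.items()))))
    return grp

def fault_span(invariant, transitions):
    """States reachable from the invariant under program or fault
    transitions: the slide's BDD fixpoint loop, over explicit sets."""
    span, frontier = set(invariant), set(invariant)
    while frontier:
        image = {t for (s, t) in transitions if s in frontier}
        frontier = image - span        # keep only states new to the span
        span |= frontier
    return span

# Process p reads and writes only a; its single transition a := 0 was written
# down for b = 0.  A single fault flips b while in the invariant.
INVARIANT = {st(1, 0)}
P_EXPLICIT = {(st(1, 0), st(0, 0))}
P_GROUPED = group((st(1, 0), st(0, 0)), readable={"a"}, writable={"a"})
FAULT = {(st(1, 0), st(1, 1))}

def spans():
    """Fault-span computed without and with the read-restriction group."""
    return (fault_span(INVARIANT, P_EXPLICIT | FAULT),
            fault_span(INVARIANT, P_GROUPED | FAULT))

if __name__ == "__main__":
    print(sorted(P_GROUPED), *map(sorted, spans()), sep="\n")
```

Ignoring the group misses the state (a = 0, b = 1), which is exactly the kind of state a synthesizer must account for when it adds or removes transitions of p.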
Polynomial-Time Heuristics
The heuristic iterates the following steps (flowchart on the slide):
• Identify the state predicate ms from where faults alone violate the safety; S := S − ms
• Re-compute the fault-span
• Identify transitions in the fault-intolerant program that may be included in the fault-tolerant program
• Resolve deadlock states
• Fixpoint? If no, repeat the steps above; if yes, stop.
[Figure: invariant and fault-span with program transitions p and fault transitions f; states s0 and s1 are marked.]
Re-computing state predicates or transition predicates does not occur often in model checking, but it does happen quite often during synthesis.
Experimental Results
• Polynomial-time sound BDD-based heuristics
– The tool SYCRAFT (http://www.cse.msu.edu/~borzoo/sycraft)
– C++
– CuDD (Colorado University Decision Diagram Package)