1 / 68

I/O Automaton Models: Basic, Timed, Hybrid, Probabilistic, Etc.

This talk provides an overview of different I/O Automaton models including basic, timed, hybrid, and probabilistic models. The talk will discuss their applications in distributed systems and theoretical algorithms, as well as future work in this field.

carleyj
Download Presentation

I/O Automaton Models: Basic, Timed, Hybrid, Probabilistic, Etc.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. I/O Automaton Models: Basic, Timed, Hybrid, Probabilistic, Etc. Nancy Lynch, Dilsun Kirli, MIT University of Illinois, Urbana-Champaign, MURI Meeting October 4, 2002 Based on work with Roberto Segala, Frits Vaandrager

  2. I/O Automata • Mathematical, infinite-state, automaton models. • Describe states, transitions. • Describe system modularity: • Parallel composition of interacting components. • Levels of abstraction. • Example: Generic distributed system • Diagram represents interfaces. • IOA models also describe behavior. • Abstract models for system components. • Channel: Implemented by TCP, modeled as reliable FIFO queue. • Node: Implemented by C++ program, modeled as algorithm automaton.

  3. Reliable FIFO Channel Model send(m) receive(m) Channel(M) • Signature: • Inputs: • send(m), m in M • Outputs: • receive(m), m in M • States: • queue, a finite sequence of elements of M, initially empty • Transitions: • send(m) • Effect: Add m to end of queue • receive(m) • Precondition: m is first on queue • Effect: remove first element of queue

  4. Levels of Abstraction TO-Bcast GCS GCS • Used in system development by successive refinement. • Top level: Specification for allowed behaviors. • Can write in same automaton style. • Refine through many levels, to code-like, detailed description. • Example: Group communication: • Automata used to represent totally-ordered reliable broadcast service, group communication service, and algorithm. • Composition of algorithm and GCS automata implements TO-Bcast automaton. • Continue, implementing GCS in terms of lower-level network.

  5. Flavors of I/O Automaton Models • Basic IOAs deal with: • What happens, in what order (not when). • Discrete events (not continuous behavior). • Timing: TIOA • For describing timeout-based algorithms. • Local clocks, clock synchronization. • Timing/performance analysis. • Hybrid (continuous/discrete): HIOA • Systems with real world + computer components • Vehicle control: ground, air, space • Embedded systems • Probabilistic: PIOA, PTIOA, PHIOA • Randomized distributed algorithms • Security protocols • Safety-critical systems

  6. Talk Outline • Brief overview of the models • HIOA model, in more detail (Lynch) • TIOA model (Kirli) • PIOA model (Lynch) • Future work on models • Future work on applications

  7. 1. Brief Overview of the Models

  8. I/O Automata (IOA) • Static description: • Actions a (input, output, internal) • States s, start states • Transitions (s, a, s'); input actions enabled in all states. • Dynamic description: • Execution: s0 a1s1a2s2 … • Trace: Sequence of input and output actions; externally visible behavior. • A implements B: traces(A)  traces(B). • Operations for building automata: • Parallel composition, identifying inputs and outputs. • Action hiding. • Reasoning methods: • Invariant assertions: Property holds in all reachable states. • Simulation relations: Imply one automaton implements another. • Compositional methods

  9. Example Applications • Theoretical distributed algorithms: • Mutual exclusion, Byzantine agreement, atomic object implementation, resource allocation, data management… • Distributed systems: • Orca DSM system: Two-layer model, following the implementation. Found, fixed logical error. Proofs. • Transis group communication system: Models for key layers. Proofs. Algorithmic improvements. • Ensemble GC system: Models for key layers. Found, fixed logical error. Proofs. • Algorithms for dynamic networks (new): • RAMBO reconfigurable atomic memory algorithm • Dynamic atomic broadcast algorithm

  10. Timed I/O Automata (TIOA) • Add special time-passage actions, pass(t), to IOA model. • Example: Reliable FIFO channel that always delivers messages within time d. • send(m) • Effect: Add (m, now + d) to end of queue • receive(m) • Precondition: (m,u) is first on queue (for some u) • Effect: remove first element of queue • pass(t) • Precondition: for all (m,u) in queue, now + t  u • Effect: now := now + t • Can use standard automaton-based reasoning methods: • Invariant: for all (m,u) in queue, now  u  now + d. • Inductive proofs.

  11. Example Applications • Theoretical distributed algorithms: • Mutual exclusion, consensus,… • Timeout-based communication protocols: • TCP,… • Group communication systems: • Using GCS to build TO-Bcast: Conditional performance analysis. • Scalable GCS: Performance analysis. • RAMBO: Performance analysis. • Hybrid (continuous/discrete) systems: • RR crossing, steam boiler controller • Stretched TIOA capabilities; motivated HIOA.

  12. Hybrid I/O Automata (HIOA) • TIOA plus facilities for representing continuous behavior. • Static description: • States: input, output, internal variables; start states • Actions: input, output, internal • Discrete steps (s, a, s') • Trajectories , mapping time intervals to states • Dynamic description: • Execution 0a11a22… • Trace: Project on external variables, external actions. • A implements B if traces(A)  traces(B). • Operations: Composition, hiding • Reasoning methods: Invariants, simulation relations, compositional methods

  13. Example Applications • Ground transportation: • People-mover (Raytheon) • California PATH automated highway system (Berkeley) • Aircraft control: • TCAS (Lincoln Labs) • Qwanser helicopter system (MIT Aero/Astro)

  14. Probabilistic I/O Automata [Segala] • Adds probabilistic transitions (s, a, P), where P is a probability distribution on states. • Includes both nondeterminism and probability. • External behavior represented by a set of trace distributions (one for each “adversary”, who resolves nondeterminism). • Implementation represented by subset (of sets of trace distributions). • Example applications: • Randomized distributed algorithms: • Rabin-Lehmann Dining Philosophers • Aspnes-Herlihy randomized consensus • Security protocols

  15. 2. Hybrid I/O Automata[Lynch, Segala, Vaandrager]

  16. Hybrid Systems • Hybrid systems: Continuous, real-world components + discrete, computer components • Examples: • Automated transportation systems • Robots • Factory control systems • Embedded systems • Mobile systems • Complex • Strong safety, performance requirements

  17. The HIOA Model • States, discrete transitions, trajectories. • Model plants, controllers, sensors, actuators, computer software, communication services, human operators. • Support for decomposing hybrid system descriptions: • External behavior: Models discrete and continuous interactions of component with its environment. • Composition: Synchronize external events, external trajectories. • Levels of abstraction: Implementation notion, respects external behavior. • Incorporate methods from control theory, computer science: • Control theory: Invariant sets, stability analysis using Lyapunov functions, robust control methods • Computer science: Invariants, simulation relations, compositional methods

  18. Related Work • Phase transition systems [Maler, Manna, Pnueli 92], [Alur, Courcoubetis, Halbwachs,…95], [Kesten, Manna, Pnueli 98] • Hybrid control systems [Branicky 95, 98] • Hybrid reactive modules [Alur, Henzinger 96, 97]

  19. Example: Hybrid Control System Plant Actuator Sensor Controller

  20. Describing Hybrid Behavior • Universal set of variables • Static type:type(v), set of values v may take on. • Dynamic type:dtype(v), allowed “trajectories” for v: • Set of functions from left-closed intervals of R to type(v). • Closed under time shift, subinterval, countable pasting. • Examples: Pasting closure of constant functions, of continuous functions, of differentiable functions, of integrable functions.

  21. Trajectories • Model evolution of variables over time intervals. • Valuation for V: Assigns value in type(v) to each v in V. • Trajectory: Let J be a left-closed interval, left endpoint 0. A J-trajectory for V is a function from J to valuations for V whose restriction to each variable v is in dtype(v). • Lemma: The set of trajectories for V together with the prefix ordering is an algebraic cpo. • Concatenation: At common point, use value from first trajectory.

  22. Hybrid Sequences • Let A be a set of actions, V a set of variables. An (A,V)-sequence is an alternating sequence, 0a11a22…of trajectories over V and actions in A. • Models a series of discrete and continuous changes. • Lemma: The set of (A,V)-sequences together with the prefix ordering is an algebraic cpo. • Concatenation: At common point, use value from first (A,V)-sequence.

  23. Hybrid I/O Automaton • U, Y, X: input, output, and internal (state) variables • V = U  Y  X • Q: states, a set of valuations of X • : start states • I, O, H: input, output, and internal actions • A = I  O  H • D Q  A  Q: discrete transitions • T: trajectories for V, in which the valuations of X are in Q. Closed under prefix, suffix, and countable concatenation.

  24. Input-Enabling Axioms • Input action enabling: For every state q and every input action a, there is some discrete transition (q,a,q’). As for ordinary I/O automata. • Input trajectory enabling: For every state s and every input trajectory , there is some trajectory  that starts with x, and either: • Spans all of , or • Spans a prefix of , after which some locally-controlled action is enabled.

  25. Executions and Traces • Execution fragment of HIOA A: • An (A,V)-sequence 0a11a22…, where: • Each iis a trajectory of A, and • Each (i.lstate, ai ,i+1.fstate) is a discrete step of A. • A,V are all the actions and variables of A. • Only states need match up. • Execution of A: • Fragment beginning in a start state. • Trace of an execution fragment: • Restrict to external actions E, external variables W. • (E,W)-sequence. • Aimplements B if they have the same external interface and tracesA tracesB.

  26. Notation • We specify sets of trajectories using differential and algebraic equations (or inclusions). • Trajectory  satisfies algebraic equation v = e if the constraints on the variables expressed by this equation hold in every state of . • Trajectory  satisfies differential equation d(v) = e if for every t in the domain of : v(t) = v(0) + 0t e(t’) dt’ (“weak solutions”) • Algebraic/differential inclusions are handled similarly.

  27. Example: Vehicle HIOA Vehicle acc-in vel-out acc, vel • Follows a suggested acceleration to within an error of   0. Reports real velocity. • U: acc-in • Y: vel-out • X: vel, acc; Q: all valuations of X • : vel = 0, acc = 0 • I, O, H, D: empty • Trajectories T: • d(vel) = acc • acc(t) [acc-in(t)- , acc-in(t) + ], for t > 0 • vel-out = vel • No constraints on input variables in initial states of trajectories.

  28. Example: Controller HIOA Controller vel-out acc-in vel-sensed acc-suggested clock • Suggests accelerations for a vehicle with the intention of ensuring that the velocity does not exceed a pre-specified velocity, vmax. • Monitors velocity, computes suggestion every time d. • Q: Valuations in which clock  d. • : 0 everywhere • H: suggest • D: suggest transitions where • clock = d, clock’ = 0, • vel-sensed’ = vel-sensed • vel-sensed + (acc-suggested’+ ) d  vmax

  29. Controller Trajectories • d(acc-suggested) = 0 • d(clock) = 1 • vel-sensed(t) = vel-out(t), for t > 0 • acc-in = acc-suggested

  30. Simulation Relation • Let A, B be HIOAs with the same external interface. • Relation R from states of A to states of B satisfying: • Every start state of A is related to some start state of B. • If xAR xB and  is an execution fragment of A consisting of one action surrounded by two point trajectories, with .fstate = xA, then B has a closed execution fragment  with .fstate = xB, trace() = trace(), and .lstate R .fstate. • If xAR xB and  is an execution fragment of A consisting of a single closed trajectory, with .fstate = xA, then B has a closed execution fragment  with …

  31. Simulation relation • Theorem: If there is a simulation relation from A to B then A implements B (inclusion of trace sets). • Example: • Vehicle(1) implements Vehicle(2), if 1 2 • Show using simulation relation: identity mapping

  32. Composition • Assume A1 and A2 are compatible (no common outputs, internal actions/variables are private). • Compose A1 and A2 by matching up external actions, variables: • Y = Y1 Y2; X = X1 X2; U = (U1 U2 ) - (Y1 Y2 ) • O = O1 O2; H = H1 H2; I = (I1 I2 ) - (O1 O2 ) • Start states : Projections in 1, 2 • Discrete steps D: Projections in D1, D2 • Trajectories T: Projections in T1, T2 • Technicality: Composition need not satisfy input flow enabling, pre-HIOA. Assume “strong compatibility”. Holds in many interesting special cases.

  33. Composition Theorems • Projection and Pasting: Assume A = A1 || A2. Then tracesA is exactly the set of (E,W)-sequences whose restrictions to A1 and A2 are traces of A1 and A2, respectively. • Substitutivity: If A1 implements A2 and both are compatible with B, then A1 || B implements A2 || B.

  34. Example: Vehicle and Controller • Vehicle || Controller: • Invariant of Vehicle || Controller: vel  vmax. • Can prove this using a standard inductive argument. • Uses auxiliary invariants, most importantly: vel + (acc-suggested + ) (d – clock)  vmax Vehicle Controller vel-out vel-sensed acc-suggested clock acc-in acc, vel

  35. Hiding • ActHide(E,A) reclassifies the external actions in E as internal actions. • (New) VarHide(W,A) removes the external variables in W (but retains their induced constraints on the trajectories). • (Previously) VarHide(W,A) reclassified external variables in W as internal (state) variables.

  36. Example • In the composition Vehicle || Controller, we may hide the acc-in variable, which is used for communication between the components: A = VarHide({acc-in}, Vehicle || Controller) • In A, the only external variable is vel-out. • Express the correctness of A by showing that it implements an abstract specification HIOA VSpec. • VSpec expresses just the constraints vel vmax, and vel-out = vel. • Show correctness using a simulation relation.

  37. Progressive HIOAs • HIOAs should provide some response from any state, for any sequence of input actions and input trajectories. • HIOAs should not block the passage of time: they should allow time to pass to infinity, if their environment does so. • Definition: A pre-HIOA is progressive if it has no execution fragments in which it generates infinitely many locally-controlled actions in finite time. • Theorem: A progressive HIOA A can accommodate any input hybrid sequence, from every state: For each state x of A and each (I,U)-sequence , there is some execution fragment  from x such that   (I  U) = . • Theorem: The composition of progressive pre-HIOAs is progressive.

  38. Receptive HIOAs • But progressiveness isn’t enough: • HIOAs involving only upper bounds on timing are not progressive. • Such specifications are common. • Definition: A strategy for a pre-HIOA A is an HIOA A’ that is the same as A except that D’  D, and T’  T. • Nondeterministic, memoryless. • Definition: A pre-HIOA is receptive if it has a progressive strategy. • Theorem: A receptive pre-HIOA can accommodate any input hybrid sequence. • Theorem: Let A1 and A2 be compatible receptive HIOAs with strongly compatible progressive strategies B1 and B2. Then A1 || A2 is a receptive HIOA with progressive strategy B1 || B2.

  39. Applications • Raytheon people-mover [Lynch, Weinberg, Delisle] • California PATH automated highway system: Analysis of platoon maneuvers [Dolginova, Lygeros, Lynch] • TCAS [Livadas, Lygeros, Lynch] • Qwanser helicopter system [Mitra, Wang, Feron, Lynch]

  40. TCAS model Aircraft Aircraft Sensor Sensor Pilot Pilot Conflict detector Conflict detector Channel Conflict resolver Conflict resolver Channel

  41. 3. Timed I/O Automata[Kirli, Lynch, Segala, Vaandrager]

  42. From HIOA to TIOA • Hybrid systems: continuous, real-world components + discrete, computer components • Timed systems: continuous, time + discrete, computer components • Correctness depends not only on the order of events but also on their timing. • Example: Reliable FIFO channel that always delivers messages within time d.

  43. Work in Progress • Canonical model for timing-based systems • External behavior • Composition • Levels of abstraction • Identify major ideas from related models and express them in the common framework of TIOA • Timed automata [Alur and Dill] • Timed transition systems [Maler, Manna, Pnueli] • Clock GTA [DePrisco]

  44. Describing Timing Behavior • Timing behavior is described by using the same concepts as in HIOA: • Variables • Static and dynamic types • Trajectories • Hybrid sequences

  45. Timed I/O Automata • X: internal variables • Q: states, a set of valuations of X • : start states • I, O, H: input, output, internal actions • A = I  O  H • D  Q A  Q: discrete transitions • T: trajectories for X, in which the valuations of X are in Q. Closed under prefix, suffix, and countable concatenation.

  46. Execution and Traces • Execution fragment of TIOA A: • An (A,V)-sequence 0a11a22…, where: • Each iis a trajectory of A, and • Each (i.lstate, ai ,i+1.fstate) is a discrete step of A. • A,V are all the actions and variables of A. • Execution of A: Fragment beginning in a start state. • Trace of an execution fragment: • Restrict to external actions E, empty set of variables. • (E,)-sequence.

  47. Example: Time bounded channel • X: clock, queue • Q: all valuations of X • : clock=0, queue is empty • I: send(m) • O: receive(m) • Transitions: • send(m) • Effect: add (m,clock + d) to end of queue • receive(m) • Precondition: (m,u) is first on queue and clock  u • Effect: remove the first element of queue • Trajectories t satisfy: • d(clock)=1 • (t  queue) is a constant function

  48. Untiming Operation • Transform a timed automaton A to an untimed automaton Untime(A,R) • Define a notion of congruence. • Let R be a congruence for A. • States of Untime(A,R): the set of equivalence classes of R. • Untime(A,R) has a special internal action to represent time passage. • Theorem: If  is an execution of A, then Untime(A,R) has an execution ’ such that trace(’)=discrete(trace()) and vice versa. • Similar to region construction of Alur and Dill • Theorem: The equivalence relation used by Alur-Dill in region construction is a congruence

  49. Properties for I/O Automata • A property for A is a subset of the execution fragments of A. • P is a livenessproperty provided that for any state x of A, there is some execution fragment from x that is in P. • We say that A is receptive forP provided that there exists a strategy A’ for A such that every execution fragment of A’ is in P. • Theorem: If A1 is receptive for P1 and A2 is receptive for P2 then A1 || A2 is receptive for P1 || P2.

  50. 4. Probabilistic I/O Automata[Lynch, Segala, Vaandrager]

More Related