Partial Order Trace Analyzer Ali Akkaya Boğaziçi University
Motivation The Remote Agent Experiment During the May 1999 RAX mission, the satellite deadlocked in space, causing the ground crew to put the spacecraft on standby. Ariane 5 Flight 501 Ariane 5 Flight 501 was destroyed 40 seconds after takeoff. The US$1 billion prototype rocket self-destructed due to a bug in the on-board guidance software.
Outline • Introduction • Runtime Verification Tools • Partial Order Trace Model • Computation Slicing • Regular Predicates • Partial Order Trace Analyzer (POTA) • Conclusion
Runtime Verification • Runtime Verification is the study of monitoring and analyzing system executions in order to detect faults or recover from them. • Two important aspects of program verification are • Testing • Use of Formal Methods
Runtime Verification [Figure: scalability versus coverage; Testing, Runtime Verification and Formal Methods are placed on the chart, with Ideal at high scalability and high coverage]
Runtime Verification Tools • Java PathExplorer (JPaX) • Java MultiPathExplorer (JMPaX) • Temporal ROVER (Commercial) • Cadence, Synopsys, Mentor (Commercial HW Tools) • Java MaC • Partial Order Trace Analyzer (POTA) • ….
Partial Order Trace Model • The Partial Order Trace Model is used because it deals properly with concurrent events and, in particular, because it can uncover errors by analyzing total order traces that completed successfully. • Surprisingly, checking properties, even on a finite partial order trace, is NP-complete in the size of the trace description.
Partial Order Trace Model • The state explosion problem exists when a partial order execution trace is given as input. • Given a partial order trace generated by n processes (or threads) with k events on each process, the possible number of global states can be as high as O(k^n), where a global state is comprised of n components.
Partial Order Trace Model • The approach to dealing with the state explosion problem: • Slicing: The slice of a trace with respect to a property is a subtrace that contains all of the global states of the trace that satisfy the property, such that it can be computed efficiently and represented concisely. • Predicate Restriction: Exploiting the structure of the property by imposing restrictions on it, so that its value can be evaluated efficiently for a given execution trace.
Simulation Trace Model • We assume a system consisting of processes denoted by P1, . . . , Pn. • The initial event on process Pi, denoted by ⊥i, occurs before any other event on Pi. • The final event on process Pi, denoted by ⊤i, occurs after all other events on Pi. • A consistent cut (reachable global state, consistent global cut) is defined on a directed graph as a subset of vertices such that, if the subset contains a vertex, then it contains all of its incoming neighbors.
Consistent Cut [Figure: the example trace with consistent cut C = {e3, f2} marked]
Computation Slicing • A slice of a trace with respect to a specification p is a subtrace that contains all the states of the trace that satisfy p. • It contains all global states of the computation satisfying the given predicate, and • it contains the least number of global states. • By exploiting the structure of the predicate, polynomial-time algorithms have been developed for nontemporal regular and linear predicates.
Computation Slicing [Figure: a Partial Order Trace is sliced for P1, giving a Slice whose global states all satisfy P1; instead of checking P1 Λ P2 on the whole trace, P2 is checked on the slice]
State Space Reduction Techniques • Other state space reduction techniques for reducing the time and/or space complexity, such as partial order reduction, BDD and SAT-based model checking are orthogonal to slicing and, as such, can be used in conjunction with slicing.
Computation Tree Logic (CTL) • CTL models time as a tree-like structure in which the future is not determined. • The POTA predicate detector takes a partial order trace and a set of CTL predicates and detects their satisfaction or violation.
Computation Tree Logic (CTL) • The formal syntax of CTL is given below: • Every proposition ap ∈ AP is a CTL formula. • If p and q are CTL formulas, then so are ¬p, p Λ q, p V q, EF(p), EG(p), AG(p), AF(p), EX(p), AX(p), and EX(p)[j]. • There are two path quantifiers: A denotes for all fullpaths and E denotes for some fullpath.
Computation Tree Logic (CTL) • Linear temporal operators are as follows: • G is the always operator, F is the eventually operator, X is the next-time operator. • The formula AG(p) (respectively, EG(p)) intuitively means that for all fullpaths (respectively, for some fullpath), p always holds on the path. • The formula AF(p) (respectively, EF(p)) intuitively means that for all fullpaths (respectively, for some fullpath), p eventually holds on the path. • The formula AX(p) (respectively, EX(p)) intuitively means that for all fullpaths (respectively, for some fullpath), p holds next-time on the path. • The formula EX(p)[j] intuitively means that, when process j executes an event, for some fullpath, p holds next time on the path.
Regular Predicates, RCTL, and RCTL+ • A predicate is regular if, given two consistent cuts that satisfy the predicate, the consistent cuts obtained by their set union and set intersection also satisfy the predicate. • RCTL+: • Every predicate ap ∈ AP is an RCTL+ formula. • If p and q are RCTL+ formulas, then so are p Λ q, p V q, EF(p), EG(p), and AG(p). • RCTL: The subset of RCTL+ where disjunction and negation operators are not allowed.
Predicate Classes • We can specify both the safety and liveness properties of a system using temporal logic. • A safety property specifies that something bad will never happen. • A liveness property specifies that something good will eventually happen.
Regular Predicates, RCTL, and RCTL+ • RCTL and RCTL+ can express both safety properties and liveness properties. • It has been proved that the temporal predicates EF(p), AG(p), and EG(p) are regular when p is regular.
Predicate Detection • The Predicate Detection problem is to decide whether the initial consistent cut of a computation satisfies a predicate.
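The definitions on the Simulation Trace Model, Computation Slicing, Regular Predicates and Predicate Detection slides can be exercised on a tiny trace. The block below is an added example, not code from the slides or from POTA: it enumerates the consistent cuts of a constructed two-process trace (local order plus two message edges), checks a predicate for regularity by testing closure of its satisfying cuts under union and intersection, computes the slice as the smallest sublattice containing the satisfying cuts, and decides EF, AG and EG at the initial (empty) cut by brute force over the lattice. The event names, edges, the global state (x, y) and the two predicates are all constructed here; POTA's real algorithms avoid this exhaustive enumeration, which is exactly the O(k^n) blow-up the slides describe.

```python
"""Added example (not code from the slides or from POTA): enumerate the
consistent cuts of a small partial-order trace, slice it with respect to a
predicate, test regularity, and detect EF/AG/EG at the initial cut.
The trace, its variables and the predicates are all constructed here."""
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Cut = FrozenSet[str]          # a set of executed events
State = Tuple[int, ...]       # (x, y): events executed so far on P_a, P_b
Predicate = Callable[[State], bool]

# Constructed trace: two processes "a" and "b" with three events each.
# Edges are happens-before: local order on each process plus two messages.
PROCS = ("a", "b")
EVENTS = ["a1", "a2", "a3", "b1", "b2", "b3"]
EDGES = [("a1", "a2"), ("a2", "a3"), ("b1", "b2"), ("b2", "b3"),
         ("a1", "b2"),   # message sent after a1, received before b2
         ("b1", "a3")]   # message sent after b1, received before a3

def predecessors(events, edges) -> Dict[str, Set[str]]:
    pred: Dict[str, Set[str]] = {e: set() for e in events}
    for u, v in edges:
        pred[v].add(u)
    return pred

def consistent_cuts(events=EVENTS, edges=EDGES) -> List[Cut]:
    """A cut is consistent iff it contains every incoming neighbour of each
    of its events (the slide's closure condition on the trace graph)."""
    pred = predecessors(events, edges)
    return [frozenset(s) for r in range(len(events) + 1)
            for s in combinations(events, r)
            if all(pred[e] <= frozenset(s) for e in s)]

def state(cut: Cut) -> State:
    """Global state of a cut: how many events each process has executed."""
    return tuple(sum(1 for e in cut if e[0] == p) for p in PROCS)

def satisfying(cuts: List[Cut], p: Predicate) -> Set[Cut]:
    return {c for c in cuts if p(state(c))}

def is_regular_on(cuts: List[Cut], p: Predicate) -> bool:
    """Regular on this trace: the satisfying cuts are closed under set union
    and set intersection (both of which are again consistent cuts)."""
    sat = satisfying(cuts, p)
    return all((c | d) in sat and (c & d) in sat for c in sat for d in sat)

def slice_of(cuts: List[Cut], p: Predicate) -> Set[Cut]:
    """Slice: the smallest sublattice of consistent cuts containing every cut
    that satisfies p.  For a regular p it is exactly the satisfying set; for a
    non-regular p extra, non-satisfying cuts are pulled in by the closure."""
    s = set(satisfying(cuts, p))
    grew = True
    while grew:
        grew = False
        for c, d in list(combinations(s, 2)):   # snapshot: s changes below
            for x in (c | d, c & d):
                if x not in s:
                    s.add(x)
                    grew = True
    return s

def holds_EF(cuts: List[Cut], p: Predicate) -> bool:
    """EF(p) at the initial cut: some reachable global state satisfies p."""
    return bool(satisfying(cuts, p))

def holds_AG(cuts: List[Cut], p: Predicate) -> bool:
    """AG(p): every reachable global state satisfies p (a safety check)."""
    return len(satisfying(cuts, p)) == len(cuts)

def holds_EG(cuts: List[Cut], p: Predicate, events=EVENTS) -> bool:
    """EG(p): some path from the empty cut to the full cut, adding one event
    per step, satisfies p at every cut along the way."""
    ok, full, cutset = satisfying(cuts, p), frozenset(events), set(cuts)
    stack, seen = [frozenset()], set()
    while stack:
        c = stack.pop()
        if c not in ok or c in seen:
            continue
        if c == full:
            return True
        seen.add(c)
        stack.extend(c | {e} for e in events
                     if e not in c and (c | {e}) in cutset)
    return False

# Constructed predicates over the global state (x, y).
CONJ_LOCAL = lambda s: s[0] >= 1 and s[1] <= 2   # conjunction of local predicates
SUM_EQ_2 = lambda s: s[0] + s[1] == 2             # a "sum" predicate

if __name__ == "__main__":
    cuts = consistent_cuts()
    print(len(cuts), "consistent cuts out of", 2 ** len(EVENTS), "event subsets")
    for name, p in (("x>=1 and y<=2", CONJ_LOCAL), ("x+y==2", SUM_EQ_2)):
        print(f"{name}: regular={is_regular_on(cuts, p)} "
              f"satisfying={len(satisfying(cuts, p))} slice={len(slice_of(cuts, p))}")
```

On this trace the conjunction of local predicates is regular and its slice is exactly its satisfying cuts, whereas the sum predicate is not regular: its two satisfying cuts force their union and intersection into the slice, so the slice carries extra, non-satisfying global states. That difference is why the slides restrict the logic to regular predicates (RCTL) when they want polynomial-time slicing.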
POTA Architecture • POTA contains three main modules: • Analyzer: The analyzer module contains our computation slicing and predicate detection algorithms. • Translator: The translator module takes a partial order representation of a trace and generates output in specific languages. • Instrumentor: The instrumentation module inserts code at the appropriate places in the program to be monitored.
Experimental Results - MSI • SPIN took 90 seconds and 468 MB to complete for 10 processes and it ran out of memory for more than 10 processes, whereas POTA took 1,053 seconds and 44 MB to complete for 120 processes.
Conclusion • A Predicate Detection algorithm is provided for checking whether a given simulation trace satisfies a given predicate or not. • In order to alleviate the state explosion problem in partial order traces, computation slicing and predicate restriction techniques are used. • The proposed model results in increased state space coverage and enables uncovering even those bugs in a given successful total order simulation trace that will only show up with a different ordering of concurrent events.
References • “Formal Verification of Simulation Traces Using Computation Slicing”, Alper Sen, Member, IEEE, and Vijay K. Garg, Fellow, IEEE • “Partial Order Trace Analyzer (POTA) for Distributed Programs”, Alper Sen, Vijay K. Garg. • http://pswlab.kaist.ac.kr/lab-orientation/presentation-file/trace_2.ppt • http://users.ece.utexas.edu/~garg/dist/tmp/Intel-Garg07.ppt • http://www.cse.lehigh.edu/~gtan/bug/softwarebug.html • http://en.wikipedia.org/wiki/List_of_notable_software_bugs
Vector Clock • Vector Clocks is an algorithm for generating a partial ordering of events in a distributed system and detecting causality violations. [Figure: vector clock timelines for three processes A, B and C; the stamps shown on A are A:0, A:1 B:2 C:1, A:2 B:2 C:1 and A:3 B:3 C:3; on B they are B:0, B:1 C:1, B:2 C:1, B:3 C:1 and A:3 B:4 C:1; on C they are C:0, C:1, B:3 C:2 and B:3 C:3]
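Vector clocks are how a tool like POTA recovers the partial order from a totally ordered log: each event carries a stamp, and two stamps that are incomparable mark events whose order the execution did not fix. The block below is an added example, not code from the slides or from POTA. It implements the standard rules (increment your own entry on every event; on receive, take the component-wise maximum with the message stamp and then increment), replays a constructed three-process message exchange modelled on the figure above (the scenario, process names and resulting stamps are constructed here and do not reproduce the figure's values exactly), and then classifies event pairs as happened-before or concurrent. The concurrent pairs are exactly the ones a partial-order trace keeps unordered, and they are where a race a single total-order run would never exhibit can hide.

```python
"""Added example (not code from the slides or from POTA): vector clocks for a
constructed three-process run, followed by happens-before / concurrency checks."""
from typing import Dict, List, Tuple

Stamp = Tuple[int, ...]
PROCS = ["A", "B", "C"]          # constructed system; a process's index is its position

class Process:
    def __init__(self, name: str):
        self.name = name
        self.idx = PROCS.index(name)
        self.clock = [0] * len(PROCS)
        self.history: List[Tuple[str, Stamp]] = []   # (event label, stamp)

    def _tick(self, label: str) -> Stamp:
        """Every event increments this process's own entry and is recorded."""
        self.clock[self.idx] += 1
        stamp = tuple(self.clock)
        self.history.append((label, stamp))
        return stamp

    def local(self) -> Stamp:
        return self._tick("local")

    def send(self, to: "Process") -> Stamp:
        """Increment own entry, then ship a copy of the clock with the message."""
        return self._tick(f"send->{to.name}")

    def receive(self, frm: "Process", msg_stamp: Stamp) -> Stamp:
        """Component-wise max with the message stamp, then increment own entry."""
        self.clock = [max(a, b) for a, b in zip(self.clock, msg_stamp)]
        return self._tick(f"recv<-{frm.name}")

def happened_before(u: Stamp, v: Stamp) -> bool:
    """u -> v iff u <= v component-wise and u != v."""
    return u != v and all(a <= b for a, b in zip(u, v))

def concurrent(u: Stamp, v: Stamp) -> bool:
    """Neither stamp dominates the other: the trace does not order the events."""
    return not happened_before(u, v) and not happened_before(v, u)

def run_scenario() -> Dict[str, List[Tuple[str, Stamp]]]:
    """Constructed exchange: C->B, B->A, B->C, A->B, C->A (send then receive)."""
    a, b, c = Process("A"), Process("B"), Process("C")
    b.receive(c, c.send(b))
    a.receive(b, b.send(a))
    c.receive(b, b.send(c))
    b.receive(a, a.send(b))
    a.receive(c, c.send(a))
    return {p.name: p.history for p in (a, b, c)}

def concurrent_pairs(histories: Dict[str, List[Tuple[str, Stamp]]]) -> List[Tuple[Stamp, Stamp]]:
    """All pairs of events on different processes whose order is not fixed
    by the run, i.e. the pairs a partial-order trace leaves unordered."""
    events = [(p, s) for p, h in histories.items() for _, s in h]
    return [(s, t) for i, (p, s) in enumerate(events)
            for q, t in events[i + 1:] if p != q and concurrent(s, t)]

if __name__ == "__main__":
    hist = run_scenario()
    for name, h in hist.items():
        print(name, [f"{label}:{stamp}" for label, stamp in h])
    print(len(concurrent_pairs(hist)), "concurrent cross-process event pairs")
```

The final stamp on A comes out as (3, 3, 3), because A's last receive has seen every other process's work, while B's send (0, 3, 1) and A's send (2, 2, 1) are concurrent: neither stamp dominates the other, so any interleaving of those two events is a legitimate global state that a checker must consider.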