Keeping a Crowd Safe: On the Complexity of Parameterized Verification
Javier Esparza, Technical University of Munich

Wilfried Brauer (1937-2014). Book of condolence: http://kondolenz.informatik.tu-muenchen.de
"Why don't you give up?"
Theorem (Alan Turing, 1936): Program termination is undecidable.
Theorem (Henry G. Rice, 1961): Every non-trivial property of programs is undecidable.
Theorem (Marvin Minsky, 1969): Every non-trivial property of while-programs with two counter variables is undecidable.
Because …
• Undecidability requires some source of "infinity":
  • Variables with an infinite range
  • Dynamic data structures (lists, trees)
  • Unbounded recursion
• Concurrent systems
  • are difficult to get right, and
  • often have a finite state space.
Dijkstra's Mutual Exclusion Algorithm (CACM 8:9, 1965)
Concurrent programs are often finite-state: only two boolean variables per process!
Concurrent programs are difficult to get right (CACM 9:1, 1966)
A Cache-Coherence Protocol (00s). Murphi model checker (Dill et al.). Source: Wikipedia
A Model of a Bluetooth Driver (10s). KISS (Qadeer and Wu)
Parameterized Verification
• Model-checking tools can only check instances of these systems for particular values of the number N of processes. Can we prove correctness for every N?
• Amounts to checking an infinite family of finite-state systems.
Keeping a Crowd Safe
• The coverability problem:
  • Given: a program template with finite-range variables, a "dangerous" control point of .
  • Decide: Is there a number such that the crowd can reach a global state in which at least one of is at ?
Parameterized Verification: Give up?
Theorem (folklore): The Halting Problem can be reduced to the parameterized coverability problem.
• Reduction:
  • The template models the behaviour of one tape cell.
  • TM terminates
  • it uses a finite number N of cells
  • N copies of the template reach the dangerous state
Parameterized verification is doomed!
Identities
• In this reduction processes do not execute exactly the same code.
• The code makes use of the process identity (the index) to organize processes in an array.
• But many systems do not use identities:
  • DKR Leader Election uses identities.
  • Dijkstra's algorithm, the MESI protocol, and the Bluetooth driver do not.
• In others, processes must remain anonymous!
Anonymous Crowds
• We investigate the decidability and complexity of the coverability problem for crowds in which
  • every process executes exactly the same code (anonymous crowds), and
  • the number of processes is unknown to the processes.
Keeping an Anonymous Crowd Safe
• The coverability problem for anonymous crowds (TCS version):
  • Given: a finite automaton and a "dangerous" state of .
  • Decide: Is there a number such that the anonymous crowd can reach a global state in which at least one of the copies is at ?
Communication Mechanisms
Reliable broadcast
• A process sends a message
• All other processes receive the message (instantaneously)
Rendez-vous
• Synchronous exchange of a message between two processes
Communication Mechanisms
Shared memory with locking
• Processes compete for a lock
• The process owning the lock can perform reads and writes
Shared memory, no locking
• Concurrent reads and writes allowed
• Interleaving semantics
High or Low Complexity?
Verifiers want low complexity.
"Crowd designers" (swarm intelligence, population protocols, crowdsourcing) want high complexity.
Reliable broadcast
• Theorem [E., Finkel, Mayr 99]: The coverability problem for broadcast protocols is decidable.
• Informally: anonymous crowds are not Turing powerful.
• Straightforward application of the backwards reachability algorithm by Abdulla et al., based on the theory of well-quasi-orders.
Reliable broadcast
A configuration of the system is completely determined by the number of processes in each state. (No identities)
Symbolic Backward Search
/* dangerous */
Iterate until ; return "unsafe", or fixpoint; return "safe"
Problems:
• contains infinite sets. Finite representation?
• Termination?
Reliable broadcast
• Partial order on configurations: if has at least as many processes as in each state.
• is a well-quasi-order: a well-founded partial order with no infinite antichains.
• Consequence: always has finitely many minimal elements.
  • Finite representation
  • Termination
Love it!
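The symbolic backward search and its finite representation by minimal elements from the two slides above, as an added Python example that is not code from the talk: a constructed mutual-exclusion template with one shared lock cell (a system of the global-store-with-locking kind) is checked for coverability of "two processes in the critical section", once with and once without taking the lock. The (pre, post) encoding of transitions, the template and the state names are my assumptions.

```python
# Added example (not from the talk): symbolic backward search for parameterized
# coverability. A configuration counts anonymous processes per state plus shared
# cells (a lock); the wqo is componentwise <=. A transition is (pre, post), e.g.
# "want + lock -> crit" is ({"want": 1, "lock": 1}, {"crit": 1}).
from typing import Dict, List, Optional, Tuple

Config = Dict[str, int]
Transition = Tuple[Config, Config]

def leq(a: Config, b: Config) -> bool:
    """a <= b iff b has at least as many processes as a in every state."""
    return all(b.get(s, 0) >= n for s, n in a.items())

def pre_image(m: Config, t: Transition) -> Config:
    """Least c from which firing t reaches some c' >= m:
    c >= pre and c - pre + post >= m give c >= max(m, post) - post + pre."""
    pre, post = t
    out = {s: max(m.get(s, 0), post.get(s, 0)) - post.get(s, 0) + pre.get(s, 0)
           for s in set(m) | set(pre) | set(post)}
    return {s: n for s, n in out.items() if n > 0}

def minimal_elements(configs) -> List[Config]:
    """Finite representation of an upward-closed set: its minimal elements."""
    uniq = [dict(c) for c in {frozenset(c.items()) for c in configs}]
    return [m for m in uniq if not any(o != m and leq(o, m) for o in uniq)]

def smallest_instance(m: Config, init: str, shared: Config) -> Optional[int]:
    """Smallest N such that N copies in `init` plus `shared` cover m, else None."""
    if any(s != init and shared.get(s, 0) < n for s, n in m.items()):
        return None
    return max(m.get(init, 0), 1)

def backward_coverability(transitions, init, shared, dangerous):
    """('unsafe', N) as soon as some basis element is covered by the N-process
    initial configuration, or ('safe', None) when the basis reaches a fixpoint."""
    basis = minimal_elements([dangerous])
    while True:
        sizes = [n for n in (smallest_instance(m, init, shared) for m in basis) if n]
        if sizes:
            return "unsafe", min(sizes)
        new = minimal_elements(basis + [pre_image(m, t) for m in basis for t in transitions])
        if {frozenset(m.items()) for m in new} == {frozenset(m.items()) for m in basis}:
            return "safe", None  # wqo: finitely many minimal elements, so this is reached
        basis = new

# Constructed mutex template: idle -> want, want + lock -> crit, crit -> idle + lock.
LOCKED = [({"idle": 1}, {"want": 1}), ({"want": 1, "lock": 1}, {"crit": 1}),
          ({"crit": 1}, {"idle": 1, "lock": 1})]
# Buggy variant: a process enters crit without taking the lock.
UNLOCKED = [({"idle": 1}, {"want": 1}), ({"want": 1}, {"crit": 1}), ({"crit": 1}, {"idle": 1})]
TWO_IN_CRIT = {"crit": 2}  # "dangerous": two processes in the critical section
```

`backward_coverability(LOCKED, "idle", {"lock": 1}, TWO_IN_CRIT)` terminates at a fixpoint whose minimal elements all need a second lock or an already critical process, hence "safe"; the buggy template yields a witness with a crowd of two.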
Reliable broadcast: Complexity
Theorem (Schmitz and Schnoebelen 2013): The coverability problem for broadcast protocols has non-primitive-recursive complexity.
Put that in your pipe and smoke it, Sherlock!
"Don't despair, Sherlock! Backwards reachability is useful for verification! I've used it to prove properties of a dozen cache-coherence protocols: their templates have under 10 states!" (G. Delzanno)
Shared memory with locking
• Two essential properties of reliable broadcast:
  • Everybody receives every message
  • The crowd can produce a leader
• Shared memory with locking:
  • Can still produce a leader
  • Can only guarantee that somebody receives a message
Shared memory with locking
Theorem: The coverability problem for systems communicating through a global store with locking is EXPSPACE-complete.
Shared memory with locking
Lower bound [Lipton 1976]: A template with states can simulate a counter counting up to .
Upper bound [Rackoff 1978]: If the goal state is coverable, then it is coverable in an instance with processes.
Unfortunately, for us verifiers this upper bound is algorithmically useless …
Shared memory with locking
Theorem [Bozzelli, Ganty 2012]: Symbolic backwards reachability runs in double exponential time for a global store with locking.
Love it! But backwards algorithms often generate too many unreachable states! Can't you come up with a forward exploration algorithm?
Shared memory with locking
The Karp-Miller coverability graph (1969).
• Configuration:
• Generalized configuration: where stands for "arbitrarily many"
• Initially:
• Construct a "forward reachability graph": If then
• Problem: termination
Shared memory with locking
• "Accelerate" the construction: Change to
• Theorem: The Karp-Miller graph is always finite.
• But: The Karp-Miller graph can have non-primitive recursive size.
Don't love it!
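The Karp-Miller construction with acceleration from the slides above, as an added Python example that is not code from the talk, run forwards from a crowd of arbitrarily many idle processes and one free lock. The constructed mutual-exclusion template, the encoding of "arbitrarily many" as a float infinity, and the pruning of nodes subsumed by an already explored node (which keeps the coverability answer) are my assumptions.

```python
# Added example (not from the talk): Karp-Miller coverability graph with
# omega-acceleration for a constructed mutex template with one shared lock.
# Nodes covered by an explored node are pruned; this preserves coverability.
from typing import Dict, List, Optional, Tuple

Config = Dict[str, float]              # counts may be OMEGA
OMEGA = float("inf")                   # "arbitrarily many" processes in a state

def leq(a: Config, b: Config) -> bool:
    """a <= b iff b has at least as many processes as a in every state."""
    return all(b.get(s, 0) >= n for s, n in a.items())

def successor(c: Config, t: Tuple[Config, Config]) -> Optional[Config]:
    """Fire t from c if enabled (OMEGA satisfies any demand); OMEGA -/+ k = OMEGA."""
    pre, post = t
    if any(c.get(s, 0) < n for s, n in pre.items()):
        return None
    out = {s: c.get(s, 0) - pre.get(s, 0) + post.get(s, 0) for s in set(c) | set(pre) | set(post)}
    return {s: n for s, n in out.items() if n > 0}

def accelerate(c: Config, ancestors: List[Config]) -> Config:
    """If some ancestor a < c on the path, the loop a -> c can be repeated, so
    every component that grew becomes OMEGA. This is what makes the graph finite."""
    for a in ancestors:
        if leq(a, c) and a != c:
            c = {s: (OMEGA if n > a.get(s, 0) else n) for s, n in c.items()}
    return c

def karp_miller(transitions, initial: Config) -> List[Config]:
    nodes: List[Config] = []
    stack = [(initial, [])]            # (generalized configuration, ancestor path)
    while stack:
        c, path = stack.pop()
        if any(leq(c, n) for n in nodes):   # subsumed by an explored node: prune
            continue
        nodes.append(c)
        for t in transitions:
            s = successor(c, t)
            if s is not None:
                stack.append((accelerate(s, path + [c]), path + [c]))
    return nodes

def coverable(nodes: List[Config], dangerous: Config) -> bool:
    """The dangerous configuration is coverable iff some graph node dominates it."""
    return any(leq(dangerous, n) for n in nodes)

# Constructed mutex template (and a variant that forgets to take the lock).
LOCKED = [({"idle": 1}, {"want": 1}), ({"want": 1, "lock": 1}, {"crit": 1}),
          ({"crit": 1}, {"idle": 1, "lock": 1})]
UNLOCKED = [({"idle": 1}, {"want": 1}), ({"want": 1}, {"crit": 1}), ({"crit": 1}, {"idle": 1})]
CROWD = {"idle": OMEGA, "lock": 1}     # arbitrarily many idle processes, one free lock
```

For the locked template the graph has three nodes and no node dominates `{"crit": 2}`; the unlocked variant accelerates `crit` to OMEGA, exposing the violation for every crowd size.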