310 likes | 466 Views
Priority Scheduling of Distributed Systems based on Model Checking. Ananda Basu, Saddek Bensalem, Doron Peled , Joseph Sifakis. 3 trains: TGV, regular, freight ’ compete on entering station. Concurrent systems with priorities!. Transition system with priorities.
E N D
Priority Scheduling of Distributed Systems based on Model Checking Ananda Basu, Saddek Bensalem, Doron Peled, Joseph Sifakis
3 trains: TGV, regular, freight’ compete on entering station.Concurrent systems with priorities!
Transition system with priorities • We are given a transition system, e.g., a Petri Net. • Priorities: a partial order between the transitions. • At each global state, we can execute a transition that has a maximal priority among enabled transitions.
p2 p1 t2 t1 p7 p4 p3 t3 t4 p5 p6 A (safe) Petri Net A state is a set of places, e.g., {p1, p2, p3}. Can be written as p1 /\ p2 /\ ¬ p3 /\ ¬ p4 /\ ¬ p5 /\ ¬ p6 /\ p7.
A (safe) Petri Net p2 p1 t2 t1 p7 p4 p3 t3 t4 p5 p6
A (safe) Petri Net p2 p1 p7 is a “semaphore”! t2 t1 p7 p4 p3 t3 t4 p5 p6
A (safe) Petri Net p2 p1 t2 t1 p7 p4 p3 t3 t4 p5 p6
A (safe) Petri Net p2 p1 t2 t1 p7 p4 p3 t3 t4 p5 p6
A (safe) Petri Net with priorities. Partial order between transitions. p2 p1 t2 t1 p4 p3 t3 t4 p5 p6 t1<<t4, t2<<t3
A (safe) Petri Net with priorities. Partial order between transitions. p2 p1 t2 t1 p4 p3 t3 t4 p5 p6 t1<<t4, t2<<t3
A (safe) Petri Net with priorities. Partial order between transitions. p2 p1 t2 t1 p4 p3 t3 t4 p5 p6 t1<<t4, t2<<t3
Problem: how to guarantee execution according to priorities? • Execute only maximally enabled transitions. • Make a distributed (local) decision. • Is it even possible? • Can we check when it is possible? • What if we cannot make the distributed decision?
So, what can we do? • Main question: what do we know in each local state? • Use logic of knowledge to state (and check) if a process knows that its enabled transition has maximal priority. • Transform the program to act based on the knowledge. • There are variations of knowledge; price of transformation is accordingly.
Some definitions p2 p1 • A process is a set oftransitions.The processes cover all the transitions (there can be additional constraints). • The neighborhoodof a process is the set of all input and output places of it. t2 t1 p7 p4 p3 t3 t4 p5 p6 The local information of a process in a state, is the state limited to the neighborhood of the process. E.g., for the left process, in { p1, p2, p7}, it is {p1,p7}. (=“local state”).
p2 p1 t2 t1 p7 p4 p3 t3 t4 p5 p6 We are ready to define “knowledge” • Given my “local information” as a process, I know everything that is consistent with it. • Easy to calculate what a process knows. • That is: I know of any property that holds in all global states with the same “local information”. • This is a standard definitions (e.g., [FMHV]. • Later: “knowledge with perfect recall”. When left process is given that p1 /\ p7, it knows that p4.
Calculating what a process knows given some local information • Can write a formula that represents “all reachable states”: reach. • Can write a formula that represents “a given local information x”: x. • Intersect the above two formulas, and obtain “the states given some local information”:reach /\x. • We know, when x, whatever is implied from this intersection (reach /\x ) . • The standard notation is K and we can embed this within temporal logic.
What is known, during execution can be model checked: 1Each process knows which of its enabled transition have maximal priorities. 2Each process knows about at least one of its enabled transitions to have a maximal priority. 3In each non-deadlock state, at least one process knows about at least one enabled maximal priority transition.
The supporting process policy • A transition can belong to multiple processes (e.g., communication). • If enabled, andat least one process knows of it having maximal priority,then it can fire. • Equivalently in control theory:we are seeking a distributed disjunctive controller with limited observability (in general: undecideable). • Build for each process a “support table”: for each local information, which transition, if any, is supported.
What is known, during execution can be model checked: 1Each process knows which of its enabled transition have maximal priorities. Preserves transition fairness/justice. 2Each process knows about at least one of its enabled transitions to have a maximal priority. Preserves process fairness/justice. 3In each non-deadlock state, at least one process knows about at least one enabled maximal priority transition. Does not introduce deadlocks.
Some important points: • The knowledge is calculated based on the states of the original (priorityless) program. • Then transitions are being controlled, which generates a different program. • The transformation adds conditions to the enabledness conditions, based on the support table. • What is known about the original program remains known in the transformed program, since the reachable states can only reduce!
And what if neither of these invariants hold? • May combine processes. The “knowledge of several processes” is bigger than of single processes. • Compromise, and allow transitions that are not maximal, to complete support table, such that in any reachable state, at least one transition is enabled. Experimentally measure how far is a compromised execution from a perfectly prioritized one. • Can calculate ”knowledge of perfect recall”.
t3<<t5<<t4<<t7 Motivation: given local information {p3} for left process: t3 is enabled, can it be fired? p2 p1 t2 t1 p8 p7 p4 p3 t3 t4 t5 p5 p6 p9 t6 p10 t7 p11
t3<<t5<<t4<<t7 Motivation: when t3 is enabled, can it be fired? Now it has a maximal priority. p2 p1 t2 t1 p8 p7 p4 p3 t3 t4 t5 p5 p6 p9 t6 p10 t7 p11
t3<<t5<<t4<<t7 Motivation: when t3 is enabled, can it be fired? Continuing the execution… p2 p1 t2 t1 p8 p7 p4 p3 t3 t4 t5 p5 p6 p9 t6 p10 t7 p11
t3<<t5<<t4<<t7 Motivation: when t3 is enabled, can it be fired? Continuing the execution… p2 p1 t2 t1 p8 p7 p4 p3 t3 t4 t5 p5 p6 p9 t6 p10 t7 p11
t3<<t5<<t4<<t7 Motivation: when t3 is enabled, can it be fired? Continuing the execution… p2 p1 t2 t1 p8 p7 p4 p3 t3 t4 t5 p5 p6 p9 t6 p10 t7 p11
t3<<t5<<t4<<t7 Motivation: when t3 is enabled, can it be fired? Same local information as before for left process: {p3}. Now t5 has maximal priority! p2 p1 t2 t1 p8 p7 p4 p3 t3 t4 t5 p5 p6 p9 t6 p10 t7 p11
t3<<t5<<t4<<t7 Based on this, the left process does not know if t3 has the highest priority. But if we remember how many times t1 fired, we can distinguish between these two cases! p2 p1 t2 t1 p8 p7 p4 p3 t3 t4 t5 p5 p6 p9 t6 p10 t7 p11
Knowledge of perfect recall • Knowledge is based on the history that a process can sense, up to any point in its computation. • A process can sense changes in its neighborhood, including changes to the neighborhood by other processes. • This way we can distinguish between two local states (local informations) with different histories. So, we know more! • But don’t we need infinite amount of information?
Knowledge of perfect recall: finite information. • Ron Van der Meiden has shown that finite amount of information is sufficient. • Given some history of computation, the rest of the system can be in a finite number of states consistent with it. • If a process makes a single transition, or some process changes the neighborhood, the system can be in any global state that is obtained by making that transition, plus any sequence of transitions that do not change the neighborhood. • For the transformation, we can keep the information as an automaton. This can become a gigantic automaton: with each change to the neighborhood, we move to a state that represent a set of global states of the system.
Conclusions • We can employ model checking to implement priorities in a distributed way. • We use logic of knowledge, and model checking of knowledge. • Program transformation uses model checking to control the system. • Solves a distributed controllability with limited observability problem. • Does not provide a perfect solution (not always the least constrained solution)! • Tradeoff in using logic of perfect recall. • Apply various compromises when knowledge is not enough. • Practical: Verimag’s BIP system.