Synthesis for Concurrent Models - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Synthesis for Concurrent Models
Anca Muscholl LIAFA, Univ. Paris 7
joint work with Blaise Genest (Warwick, UK)
Dagstuhl, June 2005
2
Framework
  • Current applications/systems (web, networks,
    embedded systems) are mostly distributed and
    asynchronous
  • Design process needs formal methods and automatic
    verification techniques
  • Here: distributed synthesis for closed systems

3
Outline of talk
  • Models for distributed systems
  • Synthesis for shared-variable FSM
  • Synthesis for communicating FSM
  • Outlook

4
Distributed Models
  • Fixed set of processes and FSM Mp (one per
    process p)
  • Mp cooperate either through
    messages/signals (message-passing, I/O
    automata) or
    shared variables (Petri nets, asynchronous
    automata)

5
Outline of talk
  • Models for distributed systems
  • Synthesis for shared-variable FSM
  • Synthesis for communicating FSM
  • Outlook

6
Shared-variable models
  • distributed alphabet A = (A1, …, An)
  • over processes 1, 2, …, n
  • action a involves the processes from dom(a) = { i | a ∈ Ai }
  • an a-transition changes all local states of
    processes i ∈ dom(a)

7
Shared variables
Two flavors of transitions
(q1, …, qn) →a (q'1, …, q'n)
  • Loosely cooperating:
    qi →a,i q'i for all i ∈ dom(a)
  • Synchronously communicating (asynchronous
    automata):
    (qi)i ∈ dom(a) →a (q'i)i ∈ dom(a)

8
Shared variables
Example: A = {a, b, c}, A1 = {a, b}, A2 = {b, c};
dom(a) = {1}, dom(b) = {1, 2}, dom(c) = {2}.
Loosely cooperating: if (0,0) →b (1,1) and
(1,1) →b (0,0), then also (0,1) →b (1,0)
and (1,0) →b (0,1).
[Figure: the two local FSMs, q1 with actions a, b and q2 with actions b, c]
9
Loosely cooperating case
Given an FSM M = (Q, A, q0, →), final states F ⊆ Q. Test whether M
is equivalent to a loosely cooperating FSM,
and construct one if yes.
PSPACE algorithm: test whether L(M) is a
product language, L(M) = ∏i Proji(L(M)) (the
synchronized product of its projections onto the local alphabets).
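The two notions above, as an added example that is not part of the slides or the authors' own tooling: a loosely cooperating product of local FSMs (slide 7) and a brute-force version of the product-language test, L = ∏i Proji(L), restricted to words up to a length bound (the PSPACE algorithm on the slide works on the FSM itself; this version only enumerates words). The distributed alphabet is the one of slide 8; the two local FSMs are constructed for the example.

```python
# Added example (not from the slides): a loosely cooperating product of local
# FSMs (slide 7) and a brute-force version of the slide-9 test "is L a product
# language, L = ∏_i Proj_i(L)?" on words up to a length bound.
from itertools import product

# Constructed distributed alphabet of slide 8: A1 = {a, b}, A2 = {b, c}.
ALPHABETS = [{"a", "b"}, {"b", "c"}]

# Constructed local FSMs (init, finals, delta): process 1 accepts "ab",
# process 2 accepts "cb"; b is a joint step of both processes.
LOCALS = [
    (0, {2}, {(0, "a"): 1, (1, "b"): 2}),
    (0, {2}, {(0, "c"): 1, (1, "b"): 2}),
]


def dom(letter, alphabets):
    """Indices of the processes whose local alphabet contains the letter."""
    return {i for i, Ai in enumerate(alphabets) if letter in Ai}


def proj(word, local_alphabet):
    """Projection of a word onto one local alphabet (foreign letters dropped)."""
    return "".join(x for x in word if x in local_alphabet)


def loosely_cooperating_language(locals_, alphabets, max_len):
    """Words of length <= max_len accepted by the loosely cooperating product:
    an a-step moves every process in dom(a) along its own a-transition and
    leaves the others untouched; a word is accepted when all local states
    are final."""
    alphabet = sorted(set().union(*alphabets))
    frontier = {("", tuple(fsm[0] for fsm in locals_))}
    accepted = set()
    for _ in range(max_len + 1):
        next_frontier = set()
        for word, conf in frontier:
            if all(q in fsm[1] for q, fsm in zip(conf, locals_)):
                accepted.add(word)
            for a in alphabet:
                new = list(conf)
                for i in dom(a, alphabets):
                    new[i] = locals_[i][2].get((conf[i], a))
                if None not in new:          # every involved process could move
                    next_frontier.add((word + a, tuple(new)))
        frontier = next_frontier
    return accepted


def product_closure(lang, alphabets):
    """Synchronized product ∏_i Proj_i(lang): all words over A whose i-th
    projection is the projection of some word of lang, for every i. Such a
    word is at most as long as the sum of the longest projections."""
    if not lang:
        return set()
    alphabet = sorted(set().union(*alphabets))
    projs = [{proj(w, Ai) for w in lang} for Ai in alphabets]
    bound = sum(max(len(p) for p in ps) for ps in projs)
    closure = set()
    for n in range(bound + 1):
        for t in product(alphabet, repeat=n):
            w = "".join(t)
            if all(proj(w, Ai) in ps for Ai, ps in zip(alphabets, projs)):
                closure.add(w)
    return closure


def is_product_language(lang, alphabets):
    """lang is a product language iff it equals its own product closure."""
    return product_closure(lang, alphabets) == set(lang)


if __name__ == "__main__":
    L = loosely_cooperating_language(LOCALS, ALPHABETS, 4)
    print(sorted(L), is_product_language(L, ALPHABETS))   # ['acb', 'cab'] True
    print(is_product_language({"acb"}, ALPHABETS))        # False: cab is missing
```

The language of the loosely cooperating product is a product language by construction, while the singleton {acb} is accepted by a global FSM but cannot be split over the two processes: process 2 sees cb in both acb and cab, so any local design that accepts acb also accepts cab.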
10
Synchronous communication
Given an FSM M = (Q, A, q0, →, F), F ⊆ Q. Test whether
M is equivalent to a synchronously-communicating
FSM, and construct one if yes.
PSPACE algorithm: test whether L(M) is
commutation-closed: dom(a) ∩ dom(b) = ∅ implies
u ab v ∈ L(M) iff u ba v ∈ L(M).
11
Synchronous communication
Framework: Mazurkiewicz traces
  • alphabet A,
  • independence relation I ⊆ A × A:
    a I b iff dom(a) ∩ dom(b) = ∅
  • Mazurkiewicz trace [w] = set of words
    obtained from w by commuting independent
    adjacent letters

12
Synchronous communication
Example: A = {a, b, c}, A1 = {a, b}, A2 = {b, c};
dom(a) = {1}, dom(b) = {1, 2}, dom(c) = {2}.
Trace [acabbca] = {acabbca, aacbbca, caabbac, …}
L = ((aa + ac + ca + cc)* (a + c) b)* is
commutation-closed.
13
Synchronous communication
Zielonka's Theorem ['87]: For every
commutation-closed regular language one can
construct an equivalent, deterministic
synchronously-communicating FSM of doubly
exponential size.
Remark: determinism is hard to get. Doubly exponential
only in the number of processes.
14
Synchronous communication

Example: A = {a, b, c}, A1 = {a, b}, A2 = {b, c};
L = ((aa + ac + ca + cc)* (a + c) b)* is comm.-closed.
  • FSMs M1, M2 with state sets Qi = {0, 1}
  • each a-transition counts modulo 2 in Q1
    (each c-transition modulo 2 in Q2)
  • each b-transition checks that the sum is odd, and
    resets both counters
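The counter automaton just described, as an added example that is not code from the slides or the authors: it runs the two-process FSM of slide 14 for L, computes the Mazurkiewicz trace of a word as defined on slide 11, and checks the commutation-closedness condition of slide 10 by brute force on all words up to a length bound. The check takes any membership predicate, so it also reports a language that is not closed. The alphabet and domains are the ones of slide 12; the length bound is a parameter chosen here.

```python
# Added example (not from the slides): the slide-14 synchronously
# communicating FSM for L = ((aa + ac + ca + cc)* (a + c) b)*, the Mazurkiewicz
# trace of a word (slide 11), and a brute-force commutation-closedness check
# (slide 10) that also catches a language which is not closed.
from itertools import product

ALPHABETS = [{"a", "b"}, {"b", "c"}]    # constructed: A1, A2 of slide 12


def dom(letter):
    return {i for i, Ai in enumerate(ALPHABETS) if letter in Ai}


def independent(x, y):
    """x I y iff dom(x) and dom(y) are disjoint."""
    return not (dom(x) & dom(y))


def step(conf, letter):
    """Joint transition of the processes in dom(letter), or None if undefined.
    Q1 counts a's modulo 2 and Q2 counts c's modulo 2; b is enabled only when
    the sum of both counters is odd, and resets both."""
    q1, q2 = conf
    if letter == "a":
        return ((q1 + 1) % 2, q2)
    if letter == "c":
        return (q1, (q2 + 1) % 2)
    if letter == "b":
        return (0, 0) if (q1 + q2) % 2 == 1 else None
    raise ValueError(letter)


def accepts(word):
    """Deterministic run from (0, 0); accept iff both counters end reset."""
    conf = (0, 0)
    for x in word:
        conf = step(conf, x)
        if conf is None:
            return False
    return conf == (0, 0)


def trace(word):
    """[word]: every word reachable by swapping independent adjacent letters."""
    seen, todo = {word}, [word]
    while todo:
        w = todo.pop()
        for i in range(len(w) - 1):
            if independent(w[i], w[i + 1]):
                v = w[:i] + w[i + 1] + w[i] + w[i + 2:]
                if v not in seen:
                    seen.add(v)
                    todo.append(v)
    return seen


def commutation_closed_up_to(member, max_len):
    """Check u ab v in L iff u ba v in L for all words up to max_len, i.e.
    membership is constant on every trace; `member` is any predicate."""
    alphabet = sorted(set().union(*ALPHABETS))
    for n in range(max_len + 1):
        for t in product(alphabet, repeat=n):
            if len({member(v) for v in trace("".join(t))}) > 1:
                return False
    return True


if __name__ == "__main__":
    print(sorted(trace("acabbca")))                             # 6 words
    print(commutation_closed_up_to(accepts, 6))                 # True
    print(commutation_closed_up_to(lambda w: w == "ac", 3))     # False: ca is missing
```

Acceptance depends only on the parity of the number of a's and c's between consecutive b's, which is why swapping an a and a c never changes the verdict; the singleton {ac} fails because its trace also contains ca.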

15
Synchronous communication
The following are equivalent:
  • Deterministic synchronously-communicating (Muller) FSM
  • Regular, commutation-closed languages
  • Monadic second-order logic over trace pomsets
[Ebinger, Diekert, Muscholl, Thomas, Zielonka '9x]
16
Synchronous communication: deadlocks
  • Additional requirement: deadlock-freeness
  • Safe synchr.-comm. FSM: all reachable states are
    final
  • [Stefanescu/Esparza/M. '03, Mukund '02]
  • A regular, commutation-closed language L is
    safely implementable iff it is prefix-closed and
    satisfies the forward diamond property:
    ua ∈ L, ub ∈ L, a I b implies uab ∈ L
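The two conditions of the characterization, as an added example that is not part of the slides: a check of prefix-closedness and of the forward diamond property on a finite set of words (the slide's L is regular and commutation-closed; this check assumes commutation-closedness has been established separately and only inspects the words given). The distributed alphabet is the one used throughout the talk; the sample languages are constructed here.

```python
# Added example (not from the slides): checking the safe-implementability
# condition of slide 16 on a finite set of words: prefix-closed and forward
# diamond (ua in L, ub in L, a I b  =>  uab in L).
ALPHABETS = [{"a", "b"}, {"b", "c"}]    # constructed distributed alphabet


def independent(x, y):
    """x I y iff no process has both letters in its local alphabet."""
    dom_x = {i for i, A in enumerate(ALPHABETS) if x in A}
    dom_y = {i for i, A in enumerate(ALPHABETS) if y in A}
    return not (dom_x & dom_y)


def is_prefix_closed(lang):
    return all(w[:i] in lang for w in lang for i in range(len(w)))


def forward_diamond_violations(lang):
    """Pairs (ua, ub) with a I b where both one-letter extensions of u are in
    lang but uab is not. In a safe product FSM the processes of a and of b
    could each take their step independently, yet the specification forbids
    the result, so no implementation with only final reachable states fits."""
    bad = set()
    for ua in lang:
        for ub in lang:
            if not ua or not ub or ua[:-1] != ub[:-1]:
                continue
            a, b = ua[-1], ub[-1]
            if a != b and independent(a, b) and ua + b not in lang:
                bad.add((ua, ub))
    return bad


def safely_implementable(lang):
    return is_prefix_closed(lang) and not forward_diamond_violations(lang)


if __name__ == "__main__":
    # Constructed: a and c commute, and both orders are allowed after either step.
    print(safely_implementable({"", "a", "c", "ac", "ca"}))     # True
    # Constructed: either a or c alone, but never both: the diamond is missing.
    print(forward_diamond_violations({"", "a", "c"}))          # {('a','c'), ('c','a')}
```

Each violation names a configuration from which one process may do a and the other c, while the specification has no continuation for the pair; this is exactly the reachable non-final state that the safety condition excludes.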

17
Outline of talk
  • Models for distributed systems
  • Synthesis for shared-variable FSM
  • Synthesis for communicating FSM
  • Outlook

18
Asynchronous communication models
  • Several peers exchange messages through P2P fifo
    channels (unbounded)
  • Each peer FSM with send/receive events to/from
    other peers

ITU norm Z.100 (SDL)
19
Communicating FSM (CFM)
Sequential processes P, Q, … Each process: an FSM
AP with events send P snd Q(m) and receive P
rcv Q(m). Configuration of CFM: current local
states sP, current contents of the (FIFO)
channels CP,Q.
Infinite-state systems.
20
Executions of CFM
[Figure: CFM with processes P and C joined by FIFO channels; P loops on snd C, C loops on rcv P; several executions (interleavings of P snd C and C rcv P) are drawn]
21
CFM Good for what?
  • CFM hard to design (need to consider global
    runs/executions)
  • aka assembler programming
  • CFM models of protocols
  • Suitable formalism for protocol specification?

22
Diagrams One for All
[Figure: the same executions (P snd(C), C rcv(P)) drawn as one diagram over processes P and C: several executions, one diagram]
Message sequence chart (ITU norm Z.120)
23
Message Sequence Charts (MSC, ITU Z.120)
Partial order semantics
[Figure: MSC over processes P and C with send events a, c on P and receive events b, d on C]
Events a, b, c, d. Partial order: process
order a <P c, b <C d; message order a
< b, c < d.
Example: events b and c are incomparable.
24
Message Sequence Charts (MSC, ITU Z.120)
  • Scenario-based formalism positive and negative
    scenarios
  • Capture requirements in visual form
  • Good for high-level description
  • Collection of MSC MSC-graphs

25
Collections of scenarios MSC-graphs
Graph representation: composition, iteration,
choice
[Figure: an MSC-graph whose nodes are MSCs over processes P and C]
An MSC-graph defines a set of MSCs.
26
MSC-Graphs (ITU Z.120)
[Figure: MSC-graph G over processes P, C1, C2 with nodes A (data, ack), B (resend, ack) and C (data, ack)]
S = {A, B, C}, initial state A, final state
C, accepting paths AB C
L(G) = set of MSCs labeling accepting paths of G
27
MSC-Graphs executions
[Figure: MSC-graph G as on the previous slide, with the execution starting at node A unfolded as an MSC over P, C1, C2 (messages data, ack)]
L(G) = set of MSCs labeling accepting paths of G
28
MSC-Graphs executions
[Figure: MSC-graph G, with the execution along path A unfolded as an MSC over P, C1, C2 (messages data, data, ack, ack)]
L(G) = set of MSCs labeling accepting paths of G
29
MSC-Graphs executions
[Figure: MSC-graph G, with the execution along path AB unfolded as an MSC over P, C1, C2 (messages data, ack, resend)]
L(G) = set of MSCs labeling accepting paths of G
30
MSC-Graphs executions
[Figure: MSC-graph G, with the execution along path ABC unfolded as an MSC over P, C1, C2 (messages data, ack, resend)]
L(G) = set of MSCs labeling accepting paths of G
31
CFM versus MSC-Graphs?
[Figure: an MSC-graph over P and C (specification) "equivalent to" a CFM with P snd(C), C rcv(P) (implementation)]
32
Compositional MSC (CMSC) and CMSC-graphs
Mismatch between MSC and CFM: CMSC,
CMSC-graph [Peled et al. '01]
33
Synthesis Communication
  • Specification: high-level, abstract, …
    (MSC-graph, …)
  • Implementation: local design
    (Communicating FSM, CFM)

34
Synthesis Bounded (regular) case
  • A CFM is bounded if there is a bound B such that
    in any reachable configuration, the number of
    pending messages on any channel is at most B.
  • Loop-connected MSC-graph G: syntactical property
    ensuring boundedness
    (the communication graph of each loop of G is
    strongly connected)

35
Bounded case expressivity
The following are equivalent in expressive power:
  • Bounded CFM
  • Monadic second-order logic over bounded MSCs
  • Loop-connected (C)MSC-graphs
[Mukund, Thiagarajan et al. '00]
36
Bounded case
  • Loop-connected MSC-graphs can be translated into
    finite automata, hence they can be model-checked.
    [M./Peled '99, Alur/Yannakakis '99]
  • Distributed synthesis from regular MSC languages
    to CFM
    [Mukund, Thiagarajan et al. '00]

37
Bounded case too weak
[Figure: CFM of the producer/consumer: P loops on snd(C), C loops on rcv(P)]
Producer/consumer: typical unbounded behavior.
Bounded CFM have low expressivity.
38
Weakly bounded channels
R = (P snd(C) C rcv(P))*: a regular set of
representatives: every execution of the CFM has
an equivalent execution in R.
[Figure: the producer/consumer CFM, P snd(C), C rcv(P)]
Def.
A CFM is weakly-B-bounded if its
B-bounded executions build a set of
representatives.
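The distinction between a bound that holds for every execution (slide 34) and a weak bound that only some equivalent execution has to meet (the definition above), as an added example that is not part of the slides: it builds the partial order of an MSC as on slide 23 (process order plus message order, transitively closed), enumerates the linearizations, and reports the channel size the best and the worst linearization need. The MSCs are constructed here as lists of (sender, receiver) messages, listed in the order each process handles them, which keeps the channels FIFO.

```python
# Added example (not from the slides): the partial-order semantics of an MSC
# (slide 23) and the channel bound of its linearizations, which separates a
# B-bounded CFM (every execution, slide 34) from a weakly-B-bounded one (some
# equivalent execution, slide 38).


def msc_order(messages):
    """messages: constructed list of (sender, receiver), listed in the order
    in which each process handles them. Event 2k is the send of message k and
    event 2k+1 its receive. Returns the strict partial order as a set of pairs
    (x, y), x before y: process order, message order, transitively closed."""
    n = 2 * len(messages)
    proc_of = {}
    for k, (s, r) in enumerate(messages):
        proc_of[2 * k], proc_of[2 * k + 1] = s, r
    order = {(2 * k, 2 * k + 1) for k in range(len(messages))}   # message order
    timeline = {}
    for e in range(n):                                           # process order
        timeline.setdefault(proc_of[e], []).append(e)
    for evs in timeline.values():
        order.update(zip(evs, evs[1:]))
    changed = True                                               # transitive closure
    while changed:
        changed = False
        for x, y in list(order):
            for y2, z in list(order):
                if y == y2 and (x, z) not in order:
                    order.add((x, z))
                    changed = True
    return order


def comparable(order, x, y):
    return (x, y) in order or (y, x) in order


def linearizations(n, order):
    """All total orders of the n events that extend the partial order."""
    preds = {e: {x for x, y in order if y == e} for e in range(n)}

    def extend(done, remaining):
        if not remaining:
            yield done
        for e in sorted(remaining):
            if preds[e] <= set(done):
                yield from extend(done + [e], remaining - {e})

    yield from extend([], set(range(n)))


def channel_bound(lin, messages):
    """Largest number of pending messages on any channel along one linearization."""
    pending, worst = {}, 0
    for e in lin:
        chan = messages[e // 2]
        pending[chan] = pending.get(chan, 0) + (1 if e % 2 == 0 else -1)
        worst = max(worst, pending[chan])
    return worst


def bounds(messages):
    """(weak bound, strong bound): the channel size some linearization gets by
    with, versus the size that suffices for every linearization."""
    order = msc_order(messages)
    sizes = [channel_bound(lin, messages)
             for lin in linearizations(2 * len(messages), order)]
    return min(sizes), max(sizes)


if __name__ == "__main__":
    order = msc_order([("P", "C"), ("P", "C")])   # slide-23 MSC: a=0, b=1, c=2, d=3
    print(comparable(order, 1, 2))                 # False: b and c are incomparable
    print(bounds([("P", "C")] * 3))                # (1, 3): weakly 1-bounded, 3 in the worst case
    print(bounds([("P", "C"), ("C", "P")]))        # (1, 1): request/reply
```

Three unanswered messages from P to C are weakly 1-bounded (alternating send/receive is a representative of the same MSC) but not 1-bounded, since P may send all three before C receives any; the request/reply MSC is 1-bounded in both senses because its partial order is a chain.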
39
Weakly bounded channels
What does a weak channel bound mean? Receiving
messages can be (fairly) scheduled within
channels of some fixed size.
Implementations of communication protocols are
usually weakly bounded!
40
Weak bounds expressivity
The following are equivalent in expressive power:
  • Weakly-bounded CFM
  • Globally-cooperative CMSC-graphs
  • Monadic second-order logic over w-bounded MSCs
[Genest, Kuske, Muscholl '04]
41
Weak bounds main result
[Diagram: monadic second-order logic over w-bounded MSCs, globally cooperative CMSC-graphs and weakly-bounded CFM are pairwise equivalent; logic and CMSC-graphs yield a regular set of B-bounded representatives, from which distributed synthesis builds the weakly-bounded CFM]
42
Some proof ideas
Compute B-bounded executions by applying
special rewriting rules (commutations).

Kuske's trick
Example
[Figure: CFM over P and C, P sends a, C receives b; a weakly-2-bounded execution: a a b a b b a a b b a b a b a b a b a b a b]
43
Weakly bounded CMSC-graphs and Mazurkiewicz traces
[Figure: CFM over P and C with alphabet {a, a, b, b} (send and receive events of a and b); commutation rules rewrite a b b a a b b a into the Mazurkiewicz trace ab ab ab …; trace automaton M]
44
B-bounded executions
[Figure: B-bounded execution over P and C with process orders <P, <C, message order msg and the relation rev]
Process order <P, message order msg, relation rev:
rev associates the i-th receive with the
(i+2)-th send.
B-bounded executions = set of Mazurkiewicz
traces.
45
From regular representatives to CFM
Start with a CMSC-graph (or MSO-formula) such
that the set of B-bounded executions is a regular
set of representatives.
Construct an equivalent, weakly-B-bounded CFM.
Special case of distributed synthesis:
Mazurkiewicz trace theory [Zielonka '87],
synchr.-communicating automata.
46
From regular representatives to CFM
1. B-bounded executions → equivalent trace
automaton
2. Simulate a synchr.-comm. automaton T by a CFM
T uses process order, message order, rev relation
[Figure: a run with local states k1, …, k6; messages carry the sender's state (k1), (k3), (k5, GUESS); the receiver later checks GUESS = k2]
47
From regular representatives to CFM
Given: a set of MSCs with a regular set of B-bounded
representatives. Construct an equivalent CFM.
Using trace automata: equivalent CFM up to
weakly-B-bounded executions.
Reject non-weakly-B-bounded MSCs:
construct a CFM that controls weak-B-boundedness
on-the-fly.
48
Asynchronous communication deadlocks
  • Our implementation of weakly-bounded MSC-graphs
    has too many deadlocks
  • Another approach [Genest, Concur '05]:
    implement a given regular specification
    by adding messages (within a fixed
    architecture).
  • Then: any specification satisfying the
    diamond properties is deadlock-free
    implementable, if choices are always local.

49
Conclusion
  • Shared-variable case is solved.
  • Communication-based models: solved for language
    equivalence (modulo deadlocks), but other types
    of equivalence are even more challenging
  • Weak channel bounds are a reasonable restriction:
    messages can be scheduled on finite channels

50
Outlook
  • Deadlocks: find reasonable restrictions on
    specifications ensuring deadlock-free
    implementations [Genest '05]
  • Extend the MSC-graph framework
    by partial views; synthesis from partial
    views?
  • Open systems
    Alternating synchr.-comm. automata [Gastin et
    al. '04]: special case
    CFM with uncontrollable processes?