On Reducing the Global State Graph for Verification of

Distributed ComputationsVijay K. Garg, Arindam Chakraborty

Parallel and Distributed Systems Laboratory

The University of Texas at Austin

Roadmap

Motivation Background: Lattice Theory Interval Clocks and Congruences Detecting CTL-X predicates Optimal Congruence construction Conclusion

Motivation: Reliable Systems

Concurrent systems are prone to errors. Concurrency, nondeterminism, process and

channel failures

Techniques to ensure correctness Model Checking and Formal Verification

Exponential complexity Testing and Debugging

Trace: Total Order vs Partial Order Total order: interleaving of events in a trace Partial order: Lamport’s happened-before model

f2e1

CS2 CS1

f1 e2

P1

P2

Partial Order Trace

CS2

CS1

e1 e2

f1 f2

e2e1

CS1CS2

f1 f2

Successful Trace

Specification:CS1 Λ CS2

¬CS2 ¬CS1

¬ CS1

¬CS2

¬CS1 ¬ CS2

Faulty Trace

Global State Graph of a Trace

G is a (consistent) global state:

(f in G) and (e happened before f)

implies (e in G)

e1 e2

f1 f2

T┴

P1

P2 {e1, ┴} {f1, ┴}

{e1, f1, ┴}

{e2, e1, f1, ┴}

{e2, e1, f2, f1, ┴

{e1, f2, f1, ┴}

{e2, e1, ┴}

{┴}

Problem Statement

Given a partially ordered trace a temporal logic formula

Determine: if the formula is true in the graph of the global

states of the trace Examples:

EF:CS(1) /\ CS(2) AG:(request(i) => AF:lock(i))

The Main Difficulty in Partial Order

Too many global states : The graph may contain as many as O(kn) global states

k: maximum number of events on a process n: number of processes

e1 e2

f1 f2

T┴

P1

P2 {e1, ┴} {f1, ┴}

{e1, f1, ┴}

{e2, e1, f1, ┴}

{e2, e1, f2, f1, ┴

{e1, f2, f1, ┴}

{e2, e1, ┴}

{┴}

Reducing the Global State Graph Idea: Reduce the global state graph w.r.t the

formula that needs to be verified Example: [Alagar, Venkatesan 01]

To detect a formula of the form EF:B it is sufficient to track only those variables that affect B

B: non-temporal formula (e.g. x > y) This paper:

How do we extend this result to CTL-X ?

Temporal Logic Predicates (CTL)

H H H H

final cut final cutfinal cutfinal cut

H satisfies EF(p)

H satisfies AF(p)

H satisfies EG(p)

H satisfies AG(p)

p holds p does not hold

E: some path A: all paths F: eventually G: always

simple predicates: EF(p), AF(p), EG(p), AG(p) nested predicates: AG(p => AF(q))

Temporal Logic CTL-X

CTL Operators: EF, AF, EG, AG, EU, AU and X. X (next-time) is not preserved by state reductions,

hence focus on CTL without X Example:, ”once a process requests a lock then it

eventually gets the lock”, can be expressed as

EG, AG and AU can be expressed in terms of EF, AF and EU

Allows specification of path properties

Preserving path properties

AF:Φ holds in the original graph but not the reduced graph

Our Approach

Uses the fact that global state graph is a lattice

Put constraints on the global states that can be merged so that path properties preserved

Key result If the global states are combined using lattice

congruences then path properties are preserved

Distributive LatticeThe set of global states forms a distributive lattice

closed under meet and join (union, intersection) meet distributes over join

a b

c d

┴ Τ

G

initial global state = {┴}

{a, ┴} {c, ┴}

{a, c, ┴}

{a, c, d, ┴}

final global state = {a, b, c, d, ┴}

G={a, b, c, ┴}

{a, b, ┴}

Congruences

An equivalence relation is a lattice congruence if it preserves meets and joins

Interval Clocks

Interval: a maximal sequence of consecutive events on a process such that Φ stays same

Global Intervals

Consistency of intervals Global Interval Consistent global interval Global Interval Lattice

State Space Reduction

→

Intervals and Congruences

Theorem [Alagar, Venkatesan 01]: There exists a global interval at which a predicate Φ is true if and only if there exists a global state at which Φ is true

Hence interval clocks can be used to detect EF:B

Result [this paper]: The global interval lattice formed by interval clocks is a reduced lattice modulo a congruence relation.

Detecting Temporal Formulae with Intervals B : any non-temporal formula. θ : any lattice congruence that refines the equivalence

class induced by B. Theorem: AF:B holds in a lattice L iff AF:B holds in L/θ

Key Lemma [Equivalence of Paths]: For any path in L, there exists an “equivalent” path in L/θ and vice-versa.

Theorem: E:B1 U B2 holds in a lattice L iff E:B1 U B2 holds in L/θ.

(Note: EG, AG and AU can be expressed in terms of AF, EF and EU)

Optimal Congruence

Using interval clocks, an online algorithm for state space reduction Intervals can be computed locally by each process A process reports only the relevant events to the monitor process

Disadvantage: Does not give the optimal congruence since each process decides

locally

Centralized Model: each process reports every event to the monitor. The monitor process has information from every process compute exactly which global states need to be added

Optimal Congruence

Principal Congruence: Given two elements a, b in L, the smallest congruence that puts a and b in the same congruence class is called the principal congruence of a and b, denoted

Theorem: Given a lattice L and an equivalence relation E on L, the largest congruence that is contained in E is given by:

x in J(L) if there exists an event e such that x is the least global state that contains e, x* = x – {e}.

Algorithm

Conclusions

using congruences for the state space explosion problem Induce equivalence on the global state graph by the

value of the properties evaluated at each state find the largest congruence that is contained in this

equivalence relation

Extended property verification using reduced lattices to CTL−X

An algorithm to compute the optimal congruence

Q & A

and thanks!

Nested Temporal Formulae

Handle nested temporal formulae using the recursive sub-formulae evaluation technique of model checking

Say we want to verify Interval Clocks will be based on non-temporal predicates p, r Model checking algorithms evaluate nested temporal formulae

on the global state graph by recursively evaluating all sub-formulae. Given the global interval graph G and the formula Φ, model checking algorithms will return the set of all states which satisfy Φ (say [Φ]).

We modify model checking so that along with returning [Φ], it also simultaneously labels each state s on the graph by whether Φ is true at s or not.

Algorithm

1. Find the set S of all sub-formulae without temporal operators, from the set of properties to be verified on the computation

2. Create the global interval lattice L from the computation by using interval clocks with respect to the set S

3. Run model checking algorithm on L with the modification that states are labeled in each step as described earlier. Nested temporal formulae, due to state labeling of sub-formulae, can be treated as simple unnested temporal formulae.