Presentation is loading. Please wait.

Presentation is loading. Please wait.

Synthesis of Fault-Tolerant Distributed Programs Ali Ebnenasir Department of Computer Science and Engineering Michigan State University East Lansing MI.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Synthesis of Fault-Tolerant Distributed Programs Ali Ebnenasir Department of Computer Science and Engineering Michigan State University East Lansing MI."— Presentation transcript:

1 Synthesis of Fault-Tolerant Distributed Programs Ali Ebnenasir Department of Computer Science and Engineering Michigan State University East Lansing MI 48824 USA ebnenasi@cse.msu.edu Advisor: Dr. Sandeep S. Kulkarni

2 2 Motivation Programs are subject to unanticipated faults New classes of faults, add corresponding fault-tolerance How to add fault-tolerance? Design a fault-tolerant program from scratch Incremental addition of fault-tolerance How to ensure correctness? Verification after the fact Automatic synthesis of fault-tolerant programs (correct by construction)

3 3 Motivation (Continued) Synthesis of fault-tolerant programs Start from (Temporal Logic) specification Start from the fault-intolerant program Synthesis of fault-tolerant programs from their fault- intolerant versions has the potential to Reuse the behaviors of the fault-intolerant program Preserve behaviors that are hard to specify (e.g., efficiency) Problem: Complexity of synthesis A polynomial-time non-deterministic algorithm for the synthesis of fault-tolerant distributed programs [FTRTFT00]

4 4 Outline Program and Fault Model Distribution Model Problem Statement Strategy Current Results Future Plan

5 5 Program and Fault Model Program is identified by its state space and set of transitions Finite State space S p Invariant S, fault-span T  S p Program p, Fault f, Safety  { (s 0, s 1 ) | (s 0, s 1 )  S p  S p } Fault-tolerance Satisfy a particular fault-tolerance specification in the presence of faults Failsafe, Nonmasking, Masking S T p/fp f SpSp

6 6 Distribution Model Read/Write restrictions Example A program p with two processes j and k Two Boolean variables a and b Process j cannot read b Can we include the following transition ? a=0,b=0 a=1,b=0 Groups of transitions (instead of individual transitions) must be chosen a=0,b=1 a=1,b=1 Only if we include the transition

7 7 Problem Statement Synthesis Algorithm Fault-intolerant program p Specification Spec Invariant S Fault-tolerant program p' Invariant S' Faults f No new transition here New transitions added here S S'S' p Finite state space Distribution restrictions SpSp f

8 8 Strategy Theoretical issues Develop heuristics Explore polynomial-time boundaries Analyze fault-intolerant programs Develop a synthesis framework for Developers of fault-tolerance Developers of heuristics

9 9 Theoretical Issues - Heuristics Apply heuristics to reduce the exponential complexity [SRDS01] Assign weights to transitions and states based on their usefulness Different approaches for resolving deadlocks and livelocks Identify the applicability of heuristics to the problem at hand Choose different subsets of heuristics Apply in different order

10 10 Theoretical Issues – Polynomial-Time Boundary Find properties of programs/specifications where polynomial-time synthesis is possible Example: Algorithmic synthesis of failsafe fault-tolerant programs is NP-hard [ICDCS02] Polynomial-time synthesis of failsafe fault-tolerance for monotonic programs and specification

11 11 Example for Polynomial-Time Boundary : Monotonicity of Specifications Definition: A specification spec is positive monotonic with respect to variable x iff: For every s 0, s 1, s ’ 0, s ’ 1 : The value of all other variables in s 0 and s ’ 0 are the same. The value of all other variables in s 1 and s ’ 1 are the same. s1s1 s0s0 x = false If Does not violate safety s’0s’0 s’1s’1 x = true Does not violate safety Then

12 12 Example for Polynomial-Time Boundary : Monotonicity of Programs Definition: Program p with invariant S is negative monotonic with respect to variable x iff: For every s 0, s 1, s ’ 0, s ’ 1 : The value of all other variables in s 0 and s ’ 0 are the same. The value of all other variables in s 1 and s ’ 1 are the same. Invariant S s1s1 s0s0 x = true s’0s’0 s’1s’1 x = false

13 13 Example for Polynomial-Time Boundary : Theorem Synthesis of failsafe fault-tolerance can be done in polynomial time if either: Program is negative monotonic, and Spec is positive monotonic; Or Program is positive monotonic, and Spec is negative monotonic. If only one of these conditions is satisfied then synthesizing failsafe fault-tolerance is still NP-hard. For many problems, these requirements are easily met. E.g., Agreement, Consensus, and Commit.

14 14 Example for Polynomial-Time Boundary : Byzantine Agreement Processes: General, g, and three non-generals j, k, and l Variables d.g : {0, 1} d.j, d.k, d.l : {0, 1, ┴ } b.g, b.j, b.k, b.l : {true, false} f.j, f.k, f.l : {0, 1} Fault-intolerant program transitions d.j = ┴ /\ f.j = 0 d.j := d.g d.j ≠ ┴ /\ f.j = 0 f.j := 1 Fault transitions ¬ b.g /\ ¬ b.j /\ ¬ b.k /\ ¬ b.l b.j := true b.j d.j :=0|1 g lkj

15 15 Example for Polynomial-Time Boundary : Byzantine Agreement (Continued) Safety Specification Agreement: No two non-Byzantine non-generals can finalize with different decisions Validity: If g is not Byzantine, each non-Byzantine non-general process should finalize with the same decision as g Read/Write restrictions Readable variables for process j: b.j, d.j, f.j d.g, d.k, d.l Process j can write d.j, f.j

16 16 Example for Polynomial-Time Boundary : Byzantine Agreement (Continued) Observation 1: Positive monotonicity of specification with respect to b.j Observation 2: Negative monotonicity of program, consisting of the transitions of j, with respect to b.k Observation 3: Negative monotonicity of specification with respect to f.j Observation 4: Positive monotonicity of program, consisting of the transitions of j, with respect to f.k

17 17 Example for Polynomial-Time Boundary : Byzantine Agreement (Continued) Failsafe fault-tolerant program. d.j = ┴ /\ f.j = 0 d.j := d.g d.j ≠ ┴ /\ ((d.j = d.k) \/ (d.j = d.l)) /\ f.j = 0 f.j := 1

18 18 Theoretical Issues – Analysis of Fault-Intolerant Programs Analyze the behavior and the structure of the fault- intolerant program. Example: Reasoning about the program in high atomicity; i.e., no distribution restrictions. Enhancement of fault-tolerance [ICDCS03]. Take advantage of model checkers.

19 19 Theoretical Issues – Analysis of Fault-Intolerant Programs Synthesis Framework The SPIN Model Checker Fault-tolerant program Intermediate program in Promela Fault-intolerant program Counterexample

20 20 Theoretical Issues: Current Results Intolerant Program Masking fault-tolerant [FTRTFT00] Failsafe fault-tolerant [ICDCS02] Nonmasking fault-tolerant [ICDCS03]

21 21 Synthesis Framework Goals: Algorithmic synthesis of fault-tolerant programs from their fault- intolerant versions. Easy to integrate new heuristics. Easy to change its implementation. Users: Developers of fault-tolerance. Developers of heuristics. Examples: A canonical version of Byzantine agreement. An agreement program that is subject to Byzantine and failstop faults (1.3 million states). A token ring program perturbed by state-corruption faults.

22 22 Related Work E.A. Emerson and E.M. Clarke, Using branching time temporal logic to synthesize synchronization skeletons, 1982. Z. Manna and P. Wolper, Synthesis of communicating processes from temporal logic specifications, 1984. A. Arora, P.C. Attie, and E.A. Emerson, Synthesis of fault-tolerant concurrent programs, 1998. P.C. Attie, and E.A. Emerson, Synthesis of concurrent programs for an atomic read/write model of computation, 1996. O. Kupferman and M. Vardi, Synthesis with incomplete information, 1997.

23 23 Future Plan Theoretical issues Develop more intelligent heuristics to reduce the chance of failure in the synthesis Find polynomial-time boundary for other levels of fault- tolerance Synthesis framework issues Scalability of the synthesis framework for larger programs Implement the synthesis algorithm on a distributed platform

24 24 Future Plan - Continued Synthesis framework issues Use model checkers for behavioral analysis Query Intermediate program Reachability analysis from a given state Result set Deadlock states Non-progress cycles Finite sequence of states

25 25 Publications [ICDCS02] Sandeep S. Kulkarni and Ali Ebnenasir. The Complexity of Adding Failsafe Fault-Tolerance. The 22nd International Conference on Distributed Computing Systems, July 2-5, 2002 - Vienna, Austria. [ICDCS03] Sandeep S. Kulkarni and Ali Ebnenasir. Enhancing The Fault-Tolerance of Nonmasking Programs. Accepted in the 23rd International Conference on Distributed Computing Systems, May 19- 22, 2003 - Providence, Rhode Island USA. [SRDS03] Sandeep S. Kulkarni and Ali Ebnenasir. A Framework for Automatic Synthesis of Fault-Tolerance. Submitted to The 22 nd Symposium on Reliable Distributed Systems 6 th -8 th /October, 2003 - Florence, Italy. The implementation of the synthesis framework: http://www.cse.msu.edu/~sandeep/software/Code/synthesis-framework/

26 26 Thank You! Questions and Comments?

27 27 Reduction from 3-SAT Included iff x 0 is false Included iff x 0 is true Included iff x j is false Included iff x k is true Included iff x l is false c j = x j \/ x k \/ x l _ a n = a 0 a0a0 x0x0 x1x1 x’0x’0 x’1x’1 x’nx’n xnxn

Download ppt "Synthesis of Fault-Tolerant Distributed Programs Ali Ebnenasir Department of Computer Science and Engineering Michigan State University East Lansing MI."

Similar presentations

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Impossibility of Distributed Consensus with One Faulty Process

Impossibility of Distributed Consensus with One Faulty Process
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
The Theory of NP-Completeness

The Theory of NP-Completeness
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Byzantine Generals Problem: Solution using signed messages.

Byzantine Generals Problem: Solution using signed messages.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.

CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
CS 582 / CMPE 481 Distributed Systems Fault Tolerance.

CS 582 / CMPE 481 Distributed Systems Fault Tolerance.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

Similar presentations

Ads by Google