Presentation is loading. Please wait.

Presentation is loading. Please wait.

Components based systems with Probabilistic choice Doron Peled Bar Ilan University.

Published byAbner Peters Modified over 9 years ago

Similar presentations

Presentation on theme: "Components based systems with Probabilistic choice Doron Peled Bar Ilan University."— Presentation transcript:

1 Components based systems with Probabilistic choice Doron Peled Bar Ilan University

2 Structure Development of reliable systems. Implementing components based systems. Components based systems with probabilistic choices.

3 History of (concurrent) software development Early software development: programming [Ada Lovelance]. Testing introduced into the software development cycle (inspection, walkthrough) [Meyer]. Program verification is invented [Floyd, Hoare]. Automatic verification (model checking) is invented [Clarke+Emerson, Quelle+Sifakis]. Automatic synthesis?

4 Why not synthesize the software directly from specification? SpecificationSystem Model checking/ testing Yes!! No + Counterexample Revision Specification Synthesis System

5 A less direct approach SpecificationSystem Model checking/ testing Yes!! No + Counterexample Revision Specification Synthesis System Compilation Intermediate description

6 In fact, synthesis was attempted quite early First model checking paper by [Clark+Emerson] was also about synthesis. Similar idea (different formalism) by [Manna+Wolper]. Translate the specification into an automaton (tableau) that accepts the same executions. Then translate this automaton into code. The code is sequential, or controlled by a centralized scheduler. R::P!4; Q:R!x+5 P::R?y R::Q?z

7 Reactive sequential systems synthesis Problem [Buchi, Rabin]: How to automatically construct an automaton that interacts with an uncontrolled environment and guarantees that together they will satisfy some regular property. [Pnueli+Rosner]: Similar for the allowed executions to satisfy some temporal (LTL) property*. Solution: Translation (LTL  Automata) + Determinization + Game theory construction. *This is a subproblem of the above, as LTL properties are star-free regular.

8 Complexity of sequential synthesis is high 2EXPTIME Complete for LTL specification. … But, there are provable systems where the number of states is doubly exponential. But must the size of a circuit that implements such a system be also doubly exponential? [Fearnly+Peled+Schewe]: If we knew, we could have decided whether EXPSPACE=2EXPTIME or not.

9 Concurrent synthesis Several processes, with some communication architecture. We want the system to satisfy some LTL property. [Pnueli+Rosner]: It is undecidable even to check whether there is a system with the given architecture that satisfies the LTL property. But under some strong assumptions (e.g., hierarchical systems) we can solve this [Pnueli+Rosner], [Finkbeiner+Schewe], [Thiagarajan+Madhusudan], [Kupferman+Vardi].

10 Mostly, negative results about synthesis of concurrent systems. Few positive results: …, it is decidable for some very limited architectures, mostly when there is a hierarchy between the processes. … in these cases, the complexity is very high …

11 Alternative Allow a formalism that is high level but already includes a distribution of the tastks among autonomous components. Provides a simple automatic way to transform the design into implementation.

12 Component based systems A component (process) is an automaton. From the marked state, a and b are enabled locally. d ba f e C1C1

13 Components may share transitions, on which they coordinate. h cb g a k j c a bc m n d ba f e C1C1 C2C2 C3C3

14 Verimag’s BIP (Behavior Interactions Priorities) are component based systems! BIP

15 A global state is a combination of local states h d cb ba g f e a k j c a bc m n C1C1 C2C2 C3C3 From the given global state, d and c are enabled.

16 The local view of a component in a global state is the local state + enabled actions. h d cb ba g f e s4s4 a k j c a b c m n C1C1 C2C2 C3C3 The local view of C3 here is. Assume a mechanism where a component can sense its local view

17 How to implement scheduling? h d cb b a g f e a k j c a bc m n C1C1 C2C2 C3C3 C 1 may pick up a, while C 2 may pick up b, but C 3 will pick up c. Not working..

18 How to implement scheduling? h d cb b a g f e a k j c a bc m n C1C1 C2C2 C3C3 So C 1 picks up b, C 2 picks up c and C 3 picks up a. Not working again…

19 We need some mechanism for decisions Michael Rabin showed that a symmetric non- probabilistic algorithm cannot be given. Synchronizers like α–core, can be used. This is interaction-centric view. Consider the case that we want to guarantee selections by components (e.g., when we need to make some probabilistic choices). This is a component-centric scheduling.

20 Some retrospect Implementing concurrent systems from a simple model of component automata is not as simple as thought. Similar problems exist when implementing multiple choice synchronous communication as in CSP or ADA R::[ P?x [] Q?y] || P::R!3 || Q::R!z

21 Interaction based scheduling using α-core d b a f e a k j c a b c m C1C1 C3C3 C 1 sends OFFER to a-interaction C 2 sends OFFER to a-interaction a-interaction sends LOCK to C 1 a-interaction sends LOCK to C 2 C 1 sends OK to a-interaction C 2 sends OK to a-interaction a-interaction sends START to C 1 a-interaction sends START to C 2 More messages for cancelling communication or finishing it.

22 Problems with the interaction- based scheduling Expensive: requires quite a lot of message passing, and a process for each coordination. Does not support probabilistic decisions. An error is identified in the α-core algoritm and was fixed automatically using a genetic programming tool based on model checking [Katz+Peled].

23 Consider the following situation a – I will write alone a paper to a conference. b – We will write together a paper to a conference. c – You will write alone a paper to a conference. Neither you or me have time to write two papers (but we can write one each, separately). cb b a b C1C1 C2C2

24 Difficult situation: what to do? We can decide separately, but need to decide consistently: cannot be that C 1 decides on working separately and C 2 decides to collaborate. To decide on collaboration, we needs to coordinate. cb b a b C1C1 C2C2

25 Difficult situation: what to do? Perhaps we need to throw a coin. Say we both have a fair coin. So, the chance of collaboration is 50-50? One of us throws the coin faster… c b b a b C1C1 C2C2 0.5

26 How to model this w.r.t. the state space? c b b a b C1C1 C2C2 0.5 a a b c c

27 Markov Process? A graph + a distribution function from each state to the set of states c b b a b C1C1 C2C2 0.5 a a b c c ? ? ?

28 Certainly not… distribution must sums up to 1 !! c b b a b C1C1 C2C2 0.5 a a c c b

29 No, we use fair coins… c b b a b C1C1 C2C2 0.5 a a c c b 0.333

30 Only if the chance of C1 and C2 to throw the coin first is 0.5 each! c b b a b C1C1 C2C2 0.5 a a c c b 0.25

31 A more realistic model: depends on which component throws the coin first. c b b a b C1C1 C2C2 0.5 a a b c c b C1C1 C2C2 C1C1 C2C2

32 What is the chance of a to occur? b to occur? c to occur? c b b a b C1C1 C2C2 0.5 a a b c c b C1C1 C2C2 C1C1 C2C2

33 What is the chance of a to occur? b to occur? c to occur? c b b a b C1C1 C2C2 0.5 a a b c c b C1C1 C2C2 C1C1 C2C2 It really depends on the scheduling of throwing the coin. If we do not have the probabilities for that, we can only provide lower and upper bound.

34 Chance of a (of c) to occur immediately between 0 and 0.5. Chance b to occur 0.5. c b b a b C1C1 C2C2 0.5 a a b c c b C1C1 C2C2 C1C1 C2C2

35 Markov Decision Process a a b c c 0.5 b C1C1 C2C2 C1C1 C2C2 Set of states S. [Initial state s 0.] Actions A. For each state s in S, A(s) is a distribution function on S. I.e., 0≤A(s)[s’]≤1 and Σ s in S A(s)[s’]=1.

36 Markov Decision Process Modeling component based systems a a b c c 0.5 b C1C1 C2C2 C1C1 C2C2 Set of states S. Actions A: in our case, actions are components making a probabilitstic decision. The probability of an action made by a component only depends on its local view: For each state s, s’ in S with the same local view for component A, A(s)=A(s’).

37 A different scenario: The execution of c will allow an alternative choice for a. c b b a b C1C1 C2C2 0.5 a a c c b

38 Reflecting the choices c b b a b C1C1 C2C2 0.5 a a c c b C1C1 C2C2 C1C1 C2C2

39 How to implement a component based system? h d cb ba g f e a k j c a bc m n C1C1 C2C2 C3C3 How to allow at least one component the selection? Avoid a centralized (sequential) solution. Lock the choices of at least one component.

40 The notion of a conflict h d cb ba g f e a k j c a bc m n C1C1 C2C2 C3C3 Transitions of a component are “dependent”, when they share the same component, e.g., a and b, or d and b in C 1. We say that a and b are in conflict and that d and b are sequential. Otherwise they are “independent” or “concurrent”.

41 The notion of a “confusion” h d c b b a g f e a k j c a bc m n C1C1 C2C2 C3C3 Is a pair of transitions of different components (a, c) such that executing c will either add or remove a conflicting choice to a.

42 The notion of a “confusion” h d c b b a g f e b c n C1C1 C2C2 Transitions are in “confusion” if they are independent but the execution of one can change the alternative choices for the other. Symmetric confusion: (a,c) Transitions are independent but the execution of one can decrease the alternative choices for the other. Consider n and c.

43 The notion of a “confusion” h d c b b a g f e a k j c a bc m n C1C1 C2C2 C3C3 Transitions are in “confusion” if they are independent but the execution of one can change the alternative choices for the other. Asymmetric confusion: (n, a) Transitions are independent but the execution of one can increase the alternative choices for the other. Executing n enables b as additional alternative to a.

44 A “micro scheduler” using semaphores First, we need to freeze the local view of components. This includes the local state and enabled transitions. Then a component can make a decision based on the distribution that depends on its local view. What can make a change to the local view? - another component making a different choice about an enabled joined transition. - due to a symmetric confusion, some joint transitions disabled. - due to an asymmetric confusion, some joint transitions enabled.

45 A “micro scheduler” using semaphores Provide semaphores per each component. Provide semaphores per each confusion. In order to make a decision about some choice, a component needs to catch the relevant semaphores. Check local view. Catch the semaphores related to components and confusions invovled in view. Check that the view has not changed. To prevent deadlocks, number the semaphores and catch them in ascending order, release in descending order [Dijkstra].

46 A “micro scheduler” using semaphores Optimization: we do no need semaphores for symmetric confusions: case would be eliminated by capturing semaphore for components. Could alternatively catch semaphores for the components that share the locally but not globally enabled transitions. Then do not need semaphores for asymmetric confusion. But this will reduce concurrency.

47 For C 2 to move… h d cb ba g f e a k j c a bc m n C1C1 C2C2 C3C3 c is enabeld. Catches semaphores on C 2, on C 3 and on the confusion (d, c). Why?

48 Implementation Components serve in a master – slave mechanism. A slave offers updates on locally enabled transitions through shared variables and execute its part in a selected transition. Also solves a long-lasting problem on modeling and implementing concurrent systems with probabilistic choices [Katoen+Peled]. Allows parallelism. No deadlocks. Previous solutions involved allowing only one transition to fire in the entire system. Simple to implement (implemented by Ayoub Nouri) using standard semaphore operations. If probabilistic choice is not necessary, we can remove semaphores for asymmetric confusion.

49 Implementation Allows parallelism. Transitions are not necessarily small or simple. Behaves as if atomic; linerarizability. No deadlocks. Previous solutions involved allowing only one transition to fire in the entire system [Lynch et al]. Simple to implement (implemented with Verimag) using standard semaphore operations. If probabilistic choice is not necessary, we can remove semaphores for asymmetric confusion.

50 Shared transitions Each component sets up a shared flag to indicate when a shared transition a is locally enabled (and resets when it becomes disabled). To check its view, a component needs to check which other components that share its locally enabled transitions have set up their shared flags. Can we eliminate these expensive checks?

51 How to eliminate repeated checks for enabledness of shared transitions? Can use a synchronizer like α-core (not cheap…). Can use « knowledge » to eliminate some of the checks;

52 What is knowledge? A component X “knows” a property p about the system if every (global) state of the system that includes the current local state of X, p holds. Joint knowledge of components: when combining their local states. More components know together more. Calculate the reachable states that have the same current local state of component X. Then check whether these states satisfy p. Can be done using model checking techniques, e.g., based on BDDs.

53 When the left component is in local state s, it knows that the middle component cannot be in state t. s h d cb ba g f e a k j c a bc m n t q C1C1 C3C3 C2C2

54 How to use precalculated knowledge? Make a table that tells each component in which of their local states the enabledness in other components is known. Knowledge is not complete (and often sparse).

55 History preserving knowledge Can use memory to remember information about the history of the system. Then we may « know » much more about what happens in other components, as different histories diffrentiate between cases. This is expensive. Essentially we need to remember the set of global states where the system can be, given its local history (a subset construction of the global state space) in each component.

56 Retrospect If probabilistic choice is not necessary, we can remove semaphores for asymmetric confusion. In each one of the scheduling mechanisms, there are some internal choice that happen. After these choices, the set of possibilities available for the system is limited; if the system is coupled with some observer, it would be able to sense the change from the theoretical branching structure.

57 Conclusions Components based systems can be used as at an intermediate design level. Implementing them involves a scheduling mechanisms that depends on architecture. For making a probabilistic choices, we need to protect the choices by each component. Solves a long-lasting problem on modeling and implementing concurrent systems with probabilistic choices [Katoen+Peled]. The goal is to provide a complete system that can be compiled directly on hardware. Scheduling is part of the compiled code.

Download ppt "Components based systems with Probabilistic choice Doron Peled Bar Ilan University."

Similar presentations

Implementation and Verification of a Cache Coherence protocol using Spin Steven Farago.

Implementation and Verification of a Cache Coherence protocol using Spin Steven Farago.
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)

Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Reversible Gates in various realization technologies

Reversible Gates in various realization technologies
ARCHITECTURES FOR ARTIFICIAL INTELLIGENCE SYSTEMS

ARCHITECTURES FOR ARTIFICIAL INTELLIGENCE SYSTEMS
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Knowledge Based Synthesis of Control for Distributed Systems Doron Peled.

Knowledge Based Synthesis of Control for Distributed Systems Doron Peled.
Concurrency: Mutual Exclusion and Synchronization Chapter 5.

Concurrency: Mutual Exclusion and Synchronization Chapter 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Distributed Markov Chains P S Thiagarajan School of Computing, National University of Singapore Joint work with Madhavan Mukund, Sumit K Jha and Ratul.

Distributed Markov Chains P S Thiagarajan School of Computing, National University of Singapore Joint work with Madhavan Mukund, Sumit K Jha and Ratul.
Methods for Knowledge Based Controlling of Distributed Systems Saddek Bensalem, Marius Bozga, Susanne Graf, Doron Peled, Sophie Quinton.

Methods for Knowledge Based Controlling of Distributed Systems Saddek Bensalem, Marius Bozga, Susanne Graf, Doron Peled, Sophie Quinton.
D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.

D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.
CS 290C: Formal Models for Web Software Lecture 4: Implementing and Verifying Statecharts Specifications Using the Spin Model Checker Instructor: Tevfik.

CS 290C: Formal Models for Web Software Lecture 4: Implementing and Verifying Statecharts Specifications Using the Spin Model Checker Instructor: Tevfik.
Timed Automata.

Timed Automata.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.
Concurrency The need for speed. Why concurrency? Moore’s law: 1. The number of components on a chip doubles about every 18 months 2. The speed of computation.

Concurrency The need for speed. Why concurrency? Moore’s law: 1. The number of components on a chip doubles about every 18 months 2. The speed of computation.
Dynamic Bayesian Networks (DBNs)

Dynamic Bayesian Networks (DBNs)

Similar presentations

Ads by Google