We are given $A_1, A_2, \ldots, A_n$, where each $A_i$ is either an esm or an esm-sk, over a set of types $T_B$ and a function vocabulary $F$. We are also given a set of safety monitors $M_{s_1}, M_{s_2}, \ldots, M_{s_m}$, and a set of liveness monitors $M_{l_1}, M_{l_2}, \ldots, M_{l_k}$. The objective is to find an interpretation $I$ such that (1) the product $A \triangleq A_1 \,|\, A_2 \,|\, \cdots \,|\, A_n$ is deadlock free under the interpretation $I$, (2) each esm-sk $A \in \{A_i\}$, $i \in [1, n]$, is deterministic under the interpretation $I$, (3) for each $M_{s_i}$, $i \in [1, m]$, $A \models_I M_{s_i}$, (4) for each $M_{l_j}$, $j \in [1, k]$, $A \models_I M_{l_j}$, and (5) $I$ is symmetric with respect to $T_B$.
Note that we require that the interpretation $I$ is such that each esm-sk under $I$ is deterministic. This is based on our observation that, typically, the esms which cooperate to achieve the goals of a distributed protocol are deterministic individually. The non-determinism in such protocols arises out of (1) non-determinism in the scheduler, and (2) non-determinism in the environment esms. We assume that environment esms are completely specified, and we will therefore never be required to complete environment esm-sks.
The next chapter presents an elegant symbolic algorithm to obtain all interpretations $I$ which satisfy the requirements set forth in the problem statement. Unfortunately, this algorithm is not effective in practice. We describe the reasons why this is so, and also elaborate on the insights obtained by implementing the algorithm and experimenting with a simple cache coherence protocol. These insights also explain some of the choices made in the rest of the work that this dissertation describes.
3 A Symbolic Strategy via Parametrized Transitions
Given that the problem defined in Chapter 2 only involves finite types, thereby rendering the space of solutions finite, one can immediately imagine an elegant symbolic solution to find all interpretations which satisfy the requirements set forth in Section 2.3. Such a solution would have the following high level outline:
1. Translate the descriptions of the esms and esm-sks into a parameterized symbolic transition system, which could be represented using Reduced Ordered Binary Decision Diagrams (henceforth referred to as ROBDDs or BDDs) [Bry85, Bry86, BRB90]. The values of the parameters determine the interpretation $I$ which is chosen. The set of all interpretations is finite, given that the domains and ranges of all the function symbols $f \in F$ are finite, and thus the introduced parameters can only take on a finite number of values, since every value corresponds to a distinct interpretation. The values for these parameters are encoded symbolically as well, and are initially left unconstrained, i.e., any interpretation is allowed.
2. Translate the requirements expressed in LTL into a tester transition system as described in the work by Kesten et al. [KPRS06].
3. Interleave the symbolic model-checking algorithm described in the work by Kesten et al. [KPRS06] with steps to (symbolically) prune parameter valuations which result in incorrect interpretations being chosen, until the model-checking succeeds. At this point, the parameter valuations that we are left with correspond to all interpretations that satisfy the requirements set forth in Section 2.3.
This strategy only handles requirements expressible in LTL, whereas the problem statement outlined in Section 2.3 handles requirements expressed as arbitrary Büchi monitors. Given that there exist Büchi monitors which do not have an equivalent LTL formula, this strategy solves a restricted version of the problem defined in Section 2.3. The strategy can be extended to handle arbitrary Büchi monitors in a relatively straightforward manner. However, the objective of presenting this solution strategy here is to highlight the complexity of distributed protocol completion and glean insights that lead to developing more effective algorithmic strategies. So, we will focus only on LTL requirements and a slightly simplified version of the original problem in this chapter, enabling us to leverage the proofs of correctness from earlier work [KPRS06].
3.1 A Simplified, Finite Version of the Problem
Consider the following simplified version of the problem defined in Section 2.3: each esm or esm-sk has no state variables, i.e., $V = \emptyset$. Further, we assume that messages do not have a payload, i.e., $\mathit{mtype}(m) = \mathit{unit}$ for all messages $m \in \Sigma$. Essentially, the state machines are now simply finite-state machines or finite-state machine sketches, and we will refer to them as fsms or fsm-sks respectively. Each transition $t \in R$ of such an fsm or fsm-sk will have the form $t \triangleq \langle l, m, \mathit{guard}, l' \rangle$. With no state variables and message payloads, the updates component of a transition is no longer relevant. The guard in this setting is always the Boolean constant true in the case of an fsm, but is allowed to be a propositional variable in the case of an fsm-sk, where setting the propositional variable to true indicates that $t \in R$ and setting it to false indicates that $t \notin R$. An interpretation $I$ in this simplified setting is then simply a valuation for these unknown guards. Note that even in this simplified setting, the rest of the definitions regarding composition, symmetry, executions and fairness remain unchanged. Thus an fsm or fsm-sk $A$ is the tuple $A \triangleq \langle L_A, l_A^0, I_A, O_A, F_A^s, F_A^w \rangle$. We assume that the specification is provided as a single LTL formula $\varphi$ over the single distinguished variable $\mathit{loc}$, which represents the location of the fsm-sk $A$.
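As an added illustration (not part of the dissertation), the following Python enumerates the finite parameter space of a constructed fsm-sk whose unknown guards are propositional variables, and prunes the valuations that violate determinism, deadlock freedom or a safety requirement, returning every surviving interpretation; it is the explicit-state analogue of steps 1 and 3 above in the simplified setting. The fsm-sk itself, the parameter names p1..p3, the safety requirement "location err is never reached", and the simplified checks (determinism per location/message pair, deadlock freedom as every reachable location having an outgoing transition) are assumptions of the example; the BDD encoding and the LTL tester of the symbolic strategy are not reproduced.

```python
"""Explicit-state sketch of the parameterized-transition idea for an fsm-sk."""
from itertools import product

# Constructed fsm-sk (not from the dissertation): transitions are
# (l, m, guard, l'); guard is True for a fixed transition (fsm) or the
# name of a propositional variable whose valuation decides t in R.
TRANSITIONS = [
    ("idle", "req", True, "wait"),
    ("wait", "ack", "p1", "done"),
    ("wait", "ack", "p2", "err"),   # competes with the transition above
    ("wait", "nack", "p3", "idle"),
    ("done", "req", True, "wait"),
]
PARAMS = sorted({g for _, _, g, _ in TRANSITIONS if g is not True})
INIT = "idle"
BAD = {"err"}  # assumed safety requirement: location err is never reached

def enabled(interp):
    """Transitions present under interpretation interp (dict param -> bool)."""
    return [(l, m, l2) for l, m, g, l2 in TRANSITIONS if g is True or interp[g]]

def reachable(trans):
    """Locations reachable from INIT over the given transitions."""
    seen, frontier = {INIT}, [INIT]
    while frontier:
        l = frontier.pop()
        for src, _, dst in trans:
            if src == l and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen

def deterministic(trans, locs):
    """At most one transition per (location, message) among reachable locations."""
    keys = [(l, m) for l, m, _ in trans if l in locs]
    return len(keys) == len(set(keys))

def deadlock_free(trans, locs):
    """Every reachable location has some outgoing transition (simplified notion)."""
    return all(any(src == l for src, _, _ in trans) for l in locs)

def complete():
    """Prune the finite parameter space; return all surviving interpretations."""
    good = []
    for bits in product([False, True], repeat=len(PARAMS)):
        interp = dict(zip(PARAMS, bits))
        trans = enabled(interp)
        locs = reachable(trans)
        if deterministic(trans, locs) and deadlock_free(trans, locs) and not (locs & BAD):
            good.append(interp)
    return good
```

Every surviving interpretation sets p2 to false: the transition into err is pruned both by the safety requirement and, whenever p1 is also true, by the determinism requirement on (wait, ack).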
We now briefly outline each of these steps of the symbolic solution strategy for this simplified version of the problem. We then explain why this strategy is not satisfactory, even for this simplified version of the problem, based on empirical observations.