State Space Abstraction for Parameterized SelfStabilizing Embedded Systems - PowerPoint PPT Presentation
1
State Space Abstraction for Parameterized
Self-Stabilizing Embedded Systems
  • Nikolaos Liveris Northwestern University
  • Prof. Hai Zhou Northwestern University
  • Prof. Robert Dick Northwestern University
  • Dr. Prith Banerjee HP Labs

2
Outline
  • Motivation and systems we consider
  • Abstraction technique
  • Soundness and completeness
  • Case studies
  • Conclusions

3
Parameterized Systems
  • Parameterized systems: systems specified for an
    arbitrary number of processes
  • The number of possible instances is infinite
  • We are interested in verifying the correctness of
    a parameterized system for any number of processes

4
Parameterized Self-Stabilizing Systems
  • Self-stabilizing systems: systems that can
    recover from any transient fault
  • Reasoning by considering the initial state as the
    first state after a transient fault
  • Every state can be an initial state
  • Correctness conditions are expressed as liveness
    conditions

5
Control Abstraction
6
Control Abstraction with Parameterized Observable
State Space
7
Overview of Abstraction Methodology
8
Assumptions
  • Asynchronous parallel composition for processes
    (interleaving model)
  • Actions can either read or write at most one
    shared variable in each atomic step
  • Each shared variable sv_j can be written only by
    P(j)
  • Preconditions of the actions are not evaluated
    over shared variables
  • Different actions cannot have the same effect in
    any state
  • Correctness conditions expressed over the
    variables of one process (e.g., P1)

9
Intuition behind Transformation
Interleaving model (only one action executed at
any time)
Only one shared variable and its value are
important before each step
Each action can read or write at most one shared
variable
10
Transformation
  • State space
      • Replace shared variables sv2, ..., svN with
        sva2
      • Variable sv1 is renamed sva1
  • Actions
      • Replace each occurrence of sv2, ..., svN with
        sva2 in the description of actions that read a
        shared variable
      • Replace each occurrence of sv2, ..., svN with
        sva2 in the description of actions that change
        the value of a shared variable
      • Actions that do not read or write shared
        variables remain unchanged
      • An action is added for each process that copies
        the local copy of its shared variable to sva2.
        The precondition of the action is true.

11
Examples of Action Transformation
Actions of process P(i) with i ∈ 2..N:
  • x-action(j), for some j ∈ 2..N: lc_i := sv_j
    becomes x-action: lc_i := sva_2
  • y-action: lc_i ≠ 1 ∧ sv_i := lc_i ∧ lsv_i := lc_i
    becomes y-action: lc_i ≠ 1 ∧ sva_2 := lc_i ∧ lsv_i := lc_i
  • new-action (added): sva_2 := lsv_i
12
Behavior in the Concrete System
Actions of process P(i) with i ∈ 2..N:
  • x-action(j), for some j ∈ 2..N: lc_i := sv_j
  • y-action: lc_i ≠ 1 ∧ sv_i := lc_i ∧ lsv_i := lc_i
Example trace:
  • Initial state: lsv_1 = sv_1 = 1, lsv_2 = sv_2 = 1,
    lsv_3 = sv_3 = 0
  • P(2).x(3): lc_2 = 0
  • P(2).y: lsv_2 = sv_2 = 0
13
Behavior in the Abstract System
Actions of process P(i) with i ∈ 2..N:
  • new-action: sva_2 := lsv_i
  • x-action: lc_i := sva_2
  • y-action: lc_i ≠ 1 ∧ sva_2 := lc_i ∧ lsv_i := lc_i
Example trace:
  • Initial state: lsv_1 = 1, sva_1 = 1, lsv_2 = 1,
    sva_2 = 1, lsv_3 = 0
  • P(3).new-action: sva_2 = 0
  • P(2).x: lc_2 = 0
  • P(2).y: lsv_2 = sva_2 = 0
14
Transformation
  • Initial condition
      • Variable sva2 is equal to one of the local
        lsv_j variables (j ∈ 2..N)
      • All other variables have the same initial
        conditions
  • Liveness
      • Each action inherits the fairness condition of
        the action it is obtained from
      • If the action can be obtained from a set of
        actions, it inherits the strongest fairness
        condition of the set
      • New actions do not have any fairness conditions

15
Soundness: Refinement Mappings
  • Preserves the observable state component
  • Takes initial states into initial states
  • A state transition allowed by the first system is
    mapped into a transition in the second system or
    a stuttering step
  • Maps behaviors allowed by Sa to behaviors that
    satisfy the liveness property of Sb

16
Prophecy Variables
  • A prophecy variable predicts future information
  • Some non-deterministic decisions are made earlier
    and their result is recorded in the prophecy
    variable
  • Abadi and Lamport (1988): if Sp is obtained from
    S by adding a prophecy variable, then the two
    specifications define the same observable behavior

17
Prophecy Variable for the Concrete System
Interleaving model (only one action executed at
any time)
Only one shared variable and its value are
important before each step. Therefore, we replace
sv2, ..., svN with sva2.
Each action can read or write at most one shared
variable
  • Prophecy variable p ∈ 2..N guesses the shared
    variable that will be read or written in the
    future
  • Refinement mapping from Sp to S, by mapping sv_p
    to sva2
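
As an added example (not code from the slides or the authors), a small Python model of the concrete and abstract systems of slides 11-13 with N = 3, replaying the trace of slide 12 next to the abstract trace of slide 13 and checking after every step the refinement mapping of slide 17 (sv_1 to sva_1, sv_p to sva_2, with the prophecy p naming the next shared variable to be read or written); each change of p corresponds to an abstract new-action step. The dictionary encoding of states, the initial values and the y-action precondition lc_i ≠ 1 are assumptions made for this example.

```python
def concrete_init():
    # Constructed initial state (as on slide 12): every lsv_i equals sv_i,
    # sv_3 = 0 and the other shared variables are 1; lc_i is arbitrary (here 1).
    return {"lc": {2: 1, 3: 1}, "sv": {1: 1, 2: 1, 3: 0}, "lsv": {1: 1, 2: 1, 3: 0}}

# Concrete actions of process P(i), i in 2..N (slide 12)
def conc_x(s, i, j):          # x-action(j): lc_i := sv_j (reads one shared variable)
    s["lc"][i] = s["sv"][j]

def conc_y(s, i):             # y-action: lc_i != 1 -> sv_i := lc_i, lsv_i := lc_i
    assert s["lc"][i] != 1, "precondition of y-action does not hold"
    s["sv"][i] = s["lsv"][i] = s["lc"][i]

# Abstract actions of P(i) after the transformation (slide 13)
def abs_new(a, i):            # new-action: sva_2 := lsv_i (precondition true)
    a["sva2"] = a["lsv"][i]

def abs_x(a, i):              # x-action: lc_i := sva_2
    a["lc"][i] = a["sva2"]

def abs_y(a, i):              # y-action: lc_i != 1 -> sva_2 := lc_i, lsv_i := lc_i
    assert a["lc"][i] != 1, "precondition of y-action does not hold"
    a["sva2"] = a["lsv"][i] = a["lc"][i]

def refine(s, p):
    """Refinement mapping of slide 17: a concrete state plus the prophecy p (index
    of the next shared variable to be read or written) gives the abstract state
    with sv_1 renamed sva_1 and sv_p mapped to sva_2."""
    return {"lc": dict(s["lc"]), "lsv": dict(s["lsv"]),
            "sva1": s["sv"][1], "sva2": s["sv"][p]}

def check_refinement():
    """Replay the concrete trace of slide 12 next to the abstract trace of slide 13
    and check after each step that refine(concrete, p) equals the abstract state.
    Returns (all_steps_matched, final_concrete_state, final_abstract_state)."""
    s = concrete_init()
    a = refine(s, 2)                 # initial prophecy p = 2: sva_2 = sv_2 = 1 (slide 13)
    matched = []
    abs_new(a, 3)                    # prophecy 2 -> 3 (P(2) reads sv_3 next): P(3).new-action
    matched.append(refine(s, 3) == a)
    conc_x(s, 2, 3); abs_x(a, 2)     # P(2).x(3) maps to P(2).x; lc_2 becomes 0
    matched.append(refine(s, 3) == a)
    abs_new(a, 2)                    # prophecy 3 -> 2 (sv_2 is written next): P(2).new-action
    matched.append(refine(s, 2) == a)
    conc_y(s, 2); abs_y(a, 2)        # P(2).y maps to P(2).y; lsv_2 = sv_2 = sva_2 = 0
    matched.append(refine(s, 2) == a)
    return all(matched), s, a
```

The prophecy steps are stuttering steps of the concrete observable state, which is why each one is paired with an abstract new-action rather than a concrete action.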

18
Completeness Conditions
  • System is self-stabilizing
  • Read actions form equivalence classes, whose size
    increases as N increases
  • Number of processes is not bounded from above
  • Liveness constraints are independent of N
  • Read actions do not have fairness constraints

19
Completeness Example
  • Start with the counterexample for the abstract
    system
  • For each of its actions, execute the corresponding
    action in the concrete system
  • For read actions this may not always be
    successful; therefore, in some cases we need to
    extend the system with more processes

20
Completeness Example Solution
21
Case Studies
  • Leader Election, Coloring, Spanning-Tree
    Construction
  • States: < 500K
  • Model checking: < 22 minutes (TLA/TLC, TLV)
  • Property was proved for all case studies

22
Conclusions
  • Presented an abstraction technique that reduces
    the observable state space, enabling the use of
    control abstraction
  • Case studies show that the technique is not trivial
  • Technique targets self-stabilizing parameterized
    systems
  • Technique can be used as part of an abstraction
    methodology for those systems

23
  • Thank you!