1

Detecting Temporal Logic Predicates onDistributed Computations

Vinit Ogale (ogale@ece.utexas.edu)and Vijay K. Garg (garg@ece.utexas.edu)

Parallel and Distributed Systems Lab

2

Predicate DetectionPredicate: A property expressed using variables

on processes. e.g., more than one process is in critical section

Predicate detection: Determining if an execution trace satisfies the predicate

Predicate detection

trace

predicate

Yes

No

Program

3

Trace Model: Total Order Total order: interleaving of events in a trace

Temporal Rover [Drusinsky 03], Java-MaC [Kim, Kannan, Lee, Sokolsky, and Viswanathan 04], JPaX [Havelund and Rosu 04]

PET [Gunter, Kurshan, Peled 00] Low computational complexity

4

Trace Model: Partial Order Partial order: Lamport’s happened-before

model [Lamport 78] suitable for concurrent and distributed programs encodes exponential number of total orders )

captures bugs that may not be found with a total order

5

{}

Partial Order Traces

Predicate Detection Exponential time algorithm for general predicate [Cooper and Marzullo 91] NP-complete for simple boolean expressions (2-CNF) [Mittal and Garg 01]

{e1} {f1}

{e1, f1}

{e2, e1, f1}

{e2, e1, f2, f1}

{e1, f2, f1}

e1 e2

f1 f2

P1

P2 {e2,e1}

Computation

Corresponding computation lattice

6

Structure of the Computation Lattice Frontier notation for cuts {e2,f3}

instead of {e1,e2,f1,f2,f3} Meet/join of two cuts is their

intersection/union Join irreducible cut: cannot be

expressed as the join of two other cuts

Ideal is a set of cuts: with a unique maximum contains all cuts less than the maximum

e3, f2

e3, f3

e3,f1 e2, f2

e2, f3

e2,f1 e1, f2

e1, f3

e1,f1 f2

f3

f1

{}

7

Stable predicate: once it becomes true, it

stays true, e.g., deadlock [Chandy and Lamport 85]

Meet/join closed: global states are closed

under meet/join (intersection/union)

Regular: meet and join closed [Garg

and Mittal 01]

e3, f2

e3, f3

e3,f1 e2, f2

e2, f3

e2,f1 e1, f2

e1, f3

e1,f1 f2

f3

f1

{}

Special Classes of Predicates

8

subset of CTL [Clarke and Emerson 81]

Examples:violation of mutual exclusion: EF(critical1 Æ critical2) starvation freedom : : EF(request Æ EG( : granted))resettability, AG(EF(restart))

Specification: Temporal Logic

EF (p) / p

EG (p) AG (p)

p is true

C C C

9

POTA [A. Sen and V.K. Garg 03] Efficient detection of RCTL

predicates EF(), AG, EG, Æ

JMPax (exponential time)[K. Sen, G. Rosu, G. Agha 05]

e3, f2

e3, f3

e3,f1 e2, f2

e2, f3

e2,f1 e1, f2

e1, f3

e1,f1 f2

f3

f1

{}

Previous Work: Temporal Predicates

10

BTL (Basis Temporal Logic) A predicate l in BTL is defined recursively as

follows: l AP (AP is the set of atomic propositions, consists of local

predicates) If P and Q are BTL predicates then the following

are BTL predicates P Q , P Q , P P (also called EF(P))

AG(P) can be represented in BTL as P)

11

Basis of a Computation Compact representation of the set of cuts

which satisfy the given predicate

Efficient detection of membership

Computation latticePredicate

Basis

12

Simple Example of Basis Predicate class : Any ideal

in the computational lattice

The basis consists of the maximal element that satisfies the predicate

e3, f2

e3, f3

e3,f1 e2, f2

e2, f3

e2,f1 e1, f2

e1, f3

e1,f1 f2

f3

f1

{}

13

Regular Predicates Slice: [Mittal, Garg 01] All

join irreducible cuts of the smallest sublattice satisfying the predicate

For regular predicates the slice is a basis

e3, f2

e3, f3

e3,f1 e2, f2

e2, f3

e2,f1 e1, f2

e1, f3

e1,f1 f2

f3

f1

{}

A join irreducible element can not be expressed as the join of any other elements

14

Representing Stable Predicates

P : set of ideals I ´ {C1, C2}

Cut C ² P iff 8 C’ 2 I:

: (C < C’)

Note: This representation is not necessarily a basis

Ideal with max c2

Ideal with max c1

Stable Predicate P

c2

c1

15

Semiregular Predicates Can be expressed as:

regular predicate Æ stable predicate

Generalizes regular and stable predicates

E.g. There is no token and all processes are red

Semiregular Structure Tuple h slice, I i Regular Predicate

Stable Predicate

Predicate is true

e3, f2

e3, f3

e3,f1 e2, f2

e2, f3

e2,f1 e1, f2

e1, f3

e1,f1 f2

f3

f1

{}

16

Main Idea of Algorithm A BTL predicate can be represented as a

disjunction of semiregular predicates Basis for BTL predicates consists of a set of

semiregular structures

BTL predicate

Semiregular predicates with efficient representation

17

AlgorithmInputs: Predicate Pin, Computation C

18

Predicate: pa Ç pb

e3, f2

e3, f3

e3,f1 e2, f2

e2, f3

e2,f1 e1, f2

e1, f3

e1,f1 f2

f3

f1

{}

S[pa ] = { h slice1 , { [e3,f1], [f2]} i }

S[pb ] = { h slice2 , { [f3 ], [e1, f1]} i }

S[pa Ç pb] = S[pa] S[pb] = { h slice1 , { [e3,f1], [f2]} i , h slice2 , { [f3 ], [e1, f1]} i }

papb

19

Predicate: pa Æ pb

e3, f2

e3, f3

e3,f1 e2, f2

e2, f3

e2,f1 e1, f2

e1, f3

e1,f1 f2

f3

f1

{}

S[pa ] = { h slice1 , { [e3,f1], [f2]} i }

S[pb ] = { h slice2 , { [f3 ], [e1, f1 ]} i }

pa pb

S[pa Æ pb] = { h slice1 Å slice2 , { [e3, f1] ,[ f2 ], [f3], [ e1, f1 ] } i }

20

Predicate: }(pa Ç pb )

e3, f2

e3, f3

e3,f1 e2, f2

e2, f3

e2,f1 e1, f2

e1, f3

e1,f1 f2

f3

f1

{}

pa pb

S[}(pa Æ pb)] = { h slice (}pa),{} i , h slice (}pb),{}i }

} pa

} pb

Algorithm to compute slice[pa] by Sen and Garg 03

21

Predicate: :(pc Ç pd) max(slice[pd]) max(slice[pc])

slice[pc] slice[pd]

S[(pc pd )] ={ slice[original computation], { max(slice[pc], max(slice[pd] } }

e3, f2

e3, f3

e3,f1 e2, f2

e2, f3

e2,f1 e1, f2

e1, f3

e1,f1 f2

f3

f1

{}

S[pc pd] ={slice[pc], {} , slice[pd], {} }

22

Important Results

Theorem 1: The basis for a BTL predicate has at most 2k semiregular structures

Theorem 2: The total number of ideals in the basis is at most 2k

Time Space Complexity: O(2k |E|n) |E| is the total number of events n is the number of processes

Where k is the size of the predicate

23

Experimental ResultsBasis-based Trace Verifier (BTV) Offline trace verifier implemented in Java

Dining Philosophers

BTV (Basis based trace verifier)POTA(with SPIN)

Number of processes

Time(in seconds)

24

Conclusion Polynomial time predicate detection on

partially ordered traces Properties composed of the following (nested)

operators: Æ , Ç , : , . Implemented and tested on Java programs

and hardware system level designs (SystemC)

25

Extra Slides

26

Properties of Semiregular Predicates All regular and stable predicates are

semiregular Join-closed Closed under conjunction Closed under } and

27

Basis of a Computation Given a computational lattice C, corresponding

to a computation E, and a predicate P, a subset S[P] of C is a basis of P is (Compactness) The size of S[P] is polynomial in the

size of the computation (Efficient membership) Given any cut C C, there

exists a polynomial time algorithm that takes S[P], E and C as inputs and determines if (C,E) ² P

28

Riv73 , Riv74 Any co-regular predicate can be expressed as

an union of intervals, each interval defined by a join-irreducible element and a meet-irreducible element

29

Predicate: pb Ç pc

pc pb e3, f2

e3, f3

e3,f1 e2, f2

e2, f3

e2,f1 e1, f2

e1, f3

e1,f1 f2

f3

f1

{}

Computation

Lattice

e1 Process 1 e2 e3

f1 f2 f3 Process 2

OriginalComputati

on

30

Predicate: pb Ç pc

slice[pb] slice[pc]

e3, f2

e3, f3

e3,f1 e2, f2

e2, f3

e2,f1 e1, f2

e1, f3

e1,f1 f2

f3

f1

{}

S[pb] ={ slice[pb], {} }

S[pc] ={ slice[pc], {} }

S[pb pc] ={slice[pb], {} , slice[pc], {} }

31

AlgorithmInputs: Predicate Pin, Computation C

32

Slicer Module : Big Picture

trace

slice

state explosion

keep all red consistent cutsslicing

33

Slice: Definitionslice: a sub-trace such that: it contains all consistent cuts of the trace

satisfying the given predicate it contains the least number of consistent

cuts[Garg and Mittal 01, Mittal and Garg 01] predicate

trace

sliceSlicer

34

x=2 x=1

y=3 y=4

x=0

y=0>

x=2 x=1

y=3 y=4

x=0

y=0>

Slice: More Edges Less States

x=2,y=0

x=0,y=0

x=0,y=3

x=2,y=3x=1,y=0

x=1,y=3

x=1,y=4

x=2,y=4

x=2,y=0 x=0,y=3

x=2,y=3

x=1,y=4

x=2,y=4

C

C

C

x=1,y=3

x=0,y=0

Observation: edges in G µ edges in H iff cuts in H µ cuts in G.

Idea: To obtain the slice, add edges to the trace.

?

?

Trace G

Trace H : ( (x = 1) Æ (y = 0) )slicing

35

x=2 x=1

y=3 y=4

x=0

y=0>

x=2 x=1

y=3 y=4

x=0

y=0>

Slice: Example

no message in transit

x=2,y=0

x=0,y=0

x=0,y=3

x=2,y=3x=1,y=0

x=1,y=3

x=1,y=4

x=2,y=4

slicing

x=2,y=0

x=0,y=0

x=0,y=3

x=2,y=3x=1,y=0

x=1,y=3

x=1,y=4

x=2,y=4

?

?

D

D

D

36

Detect Bugs from Successful Tracesf2e1

: ordering, dependency CS2 CS1

f1 e2

Process 1

Process 2

Partial Order Trace

CS2

CS1

e1 e2

f1 f2

e2e1

CS1CS2

f1 f2

Trace

Specification:CS1 Æ CS2

: CS2: CS1

: CS1

: CS2

: CS1 : CS2

37

Trace Model: Partial OrderPartial Order Trace

e1, f0

e0, f0

e0, f1

e1, f1e2, f0

e2, f1

e2, f2

e1, f2

State Space

1 Partial Order Tracecaptures

5 Total Order Traces

Total Order Trace ´Path in the State Space

Process 1

Process 2 CS2

CS1

e1 e2

f1 f2

Initiallye0, f0

CS1 Æ CS2

38

Characterizing PredicatesPredicates are generally characterized in terms

of The computation (e.g. local predicates) or The computational lattice (e.g. semiregular

predicates)

39

Characterizing Predicates We aim to relate these two characterizations

E.g. Our algorithm for predicate detection can support any atomic proposition that is regular as well as co-regular. This is a more general class than local predicates and precisely characterizing such a class will automatically make the algorithm more general.

Focus on locality, co-regularity, co-semiregularity and observer independence