Diagnosability under Weak Fairness
Vasileios Germanos1, Stefan Haar2,
Victor Khomenko1, and Stefan Schwoon2
1 School of Computing Science, Newcastle University, UK
2 INRIA & LSV (ENS Cachan & CNRS), France
Diagnosis
(Diagram) The system produces observations and is subject to faults; diagnosis uses the observations for the detection, localisation and identification of faults, and feeds actions back to the system.
Diagnosability
Diagnosability is the possibility of detecting faults by monitoring the visible behaviour of the system: a system is diagnosable if every occurrence of a fault can eventually be detected by the observer.
It is a verifiable property of a system.
Witness of diagnosability violation
(Diagram) Two infinite executions with the same observation XYZ…:
aaXcdacYddeaaZcc… (no fault)
ccaXdYfadeaaaZee… (contains the fault f)
Lowercase letters are unobservable transitions, so the observer sees only XYZ… in both cases and can never tell the faulty execution from the fault-free one.
System model & example
• Labelled Petri net (LPN): ℓ : T → O ∪ {ε}, where ε is the silent (unobservable) label
• Set of faults F ⊆ T
• Assumptions: ℓ(F) = {ε}, i.e. faults are unobservable; no deadlocks and no divergence (no infinite unobservable runs)
(Figure: example net)
Witness of undiagnosability
(Figure: the executions t5 t5 t5 … and t2 t5 t5 t5 …)
t2 t5^ω contains a fault, but cannot be distinguished from t5^ω because t3 can be perpetually ignored.
The net becomes diagnosable if t5 is removed.
Pathology: unrelated concurrent activity makes a PN undiagnosable!
Weak Fairness (WF)
Some transitions can be declared WF. A WF transition cannot stay perpetually enabled: it must eventually either fire or become disabled by another transition (cf. W. Vogler).
Hence some infinite executions (those that perpetually enable some WF transition) are considered invalid and removed from the semantics of the PN.
Fixing diagnosability with WF
(Figure: the example net with t3 declared WF)
The diagnosability violation witness (t2 t5^ω, t5^ω) is now invalid because t2 t5^ω perpetually enables t3.
Naïve definition of WF diagnosability
Idea: require that the executions forming a witness of diagnosability violation are WF.
Doesn't work: (figure: counterexample net) the infinite trace a^ω must be observed for positively concluding that the fault has occurred, i.e. no finite observation suffices, yet the naïve definition finds no witness.
Weakly fair diagnosability
Definition 2 (WF-diagnosability): An LPN is WF-diagnosable iff each infinite WF execution σ containing a fault has a finite prefix σ̂ such that every infinite WF execution ρ with ℓ(σ̂) a prefix of ℓ(ρ) contains a fault.
(Diagram of the quantifier structure: ∀1 σ, an infinite WF execution with a fault; ∃2 σ̂, a finite prefix of σ; ∀3 ρ, an infinite WF execution whose observation extends ℓ(σ̂), must contain a fault.)
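The negation of Definition 2, written out here as an added restatement that is not on the original slides, makes explicit what a witness of WF-undiagnosability has to contain. Notation assumed for this block: $\mathrm{WF}^{\infty}_{F}$ is the set of infinite WF executions containing a fault, $\mathrm{WF}^{\infty}_{\neg F}$ the set of those containing none, and $\sqsubseteq$ is the prefix order on executions and on observation traces.

$$
\neg\,\text{WF-diagnosable} \iff
\exists\,\sigma \in \mathrm{WF}^{\infty}_{F}\;\;
\forall\,\hat\sigma \sqsubseteq \sigma \text{ finite}\;\;
\exists\,\rho \in \mathrm{WF}^{\infty}_{\neg F}:\;
\ell(\hat\sigma) \sqsubseteq \ell(\rho)
$$

The fault-free execution ρ is chosen after the prefix σ̂ and may differ from prefix to prefix, so a single pair (σ, ρ) of WF executions with ℓ(σ) = ℓ(ρ) need not exist even when the net is not WF-diagnosable. This is why requiring a WF witness pair (the naïve definition) is not enough, and why a witness has no natural shape in the general case and needs boundedness to be pinned down.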
Witness of WF-undiagnosability
No natural notion in the general case. For the case of a bounded PN (diagram): σ is an infinite WF execution containing a fault (∞WF); ρ is an infinite execution with no fault (∞), not necessarily WF; and for every (∀1) finite prefix of ρ there exists (∃2) an infinite WF fault-free execution (∞WF) extending it.
Witness of WF-undiagnosability
(Figure: example net and witness)
Special case for WF-diagnosability
Can simplify the notion of witness for non-WF faults (diagram): σ is an infinite WF execution (∞WF) containing a fault; ρ is an infinite execution (∞) with no fault and the same observation, not necessarily WF!
Verification of WF-diagnosability
• Assume a bounded LPN with non-WF faults
• Construct another bounded LPN called the verifier, built from the fault tracking net
• Check a fixed LTL-X property on the WF executions of the verifier
Fault tracking net Nft
(Figure)
Verifier
WF-diagnosability of the original net can be formulated as a fixed LTL-X formula on the verifier that has to be checked for WF executions only. (Figure: verifier net and formula)
Advantages of the method
• Any PN model checker supporting WF and LTL-X can be used
• Can exploit the modular structure of the verifier (it is a synchronous product of two nets)
• Can easily be extended to high-level PNs
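To make the witness of slide 6, the WF fix of slide 8 and the product-based verification of slides 14 and 17 concrete, here is an added Python example. It is not the authors' verifier (which uses a fault tracking net and an LTL-X formula); instead it builds the synchronous product of two copies of a bounded LPN, synchronised on observable labels (the "twin plant"), and searches it for a strongly connected component on which the first copy has faulted and the second has not. Weak fairness is checked on the faulty copy only, as in the simplified witness for non-WF faults, by rejecting components on which a WF transition is enabled in every state but never fires. The net EXAMPLE is constructed to match the shape described on slides 6 and 8 (t2 a silent fault, t3 observable and enabled only after the fault, t5 an unrelated observable loop); the original figure is not in the transcript, so its places, arcs and labels are assumptions.

```python
# Added example, not the authors' verifier: twin-plant search for witnesses of
# (WF-)undiagnosability in a bounded labelled Petri net (LPN).
EPS = None  # silent (unobservable) label, the slides' epsilon


class LPN:
    def __init__(self, places, transitions, m0, faults, wf=()):
        # transitions: name -> (pre, post, label); pre/post map place -> arc weight
        self.places = list(places)
        self.idx = {p: i for i, p in enumerate(self.places)}
        self.trans = transitions
        self.m0 = tuple(m0.get(p, 0) for p in self.places)   # marking as a tuple
        self.faults, self.wf = set(faults), set(wf)

    def label(self, t):
        return self.trans[t][2]

    def enabled(self, m, t):
        return all(m[self.idx[p]] >= w for p, w in self.trans[t][0].items())

    def fire(self, m, t):
        pre, post, _ = self.trans[t]
        m = list(m)
        for p, w in pre.items():
            m[self.idx[p]] -= w
        for p, w in post.items():
            m[self.idx[p]] += w
        return tuple(m)


def twin_plant(net):
    """Reachable states (m1, f1, m2, f2) of two copies of `net` synchronised on
    observable labels; f_i records whether copy i has fired a fault.  States in
    which copy 2 has faulted are dropped: f2 never resets, so they cannot be
    part of a witness.  Finite because the net is assumed bounded."""
    def step(m, f, t):
        return net.fire(m, t), f or t in net.faults

    edges, todo = {}, [(net.m0, False, net.m0, False)]   # state -> [(t1, t2, next)]
    while todo:
        s = todo.pop()
        if s in edges:
            continue
        m1, f1, m2, f2 = s
        succ = []
        for t in net.trans:
            if net.label(t) is EPS:                       # silent: one copy moves alone
                if net.enabled(m1, t):
                    succ.append((t, None, (*step(m1, f1, t), m2, f2)))
                if net.enabled(m2, t):
                    succ.append((None, t, (m1, f1, *step(m2, f2, t))))
            else:                                         # observable: both copies move
                for u in net.trans:
                    if (net.label(u) == net.label(t) and net.enabled(m1, t)
                            and net.enabled(m2, u)):
                        succ.append((t, u, (*step(m1, f1, t), *step(m2, f2, u))))
        edges[s] = [e for e in succ if not e[2][3]]       # copy 2 must stay fault-free
        todo.extend(e[2] for e in edges[s])
    return edges


def sccs(nodes, edges):
    """Tarjan's strongly connected components of the subgraph induced by `nodes`."""
    index, low, on, stack, out = {}, {}, set(), [], []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on.add(v)
        for _, _, w in edges[v]:
            if w not in nodes:
                continue
            if w not in index:
                visit(w)
            if w in on:
                low[v] = min(low[v], low[w])
        if low[v] == index[v]:
            comp = {stack.pop()}
            while v not in comp:
                comp.add(stack.pop())
            on.difference_update(comp)
            out.append(comp)

    for v in nodes:
        if v not in index:
            visit(v)
    return out


def wf_witness(net, use_wf=True):
    """Return a set of product states lying on a cycle where copy 1 has faulted
    and copy 2 has not (two infinite executions, same observation, one faulty):
    a witness of undiagnosability.  With use_wf, cycles on which a WF transition
    of the faulty copy is enabled in every state yet never fires are rejected,
    because that execution perpetually enables the transition and is not WF.
    Returns None when no witness exists."""
    edges = twin_plant(net)
    bad = {s for s in edges if s[1] and not s[3]}
    for comp in sccs(bad, edges):
        inner = [(t1, t2, w) for v in comp for t1, t2, w in edges[v] if w in comp]
        if not any(t1 and t2 for t1, t2, _ in inner):
            continue   # no synchronised move: both copies cannot run forever on it
        if use_wf:
            fired = {t1 for t1, _, _ in inner if t1}
            if any(t not in fired and all(net.enabled(s[0], t) for s in comp)
                   for t in net.wf):
                continue   # a WF transition stays enabled round the cycle without firing
        return comp
    return None


def is_diagnosable(net, use_wf=True):
    return wf_witness(net, use_wf) is None


# Constructed net in the shape of slides 6 and 8 (structure assumed; the original
# figure is not in the transcript): t2 is a silent fault, t3 is observable and
# enabled only after the fault, t5 is an unrelated observable loop on place q.
EXAMPLE = LPN(
    places=["p0", "p2", "p3", "q"],
    transitions={
        "t2": ({"p0": 1}, {"p2": 1}, EPS),
        "t3": ({"p2": 1}, {"p3": 1}, "b"),
        "t5": ({"q": 1}, {"q": 1}, "a"),
    },
    m0={"p0": 1, "q": 1},
    faults=["t2"],
    wf=["t3"],
)
```

`is_diagnosable(EXAMPLE, use_wf=False)` reports the net undiagnosable, with the witness component being the state reached by t2 t5^ω in copy 1 against t5^ω in copy 2; `is_diagnosable(EXAMPLE, use_wf=True)` reports it WF-diagnosable, because on that cycle t3 is enabled throughout and never fires. The check leans on the slides' assumptions: boundedness makes the product finite, and requiring a synchronised move on the cycle relies on the absence of divergence, so that every infinite execution has infinitely many observable events. "Perpetually enabled" is approximated here as "enabled in every marking of the cycle", which ignores the case of a transition being disabled and immediately re-enabled by another transition's firing.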
COMMBOX benchmark (high-level PN)
(Figure: commutator boxes and an inspector)
COMMBOX verifier (high-level PN)
(Figure)
COMMBOXTECH benchmark (high-level PN)
(Figure: commutator boxes, an inspector and a technician)
Experimental results (MARIA tool)
(Results table)
Experimental results: summary
• No benchmarks existed, so we had to create our own
• No tools to compare with
• Verification is feasible and efficient
• Also verified that WF is essential here: dropping the WF constraints results in loss of diagnosability, except for skip_reported in CommBoxTech
Conclusions
• WF helps: more systems become diagnosable!
• Corrected the notion of WF-diagnosability
• Notion of a witness for the bounded PN, which can be simplified for non-WF faults
• Method for verifying WF-diagnosability by reduction to LTL-X
• Scalable benchmarks and experimental evaluation