Parameterized verification of networks of many identical processes
Paulin Fournier Université Rennes 1
Supervised by: Nathalie Bertrand, Thierry Jéron, Arnaud Sangnier
17/12/2015
Importance of verification
Cost of errors: AT&T long distance network crash, estimated cost more than 60 million $.
Omnipresence of computer systems: …
Model checking
Does a system satisfy a specification?
[Diagram: the system is abstracted into a model and the specification into a formula; a model checker decides whether model |= formula.]
New challenges
Unknown parameters
• e.g. size of the network
• Standard verification for all instances is impossible
[Figure: examples of such systems: p2p applications, wireless sensor networks, cells]
Parameterized verification
Parameterized systems: view the unknown variable as a parameter.
Parameterized verification:
• Verification for all instances at once
• Cutoffs
• Parameter synthesis
In our setting:
• Networks with many participants
• Size of the network as a parameter
Outline
• Introduction
  • Context and motivations
  • Broadcast protocol network
• Probabilistic broadcast protocol networks
• Local strategies
• Conclusion
The model
Main characteristics:
‣ Unbounded number of participants
‣ Each node executes the same finite state protocol
‣ Communication via broadcast (finite message alphabet)
Broadcast Protocols [DSZ10]
Broadcast protocol:
• Broadcast of message: !!m
• Reception of message: ??m
• Internal action
[Figure: an example broadcast protocol with internal, !!m and ??m transitions]
[DSZ10] Giorgio Delzanno, Arnaud Sangnier, and Gianluigi Zavattaro. Parameterized verification of ad hoc networks. In CONCUR 2010
Configurations
A configuration is a vector of arbitrary size.
Remark: the size of configurations is not bounded, so this is an infinite state system.
Initial configurations: all processes in the initial state.
[Figure: example configurations exchanging the message m]
Semantics on an example
Fix a (but parametric) number of processes.
[Figure: the protocol, the current configuration and an execution]
Problems and results
Reachability
Input: a protocol and a control state
Output: Does there exist a network size such that there exists a path from an initial configuration to a configuration in which some process is in the given control state? [figure: the path, written →*]
Synchronization
Input: a protocol and a control state
Output: Does there exist a network size such that there exists a path from an initial configuration to a configuration in which all processes are in the given control state? [figure: the path, written →*]
Theorem:
• Reachability is PTime-complete [DSZ10]
• Synchronization is in NP [DSTZ12]
[DSZ10] Giorgio Delzanno, Arnaud Sangnier, and Gianluigi Zavattaro. Parameterized verification of ad hoc networks. In CONCUR 2010
[DSTZ12] Giorgio Delzanno, Arnaud Sangnier, Riccardo Traverso, and Gianluigi Zavattaro. On the complexity of parameterized reachability in reconfigurable broadcast networks. In FSTTCS’12
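As an added example (not code from the thesis or its authors), the semantics above and both views of the reachability question in Python: an explicit-state search for one fixed network size, and a state-saturation fixpoint (my implementation of the standard argument behind the polynomial-time result, not the cited paper's code) that answers "does some size work" without enumerating sizes. The protocol, its state names and the tuple/dictionary encoding are assumptions; reaching qf needs one sender and one receiver, so one process is not enough and two are.

```python
from itertools import product

# Constructed example protocol (not the thesis's figure): a transition is
# (source, action, target); action is "tau" (internal), "!!m" or "??m".
# Reaching qf needs one sender and one receiver, so at least two processes.
PROTOCOL = {"init": "q0", "transitions": [
    ("q0", "tau", "q1"), ("q1", "!!m", "q2"), ("q0", "??m", "qf")]}

def reachable_states(protocol):
    """States some process can reach for *some* network size (saturation on
    control states): a reception ??m is enabled once an already-reached state
    can broadcast m, since with unboundedly many processes both roles are
    filled by copies. Polynomial in the size of the protocol."""
    trans, seen, changed = protocol["transitions"], {protocol["init"]}, True
    while changed:
        changed = False
        sent = {a[2:] for (s, a, _) in trans if s in seen and a.startswith("!!")}
        for (s, a, t) in trans:
            if s in seen and t not in seen and (not a.startswith("??") or a[2:] in sent):
                seen.add(t)
                changed = True
    return seen

def step(conf, trans):
    """Successors of conf (tuple of states, one per process) under reconfigurable
    semantics: one process acts; a broadcast is received by any subset of processes."""
    for i, s in enumerate(conf):
        for (src, act, tgt) in trans:
            if src != s or act.startswith("??"):
                continue
            if act == "tau":
                yield tuple(sorted(conf[:i] + (tgt,) + conf[i + 1:]))
                continue
            m = act[2:]  # every other process may take a ??m transition or ignore it
            options = [[tgt] if j == i else [sj] + [t2 for (s2, a2, t2) in trans
                       if s2 == sj and a2 == "??" + m] for j, sj in enumerate(conf)]
            for choice in product(*options):
                yield tuple(sorted(choice))

def reachable_for_n(protocol, n, target):
    """Explicit-state search for one fixed network size n (the parameter)."""
    start = (protocol["init"],) * n
    seen, todo = {start}, [start]
    while todo:
        conf = todo.pop()
        if target in conf:
            return True
        for nxt in step(conf, protocol["transitions"]):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False
```

The explicit search is what "standard verification for all instances" would have to repeat for every n; the saturation answers the parameterized question in one pass.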
Outline
• Introduction
• Probabilistic broadcast protocol networks
  • Probabilistic broadcast protocol
  • Parity game network
  • Resolution of the game
  • From probabilities to games
• Local strategies
• Conclusion
Probabilities in the model
Why probabilities: to break the symmetry, and to model uncertainty.
Probabilistic protocol:
• Broadcast (!!m) and reception (??m) of messages
• Probabilistic internal transitions
Probabilistic Protocols [BFS-FoSSaCS14]
P = (Q, q0, Σ, Δ)
[Figure: an example probabilistic protocol with !!m and ??m transitions and an internal probabilistic choice with probabilities 1/3 and 2/3]
[BFS-FoSSaCS14] Nathalie Bertrand, Paulin Fournier, and Arnaud Sangnier. Playing with probabilities in reconfigurable broadcast networks. In FoSSaCS’14
Configurations
A configuration is a vector of arbitrary size.
Remarks:
• Infinite number of states
• Probabilities and non-determinism
Hence an infinite Markov decision process.
Initial configurations: all vertices in the initial state.
[Figure: example configurations]
Semantics on an example
The scheduler resolves the non-determinism and gives rise to a Markov chain.
Scheduler chooses:
• Active process
• Action
• Receiver set
• …
[Figure: the protocol (with an internal choice of probabilities 1/3 and 2/3), the current configuration and the resulting Markov chain]
Parameterized probabilistic reachability
A family of problems:
• All qualitative comparisons: =0, >0, <1 and =1
• Existential and universal quantifiers on schedulers
Reach^∃_{=1}
Input: a protocol and a control state
Output: Does there exist a network size such that there exists a scheduler σ under which the probability P_σ of reaching the control state is 1? [figure]
Solving parametric qualitative reachability
Reach^∃_{>0}: positive probability is equivalent to reachability.
Reach^∀_{=1}, Reach^∀_{>0}, Reach^∀_{=0}, Reach^∀_{<1}:
• Schedulers without communications
• Holds for all N if and only if it holds for N=1
• Reachability in a network of size 1
Challenging cases: Reach^∃_{<1}, Reach^∃_{=1}, Reach^∃_{=0}
Theorem: Reach^∃_{>0}, Reach^∀_{=1}, Reach^∀_{>0}, Reach^∀_{=0} and Reach^∀_{<1} are decidable in PTIME.
Challenging cases
Difficulties:
• Infinite MDP:
  - Classical approach impossible
  - Ad hoc algorithms (pLCS [BBS07], recursive MDP [EY05]) are not applicable
Proposal: transformation into a parity game
• Adapt the methodology (designed for finite MDP [CdAFL09]) to probabilistic networks
• Define parity game networks
• Solve parity game networks
[BBS07] Christel Baier, Nathalie Bertrand, and Philippe Schnoebelen. Verifying nondeterministic probabilistic channel systems against ω-regular linear-time properties. ACM Transactions on Computational Logic, 9(1), 2007.
[EY05] Kousha Etessami and Mihalis Yannakakis. Recursive Markov decision processes and recursive stochastic games. In ICALP’05
[CdAFL09] Krishnendu Chatterjee, Luca de Alfaro, Marco Faella, and Axel Legay. Qualitative logics and equivalences for probabilistic systems. Logical Methods in Computer Science, 5(2), 2009
Solve reachability
[Diagram: probabilistic protocols → (translation) → parity protocols → (game resolution) → answer qualitative reachability questions]
Parity Protocols
Parity protocol:
• States belonging to player 1
• States belonging to player 2
• Broadcast (!!m) and reception (??m) of messages
• Parities on transitions
[Figure: an example parity protocol; its transitions carry parities 1, 2, 3 and 4]
Semantics on an example
Player 1 chooses: the process and its action.
Player 2 chooses: the reception set and its action.
[Figure: the protocol, the current configuration and a run with the parities seen along it, i.e. the run resulting from the two players' strategies]
Winning condition:
• A run is winning for player 1 if the maximal parity seen infinitely often is even.
The parameterized game problem
• A strategy of player 1 is winning if, for all strategies of player 2, the resulting run is winning.
Parameterized game problem
Input: a parity protocol
Output: Does there exist a network size such that player 1 has a winning strategy from the initial configuration?
[Figure: an example parity protocol]
Solve reachability
[Diagram, as before: probabilistic protocols → (translation) → parity protocols → (game resolution) → answer qualitative reachability questions]
Solving parameterized games 1/2
State-based strategies for player 2:
• Choose one (and only one) action for each state of player 2
• Only finitely many state-based strategies
Lemma: There exists a winning strategy for player 1 if and only if there is a winning strategy for player 1 against all state-based strategies of player 2.
State-based strategies for player 2 are enough.
[Figure: a protocol and its 4 state-based strategies for player 2]
Solving parameterized games 2/2
Lemma: Deciding the existence of a winning strategy for player 1 against a fixed state-based strategy for player 2 is in PTime.
Sketch of proof:
• Given a state-based strategy, one obtains a broadcast protocol
• Translation to a VASS with parameterized initial configuration
• Detecting positive cycles in a VASS is in PTime [KS88]
[Figure: detecting a cycle in broadcast protocol networks]
Solving parameterized games
Theorem: Deciding the existence of a winning strategy is in co-NP.
Sketch of proof:
1. Guess a state-based strategy for player 2
2. Check that it is indeed a counter strategy
Lemma: There exists a winning strategy for player 1 if and only if there is a winning strategy for player 1 against all state-based strategies of player 2.
Lemma: Deciding the existence of a winning strategy for player 1 against a fixed state-based strategy for player 2 is in PTime.
Solve reachability
[Diagram, as before: probabilistic protocols → (translation) → parity protocols → (game resolution) → answer qualitative reachability questions]
From parities to probabilities
Reach^∃_{=1}:
• There exists a scheduler reaching the target state almost surely
• i.e. from every reachable configuration there is a path to the target state
Idea: translation to a parity protocol
• Leave probabilistic choices to player 2
• Ensure fairness with parities, allow player 2 to give up the choice
• Winning state
Winning if the maximal parity seen infinitely often is even.
[Figure: a probabilistic protocol with an internal choice of probabilities 1/3 and 2/3, and its translation into a parity protocol with parities 1 and 2]
Conclusion on probabilistic broadcast
Summary of results:
• Reach^∃_{>0}: PTime
• Reach^∀_{=1}: PTime
• Reach^∀_{>0}: PTime
• Reach^∀_{=0}: PTime
• Reach^∀_{<1}: PTime
• Reach^∃_{<1}: coNP-complete
• Reach^∃_{=1}: coNP-complete
• Reach^∃_{=0}: coNP-complete
• model: probabilistic broadcast protocol networks
• properties: parameterized qualitative reachability
• resolution: via parity game networks, yet another model
Outline
• Introduction
• Broadcast protocol network
• Probabilistic broadcast protocol networks
• Local strategies
  • Local strategies
  • Strategy patterns
  • Solving reachability
• Conclusion
Local executions: motivations
Processes do not behave the same!
• They all follow the same protocol, yet …
• Because of non-determinism, each process can take different choices.
[Figure: a protocol with transitions ??a, !!a, ??b and !!b]
‣ From the same state, processes either move to one successor or to the other
‣ No « local » execution reaches the target state
Local strategies [BFS-CONCUR15]
A local strategy is a pair of functions
  σ_a : Paths(P) → Active actions
  σ_r : Paths(P) → Receptions
Local strategies dictate to processes what to do given their (local) history.
Two processes with the same history behave the same!
[BFS-CONCUR15] Nathalie Bertrand, Paulin Fournier, and Arnaud Sangnier. Distributed local strategies in broadcast networks. In CONCUR’15
Local executions on an example
[Figure: the protocol with transitions ??a, !!a, ??b and !!b]
‣ Example of a local execution reaching the target state: [figure]
Strategy patterns
[Figure: the same protocol and a strategy pattern unfolding it, with edges ??b, ??a, !!a, ??a and !!b]
Strategy patterns
Strategy pattern:
• Unfolding of the protocol such that for every node:
  • At most one active action
  • At most one reception
• Underspecified local strategy
• Represents several local strategies
[Figure: a strategy pattern]
Admissible patterns
Admissible strategy pattern: a strategy pattern + a total order on edges that is
• compatible with the tree order
• such that each reception is preceded by a broadcast
Checking whether there exists an order such that a pattern is admissible can be done in polynomial time.
[Figure: a non-admissible pattern and an admissible one]
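The polynomial admissibility check, as an added example in Python that is not the thesis's or its authors' code: a pattern is a tree of edges, and an admissible order is built greedily, since ordering one edge never disables another, so the greedy closure either covers every edge or proves no order exists. The edge encoding, the two constructed patterns and the reading "preceded by a broadcast of the same message" are assumptions.

```python
# Constructed strategy patterns (not the thesis's figures). A pattern is a
# tree given as edges (parent, action, child); node 0 is the root. Actions
# "!!m" / "tau" are active, "??m" is a reception.
PATTERN_OK = [(0, "!!a", 1), (1, "??b", 2), (0, "??a", 3), (3, "!!b", 4)]
PATTERN_BAD = [(0, "??a", 1), (1, "!!a", 2)]   # ??a has no earlier !!a

def is_pattern(edges):
    """Shape check: at most one active action and one reception per node."""
    seen = set()
    for (parent, act, _) in edges:
        key = (parent, act.startswith("??"))
        if key in seen:
            return False
        seen.add(key)
    return True

def admissible_order(edges, root=0):
    """Greedy polynomial check. Returns a total order on the edges that is
    compatible with the tree order (an edge comes after the edge entering its
    parent) and in which every reception ??m comes after some broadcast !!m
    (assumed here: of the same message), or None if no such order exists.
    Ordering an edge never disables another, so the greedy closure is the
    largest orderable set: the pattern is admissible iff it covers all edges."""
    ordered, placed, sent, remaining = [], {root}, set(), list(edges)
    while remaining:
        for edge in remaining:
            parent, act, child = edge
            if parent in placed and (not act.startswith("??") or act[2:] in sent):
                break
        else:
            return None           # every remaining edge is blocked
        remaining.remove(edge)
        ordered.append(edge)
        placed.add(child)
        if act.startswith("!!"):
            sent.add(act[2:])
    return ordered

def is_admissible(edges):
    """Admissible strategy pattern: well-shaped and orderable."""
    return is_pattern(edges) and admissible_order(edges) is not None
```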
Reducing strategy patterns
Important nodes:
• Target state
• First broadcast for each message
Remove branches without important nodes; shorten long branches.
[Figure: reduction of a pattern, annotated with the bounds |Σ|+1 (number of important nodes) and (|Σ|+1)×Q]
Solving Reachability
Theorem: Reachability under the locality assumption is in NP.
Sketch of proof:
• A state is reachable iff there exists an admissible strategy pattern
• Minimization: strategy patterns of polynomial size are enough
• Guess an admissible strategy pattern of polynomial size
Synchronization problem:
• Similar proof
• Additional order: co-admissibility
• Minimization of bi-admissible strategy patterns
NP-hardness
• Reduction from 3-SAT: φ = ∧_j (y_j1 ∨ y_j2 ∨ y_j3) over variables {x1 … xn}
• A local strategy corresponds to a valuation v
• The target is reachable under σ_v iff v satisfies φ
[Figure: the protocol of the reduction; broadcasts !!x1 … !!xn and !!x̄1 … !!x̄n encode the variables, receptions ??y11 ??y12 ??y13 … ??ym1 ??ym2 ??ym3 encode the clauses]
Conclusion on local strategies
Reachability and synchronization under the locality assumption:
• All processes behave the same
• Representation of strategies with polynomial strategy patterns
• Reachability and synchronization are NP-complete
• Polynomial cutoffs on the number of processes
Outline
• Introduction
• Probabilistic broadcast protocol networks
• Local strategies
• Conclusion
Other contributions
Clique networks: all messages are received by every process.
Probabilities [BF-FSTTCS13]
• Undecidability: reduction from 2-counter machines
• Probabilistic creations and deletions of processes
• Restriction to complete protocols (i.e. input enabled)
• Decidability: well structured transition systems
Locality [BFS-CONCUR15]
[BF-FSTTCS13] Nathalie Bertrand and Paulin Fournier. Parameterized verification of many identical probabilistic timed processes. In FSTTCS’13.
[BFS-CONCUR15] Nathalie Bertrand, Paulin Fournier, and Arnaud Sangnier. Distributed local strategies in broadcast networks. In CONCUR’15
Contributions
Parameterized verification: verification for all network sizes.
Probabilities
• Introduction of probabilistic protocols [BFS-FoSSaCS14]
• Parameterized qualitative reachability problems are PTime and coNP-complete
Distributed game
• Introduction of game networks [BFS-FoSSaCS14]
• Parameterized game problem is coNP-complete
Locality assumption
• All processes behave the same [BFS-CONCUR15]
• Synchronization and reachability are NP-complete
[BFS-FoSSaCS14] Nathalie Bertrand, Paulin Fournier, and Arnaud Sangnier. Playing with probabilities in reconfigurable broadcast networks. In FoSSaCS’14
[BFS-CONCUR15] Nathalie Bertrand, Paulin Fournier, and Arnaud Sangnier. Distributed local strategies in broadcast networks. In CONCUR’15
Future works
Probabilities
• Quantitative properties (first step for dynamic clique networks)
• Fair schedulers
Communication topology
• Probabilistic reconfigurations
• Constrained reconfigurations
• Registers / ids
• Classification (as in [E14])
Other challenges
• More evolved properties (repeated reachability, …)
• More general parameterized parity game networks
• Distributed algorithms (bounded counters, registers, …)
[E14] Javier Esparza. Keeping a crowd safe: On the complexity of parameterized verification (invited talk). In STACS’14