
Automatic Verification of non-silent Population Protocols (Master's thesis presentation, slides)



  1. Automatic Verification of non-silent Population Protocols. Master's Thesis, Martin Helfrich, Technical University of Munich, September 2019. (Slide footer: Martin Helfrich (TUM) | Verification of non-silent PP | September 2019 | 1 / 31)

  2. Population Protocols. A model of distributed computation, used to study systems of identical and anonymous agents: identical, anonymous, passively mobile, tiny computational resources (e.g. sensor networks or chemical systems).

  3. Population Protocols: Example. Flock of Birds. Question: Goal: lasting consensus.

  4. Population Protocols: Definition (Population Protocol). A population protocol is a tuple $P = (Q, T, \Sigma, I, O)$ such that $Q$ is a finite set of states, $T \subseteq \bigcup_{2 \le i \le |Q|} Q^i \times Q^i$ is a set of transitions, $\Sigma$ is a non-empty finite input alphabet, $I : \Sigma \to Q$ is the input function and $O : Q \to \{0, 1\}$ is the output function. Definition (Configuration). A configuration of population protocol $P = (Q, T, \Sigma, I, O)$ is a multiset $C \in \mathbb{N}^Q$ where $C(q)$ describes the number of agents in state $q \in Q$. The output of configuration $C$ is $O(C) = b \in \{0, 1\}$ if for all states $C(q) > 0 \Rightarrow O(q) = b$, and $O(C) = \bot$ otherwise.

  5. Population Protocols: Computing. (1) An input $x \in \mathbb{N}^\Sigma$ is mapped by the input function $I$ to (2) the initial configuration $C_0$; the transitions $T$ then yield (3) a fair¹ execution $\sigma \stackrel{\text{def}}{=} C_0 \xrightarrow{t_1} C_1 \xrightarrow{t_2} C_2 \to \cdots$. $P$ computes the predicate $\varphi : \mathbb{N}^\Sigma \to \{0, 1\}$ if for all inputs $x \in \mathbb{N}^\Sigma$ and corresponding fair executions $C_0 \xrightarrow{t_1} C_1 \xrightarrow{t_2} C_2 \to \cdots$ we reach the correct lasting consensus: $\exists i \in \mathbb{N} : \varphi(x) = O(C_i) = O(C_{i+1}) = \cdots$. ¹ A fair execution cannot avoid configurations forever.

  6. Population Protocols: Example. Flock of Birds: $Q \stackrel{\text{def}}{=} \{0, 1, 2, 3, 4\}$; $T \stackrel{\text{def}}{=} \{\, p, q \to \min(p + q, 4), 0 \mid p, q \in Q \,\} \cup \{\, p, 4 \to 4, 4 \mid p \in Q \,\}$; $\Sigma \stackrel{\text{def}}{=} \{\text{sick}, \text{healthy}\}$; $I(x) \stackrel{\text{def}}{=} 1$ if $x = \text{sick}$ and $0$ if $x = \text{healthy}$; $O(q) \stackrel{\text{def}}{=} 1$ if $q = 4$ and $0$ otherwise. Question:
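As an added example (not code from the thesis or from the Peregrine tool), the definition of "computes" on slide 5 can be checked exhaustively for one concrete input: a fair execution of a finite population eventually stays inside a bottom strongly connected component of the reachability graph and visits all of it, so the protocol reaches the correct lasting consensus on that input iff every configuration in every bottom SCC has the expected output. The code handles 2-agent transitions only, all function and constant names are this example's own, and it reads the Flock of Birds protocol above as deciding "at least 4 birds are sick"; it also assumes the summing rule is not applied to two agents that are both already in state 4 (otherwise $4,4 \to 4,0$ would undo the consensus), and it additionally exercises the majority protocol of slide 19.

```python
from itertools import combinations

def successors(conf, transitions):  # one-step successors of the sorted state tuple conf
    out = set()
    for i, j in combinations(range(len(conf)), 2):
        for (p, q), (p2, q2) in transitions:  # try both orders of the agent pair
            if (conf[i], conf[j]) in ((p, q), (q, p)):
                rest = conf[:i] + conf[i + 1:j] + conf[j + 1:]
                out.add(tuple(sorted(rest + (p2, q2))))
    out.discard(conf)  # a step that leaves the multiset unchanged is a no-op
    return out

def output(conf, O):  # slide 4: b if every agent outputs b, otherwise None (bottom)
    outs = {O[q] for q in conf}
    return outs.pop() if len(outs) == 1 else None

def computes(initial, transitions, O, expected):
    """True iff every fair execution from initial reaches the lasting consensus expected.
    A fair run ends inside a bottom SCC and visits all of it, so each such config must output expected."""
    graph, todo = {}, [tuple(sorted(initial))]
    while todo:  # explore every reachable configuration
        c = todo.pop()
        if c not in graph:
            graph[c] = successors(c, transitions)
            todo.extend(graph[c])
    reach = {}
    for c in graph:  # reach[c]: every configuration reachable from c (c included)
        seen, todo = set(), [c]
        while todo:
            d = todo.pop()
            if d not in seen:
                seen.add(d)
                todo.extend(graph[d])
        reach[c] = seen
    bottom = [c for c in graph if all(c in reach[d] for d in reach[c])]  # bottom SCCs
    return all(output(c, O) == expected for c in bottom)

# Flock of Birds (slide 6, threshold 4): p,q -> min(p+q,4),0 and p,4 -> 4,4.
# Assumption: the summing rule is not applied to two agents that are both already in state 4.
BIRDS_T = [((p, q), (min(p + q, 4), 0)) for p in range(5) for q in range(5)
           if (p, q) != (4, 4)] + [((p, 4), (4, 4)) for p in range(5)]
BIRDS_O = {q: int(q == 4) for q in range(5)}
def birds(sick, healthy):  # does the protocol decide "at least 4 sick birds" on this input?
    return computes([1] * sick + [0] * healthy, BIRDS_T, BIRDS_O, int(sick >= 4))

# Majority protocol (slide 19): AB -> ab, Ab -> Aa, Ba -> Bb, ab -> bb; predicate A <= B.
MAJ_T = [(("A", "B"), ("a", "b")), (("A", "b"), ("A", "a")),
         (("B", "a"), ("B", "b")), (("a", "b"), ("b", "b"))]
MAJ_O = {"A": 0, "a": 0, "B": 1, "b": 1}  # deserted {A, a} => consensus true (slide 19)
def majority(n_a, n_b):
    return computes(["A"] * n_a + ["B"] * n_b, MAJ_T, MAJ_O, int(n_a <= n_b))
```

Dropping the spreading rule $p,4 \to 4,4$ makes `computes` return False for five sick birds, because the population then stalls in a configuration with output $\bot$; this exhaustive check only scales to a handful of agents, which is exactly why the thesis needs stage graphs.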

  7. Population Protocols: Correctness Problem. Question: is a given protocol correct? → TOWER-hard [1] [2]. Goal: automatic verification → need lower complexity! → Blondin et al. [3]: (incomplete) approach for silent protocols → Peregrine. Definition (Silent Population Protocol). A population protocol is silent if for every fair execution $C_0 \to C_1 \to \cdots$ there is an $i \in \mathbb{N}$ such that $C_i = C_{i+1} = C_{i+2} = \cdots$.

  8. This Work: Automatic Verification of non-silent Population Protocols. Termination behaviour, silent vs non-silent protocols: silent protocols reach a terminal configuration (all transitions disabled), which is easy to describe and test; non-silent protocols reach a lasting consensus, BUT how to describe "lasting"? → harder! Idea: group configurations into (infinite) sets → describe all fair executions at once!

  9. Stage Graphs. Stage Graph: a directed acyclic graph (DAG) of stages such that: (1) stages are inductive sets of configurations, i.e. executions "can't leave" them; (2) initial configurations are part of some stage; (3) non-terminal stage: executions will enter a substage; (4) terminal stage: correct consensus. (Figure: an example DAG of stages labelled B to H with the initial configurations, and the same stages drawn as a Venn diagram.)

  10. Stage Graphs. Stage graphs are certificates for properties of the form $\varphi_{\text{pre}} \Rightarrow \mathbf{FG}\,\varphi_{\text{post}}$: "If you start in a configuration that satisfies $\varphi_{\text{pre}}$, then you will eventually satisfy $\varphi_{\text{post}}$ forever." Theorem. Let $\Lambda$ be a predicate. For $b \in \{0, 1\}$ let $\varphi_{\text{init}, b}(C) \stackrel{\text{def}}{=} \exists X \in \mathbb{N}^\Sigma : (\Lambda(X) = b) \wedge (I(X) = C)$ and $\varphi_{\text{out}, b}(C) \stackrel{\text{def}}{=} (O(C) = b)$. A population protocol $P$ has a $(\varphi_{\text{init}, 0}, \varphi_{\text{out}, 0})$-stage graph and a $(\varphi_{\text{init}, 1}, \varphi_{\text{out}, 1})$-stage graph if and only if it computes the predicate $\Lambda$. ⇒ sound and complete.

  11. Stage Graphs: Proof. "⇒": (1) executions can't leave stages; (2) all executions start in some stage; (3) non-terminal & fairness ⇒ "enter" a substage; (4) terminal ⇒ correct consensus. "⇐": as the protocol computes $\Lambda$, there are the needed stage graphs, each with 2 stages: the initial stage is the set of all reachable configurations, the terminal stage is the set of all configurations with the correct lasting consensus.

  12. Computing Stage Graphs. Idea: protocols are designed to work in stages → these correspond to a non-reversible change in the configuration: the "death" of a transition (example: $t$ and $u$ are dead, i.e. "$t$ and $u$ can't be enabled anymore"), or a state becoming "deserted" (example: $q$ is deserted, i.e. "$q$ can't be populated anymore") → automatically find such stages.

  13. Computing Stage Graphs: Stage Representation. Stage $S = (T_{\text{dead}}, Q_{\text{deserted}})$ where $T_{\text{dead}} \subseteq T$ is the set of dead transitions and $Q_{\text{deserted}} \subseteq Q$ is the set of deserted states. Configuration $C$ is in stage $S$ if (1) there is a configuration $C_0 \models \varphi_{\text{pre}}$ such that $C_0 \xrightarrow{*} C$, and (2) $T_{\text{dead}}$ are dead, and (3) $Q_{\text{deserted}}$ are deserted.

  14. Computing Stage Graphs: Algorithm.
      input: protocol P = (Q, T, Σ, I, O), Presburger predicate φ_pre, Presburger predicate φ_post
      S_0 := (∅, ∅)
      Unprocessed := {S_0}
      while |Unprocessed| > 0
          S := Unprocessed.pop()
          if Substages(P, φ_pre, φ_post, S) fails then abort
          else Unprocessed := Unprocessed ∪ Substages(P, φ_pre, φ_post, S)

  15. Computing Stage Graphs: Algorithm: Find new substages. Parametric in 3 auxiliary functions: Terminal (try to prove that S is terminal), EventuallyDead (find "eventually dead" transitions) and Split (split S into substages with more deserted states).
      input: protocol P = (Q, T, Σ, I, O), Presburger predicate φ_pre, Presburger predicate φ_post, stage S = (T_dead, Q_deserted)
      if Terminal(P, φ_pre, S, φ_post)
          return ∅
      T'_dead := EventuallyDead(P, φ_pre, S)
      if T'_dead ⊃ T_dead
          return {(T'_dead, Q_deserted)}
      if Split(P, φ_pre, S) fails then abort
      else return Split(P, φ_pre, S)

  16. Computing Stage Graphs: Terminal. Need to decide: $C \in S$. Problem: "reachable", "dead" and "deserted" are non-trivial. Idea: overapproximate! (1) "reachable": use potential reachability [3] (flow equation & siphons & traps); (2) "dead": use "disabled"²; (3) "deserted": use "empty". Implementation: use Z3 to check $\forall C : C \models \neg \text{PotInStage}(P, \varphi_{\text{pre}}, S) \vee \varphi_{\text{post}}$. ² We also use tighter approximations using the backwards coverability algorithm.

  17. Computing Stage Graphs: EventuallyDead. Goal: find transitions that will eventually become dead from every configuration $C \in S$. Implementations: ranking function → implies eventual death of some transition; layered termination [3]: find a "layer" $L \subseteq T$ and a ranking function such that $L$ will eventually be disabled, and $\text{Disabled}(L) \Rightarrow \text{Dead}(L)$; combined: use ranking functions and layered termination.

  18. Computing Stage Graphs: Split. Goal: split a stage into substages with more deserted states (i.e. "case distinction"). Idea: empty siphon ⇒ deserted → find a set of siphons $\mathcal{R}$ such that $\forall C : C \models \neg \text{PotInStage}(P, \varphi_{\text{pre}}, S) \vee \bigvee_{R_i \in \mathcal{R}} \text{empty}(R_i)$. Implementation: guess siphons using Z3.

  19. Computing Stage Graphs: Example. Majority protocol computing "$A \le B$", with transitions $t_{AB} : AB \to ab$, $t_{Ab} : Ab \to Aa$, $t_{Ba} : Ba \to Bb$, $t_{ab} : ab \to bb$. Stage graph (read off the figure as far as the layout allows; its edges carry the expected time bounds $O(n^2 \log n)$, $O(n \log n)$ and $O(1)$):
      S_init: Dead ∅, Deserted ∅
      S_1: Dead {t_AB}, Deserted ∅
      S_2: Dead {t_AB, t_Ab}, Deserted {A}
      S_5: Dead {t_AB, t_Ba}, Deserted {B}
      S_3: Dead T, Deserted {A}
      S_6: Dead {t_AB, t_Ba, t_Ab}, Deserted {B}
      S_7: Dead T, Deserted {A, a} ⇒ consensus true
      S_9: Dead T, Deserted {B}
      S_4: Dead T, Deserted {B, A, a} ⇒ consensus true
      S_8: Dead T, Deserted {B, b} ⇒ consensus false
