
SimGrid MC Verification Support for a Multi-API Simulation Platform



  1. SimGrid MC Verification Support for a Multi-API Simulation Platform
     Stephan Merz (1), Martin Quinson (2), Cristian Rosa (2)
     (1) INRIA Research Center Nancy, France
     (2) Université Henri Poincaré Nancy 1, Nancy, France
     FORTE 08/06/2011
     Merz, Quinson, Rosa (INRIA, UHP Nancy 1) SimGrid MC FORTE 08/06/2011 1 / 18

  2. Motivation
     Distributed systems pose a development challenge:
     - lack of a shared clock
     - lack of a global view of the state
     - non-determinism
     - unadapted programming languages
     Verify distributed message-passing systems
     We want to study actual implementations

  5. Studying Distributed Systems
     Comparison of methodologies to study distributed systems:
     [Table: columns Execution, Simulation, Proofs, Model checking; rows Performance Assessment, Experimental Bias, Experimental Control, Correctness Verification, Ease of use. The per-cell ratings did not survive extraction.]
     Simulation and Model Checking complement each other:
     - Simulation to assess the performance
     - Model Checking to verify correctness
     - Both run automatically
     - No expert users
     Simulators and model checkers often use different models

  6. Model Checking Vs. Simulation
     [Figure: distributed system state space]
     - Model Checking explores all (relevant) behavior of the model
     - Simulation explores one trace subject to the platform's restrictions

  9. Contributions
     The contributions of this article are:
     - SimGrid MC: an extension of the SimGrid simulation framework for model checking distributed applications.
     - SimGrid MC verifies actual implementations
     - We present the integration work:
       - Changes to the simulator main loop
       - Simulation and model checking share many abstractions
     - We explain how we implemented DPOR to support different communication APIs

  10. SimGrid
     The SimGrid Framework is a collection of tools for the simulation of distributed computer systems.
     It uses a discrete-event simulation model (simulated time advances triggered by actions)
     Experimental workflow:
     [Figure: experimental workflow]

  12. The SimGrid Framework 2
     [Figure: main loop of SimGrid. Labels: Simulation Round n, Simulation Round n+1; SURF (resource models), SIMIX (virtualization), User code; M, T1, T2; actions a, b, c, d; simulated time t_{n-1}, t_n, t_{n+1}.]
     a, b, c, d are communication actions
     - they are intercepted to introduce the delays of the platform
     - they are the only way to affect the shared state
     The simulator already provides some needed abstractions:
     - Controlled execution environment (processes, scheduling, etc).
     - Transition detection (communication interception).

  13. Outline
     1 Introduction: Motivation, Model Checking, The SimGrid Framework, Shared Abstractions
     2 SimGrid MC: Architecture, DPOR, The Formal Model
     3 Evaluation: SMPI, CHORD
     4 Conclusion and Future Work

  14. SimGrid MC's Architecture 1
     Main characteristics of SimGrid MC:
     - Explicit-state exploration (with a depth bound)
     - It actually executes the code
     - No visited state storing nor hashing (stateless MC)
     - Replay based roll-backs
     - Properties expressed as assertions (safety only...for now)
     - Dynamic Partial-order Reductions to cope with state space explosion

  15. SimGrid MC's Architecture 2
     [Figure: architecture]

  16. Exploration Loop
     [Figure: exploration loop. Labels: MC Stack (S0, S1, S2); MC (exploration algorithm), User code; M, T1, T2; Snapshot; MC Initialisation, Exploration Loop; actions a, b, c, d.]

  20. Dynamic Partial-order Reductions 1
     [Figure: processes A, B and C with states a0 to a2, b0 to b2 and c0 to c2; transitions s_a, l_a, s_b, l_b and two r.]
     Depth-first search state exploration algorithm:
     [Figure: state sequences of the explored interleavings; one serialization reads s_a r l_a l_b s_b r.]
     It's another serialization of the same partial-order!

  22. Dynamic Partial-order Reductions 2
     What are the transitions that we should interleave?
     or equivalently ...
     How do we generate a serialization of a different partial-order?
     Interleaving dependent transitions!
     $D(t_i, t_j) = \neg I(t_i, t_j)$
     [Figure: the two orders t_i t_j and t_j t_i]

  24. Computing D Efficiently
     How do we get the predicate D?
     - Using the semantics of the transitions
     - Proof of "independence theorems" for each pair of transitions
     - The I predicate is the disjunction of these cases
       $I(t_i, t_j) = (t_i = A \land t_j = B) \lor \dots$
     - It can be over-approximated by a D′ such that $D(A, B) \Rightarrow D'(A, B)$
     - If we don't know if $I(t_i, t_j)$ we assume $D'(t_i, t_j)$ (for soundness).
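
An added example, not taken from the slides or from SimGrid MC: it enumerates every execution of a small constructed program, loosely modelled on the three-process figure of the "Dynamic Partial-order Reductions 1" slide, and counts how many distinct partial orders remain under a dependence predicate D and under a coarser D′. The transition kinds, the single shared mailbox and the list of "proven independent" pairs are assumptions for illustration, not SimGrid's actual independence theorems.

```python
from itertools import combinations

# Constructed program, loosely modelled on the slides' three-process figure:
# A sends then computes, B computes then sends, C receives twice.
PROGRAM = {"A": ["send", "local"], "B": ["local", "send"], "C": ["recv", "recv"]}
EFFECT = {"send": 1, "recv": -1, "local": 0}  # change in pending messages

def traces(program):
    """Every complete execution, as a tuple of (process, index, kind) events."""
    found = []
    def explore(pc, pending, prefix):
        if all(pc[p] == len(ops) for p, ops in program.items()):
            found.append(tuple(prefix))
            return
        for p, ops in program.items():
            if pc[p] == len(ops):
                continue
            kind = ops[pc[p]]
            if kind == "recv" and pending == 0:
                continue  # a receive is enabled only if a message is pending
            explore({**pc, p: pc[p] + 1}, pending + EFFECT[kind],
                    prefix + [(p, pc[p], kind)])
    explore({p: 0 for p in program}, 0, [])
    return found

def dependence(proven_independent):
    """Build D from the pairs of kinds for which independence is proven.
    Anything not proven independent is treated as dependent (sound default)."""
    proven = {frozenset(pair) for pair in proven_independent}
    def dep(t, u):
        return t[0] == u[0] or frozenset((t[2], u[2])) not in proven
    return dep

def partial_order(trace, dep):
    """Canonical form of a trace: the order of every dependent pair of events.
    Two traces over the same events are serializations of the same partial
    order exactly when these sets are equal."""
    return frozenset((t, u) for t, u in combinations(trace, 2) if dep(t, u))

def count_classes(all_traces, dep):
    return len({partial_order(t, dep) for t in all_traces})

# Hypothetical independence results (assumptions, not SimGrid's theorems).
D = dependence([("local", "send"), ("local", "recv"), ("local", "local")])
# D': the local/send proof is missing, so those pairs count as dependent.
D_PRIME = dependence([("local", "recv"), ("local", "local")])

if __name__ == "__main__":
    runs = traces(PROGRAM)
    print(len(runs), count_classes(runs, D), count_classes(runs, D_PRIME))
```

A reduction only needs one serialization per class, so the coarser D′ costs extra exploration but never merges executions that D keeps apart.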
