  • 8/13/2019 DComp1

    1/243

ON THE AUTOMATIC VERIFICATION OF DISTRIBUTED PROBABILISTIC AUTOMATA WITH PARTIAL INFORMATION

by Sergio Giro

Presented to the Facultad de Astronomía, Matemática y Física in partial fulfilment of the requirements for the degree of

Doctor in Computer Science of the

UNIVERSIDAD NACIONAL DE CÓRDOBA

March 2010

FaMAF - UNC, 2010

Supervisor: Dr. Pedro R. D'Argenio


Sergio Giro: On the automatic verification of Distributed Probabilistic Automata with Partial Information, Computer Science, PhD, March 2010


To my family, according to the (certainly not narrow) sense of family:

Ohana means family. Family means nobody gets left behind, or forgotten.

Lilo & Stitch


RESUMEN

In this thesis we develop algorithms and analysis techniques based on model checking to analyse the correctness of distributed systems with random and nondeterministic features.

An important contribution is the proof that there exists no algorithm that solves the verification problem in a fully automatic way, that is: there is no algorithm such that, given any distributed system and property, the algorithm decides whether the system complies with the property.

Despite this result, we present algorithms that, although they cannot determine correctness for every system and property, are useful to detect that certain systems are correct or incorrect.

One of the most frequent obstacles when verifying MDPs is the state explosion problem. This problem, well known and widely attacked in model checking, is aggravated in the setting of quantitative model checking (i.e., model checking of probabilistically quantified properties). Quantitative model checking algorithms, besides storing the states in memory, must solve a linear optimisation problem in which each variable is associated with a state and each inequality with a probabilistic transition. Previous works attack this problem by adapting the partial order reduction techniques of qualitative model checking to the quantitative case.

In this thesis we present a new adaptation of the partial order reduction technique. Our adaptation exploits the fact that the components of a concurrent system have limited access to information about the global state of the system. Using our technique, more effective reductions are obtained than with the existing ones for the quantitative case.

We conclude the thesis with case studies that show the improvements of our algorithms and of our partial order technique with respect to their counterparts for MDPs.

ABSTRACT

We study concurrent systems involving probabilities and non-determinism. Specifically, we focus on the automatic verification of distributed systems, in which each component can access only a limited portion of the information in the system.

Although model checking algorithms for Markov decision processes (MDPs) can be applied to distributed systems, such algorithms assume that all components in the system have access to all the information. As a consequence, some correct distributed systems are deemed incorrect when we analyse them using algorithms for MDPs.

In this thesis, we present model checking algorithms for distributed systems involving probabilities and nondeterminism. A relevant contribution is the result that there exists no algorithm to solve the model checking problem in a completely automated fashion. That is,


there exists no algorithm such that, for all distributed systems and properties, the algorithm decides whether the property holds or not.

Despite this result, we present two algorithms: one of them is able to detect that some systems are correct, while the other detects incorrect ones.

In addition, we present a new adaptation of the partial order reduction (POR) technique. Our adaptation profits from the fact that a component in a concurrent system has limited access to the information stored by other components. Our technique provides more effective reductions than those obtained using existing techniques for MDPs.

We conclude the thesis by presenting case studies in which our algorithms yield better results when compared to their counterparts for MDPs.


PUBLICATIONS

    Several of the results in this thesis appeared in the following publications:

Sergio Giro and Pedro R. D'Argenio. Quantitative model checking revisited: neither decidable nor approximable. In J.-F. Raskin and P. S. Thiagarajan, editors, FORMATS, volume 4763 of Lecture Notes in Computer Science, pages 179-194. Springer, 2007.

Sergio Giro. Undecidability results for distributed probabilistic systems. In Marcel Vinicius Medeiros Oliveira and Jim Woodcock, editors, SBMF, volume 5902 of Lecture Notes in Computer Science, pages 220-235. Springer, 2009.

Sergio Giro and Pedro R. D'Argenio. On the expressive power of schedulers in distributed probabilistic systems. Electr. Notes Theor. Comput. Sci., 253(3):45-71, 2009.

Sergio Giro and Pedro R. D'Argenio. On the verification of probabilistic I/O automata with unspecified rates. In Sung Y. Shin and Sascha Ossowski, editors, SAC, pages 582-586. ACM, 2009.

Sergio Giro, Pedro R. D'Argenio, and Luis María Ferrer Fioriti. Partial order reduction for probabilistic systems: a revision for distributed schedulers. In Mario Bravetti and Gianluigi Zavattaro, editors, CONCUR, volume 5710 of Lecture Notes in Computer Science, pages 338-353. Springer, 2009.


CONTENTS

0 Introduction
  0.1 Motivations
    0.1.1 The relevance of probabilities
    0.1.2 Probabilities and nondeterminism
    0.1.3 The role of information
  0.2 A Survey of Related Work
  0.3 Outline

I Probabilistic Systems and Schedulers

1 A Framework for Distributed Systems
  1.1 Simple Interleaved Probabilistic I/O Automata
    1.1.1 Input/Output Transitions
    1.1.2 Modelling symmetric choices
    1.1.3 Simple Interleaved Probabilistic I/O Automata
    1.1.4 Distributed schedulers
  1.2 Extended Interleaved Probabilistic I/O Automata
    1.2.1 Extended transitions
    1.2.2 Global enabledness conditions
    1.2.3 Extended systems
  1.3 Generalized projections and schedulers
    1.3.1 Projections
    1.3.2 Schedulers
  1.4 Comparison with existing approaches

2 Restrictions on the Interleaving Scheduler
  2.1 Strongly distributed schedulers
  2.2 Rate schedulers
  2.3 Total order-based schedulers
  2.4 Comparison with existing approaches

3 Limit Schedulers
  3.1 Limit schedulers
  3.2 Finitely falsifiable sets and closure under limits
  3.3 Distributed schedulers are closed under limits
  3.4 Discussion and further work

4 On the Expressive Power of Different Classes of Schedulers
  4.1 Non-randomized distributed schedulers
  4.2 Non-randomized strongly distributed schedulers
    4.2.1 Randomization adds power to strongly distributed schedulers
    4.2.2 Expressive non-randomized strongly distributed schedulers
    4.2.3 Full-communication version of a projection
    4.2.4 Proof of Theorem 4.3
  4.3 Inexistence of a scheduler yielding the supremum probability
  4.4 Finite-memory (and Markovian) schedulers
  4.5 Discussion

5 Undecidability
  5.1 Quantitative case
  5.2 Finite memory schedulers
  5.3 Qualitative case
    5.3.1 Distributed schedulers
    5.3.2 Strongly distributed schedulers
  5.4 Comparison with existing results

II Techniques and Algorithms

6 Algorithms
  6.1 From IPIOA to MDPs
  6.2 An overestimation for total order-based schedulers
  6.3 Underestimation of probabilities under distributed schedulers
  6.4 Further work

7 Partial Order Reduction
  7.1 Partial Order Reduction and Restricted Schedulers
  7.2 An improvement for restricted schedulers
  7.3 Correctness of our techniques
    7.3.1 Overview of the proof
    7.3.2 Proof of the correctness theorems
  7.4 Using our technique with existing model checking algorithms
  7.5 Related work

III Applications and Conclusions

8 Anonymous Fair Service
  8.1 The specification of the protocol
  8.2 Analysis
  8.3 Further work

9 Partial Order Reduction in Practice
  9.1 Partial Order Reduction for PRISM modules
  9.2 Analysing the dining cryptographers
  9.3 Analysing the binary exponential backoff protocol
  9.4 Discussion and further work

10 Concluding Remarks
  10.1 Contributions
  10.2 Future research directions
  10.3 A conclusions conclusion

IV Appendix

A Proofs of Chapter 4 (Theorem 4.7, Lemma 4.10)
B Proofs of Chapter 6
C Proofs of Chapter 7 (Lemmas 7.1-7.7)
D Proofs of Chapter 9
  D.1 Theorem 9.1

Glossary (including symbols and notations)

Bibliography

LIST OF FIGURES

Figure 0.1  T tosses a coin and G has to guess
Figure 0.2  Compound model for T and G
Figure 0.3  A fictitious behaviour in the compound model
Figure 1.1  Unrealistic choices in synchronizations
Figure 1.2  Fixing unrealistic choices in synchronizations
Figure 1.3  Generative transitions with several action labels
Figure 1.4  A reactive transition that probabilistically chooses between two states
Figure 1.5  Generative and reactive structures
Figure 1.6  Modelling symmetric choices using input/output labels
Figure 1.7  T tosses a coin and G has to guess
Figure 1.8  T tosses a coin, G guesses heads or tails
Figure 1.9  System P = T ∥ G
Figure 1.10 Scheduler DISTP
Figure 2.1  Motivating strongly distributed schedulers
Figure 2.2  An unrealistic distributed scheduler
Figure 2.3  Regarding A and B as a single component
Figure 2.4  Inclusion relations among schedulers with restricted interleaving
Figure 3.1  A simple example to illustrate limits
Figure 4.1  Example showing that randomization adds power to strongly distributed schedulers
Figure 4.2  Projection [[·]] is not traceable
Figure 4.3  The projection [[·]] is equivalent for the sets B = {B1, B2, B3} and C = {C1, C2}
Figure 4.4  G has to guess that the coin has landed tails at least once
Figure 4.5  Atom A must lead B to the smiling state
Figure 5.1  From PFA to IPIOA
Figure 7.1  T tosses a coin, G guesses heads or tails
Figure 7.2  A total information scheduler
Figure 7.3  System P = T ∥ G
Figure 7.4  A POR-based reduction
Figure 7.5  POR and distributed schedulers
Figure 7.6  A distributed scheduler
Figure 7.7  The corresponding scheduler in the reduced system
Figure 7.8  Mapping paths into paths starting with …
Figure 7.9  Example showing the need for (A4)
Figure 7.10 Another example showing the need for (A4)
Figure 8.1  PRISM code for a client
Figure 8.2  PRISM code for server 1
Figure 8.3  PRISM code for server 2
Figure 8.4  Analysis of servers 1 and 2
Figure 9.1  PRISM code for a client

LIST OF TABLES

Table 1  Expressive subsets of schedulers
Table 2  Summary of experimental results
Table 3  Experimental results for the binary exponential backoff protocol


BASIC NOTATION

Here we introduce the mathematical notation used throughout the thesis. In particular, the notation here concerns usual mathematical concepts such as sequences, equivalence relations, etc.

This thesis also contains a glossary on page 211. The glossary is intended as a reminder for the symbols and notations specific to the thesis.

πj denotes the j-th projection: πj(a1, …, aj, …, an) = aj.

The cardinality of a set S is denoted by |S|. The complement of S is denoted by S̄.

{ai}i=M..N (with possibly N = ∞) denotes the sequence aM, …, aN. If the index and the bounds are obvious we may omit them. In some other cases the index is useful to avoid confusion: for instance, {aij}i=1..n denotes the sequence a1j, …, anj.

{ai}i∈S denotes a sequence/set indexed by the elements of S. For instance, if S = {M, …, N}, then {ai}i∈S = {ai}i=M..N. If ai ∈ A for all i, then {ai}i∈S can be seen as an element of the set {f | f : S → A} comprising all functions from S to A.

s R s′ means that the pair (s, s′) is in the relation R; we write ¬(s R s′) when the pair (s, s′) is not in R.

S/R denotes the set whose elements are the equivalence classes of R; here R is assumed to be an equivalence relation on S.

A σ-algebra F on S is a set F ⊆ P(S) such that (1) S ∈ F, (2) A ∈ F implies S \ A ∈ F, and (3) {An}n=1..∞ ⊆ F implies ∪n=1..∞ An ∈ F.

Given a set S and a σ-algebra F on S, a probability distribution on S is a function p : F → R≥0 such that p(S) = 1 and, whenever the sets An ∈ F are pairwise disjoint, p(∪n=1..∞ An) = Σn=1..∞ p(An).

A probability distribution on S is said to be discrete if F = P(S) and p(A) = Σx∈A p({x}). We denote by PROB(S) the set of all discrete probability distributions over the set S. We adopt the following notation: given p ∈ PROB({x1, …, xn}), we may write p as p({x1}) : x1 + … + p({xn}) : xn. Moreover, we may omit the terms in which p({xi}) = 0. For instance, if p ∈ PROB({x1, x2, x3, x4}) and p({x1}) = 1/2, p({x2}) = 1/4, p({x3}) = 1/4 and p({x4}) = 0, we write p as 1/2 : x1 + 1/4 : x2 + 1/4 : x3.
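As a small illustration (the helper `format_dist` is ours, not notation from the thesis), the "+" notation for discrete distributions can be mimicked in a few lines of Python:

```python
from fractions import Fraction

def format_dist(p):
    """Render a discrete distribution in the 'p({x1}) : x1 + ...' style
    used above, omitting the terms of probability 0."""
    assert sum(p.values()) == 1  # p must be a probability distribution
    return " + ".join(f"{q} : {x}" for x, q in p.items() if q != 0)

p = {"x1": Fraction(1, 2), "x2": Fraction(1, 4),
     "x3": Fraction(1, 4), "x4": Fraction(0)}
print(format_dist(p))  # 1/2 : x1 + 1/4 : x2 + 1/4 : x3
```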


0 INTRODUCTION

Model checking [56, 14] is a well-established technique to verify the correct behaviour of systems. Given a specification of the system (that is, a set of properties that the system must comply with) and a model of the behaviour of that system, model checking algorithms can be used to automatically check whether the system complies with its specification or not.

Model checking is a very valuable tool to save time in the development process, since models of the system can be constructed and checked at early stages of development. As a consequence, errors can be corrected before they affect a larger part of the system.

The first works on model checking started in the early 80s [53, 127]. More than twenty years later, we have several available tools implementing model checking techniques, such as SPIN [99], BLAST [24], NuSMV [51] and Java Pathfinder [92]. In practice, model checking tools are useful in diverse fields such as hardware design [26], web services [6], biological systems [36] and security protocols [55], just to name a few. It was thanks to a model checking tool (namely, SMV) that formal methods could spot an error in an IEEE standard for the first time [54].

As a consequence of the success of model checking, by the mid-90s this technique was adapted to deal with systems involving probabilities, thus giving birth to probabilistic model checking [25, 18, 21]. There are several tools for model checking of probabilistic systems: notable examples include PRISM [97], LiQuor [50] and MRMC [105]. The use of probabilistic model checking also spans several fields such as robotics [148], power management [112] and communication protocols [72].

In this thesis, we focus on model checking of distributed probabilistic systems, in which there are several entities that behave in an independent way. The framework we propose allows us to model multiple types of entities including (but not limited to) nodes in a network, computational processes and user interactions. In general, by entity we mean anything that can be described as a transition system (possibly including probabilities).

Existing tools for probabilistic model checking assume that all information is available to all entities. In other words, the system is verified under a total-information assumption. In case the entities of the system under consideration do not share all information, an accurate verification must take into account that each entity has access to a limited portion of the information in the system [45, 46, 42, 41]. In other words, the system must be verified under partial information. Although algorithms for total information can be applied to the partial information setting, the total-information assumption becomes fictitious. As we shall see, such fictitious availability of information results in fictitious behaviours in which the system does not necessarily comply with its specification. As a consequence, it is possible that a program is deemed incorrect by a total-information algorithm, while all the behaviours that violate the specification according to the algorithm (that is, the counterexamples) …


0.1 Motivations

Computer systems tend to be as small as possible: some years ago, it was difficult to imagine a computing device that fits in the pocket and provides all of the functionality that current mobile phones do. This quest for compactness interacts with the problem of cost: making a portable device is easier if cost is not a problem, but developments in which costs are not a problem are hard to imagine. Another challenge related to embedded devices is power consumption: tiny devices can carry little power with them. Interoperability is another important aspect: nowadays, devices must be able to communicate and exchange information in a reliable way. The interoperability of mobile and embedded devices, in turn, introduces new difficulties: a mobile device is always able to leave the network without sending any notification. Clearly, a protocol that has a high performance penalty in this scenario is not suitable for mobile devices.

Many of the solutions to the problems described above are related to probabilistic behaviour. For instance, if the size of a device is affected by the size of one of its components, we can consider a smaller, probabilistically reliable replacement for this component, such a replacement being ensured to work correctly at least 95% of the time. The same applies with respect to the cost and the power consumption of components. Of course, the behaviour of the device under consideration should be acceptable even if some components do not work correctly every time they are required to.

Probabilities are also a useful tool when designing communication protocols: some fault-tolerant protocols can only be implemented if randomization is introduced. In such implementations, the participants of the protocol toss coins in order to decide how to continue. In the case of a well-known consensus protocol [49], the validity of the protocol can only be ensured if the possibility of failure does not depend on the outcome of the coin toss [47]. This is a case in which the availability of information makes a significant difference: we must assume that the outcome is hidden from the environment that causes the failure.

Also in cryptography, anonymity protocols may benefit from the ability to toss fair coins. In the dining cryptographers protocol [44], anonymity holds only if we assume that the outcome of the coin remains hidden from every potential adversary.

These are just some examples in which the use of probabilities makes a significant difference. However, as we shall see, probabilities are not sufficient, and we also need the notion of nondeterminism in order to accurately model distributed systems.

    0.1.2 Probabilities and nondeterminism

Even if some of the changes the system exhibits are driven by probabilistic events, some other changes cannot be correctly described using probabilities. This is illustrated in the following example.

Consider that we are analyzing a system A that receives numbers n ranging from 1 to 10 from an external source S. The goal of A is to communicate one given message to another system B. System A is acceptable only if the probability that B receives the message is at least 0.9. The system A uses the (potentially infinite) sequence provided by S in order to calculate the precise moment to send the message. It is not known how S chooses the numbers in the sequence, and


so the goal must be achieved with an acceptable probability (that is, with probability greater than or equal to 0.9) for all possible sequences. Once A decides to send the message, it is sent through a channel that fails to deliver the message with probability 0.05. For simplicity, we assume that A simply stops after sending the message, without checking whether it got lost.

Since the system under consideration involves probabilities, one might be tempted to model the input of a number as a probabilistic choice, in which each of the values is chosen with probability 0.1. However, this model is not a suitable representation of the system. Suppose that A sends the message when it has received the value 2 after the value 1. If the input is modelled as a probabilistic choice, a verification on this model will indicate that the system achieves its objective with an acceptable probability of 0.95: given that the choice is probabilistic, the subsequence 1 2 eventually appears in the sequence with probability 1; then the system A sends the message, which is lost with probability 0.05. However, in the real system the probability that the message arrives at B might be far less than 0.95: the external source S might send the sequence 9 8 7 6 5 4 3 2 1 9 8 7 6 …, or the sequence 1 9 2 8 3 7 4 6 5 5 1 9 2 8 …, or only zeroes, or only ones. Moreover, it might be the case that S chooses the number at random but, if the previous output was 1 and the chosen value is 2, then S does not output 2 and selects another number instead. Each of these behaviours of S causes A to delay the communication of the message forever, and so the probability that the goal is achieved under these behaviours is 0. Nonetheless, these behaviours are not considered if the input is modelled as a probabilistic choice, and this is why a fully probabilistic model is not suitable.
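The difference between the two models can be observed by simulation. The following Python sketch (the names, the horizon bound and the particular adversarial source are ours, chosen for illustration) contrasts the uniform probabilistic source with one nondeterministic behaviour of S:

```python
import random

def a_sends(stream, horizon=100_000):
    """A sends the message as soon as it sees the value 2 right after 1;
    we only watch the first `horizon` inputs."""
    prev = None
    for _, n in zip(range(horizon), stream):
        if prev == 1 and n == 2:
            return True
        prev = n
    return False

def uniform_source():          # the (inadequate) fully probabilistic model
    while True:
        yield random.randint(1, 10)

def adversarial_source():      # one nondeterministic behaviour of S
    while True:
        yield 9                # S may simply never produce 1 followed by 2

random.seed(0)
print(a_sends(uniform_source()))      # True: '1 2' appears with probability ~1
print(a_sends(adversarial_source()))  # False: A waits forever, goal probability 0
```

Under the uniform model the subsequence 1 2 appears essentially surely within the horizon, while the adversarial source makes the goal unreachable, which is exactly the behaviour a fully probabilistic model misses.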

We refer to choices that cannot be described using probabilities as nondeterministic choices. For these choices, we must consider that any of the options can be taken every time the choice arises. Nondeterministic choices are thus analogous to the branches found in the verification of non-probabilistic systems and, in fact, the verification of a system having only nondeterministic choices reduces to the verification of a conventional transition system.

Formalisms with both probabilistic and nondeterministic choices consider probabilistic transitions. Each transition defines a probability distribution on the set of states. Such a distribution models the probability with which each state is reached after the current one in case this transition is executed. In order to model nondeterminism, several of these transitions may be enabled in each state.
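One minimal way to represent such a formalism in code (this dictionary encoding is our own sketch, not the thesis's notation) is to map each state to the list of its enabled transitions, each transition being a discrete distribution over successor states:

```python
# State -> list of enabled transitions; nondeterminism picks a transition,
# the chosen transition then picks the successor state probabilistically.
mdp = {
    "init": [
        {"sent": 0.95, "lost": 0.05},  # transition: send over a lossy channel
        {"init": 1.0},                 # transition: keep waiting
    ],
    "sent": [{"sent": 1.0}],           # absorbing
    "lost": [{"lost": 1.0}],           # absorbing
}

# Sanity check: every enabled transition is a probability distribution.
for state, transitions in mdp.items():
    assert transitions, f"{state} must enable at least one transition"
    for t in transitions:
        assert abs(sum(t.values()) - 1.0) < 1e-9
```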

In this kind of formalism, the verification problem is to find out the smallest probability that the system behaves correctly, quantifying over all possible resolutions of the nondeterministic choices. As a concrete instance, suppose we are verifying a networking protocol in which the nondeterministic choices correspond to routing decisions that are not specified. Moreover, suppose that the correct behaviours are those in which no packets are lost, and that we are able to prove that the probability that a packet is lost is at most 0.05, no matter how the nondeterministic choices are resolved. Then we can state that the probability that no packet is lost is at least 0.95 no matter how the packets are routed.
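As a concrete sketch of how such a worst-case bound can be computed (the encoding and the function name are ours; we rely on the standard fact that, for reachability objectives, memoryless schedulers suffice, so iterating the Bellman minimum over enabled transitions converges to the infimum over all schedulers):

```python
def min_reach_prob(mdp, target, iters=1000):
    """Minimum, over all schedulers, of the probability of reaching `target`.
    `mdp` maps each state to its enabled transitions; each transition is a
    dict from successor states to probabilities."""
    p = {s: 1.0 if s in target else 0.0 for s in mdp}
    for _ in range(iters):
        p = {s: 1.0 if s in target else
                min(sum(pr * p[t] for t, pr in trans.items())
                    for trans in mdp[s])
             for s in mdp}
    return p

# Routing example: the scheduler picks the route, the channel loses packets.
mdp = {
    "route":     [{"delivered": 0.95, "lost": 0.05},   # route A
                  {"delivered": 0.98, "lost": 0.02}],  # route B
    "delivered": [{"delivered": 1.0}],
    "lost":      [{"lost": 1.0}],
}
print(min_reach_prob(mdp, {"delivered"})["route"])  # 0.95: worst-case delivery probability
```

Whatever routing decision the adversarial scheduler takes, the packet is delivered with probability at least 0.95, which is the kind of guarantee described above.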

The resolution of nondeterminism is given by the so-called schedulers (also called adversaries, policies or strategies, see e.g. [133, 25, 126, 38]). A scheduler is a function mapping paths to transitions (or, in the more general case, paths to distributions on transitions). Metaphorically, we can think that


the scheduler chooses to perform one transition out of all the transitions enabled in state s. The choice of the scheduler is based on the path that led the system to s. This metaphorical meaning also justifies the term adversary, since the scheduler can be seen as an evil player trying to make the system behave as badly as possible by choosing the (in)appropriate transitions. The term policy is related to planning problems, in which the aim is to find the best plan (or the best policy) to accomplish a given goal. The term strategy applies both to the planning and the verification settings and, in addition, it is often used in game theory [38, 66]. Sometimes our examples have a verification flavour; at other times they may have a game-theoretic or planning flavour. The essence of the problems is the same: to find out the smallest/greatest probability that an event occurs, taking into account all schedulers/adversaries/policies/strategies.

There are efficient tools implementing algorithms to perform automatic verification [97, 50] of probabilistic and nondeterministic systems. However, the algorithms underlying existing tools do not take into account that the entities in the system might not share all the information. In some cases, this causes the tool to deem correct systems incorrect, as explained in the following section.

    0.1.3 The role of information

If we consider a distributed system as a whole (disregarding the fact that the system comprises several independent entities), some schedulers correspond to unrealistic resolutions of the nondeterminism. As a consequence, it may be the case that overly pessimistic worst-case probabilities are computed during the verification. The following example illustrates the problem: a man tosses a coin and another one tries to guess heads or tails. We study the example from the point of view of T, and so we consider it inconvenient that G guesses the outcome. Figure 0.1 depicts models of these men. Man T, who tosses the coin, has only one transition, which represents the toss of the coin: with probability 1/2 he moves to state headsT and with probability 1/2 he moves to state tailsT. Instead, man G has two possible transitions, each one representing his choice: headsG or tailsG.

Figure 0.1: T tosses a coin and G has to guess

In the standard compose-and-schedule approach, the verification of the system comprising T and G considers a compound model. The way in which the compound model is defined corresponds to the product of labelled transition systems. The compound model comprises all the possible interleavings of the executions of the components. In Fig. 0.2 we depict the compound model for T and G.

Following the compose-and-schedule approach, the verification of the compound model is carried out by considering all of its schedulers. However, a scheduler for the compound model may let G guess the correct answer with


Figure 0.2: Compound model for T and G

probability 1 according to the following sequence: first, it lets T toss the coin, and then it chooses for G the transition leading to heads if T tossed a head, or the transition leading to tails if T tossed a tail. This behaviour is depicted in Fig. 0.3. Therefore, the supremum probability of guessing obtained by

Figure 0.3: A fictitious behaviour in the compound model

quantifying over these almighty schedulers is 1, even if T is a smart player that always hides the outcome until G reveals his choice.

Note that, from the point of view of T, this is a very pessimistic result, since T loses every time. If we were analysing a strategy to avoid being predicted all the time, and our model checking tool told us that our choice will be guessed with probability 1, then we would feel very disappointed about our strategy.

Our simple example shows that quantitative model checkers based on the compose-and-schedule approach, though safe, yield an overestimation of the correct value. Since T and G do not share all information, we would like the supremum probability of guessing (i.e., of reaching either of the states (headsT, headsG) or (tailsT, tailsG)) to be 1/2.
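The two quantifications in this example can be contrasted concretely. The following sketch (entirely ours, not the thesis's formalisation) enumerates the deterministic guessing strategies for G: almighty schedulers may base the guess on the hidden outcome, while distributed ones must fix the guess independently of it:

```python
from itertools import product

OUTCOMES = ("heads", "tails")

def guess_prob(strategy):
    """Probability that G guesses correctly, where `strategy` maps the
    coin outcome to G's guess (the coin is fair)."""
    return sum(0.5 for outcome in OUTCOMES if strategy[outcome] == outcome)

# Almighty schedulers: the guess may depend on the (hidden) outcome.
almighty = [dict(zip(OUTCOMES, g)) for g in product(OUTCOMES, repeat=2)]
# Distributed schedulers: G cannot observe the toss, so the guess is fixed.
distributed = [{o: g for o in OUTCOMES} for g in OUTCOMES]

print(max(guess_prob(s) for s in almighty))     # 1.0: the fictitious behaviour
print(max(guess_prob(s) for s in distributed))  # 0.5: the realistic supremum
```

The strategy that copies the outcome achieves probability 1 among the almighty schedulers, whereas no fixed guess exceeds 1/2, matching the supremum we argued for above.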

This observation is fundamental in distributed systems in which entities share little information with each other, as well as in security protocols, where the possibility of information hiding is a fundamental assumption [40]. The phenomenon we illustrated was first observed in [133] from the point of view of compositionality, and studied in [64, 46, 43] in different settings. Distributed schedulers are also related to the partial-information policies of [63].

In order to avoid considering these unrealistic behaviours, previous works introduce distributed schedulers. Local schedulers for each entity of the system are defined in the usual way (that is, the choices are based on the complete history of the entity), and distributed schedulers are defined to be the schedulers that can be obtained by composing these local schedulers. We remark that the almighty scheduler of the example would not be a valid scheduler in this new setting, since the choice for G depends only on information which is external to (and not observable by) G. Then, a local scheduler

Moreover, note that he gets very sad in case he loses.


With respect to the verification of probabilistic systems, different research directions mirror those that arose for non-probabilistic systems, such as process algebra [10], labelled transition systems [108] and model checking [56, 14].

Several probabilistic process algebras were devised [75, 82, 11, 4]. In [96], performance and process algebra were combined for the first time, giving rise to stochastic process algebra. An important class are the Markovian process algebras, introduced to take advantage of the analytical framework provided by continuous-time Markov chains. Some examples are IMC [93], TIPP [94], PEPA [76] and EMPA [23]. Other works considered the case of general (not only Markovian) distributions [59, 60, 28, 91] (a survey on this topic can be found in [29]). In [42, 39, 43], an algebraic approach is used to model systems with restricted schedulers.

Labelled transition systems can be extended with probabilities in several ways. In [133], the model of probabilistic automata is defined. In this model, several transitions are available at each state. Each transition defines the probabilities of both the label and the next state to be reached. However, most of the results of [133] are restricted to simple probabilistic automata, in which a label is assigned to each transition. So, in simple automata, transitions assign probabilities to states, while the label is fixed for each transition. The restriction to simple automata is needed to define a suitable composition operator. An important improvement over simple probabilistic automata is achieved by the probabilistic I/O automata in [147]. Such automata allow transitions assigning probabilities to labels, but behaviours are restricted in such a way that, in every synchronisation, only one of the participating transitions is allowed to assign probabilities to labels. As we shall see in Chapter 1, this restriction has an intuitive explanation in terms of input and output. The probabilistic input/output automata in [147] assume exponential distributions for the time that entities delay in a given state. Moreover, the exponential distribution is fixed for each state. This mechanism resembles the Markovian process algebras mentioned before. The probabilistic I/O automata model in [46] introduces a token-based mechanism in which the entity that owns the token is the only one able to perform an output. In addition, transitions specify whether or not the owner of the token changes after the transition, and also specify the next entity that receives the token. The introduction of the token eliminates the need for a delay mechanism but, as we shall see in Sec. 2.4, nondeterminism cannot be handled in a satisfactory way in all cases. So, we introduce an interleaving scheduler that decides the next entity to execute a transition. The introduction of this interleaving scheduler does not come for free, and we show that it needs to be restricted.

Probabilistic automata can be seen as Markov decision processes [126] in that they are Markov chains extended with the ability to choose among several distributions at a given state. In fact, existing algorithms for model checking probabilistic systems use the Bellman equations for Markov decision processes [25]. An algorithm to check bisimulation was introduced in [15]. Interestingly, bisimulation can also be checked under the so-called demonic schedulers [42].

In addition to the algorithms to determine correctness, model checking also requires techniques to alleviate the state explosion problem. The technique of partial order reduction (POR) [125, 52, 83] was adapted to the probabilistic setting in [12, 57]. Other techniques adapted include symmetry reduction [113] and abstraction [58, 5, 107]. In Chapter 7 we propose improvements to the technique of POR. As we shall see, the key ingredient to prove that such improvements are correct is the fact that entities do not share all information.

Several other approaches have been devised to deal with partial information. Partially Observable Markov Decision Processes (POMDPs [135, 35, 114]) and Decentralised POMDPs [135] have been heavily used in areas such as Artificial Intelligence and Planning. However, they have received little attention in recent research on verification of probabilistic systems, and so we preferred to adhere to the trend of Probabilistic I/O Automata. POMDPs use the notion of observation: in addition to the probabilities concerning the next state to be reached, the transition defines probabilistically how the state looks to the observer, by defining a distribution on a set of observations. So, the choices are based on observations of the history of the system, and such observations represent the uncertainty about the actual state affecting decision making. We compare our approach to POMDPs more deeply in Sec. 1.4.

A formalism that considers partial information can also be found in [63]. Given a specified relation, two states of the system are meant to be indistinguishable for the decision maker iff they are related. The choices are then restricted to coincide on indistinguishable histories, and so the equivalence classes of the relation resemble the observations found in POMDPs.

Another formalism that deserves attention is the one in [64]. In this paper, the entities execute in a completely synchronous fashion (that is, each time the system performs a step, all the entities perform a step). The states of the system are modelled as valuations over a set of variables, and the information available to each entity can be modelled by restricting the variables that it is able to read. The model is primarily intended for compositional reasoning. We preferred the Probabilistic I/O Automata model since it is more suitable for asynchronous systems.

0.3 outline

Chapter 1 presents the formalism of Interleaved Probabilistic I/O Automata (IPIOA) used in this thesis. It is based on the Switched PIOA of [45]. We present a general approach to partial information by considering arbitrary projections for each of the components. A projection is a function restricting the information available: two different executions are distinguished only if the component's projection maps the executions to different observations.

Chapter 2 discusses several restrictions on the interleaving scheduler. This scheduler resolves the nondeterminism concerning the different options to interleave the executions of the components. Given that this scheduler is not related to a particular component, it is not obvious how the information available to each of the components relates to information observable by the interleaving scheduler. The restrictions we propose ensure that the interleaving of two executions of components A, B does not depend on information hidden by another component C.

In Chapter 3 we show that some sequences of schedulers permit the construction of limit schedulers. Limits are constructed in such a way that, if all the schedulers in the sequence comply with a given property, then the limits also do. Since this construction (as well as several other properties associated to limit schedulers) is reused many times throughout this thesis, we isolated the fundamental results in this chapter.

Chapter 4 compares different sets of schedulers with respect to their expressive power. A set of schedulers S has more expressive power than a set S' iff the worst-case probability that the system fails under S is greater than the probability under S'. The results in Chapters 3 and 4 are generalizations of those presented in On the Expressive Power of Schedulers in Distributed Probabilistic Systems (Giro, D'Argenio [79]).

Chapter 5 presents several undecidability results concerning the calculation of worst-case probabilities. The maximum probability that a set of states is reached cannot be calculated. Moreover, there is no algorithm to approximate such probability within an error threshold ε. Some of the results in this chapter appeared in Quantitative model checking revisited: neither Decidable nor Approximable (Giro, D'Argenio [78]), while others appeared in Undecidability Results for Distributed Probabilistic Systems (Giro [77]).

Chapter 6 presents two algorithms. One of them calculates an overestimation of the maximum probability that the system fails. The other one exhaustively explores the set of non-randomized distributed Markovian schedulers, in order to look for schedulers in which the probability of a failure is not acceptable. We present a branch-and-bound technique to elide some subsets of schedulers during the exploration.

Chapter 7 introduces a variation on the technique of partial order reduction (POR) for probabilistic systems. The assumption that components can observe only a partial amount of information allows us to improve the technique, thus obtaining smaller systems for which the verification is faster.

Chapter 8 presents a case study concerning a protocol to anonymously serve two clients. One of the algorithms in Chapter 6 is used to analyze whether or not the protocol ensures that the clients are served in a fair fashion. The algorithm and the case study were introduced in On the verification of probabilistic I/O automata with unspecified rates (Giro, D'Argenio [80]).

Chapter 9 presents an interpretation of models in the PRISM language into IPIOA. This interpretation allows us to implement our POR technique in PRISM. We also present two examples showing how our implementation performs in practice. The POR technique in Chapter 7 and the examples in this chapter were presented in Partial Order Reduction for Probabilistic Systems: A Revision for Distributed Schedulers (Giro, D'Argenio, Ferrer Fioriti [81]).

The conclusion in Chapter 10 explores the thesis in a retrospective view and proposes further research directions.


Part I

PROBABILISTIC SYSTEMS AND SCHEDULERS


1 A FRAMEWORK FOR DISTRIBUTED SYSTEMS WITH PROBABILITIES AND NONDETERMINISM

We present a modelling framework based on the Switched Probabilistic I/O Automata [46]. It is called Interleaved Probabilistic I/O Automata (IPIOA), since we eliminate the switching semantics in [46] (in which the control of the outputs is switched using a token-based mechanism) and follow an approach closer to usual interleaving semantics. For the sake of simplicity, we split the presentation of our formalism into two sections. Section 1.1 starts with a simple framework, which is similar to the one in [46]. These automata are called simple IPIOA. In order to give the semantics of our automata, this section introduces notions of projections and schedulers, which resemble the ones in [46, 64]. Section 1.2 revisits several aspects of the framework, and defines extended IPIOA. The simple automata in Sec. 1.1 are a particular case of these ones. We expect that our presentation helps the reader familiar with PIOA, since he will be able to link our extended formalism to the existing one.

In Section 1.3 we generalize the notions of projections and schedulers. These generalizations apply to simple as well as to extended IPIOA, and we find them useful when developing algorithms and techniques for verification.

    1.1 simple interleaved probabilistic i/o automata

    1.1.1 Input/Output Transitions

In process algebras such as CSP, processes synchronize on common actions. In order to avoid unrealistic behaviours, it may be useful to specify which entity takes the initiative to perform the action (for instance, which entity decides to send a message through several channels) and which entities simply react to the action initiated (for instance, the channels react by queuing the message). This fact is illustrated using the following example.

Example 1.1. Consider a process P that sends data messages and control messages over the channel C. The channel C may fail during the startup. It fails with probability 0.01 and, in this case, the channel appears to be active but the messages are not transmitted. Models for P and C are depicted in Fig. 1.1. The label d (label c, resp.) represents the action in which P tries to send a data message (a control message, resp.). We need to model the fact that P is the entity that chooses between sending a control or a data message; otherwise, the model may be misinterpreted as follows: if the channel fails during startup, then C takes the initiative to execute c. Otherwise, C takes the initiative to execute d. Note that, in this behaviour, control messages are never transmitted. However, if P is not able to see whether or not C has failed during startup, one expects the probability that a message is lost to be 0.01, independently of the type of the message.

[Figure 1.1: Unrealistic choices in synchronizations]

We use the symbol ! after a label to indicate that the label's entity chooses to perform the action. We say that the entity generates the label, and that the label is an output. In addition, we use the symbol ? after a label to indicate that the entity reacts to the action. That is, although the action changes the actual state of this entity, the decision about whether to execute this action is not up to this entity. In this case, the label indicates an input. Figure 1.2 shows a modified version of Fig. 1.1.

[Figure 1.2: Fixing unrealistic choices in synchronizations]

If an entity is able to perform several actions, the choice among these actions may be probabilistic. We can modify the previous example in such a way that data messages and control messages are sent with some particular probability, as illustrated in Fig. 1.3. In this figure, action labels c and d occur in the same transition. This transition is enabled in the state INIT_P, and it specifies that either d is output and P changes its state to s1, or c is output and P changes its state to s2. This is an example of a generative transition.

[Figure 1.3: Generative transitions with several action labels]

If an entity reacts to an input, the state of the entity may change probabilistically. Figure 1.4 shows a modified version of the channel in Example 1.1. In this version, an external entity S starts the channel up. The probabilistic choices reflect the fact that the channel may fail during startup. This is an example of a reactive transition.


[Figure 1.4: A reactive transition that probabilistically chooses between two states]

The component executing a generative transition chooses both a label a to output and a new state s according to a given distribution. Reactive transitions specify how a component reacts to a given input. Therefore, reactive transitions are simply distributions on states.

Definition 1.1. Given a set ACTLAB of action labels and a set S of states, the set of generative transitions TG on (S, ACTLAB) is PROB(ACTLAB × S), and the set TR of reactive transitions is PROB(S). (PROB(·) is introduced in the basic notation, p. xv.)

Generative and reactive structures [82, 136] provide the means to specify the transitions enabled in each state. Note that, in the presence of nondeterminism, a state might have several output transitions enabled. In addition, for each state and each label, we allow several input transitions to be enabled. This flexibility allows us to specify that the entity may react to an input in several different ways. We call these structures local, in contrast to the global ones we present later in Sec. 1.2.

Definition 1.2. A local generative structure on (S, ACTLAB) is a function G : S → P(TG). A local reactive structure on (S, ACTLAB) is a function R : S × ACTLAB → P(TR). We restrict to finite structures, that is, G(s) and R(s, a) are finite for all s, a.

Figure 1.5 depicts an example of local generative/reactive structures.

[Figure 1.5: Generative and reactive structures — a generative structure with two transitions and a reactive structure with two transitions]

In the example,

  G(s0) = { 1/2 : (a, s1) + 1/2 : (b, s2),  2/3 : (b, s3) + 1/3 : (a, s4) }

and

  R(s0, a) = { 1/3 : s1 + 2/3 : s2 }
  R(s0, b) = { 1/2 : s3 + 1/2 : s4 }.

(The notation p1 : x1 + · · · + pn : xn is described on p. xv.)

Note that, if a generative transition g is enabled in two different states s1 and s2, then the probability that g outputs a and reaches a certain s' is the same in both s1 and s2 (namely, it is g(a, s')). In the extended version of probabilistic I/O automata presented later in Sec. 1.2, the probability may change according to the source state. Moreover, in the case of input transitions, the probability depends on the source state and label. Then, the following notation allows us to treat transitions in both versions in a uniform way.

Notation 1.1. Given s_j, s′_j ∈ S and a ∈ ACTLAB, we define

  g(s_j, a, s′_j) = g(a, s′_j)   if g ∈ G(s_j)
                  = undefined    otherwise

and

  r(s_j, a, s′_j) = r(s′_j)      if r ∈ R(s_j, a)
                  = undefined    otherwise.
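As an illustration, the structures of Fig. 1.5 and the uniform access of Notation 1.1 can be sketched in code. The dictionary encoding below is our own choice (not the thesis' notation); distributions are dicts from outcomes to probabilities, and `None` stands for "undefined".

```python
# Generative transitions of Fig. 1.5: distributions over (label, state) pairs.
g1 = {("a", "s1"): 0.5, ("b", "s2"): 0.5}
g2 = {("b", "s3"): 2/3, ("a", "s4"): 1/3}

# Reactive transitions: distributions over states.
r_a = {"s1": 1/3, "s2": 2/3}
r_b = {"s3": 0.5, "s4": 0.5}

# Local structures: G maps a state to its generative transitions;
# R maps (state, label) to its reactive transitions.
G = {"s0": [g1, g2]}
R = {("s0", "a"): [r_a], ("s0", "b"): [r_b]}

def g_uniform(g, s, a, s_next, G):
    """Notation 1.1: g(s, a, s') = g(a, s') if g is enabled in s, else undefined."""
    if g in G.get(s, []):
        return g.get((a, s_next), 0.0)
    return None  # undefined

assert g_uniform(g1, "s0", "a", "s1", G) == 0.5
assert g_uniform(g1, "s9", "a", "s1", G) is None  # g1 not enabled in s9
# Every transition is a probability distribution: its values sum to 1.
assert abs(sum(g1.values()) - 1) < 1e-9
```

The same `g_uniform` signature works unchanged for the extended transitions of Sec. 1.2, where the probability may genuinely depend on the source state.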

    1.1.2 Modelling symmetric choices

The communication mechanism we presented before is based on input/output, and thus asymmetric: our synchronizations distinguish the entity that decides to output the label from the entities that react to that decision. Sometimes synchronizations are fully symmetric, in the sense that, if there are several common labels enabled, then the decision concerning the label to execute is up to all the entities sharing the label.

Next, we show how symmetric choices can be modelled within our framework.

Example 1.2. A boy from Colombia and a girl from Argentina are introduced in an informal meeting. In both countries it is usual to give a little kiss to a girl being introduced. However, they are not sure that in the other one's country such a kiss is usual, and they think that maybe they should shake hands. On the other hand, shaking hands may seem very formal for this meeting... Note that in this example both the boy and the girl are choosing what to do, and that both need to synchronize to do it. Figure 1.6 illustrates how this choice can be modelled using input/output labels.

[Figure 1.6: Modelling symmetric choices using input/output labels]

In these cases, we can abstract away the input/output qualifiers and simply consider the fact that they can kiss or shake hands with any probability. For instance, consider the behaviour in which they kiss with probability 1/2. This behaviour corresponds to several behaviours of our model. One of such behaviours is the one in which the boy decides first and he chooses to kiss with probability 1/2. Note that, in this case, the choice of the girl is irrelevant. In the converse case, the girl decides first and the choice of the boy is irrelevant. Note that, in this example, we also deal with the nondeterminism concerning the one that decides first. Such nondeterminism can be also resolved probabilistically. In fact, it may be the case that they note each other's indecision and the boy says: "OK, let's flip a fair coin. If the coin lands heads, then I decide". Moreover, suppose that, if the boy decides, then he chooses to kiss with probability 1, while the girl, in case the coin lands tails, chooses to shake hands. The probability that they kiss is the probability that the boy decides and he chooses to kiss, that is, 1/2 · 1 = 1/2.
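The arithmetic of the coin-based resolution can be sketched as follows. The encoding (a fair coin for the interleaving choice, Dirac distributions for the local choices) is our own illustration of the example, not a formal semantics.

```python
# Example 1.2 resolved probabilistically: a fair coin decides who chooses
# (heads: the boy, tails: the girl); the boy kisses with probability 1,
# the girl shakes hands with probability 1.

p_boy_decides = 0.5
boy_choice = {"kiss": 1.0, "shake": 0.0}
girl_choice = {"kiss": 0.0, "shake": 1.0}

def prob(outcome):
    # Weight each decider's choice by the probability that they decide.
    return (p_boy_decides * boy_choice[outcome]
            + (1 - p_boy_decides) * girl_choice[outcome])

assert prob("kiss") == 0.5   # 1/2 * 1, as computed in the example
assert prob("shake") == 0.5
```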

In the next section, we present a framework of probabilistic automata that uses the input/output mechanism we have described.

    1.1.3 Simple Interleaved Probabilistic I/O Automata

In our framework, a system is obtained by composing several probabilistic I/O atoms. Each atom is a probabilistic automaton having reactive and generative transitions.

Definition 1.3. A simple probabilistic I/O atom is a tuple

  (S, ACTLAB, G, R, INIT),

where

- S is a finite set of states,
- ACTLAB is a finite set of action labels,
- G is a generative structure on (S, ACTLAB),
- R is a reactive structure on (S, ACTLAB), and
- INIT ∈ S is the initial state.

We require atoms to be input-enabled:

  ∀s ∈ S, a ∈ ACTLAB : R(s, a) ≠ ∅.    (1.1)

We write S_i to denote the set of states of an atom A_i, and similarly for the other elements of the tuple. In addition, we write TG_i (TR_i, resp.) for the set of generative (reactive, resp.) transitions on (S_i, ACTLAB_i) (Def. 1.1).

The input-enabledness requirement is standard, and it is already present in the first works introducing I/O automata [117].
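A minimal sketch of the input-enabledness check of Eqn. (1.1), assuming the dict-based encoding of reactive structures used for illustration above; the function and variable names are ours.

```python
# Eqn. (1.1): every state must enable at least one reactive transition
# for every action label of the atom.

def input_enabled(states, actlab, R):
    """R maps (state, label) to the list of reactive transitions."""
    return all(R.get((s, a)) for s in states for a in actlab)

R = {("s0", "a"): [{"s0": 1.0}], ("s1", "a"): [{"s1": 1.0}]}
assert input_enabled(["s0", "s1"], ["a"], R)
assert not input_enabled(["s0", "s1"], ["a", "b"], R)  # no reaction to b
```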

A path of an atom A_i is a sequence s_i^1.a^1. ··· .a^{n−1}.s_i^n such that s_i^k ∈ S_i, a^k ∈ ACTLAB_i and g(s_i^k, a^k, s_i^{k+1}) > 0 for some g ∈ G_i(s_i^k). The set of paths in A_i is denoted by APATHS(A_i).

An interleaved probabilistic I/O system P is a set ATOMS(P) of probabilistic I/O atoms A_1, ..., A_N. The set of states of the system is S_P = ∏_i S_i, and the initial state of the system is INIT = (INIT_1, ..., INIT_N). Throughout this thesis we use N to denote the number of atoms in the system under consideration. The parallel composition of two systems P, Q (denoted by P ∥ Q) is the system having ATOMS(P ∥ Q) = ATOMS(P) ∪ ATOMS(Q). Given two atoms A and B, we

  Σ_{s′} g_i(s_i, a, π_i(s′)) · Π_{k=1}^{m} r_{jk}(s_{jk}, a, π_{jk}(s′))

    = Σ_{s′_i} g_i(s_i, a, s′_i) · Σ_{s′_{j1}} r_{j1}(s_{j1}, a, s′_{j1}) · · · Σ_{s′_{jm}} r_{jm}(s_{jm}, a, s′_{jm})

    = Σ_{s′_i} g_i(s_i, a, s′_i) · Σ_{s′_{j1}} r_{j1}(s_{j1}, a, s′_{j1}) · · · Σ_{s′_{jm−1}} r_{jm−1}(s_{jm−1}, a, s′_{jm−1}) · 1

    = · · ·

    = Σ_{s′_i} g_i(s_i, a, s′_i),

since each reactive transition is a probability distribution on states. From this calculation, we obtain:

  Σ_{s′} c(s, s′) = (1 / Σ_{s′_i} g_i(s_i, a, s′_i)) · Σ_{s′} g_i(s_i, a, π_i(s′)) · Π_{k=1}^{m} r_{jk}(s_{jk}, a, π_{jk}(s′))

    = (1 / Σ_{s′_i} g_i(s_i, a, s′_i)) · Σ_{s′_i} g_i(s_i, a, s′_i)

    = 1.

In order to ease some definitions, we introduce a fictitious stutter compound transition ς. Intuitively, this transition is executed iff the system has reached a state in which no atom is able to generate a transition.

Definition 1.5. For all states s such that ⋃_{A_i} G_i(π_i(s)) = ∅, we let

  ENABLED(s) = {ς}.

The probability ς(s, s′) of reaching s′ from s using ς is 1, if s′ = s, or 0, otherwise.

A path of P is a sequence s^1.c^1.s^2.c^2 ··· c^{n−1}.s^n such that

  c^i is enabled in s^i and c^i(s^i, s^{i+1}) > 0 for all i.    (1.2)

A path can be finite or infinite. Paths of the system P are called global paths, to disambiguate them from the paths of the atoms.

For a finite path σ as before, we define:

- σ(k) = s^k and σ_k = c^k,
- LAST(σ) = s^n,
- LEN(σ) = n,
- the prefix σ↓k = s^1.c^1 ··· c^{k−1}.s^k; if k is negative, σ↓k = s^1.c^1 ··· c^{LEN(σ)+k−1}.s^{LEN(σ)+k},
- the suffix σ↑k = s^k.c^k ··· c^{n−1}.s^n,
- σ is a prefix of σ′ iff σ = σ′↓k for some k,
- the concatenation σ·σ′ = s^1.c^1 ··· c^{n−1}.s^n.d^2.t^2 ··· d^{m−1}.t^m if σ′ = t^1.d^2.t^2 ··· d^{m−1}.t^m and t^1 = s^n,
- the cylinder generated by σ (denoted by ⟨σ⟩) comprises all the infinite paths that extend σ. It is also called the set of extensions of σ.

Example 1.3 (Guess heads or tails). We can use the IPIOA to present the toy example in Subsection 0.1.3 in a formal setting. The atoms corresponding to T and G are depicted in Fig. 1.7. (In general, in the pictures we omit input transitions required by Eqn. (1.1) if they are irrelevant.)

[Figure 1.7: T tosses a coin and G has to guess]

Actions gh and gt communicate the choice of G to T. An intuitive meaning is that G chooses heads or tails using ch and ct, and then it guesses heads or tails accordingly using gh and gt. We have ACTLAB_T = {h, t, gh, gt} and ACTLAB_G = {ch, ct, gh, gt}. Later on, we define our semantics in such a way that

  h ∉ ACTLAB_G ∧ t ∉ ACTLAB_G

implies that the outcome of the coin toss is not visible to G.

The model does not specify the order in which transitions of T and G are interleaved. It may be the case that T flips the coin immediately, while G delays for some time before deciding. In this case, atom T has some probability to lose. If G were allowed to see the outcome of the coin, such probability would be 1, since G can choose gh! if he observes h, and gt! if he observes t. Since G is not allowed to see the outcome of the coin, such probability is the probability of guessing a random value chosen uniformly among two options, that is, 1/2.
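The argument above can be checked by brute force. The following sketch (our own encoding, not the thesis' semantics) enumerates G's guessing strategies with and without visibility of the coin outcome.

```python
# If G observes the coin, some strategy guesses right with probability 1;
# if G is blind, every strategy achieves exactly 1/2.
from itertools import product

coin = [("h", 0.5), ("t", 0.5)]

def win_prob(strategy, observe):
    """strategy maps what G observes to a guess in {'h', 't'}."""
    total = 0.0
    for outcome, p in coin:
        obs = outcome if observe else "-"   # "-": nothing observed
        if strategy[obs] == outcome:
            total += p
    return total

# Sighted G: strategies map each coin outcome to a guess.
sighted = [dict(zip(("h", "t"), gs)) for gs in product("ht", repeat=2)]
assert max(win_prob(s, observe=True) for s in sighted) == 1.0

# Blind G: strategies map the single (empty) observation to a guess.
blind = [{"-": g} for g in "ht"]
assert all(win_prob(s, observe=False) == 0.5 for s in blind)
```

This is the same phenomenon the projections of Sec. 1.1.4 capture formally: the information available to G determines which strategies are legal.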

    1.1.4 Distributed schedulers

In this subsection, we explain mechanisms to resolve nondeterminism. Although the mechanisms to resolve nondeterministic choices among transitions are very similar to ones presented before [46, 64] (in particular, our input and output schedulers are similar to the ones in [46]), the mechanism to resolve choices among atoms was proposed by us [79].


Although we use the metaphor of games and adversaries in some explanations, for the formal definitions we prefer the term "scheduler" to "adversary", since "scheduler" is preferred in recent research in distributed systems [46, 45, 42, 64].

In a distributed setting such as IPIOA, we need to resolve different kinds of nondeterministic choices. In the first place, it might be the case that several atoms have transitions enabled. In addition, each atom might have several output transitions enabled. And there is a third kind: it may be the case that several reactive transitions are enabled for the same label in the same state. These kinds of nondeterminism are resolved by three kinds of schedulers: the interleaving, output and input schedulers, respectively.

We start by explaining output schedulers. For each atom A_i, there is an output scheduler Θ_i. Such a scheduler chooses one of the enabled generative transitions in A_i. More generally, the scheduler may choose a probability distribution on the enabled generative transitions. We can see this scheduler as an adversary that tosses a (possibly biased) coin to decide which generative transition to pick up. The choice of the transition (or the probability distribution) must depend solely on the information available to the output scheduler. Given a global path σ, we model the available information as the local path traversed by A_i during the execution of σ. The function [[·]]_i : PATHS(P) → APATHS(A_i) strips a global path to obtain a path of A_i.

Definition 1.6. For all atoms A_i, the function [[·]]_i is defined inductively as follows:

  [[(INIT_1, ..., INIT_N)]]_i = INIT_i,
  [[σ.c.(s_1, ..., s_N)]]_i = [[σ]]_i . LABEL(c) . s_i   if LABEL(c) ∈ ACTLAB_i, and
  [[σ.c.(s_1, ..., s_N)]]_i = [[σ]]_i                    if LABEL(c) ∉ ACTLAB_i.

An output scheduler Θ_i for atom A_i is then a function

  Θ_i : APATHS(A_i) → PROB(TG_i).

We restrict the schedulers so that they can only choose enabled transitions, and so we require

  Θ_i([[σ]]_i)(g_i) > 0 ⟹ g_i ∈ G_i(π_i(LAST(σ)))    (1.3)

for all σ such that G_i(π_i(LAST(σ))) ≠ ∅, that is, for all σ in which A_i has enabled transitions. Because of the way in which we give semantics to schedulers, the value of Θ_i is irrelevant in case A_i has no enabled transitions.

The input scheduler chooses a reactive transition for each state s and action label a. Following the same argument as for output schedulers, an input scheduler Υ_i is a function

  Υ_i : APATHS(A_i) × ACTLAB_i → PROB(TR_i)

such that

  Υ_i([[σ]]_i, a)(r_i) > 0 ⟹ r_i ∈ R_i(π_i(LAST(σ)), a).

Notice that R_i(π_i(LAST(σ)), a) ≠ ∅ by the input-enabledness condition (1.1).
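The projection [[·]]_i of Def. 1.6 can be rendered in code as follows. The list encoding of paths and all names are our own illustration, not the thesis' notation.

```python
# Strip a global path to the local path of atom i: keep only the steps
# whose label is in ACTLAB_i, recording the label and atom i's local state.

def project(global_path, actlab_i, i):
    """global_path = [s0, (a1, s1), (a2, s2), ...] with each sk a tuple
    of local states; returns atom i's local path as a flat list."""
    local = [global_path[0][i]]
    for label, state in global_path[1:]:
        if label in actlab_i:          # visible step: record label and state
            local += [label, state[i]]
        # invisible step: the local path is unchanged
    return local

# Hypothetical path of Example 1.3: G outputs ch, then T tosses h.
path = [("INIT_T", "INIT_G"), ("ch", ("INIT_T", "s1G")), ("h", ("s1T", "s1G"))]
# For G (index 1), whose alphabet lacks h and t, the coin toss is invisible:
assert project(path, {"ch", "ct", "gh", "gt"}, 1) == ["INIT_G", "ch", "s1G"]
```

Output and input schedulers receive exactly these projected paths as arguments, which is how the formalism keeps their choices blind to hidden steps of other atoms.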


We still need to resolve the nondeterministic choice concerning the next atom to perform an output. We use an interleaving scheduler to resolve such nondeterminism. Note that, so far, we were using APATHS(A_i) as the argument to schedulers. However, the interleaving scheduler is not related to a particular atom A_i. In our first attempt, we take a permissive approach, and our definition allows the interleaving scheduler to see the global path (later on, in Sec. 2.1, we introduce restrictions on the interleaving scheduler). An interleaving scheduler is thus a function

  I : PATHS(P) → PROB({A_1, ..., A_N})    (1.4)

such that

  I(σ)(A_i) > 0 ⟹ G_i(π_i(LAST(σ))) ≠ ∅.    (1.5)

The last restriction ensures that the atoms chosen by the interleaving scheduler are able to generate a transition.

A composition of interleaving, output and input schedulers forms a scheduler for the whole system, as formally defined below.

Definition 1.7. A distributed scheduler is a tuple

  (I, {Θ_i}_{i=1}^N, {Υ_i}_{i=1}^N)

where I is an interleaving scheduler, Θ_i is an output scheduler and Υ_i is an input scheduler for each A_i ∈ ATOMS(P).

Given a system P, we denote by DIST_P the set of all distributed schedulers for P.

An important subset of schedulers is that of non-randomized schedulers. Intuitively, these schedulers correspond to adversaries that, when facing a nondeterministic choice, pick one of the options instead of selecting one of them at random.

Definition 1.8. We say that a scheduler is non-randomized iff I(σ)(A_i) > 0 ⟹ I(σ)(A_i) = 1, Θ_i(σ_i)(g_i) > 0 ⟹ Θ_i(σ_i)(g_i) = 1 and Υ_i(σ_i, a)(r_i) > 0 ⟹ Υ_i(σ_i, a)(r_i) = 1.

The set of non-randomized distributed schedulers is denoted by NRDIST(P).

Each scheduler defines a probability measure on the set of infinite paths. It does so by defining the probability that a compound transition c occurs, given that the global finite path σ has occurred. This probability is denoted by η(σ)(c). After the intuitive explanations, we prove that the function defined below is a discrete probability distribution (Lemma 1.2).

Definition 1.9. Let C be the set of all compound transitions for system P. For all η ∈ DIST_P and σ ∈ PATHS(P), the function η(σ)(·) : C → [0, 1] is defined as:

  η(σ)(g_i, a, r_{j1}, ..., r_{jm}) = I(σ)(A_i) · Θ_i([[σ]]_i)(g_i) · ( Σ_{s′_i} g_i(π_i(LAST(σ)), a, s′_i) ) · Π_{k=1}^{m} Υ_{jk}([[σ]]_{jk}, a)(r_{jk})

if G_i(π_i(LAST(σ))) ≠ ∅ for some A_i. Otherwise, η(σ)(ς) = 1.


Intuitively, the event "(g_i, a, r_{j1}, ..., r_{jm}) occurs" is the intersection of the events:

- the interleaving scheduler I chooses A_i,
- Θ_i chooses g_i,
- g_i outputs a,
- each of the atoms A_{jk} chooses r_{jk}.

We assume all these events to be independent, and so the probability assigned to the compound transition (g_i, a, r_{j1}, ..., r_{jm}) is the product of the events' probabilities.
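Under this independence reading, the probability of a compound transition is a plain product of the four factors, and summing over all enabled compound transitions yields 1 (this is Lemma 1.2 below). A toy numeric sketch, with made-up distributions of our own:

```python
# One generating atom A1 (two generative transitions) and one reacting
# atom A2. Distributions are dicts; the probability of each compound
# transition is the product interleaving * output * generative * reactive.

I = {"A1": 1.0}                                   # interleaving scheduler
theta1 = {"g1": 0.3, "g2": 0.7}                   # output scheduler of A1
g = {"g1": {("a", "s1"): 0.5, ("b", "s2"): 0.5},  # generative transitions
     "g2": {("a", "s3"): 1.0}}
upsilon2 = {"a": {"ra": 1.0}, "b": {"rb": 1.0}}   # input scheduler of A2

total = 0.0
for gi, p_gi in theta1.items():
    for label in ("a", "b"):
        p_label = sum(p for (l, _), p in g[gi].items() if l == label)
        for rj, p_rj in upsilon2[label].items():
            total += I["A1"] * p_gi * p_label * p_rj

# Over all enabled compound transitions the probabilities sum to 1.
assert abs(total - 1.0) < 1e-9
```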

Recall that, in the definition of output schedulers, we did not impose the restriction

  Θ_i([[σ]]_i)(g_i) > 0 ⟹ g_i ∈ G_i(π_i(LAST(σ)))

for the paths σ such that G_i(π_i(LAST(σ))) = ∅, on the basis that, for such σ, the value of Θ_i([[σ]]_i) would be irrelevant in our semantics. Indeed, for all transitions g_i ∈ TG_i, regardless of the value Θ_i([[σ]]_i), we have η(σ)(c) = 0 for every compound transition c involving g_i, since I(σ)(A_i) = 0 by (1.5).

Similarly to what we did for Def. 1.4, we show that η(σ)(·) can be seen as a discrete probability distribution on the set {c | c ∈ ENABLED(LAST(σ))}.

Lemma 1.2. For all distributed schedulers η and paths σ, we have

  Σ_{c ∈ ENABLED(LAST(σ))} η(σ)(c) = 1.

Proof. Let s = (s_1, ..., s_N) = LAST(σ). Then

  Σ_{(g_i, a, r_{j1}, ..., r_{jm}) ∈ ENABLED(s)} η(σ)((g_i, a, r_{j1}, ..., r_{jm}))

    = Σ_{A_i ∈ ATOMS(P)} Σ_{g_i ∈ G_i(s_i)} Σ_{a ∈ ACTLAB_i} Σ_{r_{j1} ∈ R_{j1}(s_{j1}, a)} · · · Σ_{r_{jm} ∈ R_{jm}(s_{jm}, a)}
          I(σ)(A_i) · Θ_i([[σ]]_i)(g_i) · ( Σ_{s′} g_i(s_i, a, s′) ) · Π_{k=1}^{m} Υ_{jk}([[σ]]_{jk}, a)(r_{jk})

    = Σ_{A_i} I(σ)(A_i) · Σ_{g_i} Θ_i([[σ]]_i)(g_i) · Σ_a ( Σ_{s′} g_i(s_i, a, s′) )
          · Σ_{r_{j1}} Υ_{j1}([[σ]]_{j1}, a)(r_{j1}) · · · Σ_{r_{jm}} Υ_{jm}([[σ]]_{jm}, a)(r_{jm}).

Each Υ_{jk}([[σ]]_{jk}, a) is a probability distribution, so the reactive sums equal 1 and can be dropped from right to left:

    = Σ_{A_i} I(σ)(A_i) · Σ_{g_i} Θ_i([[σ]]_i)(g_i) · Σ_a ( Σ_{s′} g_i(s_i, a, s′) ).

Since Σ_a Σ_{s′} g(a, s′) = 1 (definition of generative transition), and Θ_i([[σ]]_i) and I(σ) are probability distributions as well:

    = Σ_{A_i} I(σ)(A_i) · Σ_{g_i} Θ_i([[σ]]_i)(g_i)
    = Σ_{A_i} I(σ)(A_i)
    = 1.

The probability distribution in Def. 1.9 induces a probability measure on the set of paths.

Definition 1.10 (Probability of a set of paths). For a cylinder ⟨σ⟩, the probability measure PR_η is inductively defined by:

  PR_η(⟨INIT⟩) = 1
  PR_η(⟨σ.c.s⟩) = PR_η(⟨σ⟩) · η(σ)(c) · c(LAST(σ), s)

PR_η uniquely extends to the least σ-field containing all cylinders in the standard way (namely, by resorting to the Carathéodory extension theorem [109]).
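The inductive definition can be sketched as follows. The encoding of η and of compound transitions as callables is our own, purely illustrative choice.

```python
# PR(<INIT>) = 1; each step multiplies by the scheduler's probability of
# the compound transition and by the transition's probability of the
# target state, following Def. 1.10.

def pr_cylinder(path, eta, trans_prob):
    """path = [s0, (c1, s1), (c2, s2), ...]; returns PR(<path>)."""
    prob = 1.0                       # PR(<INIT>) = 1
    prefix = [path[0]]
    for c, s in path[1:]:
        last = prefix[-1] if len(prefix) == 1 else prefix[-1][1]
        prob *= eta(prefix)(c) * trans_prob(c, last, s)
        prefix = prefix + [(c, s)]
    return prob

# Toy instance: at every step the scheduler picks transition "c" with
# probability 0.5, and "c" reaches the next state with probability 0.8.
eta = lambda prefix: (lambda c: 0.5)
trans = lambda c, s, t: 0.8
assert abs(pr_cylinder(["s0", ("c", "s1"), ("c", "s2")], eta, trans)
           - (0.5 * 0.8) ** 2) < 1e-9
```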

Although in the general case we deal with arbitrary measurable sets, for some results we restrict to reachability sets. Given a set of states U, let REACH(U) denote the set of all infinite paths σ such that σ(k) ∈ U for some k.

    Example 1.4. Consider again the guess-heads-or-tails example. In Fig. 1.9 we present a graphical representation of the system P = T ∥ G. Figure 1.10 depicts a scheduler η ∈ DIST_P. Given the enabledness restrictions we impose on schedulers (the interleaving scheduler must choose atoms with enabled transitions, etc.), such a scheduler is completely determined by the definitions I(INIT) = 1 : T and Θ_G(INIT_G) = 1 : ch!. As we can see in the graphical


    Figure 1.8: T tosses a coin, G guesses heads or tails (diagram not reproduced)

    Figure 1.9: System P = T ∥ G (diagram not reproduced)

    Figure 1.10: Scheduler η ∈ DIST_P (diagram not reproduced)

    representation, the choice is not changed according to the outcome of the coin toss: ch! is chosen for both s^1_T and s^2_T.

    Note that, by Def. 1.9, we have η(σ)(⊥) = 1 for all σ such that π_2(LAST(σ)) = s^3_G or π_2(LAST(σ)) = s^4_G, since in these paths there are no enabled transitions. In particular, note that

    ∀σ : η(σ) = η′(σ)

    holds for all η, η′ differing only wrt. the value of Θ_G(INIT_G . ch! . s^1_G . gh! . s^3_G).
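The point of the example can be replayed numerically: a distributed scheduler must fix its guess independently of the toss it cannot observe, so it wins with probability 1/2, whereas a scheduler that could see the outcome would win with probability 1. The encoding below is a toy sketch of ours, not the thesis's formal semantics.

```python
# T tosses a fair coin; G guesses without seeing the outcome.
toss = {"h": 0.5, "t": 0.5}

def win_probability(guess_after):
    # guess_after maps the (hidden) outcome to G's guess; the guess is
    # correct when it matches the outcome.
    return sum(p for outcome, p in toss.items() if guess_after[outcome] == outcome)

# A distributed scheduler must guess the same way after both outcomes...
print(win_probability({"h": "h", "t": "h"}))  # 0.5
# ...whereas a scheduler that could see the outcome would always win:
print(win_probability({"h": "h", "t": "t"}))  # 1.0
```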

    1.2 extended interleaved probabilistic i/o automata

    In this section, we present several extensions to the definitions in the previous section. We need these extensions to deal with existing formalisms such as the PRISM language [97]. Subsections 1.2.1 and 1.2.2 present extensions to transitions and structures, resp. Subsection 1.2.3 summarizes the link between the systems defined in Sec. 1.1 and the ones in this section.

    1.2.1 Extended transitions

    Suppose that a generative transition g is enabled in two states s and s′. According to Def. 1.1, the probability of generating a and reaching s′′ is the same in both s and s′ (namely g(a, s′′)). This definition of transition is not straightforwardly compatible with guarded command languages, where the state of the system is given by a valuation over a set of variables. As an


    example, consider a system whose state consists of two variables s and t ranging over {0, 1}. Moreover, suppose that we have a command [a] s = 0 → s′ = 1, whose intended meaning is: if s is 0, then output a and assign 1 to s. Then, in the state (s = 0, t = 0) this command leads to (s = 1, t = 0) with probability 1, and to (s = 1, t = 1) with probability 0. Conversely, in the state (s = 0, t = 1), it leads to (s = 1, t = 0) with probability 0, and to (s = 1, t = 1) with probability 1. In short, the state reached after the command depends on what the actual state is. Then, we generalize generative transitions so that the probabilities depend on the actual state. With respect to reactive transitions, we extend them so that probabilities depend both on the actual state and on the label to which the atom reacts.
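The command above can be read as an extended generative transition: the target distribution depends on the actual state (here, on the untouched variable t). The dictionary encoding of states below is our own illustration, not PRISM syntax.

```python
# Extended generative transition induced by the command [a] s = 0 -> s' = 1:
# a function from states to distributions on (label, state) pairs.
def g(state):
    if state["s"] == 0:                        # guard of the command
        target = dict(state, s=1)              # assignment s' = 1; t is unchanged
        return {("a", frozenset(target.items())): 1.0}
    return {}                                  # command disabled in this state

d0 = g({"s": 0, "t": 0})   # all mass on (s=1, t=0)
d1 = g({"s": 0, "t": 1})   # all mass on (s=1, t=1)
print(d0)
print(d1)
```

The two calls return different target distributions for the same command, which is exactly what the non-extended transitions of Def. 1.1 cannot express.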

    Definition 1.11. An (extended) generative transition for atom A_i is a function g_i : S_i → PROB(ACTLAB_i × S_i). The set comprising all generative transitions for atom A_i is denoted by TG_i. An (extended) reactive transition in atom A_i is a function r_i : S_i × ACTLAB_i → PROB(S_i). The set comprising all reactive transitions for atom A_i is denoted by TR_i.

    Of course, if g_i is not enabled in a given state s, then the value g_i(s) is irrelevant. We could have defined the domain of g_i as the set of states in which g_i is enabled, but this makes no difference and we prefer to keep the definition simple. Note that the definition of TG_i clashes with the original definition (Def. 1.1). This causes no harm as long as it is clear whether the transitions we are considering are extended or not.

    Notation 1.2. We write g_i(s_i, a, s′_i) for g_i(s_i)(a, s′_i) and r_i(s_i, a, s′_i) for r_i(s_i, a)(s′_i).

    Together with Notation 1.1, this notation allows us to abstract away whether the transitions are extended or not.

    1.2.2 Global enabledness conditions

    We have defined the generative structure of an atom A_i as a function G_i : S_i → P(TG_i). Then, it suffices to look at the local state in order to see if a transition is enabled. This is possible since we require input-enabledness (Eqn. (1.1)): otherwise, it might be the case that g_i is enabled in s_i, g_i(a, s′_i) > 0 for some a, s′_i, and a is in the alphabet of an atom A_j such that R_j(s_j, a) = ∅. In other words, g_i is enabled, but it generates an action a while A_j blocks this action.

    As a result, when interpreting languages without input-enabledness into IPIOA, our definition of generative structures happens to be inappropriate. In general, if g_i(a, s′_i) > 0, then we would like g_i to be enabled only if R_j(s_j, a) ≠ ∅ for all A_j such that a ∈ ACTLAB_j, A_j ≠ A_i. The following definition helps us to achieve this goal.
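The intended global condition can be sketched as a check over the other atoms' reactive structures: g_i may be scheduled only if every other atom whose alphabet contains a label that g_i can output is able to react to it. All names and the representation below are illustrative, not taken from the thesis.

```python
# Alphabets of three hypothetical atoms.
ACTLAB = {"A1": {"a", "b"}, "A2": {"a"}, "A3": {"b"}}

def globally_enabled(i, g_support, reactive, state):
    """g_support: labels a with g_i(a, s') > 0.
    reactive[j](s_j, a): set of reactive transitions of atom j for label a
    in its local state s_j (empty set means j blocks a)."""
    for a in g_support:
        for j, alphabet in ACTLAB.items():
            if j != i and a in alphabet and not reactive[j](state[j], a):
                return False  # some A_j blocks label a
    return True

reactive = {
    "A2": lambda s, a: {"r2"},                          # A2 always reacts
    "A3": lambda s, a: set() if s == "busy" else {"r3"},  # A3 blocks when busy
}
state = {"A1": "s", "A2": "s", "A3": "busy"}
print(globally_enabled("A1", {"a"}, reactive, state))  # True: only A2 must react to a
print(globally_enabled("A1", {"b"}, reactive, state))  # False: A3 blocks b
```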

    Definition 1.12. A (global) generative structure for atom A_i is a function G_i : ∏_{i=1}^N S_i → P(TG_i). A (global) reactive structure for atom A_i is a function R_i : ∏_{i=1}^N S_i × ACTLAB → P(TR_i). (For the definition of TG_i and TR_i, see Def. 1.11.) We restrict to finite structures, that is, G_i(s) and R_i(s, a) are finite for all s, a.


    r_i(s_i, a, s′_i) = r_i(t_i, b, s′_i) for all r_i, s_i, a, s′_i, b, t_i.

    The first two conditions reflect the fact that the structures in A are as in Definition 1.2, while the last two conditions reflect the fact that the transitions in A are as in Definition 1.1.

    1.3 generalized projections and schedulers

    In this section, we generalize the projections and schedulers introduced in Subsection 1.1.4. These generalized versions apply to simple as well as to extended IPIOA.

    1.3.1 Projections

    Definition 1.6 in Subsection 1.1.4 introduces the function [[·]]_i. It transforms a global path into a local path of atom A_i. This function is used in order to evaluate the scheduler on a local path instead of a global one: when defining the probability η(σ)(c) (Def. 1.9), we faced the factor Θ_i([[σ]]_i). Since Θ_i : APATHS(A_i) → PROB(TG_i), we have Θ_i([[σ]]_i) = Θ_i([[σ′]]_i) for all σ, σ′ such that [[σ]]_i = [[σ′]]_i.

    The transformation from global to local paths hides information from the scheduler. In order to illustrate this, we can consider functions other than [[·]]_i and, particularly, two extreme cases:

    If we consider the function f_i : PATHS(P) → {INIT_i} defined as f_i(σ) = INIT_i for all σ, then we can define our output schedulers as functions Θ_i : {INIT_i} → PROB(TG_i). In this case, Θ_i(f_i(σ)) = Θ_i(f_i(σ′)) for all σ, σ′. Here, Θ_i has no information about what the global path is, and so it is forced to choose the same distribution in all paths (to ease explanation, we assume all transitions to be enabled in all states, thus disregarding restriction (1.3)).

    If we consider the identity function ID : PATHS(P) → PATHS(P) and the schedulers Θ_i : PATHS(P) → PROB(TG_i), then Θ_i(ID(σ)) = Θ_i(σ). Here, it may be the case that Θ_i chooses a different transition for each global path. In other words, Θ_i has perfect information about what the global path is, and then Θ_i can choose according to the global path.
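The two extreme cases can be sketched over a toy finite set of global paths (strings here, purely for illustration): under the constant projection every path has the same image, while under the identity all paths stay distinguishable.

```python
paths = ["INIT", "INIT.a.s1", "INIT.b.s2"]

proj_f = lambda sigma: "INIT_i"   # [sigma]^f_i: forgets everything
proj_id = lambda sigma: sigma     # [sigma]^ID_i: full information

# Under []^f all paths collapse to a single image, so a scheduler defined
# on the images must pick one distribution for all paths:
print({proj_f(s) for s in paths})                       # a single image
# Under []^ID every path keeps its own image:
print(len({proj_id(s) for s in paths}) == len(paths))   # True
```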

    These examples motivate the following general definition.

    Definition 1.13. Given a system P = ∥_{i=1}^N A_i, a projection [·] is a family of functions [·]_i : PATHS(P) → O^[·]_i. The set of all projections for P is denoted by PROJECTIONS(P). For the particular case of [[·]]_i, we have O^[·]_i = APATHS(A_i). The range of [·]_i is denoted by LOCALPATHS^[·]_i.

    Usually, we do not care too much for the precise definition of the set O^[·]_i, as we can often infer it from the definition of [·]_i. We have LOCALPATHS^[·]_i ⊆ O^[·]_i, as O^[·]_i is the co-domain of [·]_i, while LOCALPATHS^[·]_i is the range. Then, for all λ_i ∈ LOCALPATHS^[·]_i there exists σ such that [σ]_i = λ_i.

    From the two examples above, we can construct two projections [·]^f and [·]^ID defined by [σ]^f_i = INIT_i and [σ]^ID_i = σ for all σ.

    When introducing the function f_i, we assumed that all transitions were enabled in all states. We need this assumption in order to ensure that Θ_i(f_i(σ))


    is well defined; in other words, it must comply with the following analogue of (1.3):

    Θ_i(f_i(σ))(g_i) > 0 ⟹ g_i ∈ G_i(LAST(σ)). (1.8)

    Next, we look for conditions on the projections and the generative transitions so that well-defined schedulers are ensured to exist. In case there are two paths σ, σ′ such that [σ]_i = [σ′]_i = λ_i, we require G_i(π_i(LAST(σ))) = G_i(π_i(LAST(σ′))). To illustrate this, suppose [σ]_i = [σ′]_i, G_i(π_i(LAST(σ))) = {g_i} and G_i(π_i(LAST(σ′))) = {g′_i}, with g_i ≠ g′_i. In this system, no output scheduler for A_i can be defined, since condition (1.8) fails for either σ or σ′. In short, the generative transitions enabled at the end of two indistinguishable paths must coincide: if this restriction does not hold, then the scheduler would not know whether it can choose a certain transition or not, since it might be the case that a transition is enabled in some global path σ, but it is disabled in other global paths having the same projection as σ.

    Hence, we require

    [σ]_i = [σ′]_i ⟹ G_i(LAST(σ)) = G_i(LAST(σ′)). (1.9)

    Note that we write G_i(LAST(σ)) = G_i(LAST(σ′)), instead of G_i(π_i(LAST(σ))) = G_i(π_i(LAST(σ′))), since in the general case we deal with global transition structures (see Def. 1.12). The projection [[·]] complies with this requirement for all simple IPIOA: if [[σ]]_i = [[σ′]]_i = s^1_i . a^1 . ⋯ . s^k_i, then π_i(LAST(σ)) = π_i(LAST(σ′)) = s^k_i. Since simple IPIOA have local transition structures (that is, their transition structures are as in Def. 1.2), we obtain G_i(π_i(LAST(σ))) = G_i(π_i(LAST(σ′))) = G_i(s^k_i), as desired.

    Similarly, we require input schedulers to satisfy

    [σ]_i = [σ′]_i ⟹ R_i(LAST(σ), a) = R_i(LAST(σ′), a) (1.10)

    for all a ∈ ACTLAB_i.

    We postpone the proof that these requirements ensure that a well-defined scheduler exists until we have presented the definition of generalized schedulers (Theorem 1.1).

    In addition to requirements (1.9) and (1.10), we assume an additional property. The motivation for this assumption is that the property is very natural, and all the projections we present comply with it (in addition, it is quite tiresome to repeat the property in the hypotheses of all theorems). We assume:

    ∀σ ⊏ σ′ : ( ∃k ≥ |σ| : LABEL(σ′(k)) ∈ ACTLAB_i ) ⟹ [σ′]_i ≠ [σ]_i . (1.11)

    This assumption is best explained by showing why it holds for [[·]]. Note that LABEL(σ′(k)) ∈ ACTLAB_i means that A_i participates in the transition after the k-th state in σ′. W.l.o.g., we consider the least such k. Let a = LABEL(σ′(k)). Then, [[σ′]]_i = [[σ]]_i . a . λ_i ≠ [[σ]]_i, where λ_i is a local path. That is, after the k-th step the atom is able to see the label in which it synchronized. In the general case, the assumption is even weaker since, by requiring [σ′]_i ≠ [σ]_i, we just enforce that, after participating in a transition, the scheduler has different information than it had previous to the transition. Intuitively, the scheduler notices that something has happened.


    Example 1.5. Suppose that a system comprises several components, each of which is modelled by an atom A_i. These components share a common resource, which is modelled as a separate atom A_r. We assume that the model of the resource is completely deterministic: the components perform operations on the resource which univocally determine its next state; moreover, the resource receives inputs from the components, and it does not generate any output. Each component is allowed to see its local state, plus the state of the resource. However, the component is not aware of a change in the state of the resource until it performs an operation on it: in case the operation changes the state of the resource, the state observed is the updated one. For the atoms A_i modelling components, the projection [·]_i capturing the information available to an atom at each point of the execution is:

    [(INIT_1, ⋯, INIT_N)]_i = INIT_i

    [σ.c.(s_1, ⋯, s_N)]_i = [σ]_i . LABEL(c) . (s_i, s_r) if LABEL(c) ∈ ACTLAB_i ∩ ACTLAB_r. Here, s_r is the local state of atom A_r, and LABEL(c) ∈ ACTLAB_i ∩ ACTLAB_r means that c is a compound transition involving both the component and the resource.

    [σ.c.(s_1, ⋯, s_N)]_i = [σ]_i . LABEL(c) . s_i if LABEL(c) ∈ ACTLAB_i and LABEL(c) ∉ ACTLAB_r. In this case, the transition involves the component but not the resource, and so the projection gives the same information as [[·]].

    [σ.c.(s_1, ⋯, s_N)]_i = [σ]_i if LABEL(c) ∉ ACTLAB_i. In this case, the atom does not obtain new information from c.

    With respect to atom A_r, the projection can be defined arbitrarily: projections capture the information used to resolve the nondeterministic choices, and we assumed that there are no such choices in A_r. For simplicity, let [·]_r = [[·]]_r.

    The restrictions (1.9) and (1.10) indicate that, if a component other than A_i performs an operation on the resource, this operation does not affect the enabledness of the transitions in A_i until the next time A_i operates on the resource.

    In order to give a concrete example, assume there are two components modelled by atoms A_1 and A_2, while the resource is modelled by A_r. Let a ∈ ACTLAB_1 ∩ ACTLAB_r, b ∈ ACTLAB_1, b ∉ ACTLAB_r, c ∉ ACTLAB_1, and let σ be the path displayed below. Then,

    [σ]_1 = [ (s^1_1, s^1_2, s^1_r) . (g^1, a, r^1) . (s^2_1, s^1_2, s^2_r) . (g^2, b) . (s^3_1, s^1_2, s^2_r) . (g^3, c, r^3) . (s^3_1, s^2_2, s^3_r) ]_1
          = s^1_1 . a . (s^2_1, s^2_r) . b . s^3_1 .

    Furthermore, suppose that g^3(s^2_2, d, s^3_2) > 0 for some d ∉ ACTLAB_r. That is, by executing g^3, atom A_2 can output not only c, but also a label d that is not an operation on A_r. Then, for the path σ′ displayed below,

    [σ′]_1 = [ (s^1_1, s^1_2, s^1_r) . (g^1, a, r^1) . (s^2_1, s^1_2, s^2_r) . (g^2, b) . (s^3_1, s^1_2, s^2_r) . (g^3, d) . (s^3_1, s^2_2, s^2_r) ]_1
           = s^1_1 . a . (s^2_1, s^2_r) . b . s^3_1 = [σ]_1 .

    The fact that [σ′]_1 = [σ]_1 reflects that A_1 is not able to see whether the state of the resource has changed since the last operation on it. Atom A_1 only


    knows that, after the last time A_1 performed an operation, the state of the resource was s^2_r.
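The projection of Example 1.5 and the two paths above can be sketched concretely. The encoding below is ours (a path is a list alternating global states and labels; a global state is a triple (s_1, s_2, s_r)), and the label sets mirror the example: a is a joint A_1/A_r label, b belongs only to A_1, while c and d are outputs of A_2 (c operates on the resource, d does not).

```python
ACTLAB1 = {"a", "b"}
ACTLABr = {"a", "c"}   # c is an operation on the resource performed by A2

def project_1(path):
    """[.]_1 from Example 1.5: keep A1's local state, the labels in ACTLAB1,
    and the resource state after joint A1/Ar transitions."""
    out = [path[0][0]]  # initial local state of A1
    for k in range(1, len(path), 2):
        label, (s1, s2, sr) = path[k], path[k + 1]
        if label in ACTLAB1 and label in ACTLABr:
            out += [label, (s1, sr)]   # A1 also sees the (updated) resource state
        elif label in ACTLAB1:
            out += [label, s1]         # same information as [[.]]
        # labels outside ACTLAB1 are invisible to A1
    return out

sigma = [("s1_1", "s1_2", "s1_r"), "a", ("s2_1", "s1_2", "s2_r"),
         "b", ("s3_1", "s1_2", "s2_r"), "c", ("s3_1", "s2_2", "s3_r")]
sigma_p = [("s1_1", "s1_2", "s1_r"), "a", ("s2_1", "s1_2", "s2_r"),
           "b", ("s3_1", "s1_2", "s2_r"), "d", ("s3_1", "s2_2", "s2_r")]

print(project_1(sigma) == project_1(sigma_p))  # True: A1 cannot tell them apart
print(project_1(sigma))
```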

    An order on projections

    We say that a projection [·]′ gives at least the same information as [·] (written [·] ⊑ [·]′) if

    ∀A_i ∈ ATOMS(P), σ, σ′ : [σ]_i ≠ [σ′]_i ⟹ [σ]′_i ≠ [σ′]′_i (1.12)

    that is, all the paths distinguished by [·] are distinguished by [·]′ as well. As an example, for the projection [·] in Example 1.5, we have [[·]] ⊑ [·]. Intuitively, [[·]] only allows to see the local state and the action labels in ACTLAB_i, while [·] also allows to see the state of the shared resource after a synchronization. In order to prove [[·]] ⊑ [·], we can prove the contrapositive of (1.12), namely

    ∀σ, σ′ : [σ]_i = [σ′]_i ⟹ [[σ]]_i = [[σ′]]_i.

    In case Ai = Ar, the result follows trivially from []r = [[]]r. For atomsAi= Ar, the implication can be proven by induction, considering the fourcases in the definition of []i in Example 1.5.A concrete example gives usmore insight: if

    1

    i=INIT1.a1.(s11, s

    1r ).a

    2.s21, then[[1]]i =INIT1.a1.s11.a

    2.s21.In general,[[]]ican be obtained by removing theAr-states from[]i. Hence,for all, such that[]i = [

    ]i, by removing theAr-states in[]iand []i,

    we obtain[[]]i = [[ ]]ias well.We say that two projections are equivalent (denoted by [][] ) iff

    , : []i

    = i [] i= [ ] i.

    Note that [·] ≡ [·]′ iff [·] ⊑ [·]′ and [·]′ ⊑ [·]. We can obtain more insight on the relations ⊑ and ≡ by considering the kernels of the projections. The kernel of a function f (denoted by KER_f) is an equivalence relation defined as:

    a KER_f b ⟺ f(a) = f(b).

    Hence,

    [·] ≡ [·]′ ⟺ ∀A_i : KER_{[·]_i} = KER_{[·]′_i} (1.13)

    In addition, [·] ⊑ [·]′ iff

    ∀A_i : ∀σ, σ′ : σ KER_{[·]′_i} σ′ ⟹ σ KER_{[·]_i} σ′ .

    If we see the relation KER_{[·]_i} as a set of ordered pairs, then

    [·] ⊑ [·]′ ⟺ KER_{[·]′_i} ⊆ KER_{[·]_i} (1.14)

    (in terms of relations, KER_{[·]_i} is coarser than or equal to KER_{[·]′_i}).

    (in terms of relations,KER[]iis coarser than or equal toKER[] i ).The equivalences (1.13) and (1.14) imply that defines a partial order on

    PROJECTIONS(P)/. The results in this thesis do not profit from this property

    of, and we point it out just to justify the notation. The only property ofthe order we use in the thesis is the lemma below, which states that []IDis a top element of the order.
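The kernel characterization (1.14) can be checked on a toy path set: with kernels viewed as sets of ordered pairs, the finer projection has the smaller kernel. The two projections below are plain illustrative functions on strings, not taken from the thesis.

```python
from itertools import product

paths = ["p1", "p2", "p3", "p4"]
proj_coarse = {"p1": 0, "p2": 0, "p3": 1, "p4": 1}.get   # plays the role of [.]
proj_fine = {"p1": 0, "p2": 1, "p3": 2, "p4": 2}.get     # plays the role of [.]'

def kernel(f):
    # KER_f as a set of ordered pairs: (x, y) with f(x) = f(y)
    return {(x, y) for x, y in product(paths, paths) if f(x) == f(y)}

# [.] ⊑ [.]'  iff  KER_[.]' ⊆ KER_[.]:
print(kernel(proj_fine) <= kernel(proj_coarse))   # True: coarse ⊑ fine
print(kernel(proj_coarse) <= kernel(proj_fine))   # False: fine gives strictly more information
```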


    such that

    Υ_i(σ, a)(r_i) > 0 ⟹ r_i ∈ R_i(LAST(σ), a)

    and

    ∀a ∈ ACTLAB_i, σ, σ′ : [σ]_i = [σ′]_i ⟹ Υ_i(σ, a) = Υ_i(σ′, a) . (1.19)

    Recall that, when defining projections, we imposed the restrictions (1.9) and (1.10), with the aim to ensure the existence of output and input schedulers. Moreover, we can ensure the existence of non-randomized schedulers.

    Theorem 1.1. For all atoms A_i and projections [·], a non-randomized output (input, resp.) scheduler for A_i exists.

    Proof. We prove the case for output schedulers (the case for input schedulers follows in the same way). In order to do so, we construct an output scheduler Θ_i. For all λ_i ∈ LOCALPATHS^[·]_i, let Q(λ_i) be a global path such that [Q(λ_i)]_i = λ_i, and let T(λ_i) be a generative transition enabled in LAST(Q(λ_i)). For all σ such that [σ]_i = λ_i, define

    Θ_i(σ)(T([σ]_i)) = 1 .

    If [σ]_i = [σ′]_i, then

    Θ_i(σ) = 1 : T([σ]_i) = 1 : T([σ′]_i) = Θ_i(σ′) ,

    as desired.

    In addition, Θ_i(σ)(g_i) > 0 ⟹ g_i = T([σ]_i) and so, by definition of T([σ]_i), we obtain g_i ∈ G_i( LAST(Q([σ]_i)) ). Since (by definition of Q(λ_i)) we have [σ]_i = [Q([σ]_i)]_i, requirement (1.9) implies

    G_i(LAST(σ)) = G_i( LAST(Q([σ]_i)) ) ,

    and hence g_i ∈ G_i(LAST(σ)).
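The construction in the proof can be sketched on finite data: pick one witness global path Q(λ_i) per local path, pick a transition T(λ_i) enabled at its last state, and let the scheduler map every σ to T([σ]_i) with probability 1. The paths, projection, and enabled sets below are invented for illustration; the enabled sets respect requirement (1.9).

```python
paths = ["x.a.y", "x.a.z", "x.b.w"]
proj = {"x.a.y": "la", "x.a.z": "la", "x.b.w": "lb"}.get        # [sigma]_i
# Requirement (1.9): paths with equal projection have equal enabled sets.
enabled = {"x.a.y": {"g1", "g2"}, "x.a.z": {"g1", "g2"}, "x.b.w": {"g3"}}

Q = {}  # one witness global path per local path
for sigma in paths:
    Q.setdefault(proj(sigma), sigma)
# T(lambda_i): any transition enabled at LAST(Q(lambda_i)) (sorted for determinism)
T = {lam: sorted(enabled[q])[0] for lam, q in Q.items()}

# The non-randomized scheduler: all mass on T([sigma]_i).
scheduler = {sigma: {T[proj(sigma)]: 1.0} for sigma in paths}
print(scheduler["x.a.y"] == scheduler["x.a.z"])  # True: constant on projection classes
print(all(next(iter(d)) in enabled[s] for s, d in scheduler.items()))  # True: well defined
```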

    Example 1.6. In order to exemplify how schedulers and projections interact, we consider the projections [·]^f and [·]^ID presented at the beginning of Subsection 1.3.1. We show that the restriction imposed on schedulers yields the intended meaning we gave to these projections in Subsection 1.3.1. Again, in order to ease explanation, we assume that all transitions are enabled in all states. If Θ_i is distributed under [·]^f, then it must be Θ_i(σ) = Θ_i(σ′) for all σ, σ′ such that [σ]^f_i = [σ′]^f_i. Since [σ]^f_i = [σ′]^f_i = INIT_i, we have Θ_i(σ) = Θ_i(σ′) for all σ, σ′. That is, the scheduler chooses the same (distribution on) transition(s) for all σ, σ′. This corresponds to the intended meaning in Subsection 1.3.1, since we get an output scheduler whose resolution of nondeterminism is the same in all paths.

    If Θ_i is distributed under [·]^ID, then the equality is required for all σ, σ′ such that [σ]^ID_i = [σ′]^ID_i, that is, for all σ, σ′ such that σ = σ′. Of course, the requirement σ = σ′ ⟹ Θ_i(σ) = Θ_i(σ′) holds no matter how we define Θ_i. Then, the schedulers distributed under [·]^ID are not restricted at all. They can be seen as schedulers that have access to all the information, and are thus able to make any arbitrary decision based on the full history of the system.


    Recall the projection [·] in Example 1.5, and the paths σ, σ′ defined therein. In the example, we have [σ]_1 = [σ′]_1. The restriction Θ_1(σ) = Θ_1(σ′) indicates that the resolution of the nondeterminism in A_1 cannot be changed according to whether A_2 has performed an operation on the shared resource or not. This constraint on the scheduler captures the fact that, in a distributed setting, A_1 is not able to see the operations of A_2 until some communication occurs via the shared resource.

    So far, we have extended output and input schedulers. The definition of the interleaving scheduler is almost unchanged with respect to the one in Subsection 1.1.4: an interleaving scheduler is a function

    I : PATHS(P) → PROB({A_1, ⋯, A_N})

    such that

    I(σ)(A_i) > 0 ⟹ G_i(LAST(σ)) ≠ ∅ . (1.20)

    Note that the only change wrt. Subsection 1.1.4 is that the implication (1.20) concerns LAST(σ), while the implication (1.5) concerns π_i(LAST(σ)). The reason for this change is that, in the general case, we deal with global transition structures (Def. 1.12).

    A distributed scheduler under [·] is a tuple

    (I, {Θ_i}^N_{i=1}, {Υ_i}^N_{i=1})

    where Θ_i is an output scheduler and Υ_i is an input scheduler under [·] for each A_i, and I is an interleaving scheduler.

    Given a system P, we denote by DIST_P([·]) the set of all distributed schedulers for P under [·].

    The following notation allows us to adapt the definitions and results for the projection [[·]] (and its respective schedulers introduced in Subsection 1.1.4) to generalized projections and schedulers.

    Notation 1.3. Given an output scheduler Θ_i under [·], and a local path λ_i in LOCALPATHS^[·]_i (recall Def. 1.13), we define Θ_i(λ_i) = Θ_i(σ), where σ is any global path such that [σ]_i = λ_i. Equation (1.18) ensures that the existence of several such σ does not introduce any ambiguity. Similarly, we write Υ_i(λ_i, a) for Υ_i(σ, a) for any input scheduler Υ_i.

    This notation is useful in calculations, since it allows us to write

    Σ_{σ | [σ]_i = λ_i} Θ_i(σ) · f(σ) = Θ_i(λ_i) · Σ_{σ | [σ]_i = λ_i} f(σ)

    instead of the more verbose

    Σ_{σ | [σ]_i = λ_i} Θ_i(σ) · f(σ) = Θ_i(σ′) · Σ_{σ | [σ]_i = λ_i} f(σ) for some σ′ s.t. [σ′]_i = λ_i .
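The factoring step above can be checked numerically: since Θ_i is constant on { σ | [σ]_i = λ_i }, it can be pulled out of the sum. The weights f(σ) and all names below are toy values of ours.

```python
paths = ["p1", "p2", "p3"]
proj = {"p1": "lam", "p2": "lam", "p3": "other"}.get
theta = {"p1": 0.4, "p2": 0.4, "p3": 0.9}   # constant on each projection class
f = {"p1": 2.0, "p2": 3.0, "p3": 5.0}       # arbitrary weights

cls = [s for s in paths if proj(s) == "lam"]
lhs = sum(theta[s] * f[s] for s in cls)     # sum of Theta_i(sigma) * f(sigma)
rhs = theta[cls[0]] * sum(f[s] for s in cls)  # Theta_i(lambda_i) * sum of f(sigma)
print(abs(lhs - rhs) < 1e-12)  # True
```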

    In the light of the notation, we notice that an alternative definition for output schedulers could be Θ_i : LOCALPATHS^[·]_i → PROB(TG_i). The problem with this definition is that, given Θ_i under [·] and Θ′_i under [·]′ ≠ [·], these output schedulers are different mathematical entities (since the domain of Θ_i is LOCALPATHS^[·]_i, while the domain of Θ′_i is LOCALPATHS^[·]′_i) even if they resolve nondeterminism in the same way for all paths, that is, even if Θ_i([σ]_i) = Θ′_i([σ]