Synthesis of asynchronous distributed systems from global specifications
The synthesis problem asks whether there exists an implementation for a given formal specification and derives such an implementation if it exists. This approach enables engineers to think on a more abstract level about what a system should achieve instead of how it should accomplish its goal. The synthesis problem is often represented by a game between system players and environment players. Petri games define the synthesis problem for asynchronous distributed systems with causal memory. So far, decidability results for Petri games are mainly obtained for local winning conditions, which is limiting as global properties like mutual exclusion cannot be expressed. In this thesis, we make two contributions. First, we present decidability and undecidability results for Petri games with global winning conditions. The global safety winning condition of bad markings defines markings that the players have to avoid. We prove that the existence of a winning strategy for the system players in Petri games with a bounded number of system players, at most one environment player, and bad markings is decidable. The global liveness winning condition of good markings defines markings that the players have to reach. We prove that the existence of a winning strategy for the system players in Petri games with at least two system players, at least three environment players, and good markings is undecidable. Second, we present semi-decision procedures to find winning strategies for the system players in Petri games with global winning conditions and without restrictions on the distribution of players. The distributed nature of Petri games is employed by proposing encodings with true concurrency. We implement the semi-decision procedures in a corresponding tool.

The synthesis problem asks whether an implementation exists for a specification, and generates such an implementation if it exists. This approach allows programmers to concentrate more on what a system should achieve and less on how the specification should be fulfilled. The synthesis problem is often represented as a game between a system player and an environment player. Petri games define the synthesis problem for asynchronous distributed systems with causal memory. So far, results on the decidability of Petri games have mostly been obtained for local winning conditions. In this thesis, we first present results on the decidability and undecidability of Petri games with global winning conditions. We prove that the existence of a winning strategy for the system players in Petri games with a bounded number of system players, at most one environment player, and bad markings is decidable. We also prove that the existence of a winning strategy for the system players in Petri games with at least two system players, at least three environment players, and good markings is undecidable. We then present semi-decision procedures to find winning strategies for the system players in Petri games with global winning conditions and without restrictions on the distribution of players. We exploit the distributed nature of Petri games by introducing encodings that make use of concurrency. The semi-decision procedures are implemented in a corresponding tool.
Efficient Trace Encodings of Bounded Synthesis for Asynchronous Distributed Systems
The manual implementation of distributed systems is an error-prone task because of the asynchronous interplay of components and the environment. Bounded synthesis automatically generates an implementation for the specification of the distributed system if one exists. So far, bounded synthesis for distributed systems does not utilize their asynchronous nature. Instead, concurrent behavior of components is encoded by all interleavings and only then checked against the specification. We close this gap by identifying true concurrency in synthesis of asynchronous distributed systems represented as Petri games. This defines when several interleavings can be subsumed by one true concurrent trace. Thereby, fewer and shorter verification problems have to be solved in each iteration of the bounded synthesis algorithm. For Petri games, experimental results show that our implementation using true concurrency outperforms the implementation based on checking all interleavings.
Translating Asynchronous Games for Distributed Synthesis (Full Version)
In distributed synthesis, we generate a set of process implementations that, together, accomplish an objective against all possible behaviors of the environment. A lot of recent work has focussed on systems with causal memory, i.e., sets of asynchronous processes that exchange their causal histories upon synchronization. Decidability results for this problem have been stated either in terms of control games, which extend Zielonka's asynchronous automata by partitioning the actions into controllable and uncontrollable, or in terms of Petri games, which extend Petri nets by partitioning the tokens into system and environment players. The precise connection between these two models was so far, however, an open question. In this paper, we provide the first formal connection between control games and Petri games. We establish the equivalence of the two game models based on weak bisimulations between their strategies. For both directions, we show that a game of one type can be translated into an equivalent game of the other type. We provide exponential upper and lower bounds for the translations. Our translations make it possible to transfer and combine decidability results between the two types of games. Exemplarily, we translate decidability in acyclic communication architectures, originally obtained for control games, to Petri games, and decidability in single-process systems, originally obtained for Petri games, to control games.
Global Winning Conditions in Synthesis of Distributed Systems with Causal Memory
In the synthesis of distributed systems, we automate the development of distributed programs and hardware by automatically deriving correct implementations from formal specifications. For synchronous distributed systems, the synthesis problem is well known to be undecidable. For asynchronous systems, the boundary between decidable and undecidable synthesis problems is a long-standing open question. We study the problem in the setting of Petri games, a framework for distributed systems where asynchronous processes are equipped with causal memory. Petri games extend Petri nets with a distinction between system places and environment places. The components of a distributed system are the players of the game, represented as tokens that exchange information during each synchronization. Previous decidability results for this model are limited to local winning conditions, i.e., conditions that only refer to individual components.
In this paper, we consider global winning conditions such as mutual exclusion, i.e., conditions that refer to the state of all components. We provide decidability and undecidability results for global winning conditions. First, we prove for winning conditions given as bad markings that it is decidable whether a winning strategy for the system players exists in Petri games with a bounded number of system players and one environment player. Second, we prove for winning conditions that refer to both good and bad markings that it is undecidable whether a winning strategy for the system players exists in Petri games with at least two system players and one environment player. Our results thus show that, on the one hand, it is indeed possible to use global safety specifications like mutual exclusion in the synthesis of distributed systems. However, on the other hand, adding global liveness specifications results in an undecidable synthesis problem for almost all Petri games.
Formal Runtime Error Detection During Development in the Automotive Industry
Modern automotive software is highly complex and consists of millions of lines of code. For safety-relevant automotive software, it is recommended to use sound static program analysis to prove the absence of runtime errors. However, the analysis is often perceived as burdensome by developers because it runs for a long time and produces many false alarms. If the analysis is performed on the integrated software system, there is a scalability problem, and the analysis is only possible at a late stage of development. If the analysis is performed on individual modules instead, this is possible at an early stage of development, but the usage context of modules is missing, which leads to too many false alarms. In this case study, we present how automatically inferred contracts add context to module-level analysis. Leveraging these contracts with an off-the-shelf tool for abstract interpretation makes module-level analysis more precise and more scalable. We evaluate this framework quantitatively on industrial case studies from different automotive domains. Additionally, we report on our qualitative experience for the verification of large-scale embedded software projects.

Comment: to be published in VMCAI 202
A Web Interface for Petri Nets with Transits and Petri Games
Developing algorithms for distributed systems is an error-prone task. Formal models like Petri nets with transits and Petri games can prevent errors when developing such algorithms. Petri nets with transits allow us to follow the data flow between components in a distributed system. They can be model checked against specifications in LTL on both the local data flow and the global behavior. Petri games allow the synthesis of local controllers for distributed systems from safety specifications. Modeling problems in these formalisms requires defining extended Petri nets, which can be cumbersome when performed textually. In this paper, we present a web interface that allows an intuitive, visual definition of Petri nets with transits and Petri games. The corresponding model checking and synthesis problems are solved directly on a server. In the interface, implementations, counterexamples, and all intermediate steps can be analyzed and simulated. Stepwise simulations and interactive state space generation support the user in detecting modeling errors.
Translating Asynchronous Games for Distributed Synthesis
In distributed synthesis, a set of process implementations is generated which, together, accomplish an objective against all possible behaviors of the environment. A lot of recent work has focussed on systems with causal memory, i.e., sets of asynchronous processes that exchange their causal histories upon synchronization. Decidability results for this problem have been stated either in terms of control games, which extend Zielonka's asynchronous automata by partitioning the actions into controllable and uncontrollable, or in terms of Petri games, which extend Petri nets by partitioning the tokens into system and environment players. The precise connection between these two models was so far, however, an open question.
In this paper, we provide the first formal connection between control games and Petri games. We establish the equivalence of the two game types based on weak bisimulations between their strategies. For both directions, we show that a game of one type can be translated into an equivalent game of the other type. We provide exponential upper and lower bounds for the translations. Our translations allow us to transfer and combine decidability results between the two types of games. Exemplarily, we translate decidability in acyclic communication architectures, originally obtained for control games, to Petri games, and decidability in single-process systems, originally obtained for Petri games, to control games.