Verification and Synthesis of Symmetric Uni-Rings for Leads-To Properties
Ali Ebnenasir

TL;DR
This paper explores the verification and synthesis of symmetric uni-ring protocols satisfying leadsto properties, revealing undecidability in verification but decidability and polynomial-time synthesis methods for protocol generation.
Contribution
It establishes the undecidability of verification and introduces a decidable, polynomial-time synthesis approach for symmetric uni-ring protocols satisfying leadsto properties.
Findings
Verification of leadsto properties is undecidable.
Synthesis of protocols satisfying leadsto is decidable and efficient.
Synthesized protocols include agreement and parity protocols.
Abstract
This paper investigates the verification and synthesis of parameterized protocols that satisfy leadsto properties on symmetric unidirectional rings (a.k.a. uni-rings) of deterministic and constant-space processes under no fairness and interleaving semantics, where and are global state predicates. First, we show that verifying for parameterized protocols on symmetric uni-rings is undecidable, even for deterministic and constant-space processes, and conjunctive state predicates. Then, we show that surprisingly synthesizing symmetric uni-ring protocols that satisfy is actually decidable. We identify necessary and sufficient conditions for the decidability of synthesis based on which we devise a sound and complete polynomial-time algorithm that takes the predicates and , and automatically generates a parameterized protocol that…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
\newaliascnt
lemmatheorem \aliascntresetthelemma
\newaliascntcorollarytheorem \aliascntresetthecorollary
\newaliascntexampletheorem \aliascntresettheexample
\newaliascntproblemtheorem \aliascntresettheproblem
\newaliascntdefinitiontheorem \aliascntresetthedefinition
\newaliascntremarktheorem \aliascntresettheremark
\newaliascntobservationtheorem \aliascntresettheobservation
Verification and Synthesis of Symmetric Uni-Rings for Leads-To Properties
Ali Ebnenasir
Department of Computer Science
Michigan Technological University
Houghton MI 49931
(May 2019)
Abstract
This paper investigates the verification and synthesis of parameterized protocols that satisfy leadsto properties on symmetric unidirectional rings (a.k.a. uni-rings) of deterministic and constant-space processes under no fairness and interleaving semantics, where and are global state predicates. First, we show that verifying for parameterized protocols on symmetric uni-rings is undecidable, even for deterministic and constant-space processes, and conjunctive state predicates. Then, we show that surprisingly synthesizing symmetric uni-ring protocols that satisfy is actually decidable. We identify necessary and sufficient conditions for the decidability of synthesis based on which we devise a sound and complete polynomial-time algorithm that takes the predicates and , and automatically generates a parameterized protocol that satisfies for unbounded (but finite) ring sizes. Moreover, we present some decidability results for cases where leadsto is required from multiple distinct predicates to different predicates. To demonstrate the practicality of our synthesis method, we synthesize some parameterized protocols, including agreement and parity protocols.
1 Introduction
This paper investigates the verification and synthesis of parameterized protocols that satisfy leadsto properties on symmetric unidirectional rings (a.k.a. uni-rings) of deterministic and constant-space processes under no fairness and interleaving semantics, where and represent global state predicates. The significance of this problem is two-fold. First, ring is a simple, but important topology for distributed systems whose underlying communication graph includes cycles (which is the case in many practical domains). Second, the leadsto property is a critical liveness requirement in numerous contexts where system executions should guarantee eventual response (i.e., reaching the set of states ) to specific stimuli (i.e., being in the set of states ). In a symmetric ring, the code of each process is generated from the code of a template/representative process by a simple variable renaming. Moreover, the number of processes in the ring is unbounded (but finite). In this paper, we first extend Suzuki’s undecidability results of verifying Linear Temporal Logic (LTL) properties of uni-rings [56] to the special case of verifying leadsto properties for symmetric uni-rings of deterministic and constant-space processes, and show that the verification problem remains undecidable. We then present a surprising result that, despite the undecidability of verification, synthesizing uni-rings that satisfy leadsto properties is actually decidable. This is a counterintuitive result as it is believed [47] that the synthesis of distributed systems is harder than their verification.
Most existing synthesis methods for parameterized protocols are extensions/variants of bounded and parameterized synthesis with a focus on Temporal Logic (TL) properties [20] for general communication topologies and under fairness assumptions. For example, Finkbeiner and Schewe [27] formulate the synthesis of fixed-size protocols as a set of constraints, and use Satisfiability Modulo Theory (SMT) solvers [14] to find a protocol that is accepted by a Universal Co-Buchi Tree (UCT) automaton generated from TL specifications. The search for a protocol is conducted up to a certain bound in the state space of processes and/or their automata-theoretic product; i.e., bounded synthesis. Jacobs and Bloem [37] extend bounded synthesis to parameterized protocols by identifying cutoff bounds, where a solution exists for a protocol with cutoff number of processes iff (if and only if) a solution exists for the parameterized protocol with unbounded number of processes (a.k.a. parameterized synthesis). Then, they apply the SMT-based bounded synthesis for an instance of the problem with at most cutoff processes. QBF-based bounded synthesis [29] takes an incomplete design (a.k.a. sketch) of a protocol and uses bounded synthesis towards generating fault-tolerant protocols in a bounded space. While methods for verification and synthesis of parameterized programs inspire our work, they (1) are mainly based on bounded/parameterized synthesis from temporal logic specifications; (2) make assumptions about synchrony, weak/strong fairness and complete knowledge of the network for each process; (3) the iterative nature of bounded and parameterized synthesis makes them computationally expensive and sensitive to their input (in part due to using SMT solvers), and (4) mostly focus on safety and local liveness properties that are specified in terms of the neighborhood of a proper subset of processes (e.g., progress of each process).
This paper puts forward a paradigm shift where we make a step towards developing a topology and property-specific approach. Our long-term objective is to create an extensible library of synthesis algorithms and tools that can efficiently generate parameterized protocols for specific elementary topologies (e.g., ring, tree, mesh, etc.) and basic temporal properties (e.g., leadsto, until, safety, etc.). Another component of this new paradigm includes methods that compose parameterized protocols with elementary topologies while preserving correctness, which is beyond the scope of this work. The core novelty of the proposed approach of this paper lies in identifying local characterizations of global properties (e.g., reachability, livelocks) towards enabling synthesis in the local state space of the template process for global correctness. Such local characterizations would enable more efficient automated reasoning methods, where the time/space complexity of synthesis will be in terms of the size of the local state space of template processes instead of semi-decision procedures that conduct backward/forward reachability analysis [13].
In the case of symmetric uni-rings that satisfy leadsto properties , we first show that verifying remains undecidable even for protocols with constant-space and deterministic processes, and for conjunctive state predicates and , where denotes the number of processes in the ring, represents values modulo , and captures an abstraction of all writeable variables of the template process . (Conjunctive predicates may seem restricted but they have important applications for many systems [60, 33].) We then show some negative results that satisfying by reaching states in where is impossible. Intuitively, this negative result is an outcome of the impossibility of recovery to an -coloring in symmetric uni-rings from any state (due to Bernard et al.’s [8]). Subsequently, we show that synthesizing a parameterized protocol that satisfies is decidable iff (if and only if) there are some distinct values Dom for which and hold. Our necessary and sufficient conditions are based on the intuition that a parameterized protocol on a uni-ring that satisfies exists iff there is a sequence of steps for every process towards satisfying locally, starting from a state that satisfies . We then provide a sound and complete algorithm that takes the state predicates and , and generates the parameterized actions of the template process, if a solution exists. The time complexity of the proposed algorithm is polynomial in the state space of the template process, which is often a small value for constant-space processes. We also show that synthesis remains decidable for cases where leadsto is required from the conjunction/disjunction of a set of predicates , where , to the conjunction/disjunction of two predicates and . To demonstrate the practicality of our algorithm, we present a few case studies including a protocol that ensures reaching agreement in uni-rings when processes of the ring disagree on a value, and a parity protocol that guarantees a common parity amongst the processes. We conjecture that the implementation of our algorithm will provide a highly efficient synthesis tool as our previous work [18] on the synthesis of fault-tolerant parameterized uni-rings confirms our belief.
Organization. Section 2 presents some basic concepts. Section 3 shows that verifying leadsto on uni-rings is undecidable. Section 4 identifies necessary and sufficient conditions for decidability of synthesizing symmetric uni-rings that satisfy leadsto properties. Section 5 presents a few case studies, including an agreement and a parity protocol. Section 6 discusses related work, and Section 7 summarizes our contributions and outlines some future work.
2 Preliminaries
This section presents the definition of parameterized protocols and their representation as action graphs. Wlog, we use the term protocol to refer to finite-state symmetric uni-rings as we conduct our investigation in the context of network protocols. Such rings are parameterized in the number of processes in the ring. A protocol for a computer network includes processes (finite-state machines), where each process has a finite set of readable and writeable variables. Any local state of a process (a.k.a. locality/neighborhood) is determined by a unique valuation of its readable variables. We assume that any writeable variable is also readable. The global state of a protocol is defined by a snapshot of the local states of all processes. The state space of a protocol, denoted by , is the universal set of all global states. A state predicate is a subset of . A process acts (i.e., transitions) when it atomically updates its state based on its locality. The locality of a process is defined by the network topology. For example, in a uni-ring consisting of processes, each process (where , i.e., ) has a neighbor/predecessor , where subtraction and addition are in modulo . We assume that processes act one at a time (i.e., interleaving semantics). Thus, each global transition corresponds to the action of a single process from some global state. An execution/computation of a protocol is a sequence of states where there is a transition from to for every . We consider parameterized protocols that consist of families of symmetric processes. Each family is represented by a template process from which the code of all family members is instantiated by a simple variable renaming/re-indexing. For instance, a symmetric uni-ring includes just one family for which we use triples of the form to denote actions of the template process . An action has two components; a guard, which is a Boolean expression in terms of readable variables and a statement that atomically updates the state (i.e., writeable variables) of the process once the guard evaluates to true; i.e., the action is enabled.
Definition \thedefinition (Transition Function).
Let be any process with a state variable in a uni-ring protocol . We define its transition function as a partial function such that if and only if has an action . In other words, can be used to define all actions of in the form of a single parametric action:
[TABLE]
where checks to see if the current and values are in the preimage of . For other topologies, the same definition of transition function holds except that the preimage of might be specified differently depending on the locality of each process.
Definition \thedefinition (Action Graph).
We depict the set of actions of the template process of a symmetric uni-ring by a labeled directed multigraph , called the action graph, where each vertex represents a value in , where denotes the domain size of and each arc with a label captures an action .
For example, consider the Sum-Not-2 protocol given in [25]. Each process has a variable and actions , , and . This protocol ensures that, from any global state, a state is reached where the sum of each two consecutive values does not equal . The set of such states is formally specified as the state predicate . We can represent this protocol as a graph containing arcs , , and as shown in Figure 1.
For simplicity, we assume that protocols consist of self-disabling processes. As such, an action cannot coexist with action for any . Moreover, a deterministic process cannot have two actions enabled at the same time; i.e., an action cannot coexist with an action where .
Definition \thedefinition (Leadsto Properties).
The focus of this paper is on leadsto properties that are specified as in Linear Temporal Logic (LTL), also denoted , where and respectively denote the universality and eventuality modalities, and and represent conjunctive state predicates for a uni-ring of processes. A computation of a protocol satisfies iff the state predicate holds in every state , for all . A computation of a protocol satisfies iff there is some such that the state predicate holds in the state . A computation of a protocol satisfies iff implies that there is some such that . A symmetric uni-ring protocol satisfies iff all the computations of satisfy , for unbounded (but finite) ring sizes.
Definition \thedefinition (Fairness).
A strongly fair scheduler ensures that any action that is infinitely often enabled will be executed infinitely often (due to Gouda [31]). A weakly fair scheduler guarantees that if an action is continuously enabled, then it will be executed infinitely often.
Livelock, deadlock, and closure. A global livelock of a protocol is an infinite computation , where is a global state, for all . A local livelock of a process of protocol is an infinite execution , where is a local state of , for all . Unless stated otherwise, we use the terms ‘’livelock” and ‘’global livelock” interchangeably. For satisfying a leadsto property , a reachable livelock that includes at least one state in is acceptable; otherwise, it is considered as a failure towards satisfying . A deadlock of is a state that has no outgoing transition; i.e., no process is enabled to act. A state predicate is closed under iff there is no transition , where but .
Definition \thedefinition (Self-Stabilization and Convergence).
A protocol is self-stabilizing [15] to a state predicate (under no fairness) iff from any state in , every computation of reaches a state in (i.e., convergence) and remains in (i.e., closure). That is, is livelock-free and deadlock-free in , and is closed under . A protocol is silent-stabilizing to iff converges to and has no computation starting in . Notice that, in LTL, convergence to is specified as , which is logically equivalent to true .
Definition \thedefinition (Weak Stabilization).
A weakly stabilizing protocol to ensures that from each state in , there is some computation that reaches a state in (a.k.a., weak convergence) and remains in .
Notice that, any self-stabilizing protocol is also weakly stabilizing but the reverse is not true.
Definition \thedefinition (Locality Graphs).
Consider a state predicate for a uni-ring. The relation captures a set of local states, representing an acceptable relation between each process and its predecessor. The relation must also be locally correctable in that, for any value of , there is always a sequence of steps that can take to establish by updating only. To simplify reasoning, we represent as a digraph , called the locality graph, such that each vertex represents a value in , and an arc is in iff is true.
Figure 2 illustrates the locality graph of the Sum-Not-2 protocol introduced in this section for the state predicate where and represents addition modulo . Each closed walk in the locality graph characterizes a class of global states in the state predicate . For example, the closed walk captures the global states of ring sizes where the value of processes follow a repeated pattern of , and is a positive integer. We now represent one of our previous results [25] on the relation between closed walks in locality graphs and global states of parameterized uni-rings.
Theorem 2.1**.**
Any closed walk of length in the locality graph of a conjunctive predicate of a uni-ring characterizes global states in of ring sizes of , where is a positive integer. (Proof in [25])
A corollary of Theorem 2.1 is as follows:
Corollary \thecorollary.
Any conjunctive state predicate whose locality graph is acyclic specifies an empty set of states in a parameterized symmetric uni-ring.
Next, we represent some of our previous results regarding livelocks (from [25, 39]) that we shall use in this paper.
Propagations and Collisions. When a process acts and enables its successor in a uni-ring, it propagates its ability to act. The successor may enable its own successor by acting, and the pattern may continue indefinitely. Such behaviors can be represented as sequences of actions that are propagated in a ring, called propagations. A propagation is a walk through the action graph. For example, the Sum-Not-2 protocol has a propagation whose actions can be executed in order by processes , , , and from a state . A propagation is periodic with period iff its -th action and -th action are the same for every index . A propagation with period corresponds to a closed walk of length in the action graph. The Sum-Not-2 protocol has such a propagation of period : (see Figure 1). A collision occurs when two consecutive processes, say and , have enabled actions; e.g., and , where . In such a scenario, . A collision occurs when executes and assigns to . If that occurs, will be disabled (because processes are self-disabling), and becomes disabled too because is no longer equal to . As a result, two enabled processes become disabled by one action.
“Leads” Relation. Consider two actions and in a process . We say the action leads iff the value of the variable after executing is the same as the value required for to execute . Formally, this means an action leads iff . Similarly, a propagation leads another iff for every index , its -th action leads the -th action of the other propagation. In the action graph, this corresponds to two walks where the label of the destination node of the -th arc in the first walk matches the arc label of the -th arc in the second walk (for each index ). In [39, 41], we prove the following theorem:
Theorem 2.2**.**
A uni-ring protocol of symmetric, deterministic and self-disabling processes has a livelock for some ring size iff there exist propagations with some period , where the -th propagation leads the -th propagation for each index modulo , for and ; i.e., the propagations successively lead each other modulo .
We have shown [25] that verifying deadlock-freedom in uni-rings is decidable. However, checking livelock-freedom is an undecidable problem for uni-ring protocols (with self-disabling and deterministic processes) [39, 41].
Theorem 2.3**.**
Verifying livelock-freedom in a symmetric uni-ring protocol (with self-disabling and deterministic processes) is undecidable [39, 41].
We have also shown that verifying livelock-freedom remains undecidable even for a special type of livelocks, where exactly one process is enabled in every state of the livelocked computation; i.e., deterministic livelocks [39].
Theorem 2.4**.**
Verifying livelock-freedom in a symmetric uni-ring protocol (with self-disabling and deterministic processes) remains undecidable even for deterministic livelocks [39].
Since in every state of a deterministic livelock there is exactly one enabled process, the choice of fairness policy has no impact on which process will be executed in each state because the scheduler has only one enabled process to select.
Corollary \thecorollary.
Verifying livelock-freedom in a symmetric uni-ring protocol (with self-disabling and deterministic processes) remains undecidable regardless of the fairness assumption (i.e., scheduling policy) [39].
The above results imply the undecidability of verifying self-stabilization for symmetric uni-rings.
Theorem 2.5**.**
Verifying silent-stabilization (and self-stabilization) for a symmetric uni-ring protocol (with self-disabling and deterministic processes) is undecidable [39].
While verifying self-stabilization for uni-rings is undecidable, we have shown that synthesis of self-stabilizing uni-rings is surprisingly decidable.
Theorem 2.6**.**
Synthesizing silent-stabilization for a parameterized uni-ring protocol (with self-disabling, deterministic and constant-space processes) is decidable [42, 18].
Theorem 2.7**.**
Let denote a variable representing the local state space of each process in a symmetric uni-ring of processes (where ), and the domain size of be a fixed value regardless of . Then, there is a protocol that self-stabilizes to a state predicate for unbounded (but finite) ring size iff there is a vertex in the locality graph of , where has a self-loop (i.e., holds) that can be reached from another vertex.
3 Undecidability of Verification
This section presents some impossibility results for the verification and synthesis of symmetric uni-ring protocols that satisfy leads-to properties. Throughout the rest of the paper, and represent conjunctive state predicates. First, we formulate the verification problem as follows:
Problem \theproblem (Verification of LeadsTo).
Let be a symmetric parameterized protocol on a uni-ring, and and represent conjunctive state predicates. Does satisfy for unbounded (but finite) ring sizes?
Theorem 3.1**.**
Problem 3 is undecidable for uni-rings of self-disabling, constant-space and deterministic processes.
Proof.
For a symmetric protocol to satisfy on a uni-ring, should ensure that starting in , its computations will eventually reach some state in under no fairness and interleaving semantics. This requires deadlock and livelock-freedom of computations of that start in . Due to undecidability of verifying livelock-freedom on symmetric uni-rings (Theorem 2.3), Problem 3 is also undecidable. ∎
Problem \theproblem (Synthesis of LeadsTo).
Let and be conjunctive state predicates. Consider a symmetric uni-ring of self-disabling, constant-space and deterministic processes. Does there exist a symmetric protocol on the ring that satisfies for unbounded (but finite) ring sizes?
To investigate Problem 3, we first consider a special case of this problem where =true.
Problem \theproblem (Synthesis of Convergence).
Let be a conjunctive state predicate. Consider a symmetric uni-ring of self-disabling, constant-space and deterministic processes. Does there exist a symmetric protocol on the ring that satisfies for unbounded (but finite) ring sizes?
Converging to a state where holds in a uni-ring can be achieved in two ways. First, there may be some value such that holds. Such values represent themselves as self-loops in the locality graph of . Second, values satisfy in a circular fashion, where hold and . Such values form a cycle of length in the locality graph of . A cycle like that represents a family of rings that include global states where holds through an ordered placement of the values that appear in the cycle. The sizes of such rings are multiples of ; i.e., ring sizes of , where is a positive integer (Theorem 2.1). To design a parameterized symmetric protocol that satisfies from some initial states captured by a state predicate , developers should design in such a way that it ensures convergence to one of the aforementioned scenarios (under no fairness and interleaving semantics). We first show that, there is no protocol that can ensure convergence through the second scenario.
Definition \thedefinition (Ordered -coloring).
Consider a set of distinct colors and a permutation function (i.e., a bijective function from to ) that takes a color and returns a color where . An ordered -coloring of a uni-ring is an -coloring where , denotes the number of processes in the ring, and represents subtraction modulo .
Theorem 3.2**.**
No protocol exists that converges to an ordered -coloring on symmetric uni-rings for rings of processes.
Proof.
Bernard et al.’s [8] show that no converging -coloring protocol exists on symmetric uni-rings for rings of processes. By contradiction, assume there is a converging protocol that ensures an ordered -coloring for some uni-ring with size . Such an ordered -coloring is a legitimate -coloring. Thus, converges to an -coloring, which is a contradiction with [8]. ∎
Corollary \thecorollary.
Theorem 3.2 holds under any fairness assumption, including strong fairness. In other words, Theorem 3.2 holds for weak convergence too.
Proof.
By contradiction, suppose Theorem 3.2 is falsified assuming strong fairness. That is, there is a weakly converging protocol that guarantees -coloring on uni-rings of processes. This means that from any arbitrary state, there is at least a computation that reaches a valid -coloring of the uni-ring for any . Wlog, consider the case where ; i.e., the number of colors is one unit less than the number of processes, and processes that have a similar color to their predecessor simply choose the next color available by incrementing their value. Bernard et al. [8] show that the executions of any deterministic coloring protocol are isomorphic to a coloring protocol where all processes follow the rule of incrementing their value (i.e., choosing the next color in order). Now, consider an example state for the uni-ring of size . In this state, only the second process is enabled to change its color because it is the only processes that has the same color as that of its predecessor’s. The execution of the second process would get the protocol to the state , where the third process is now enabled. Following the same pattern, the uni-ring reaches the state , where the fourth process is the only process that is enabled. This sequence of states forms the livelock , , , , , . Notice that, the last state is actually the same as the initial state of this execution of the symmetric uni-ring. Moreover, this livelock is deterministic. Thus, by Corollary 2, even strong fairness will not resolve this deterministic livelock, which prevents convergence to -coloring. A similar argument holds for weak fairness. ∎
Theorem 3.3**.**
Let be a conjunctive state predicate . No symmetric uni-ring protocol exists that can converge to states where holds through cyclic satisfaction of , for rings of processes and . This result holds under any fairness assumption.
Proof.
By contradiction, let be a parameterized protocol that converges to states in (under any fairness assumption) where hold for some values , where . Thus, the locality graph of must include a cycle whose vertices are labeled with in order. As a results, such states of represent an ordered -coloring. That is, converges to an ordered -coloring protocol for . This is a contradiction with Theorem 3.2 and Corollary 3. ∎
Theorem 3.4**.**
Let and be non-empty conjunctive state predicates, and . No symmetric protocol exists on uni-rings that can satisfy by reaching states where holds through cyclic satisfaction of , for rings of processes.
Proof.
By contradiction, let be such a protocol whose computations reach states in from states in through cyclic satisfaction of . Using the decidability of synthesizing self-stabilizing protocols (Theorem 2.7), we design a silent stabilizing protocol that converges to from any state, and once in , becomes disabled. However, the actions of and may interfere by creating livelocks outside . Such livelocks include states where and both have enabled processes that can take some action. Thus, such livelocks are not deterministic livelocks. To ensure recovery from such livelocks, we assume strong fairness. As a result, we guarantee that will eventually converge to , and from , protocol can guarantee that we reach states in through cyclic satisfaction of . Therefore, the net result is a protocol that converges to through cyclic satisfaction of under strong fairness. This is a contradiction with Theorem 3.3. ∎
4 Decidability of Synthesis
This section proves the decidability of synthesizing symmetric uni-ring protocols that satisfy the leads-to property , where and denote non-empty conjunctive state predicates. We first establish a relation between self-stabilization and leads-to by the following lemma:
Lemma \thelemma.
Let and be conjunctive state predicates specified on uni-rings. There is a symmetric protocol that satisfies for unbounded (but finite) ring sizes iff there is a symmetric protocol that stabilizes to for unbounded (but finite) ring sizes.
Proof.
Any protocol that is self-stabilizing to ensures convergence to ; i.e., . Since , it follows that protocol satisfies . Now, if there is no protocol that stabilizes to , then Theorem 2.7 implies that there is no value in the domain of for which holds. Thus, for a protocol to satisfy , must converge to states where holds through cyclic satisfaction of , which is impossible due to Theorem 3.4. ∎
Theorem 4.1**.**
Synthesizing a symmetric protocol on uni-rings that satisfies (for unbounded ring sizes) is decidable.
To prove Theorem 4.1, we present a synthesis algorithm that takes two non-empty and disjoint conjunctive state predicates and , and generates a parameterized protocol that satisfies on symmetric uni-rings, for unbounded ring sizes. Wlog, we assume that ; even if and intersect, , the synthesis problem is formulated for , where . (Note that is vacuously true in .) We later show that Algorithm 1 is sound and complete.
For a specific , Algorithm 1 performs Steps 3 to 8 in order to determine if there is a solution for that . In Steps 3 to 8, Algorithm 1 constructs the underlying structure of an action graph that will form the synthesized protocol after the labeling steps of 9 and 10. A correct protocol must meet certain constraints that are the minimum requirements for a protocol that satisfies . For instance, should only guarantee starting in . That is why Step 5 calculates the set of values in that do not appear in any state of , and Step 6 removes them from the spanning tree of . Moreover, since we assume , the cycles of and are arc-disjoint (due to Theorem 2.1). Thus, any correct protocol cannot include an arc for which holds and . Otherwise, the processes will include an action , for some where . Such an action would set the locality of each process to a state (i.e., ) where holds, thereby preventing reachability to . That is why Step 7 excludes such arcs. After eliminating such vertices and arcs through Steps 3 to 8, if we have a tree-like structure that has no leaves in common with the cycles in , then we move to Step 2 and repeat the same process for a different . Algorithm 1 exits only if no valid action graph can be built for any .
Theorem 4.2** (Soundness).**
Algorithm 1 is sound.
Proof.
We show that if Algorithm 1 generates a parameterized protocol for two disjoint predicates and , then satisfies for unbounded ring sizes. To prove this, we show that any computation of starting in a state will be deadlock-free and livelock-free outside and will eventually reach a state in .
Deadlock-freedom: Since the synthesized action graph, denoted , is a tree with a self-loop on its root , must have some leaves. Step 8 of the algorithm ensures that any vertex that participate in a cycle in the locality graph of the state predicate appears as a leaf in the tree. The labeling method of Step 9 guarantees that any leaf of has an outgoing arc (to some vertex ) with a label such that holds. Step 11 would translate each labeled arcs to a parameterized action . By Theorem 2.1, we also know that cycles in locality graphs characterize global states of uni-rings. Thus, the guard condition of such an action evaluates to true in a state in because holds. Thus, starting in , there is at least one enabled action; i.e., deadlock-freedom in . We now show that the computations of the synthesized protocol remain deadlock-free until reaching a state in . The only values in that are excluded from the synthesized action graph include those values that do not participate in any cycle in ; i.e., those values do not appear in states in . If computations of reach a state outside , the labeling method of Step 10 ensures that there is some enabled action; hence deadlock-freedom.
Livelock-freedom: The only type of propagation included in the synthesized action graph is . Thus, there are no propagations that lead each other circularly. That is, based on Theorem 2.2, the synthesized protocol is livelock-free.
Reachability of : By deadlock-freedom and livelock-freedom, each process will eventually satisfy , which would result in a global state of the ring in . ∎
Theorem 4.3** (Completeness).**
Algorithm 1 is complete.
Proof.
Let be a parameterized protocol that satisfies but Algorithm 1 fails to generate . By Theorem 3.4, cannot satisfy through cyclic satisfaction of some values; i.e., the action graph of , denoted , can include only cycles of length 1; i.e., self-loops. Further, if a node has a self-loop in , then cannot have any other outgoing labeled arc; otherwise, will include either cycles of length greater than one, which contradicts Theorem 3.4, or ends in nodes without any outgoing arcs; i.e., deadlock. Thus, there must be a value for which holds and there is some value , where and holds too. That is, must include as well as another labeled arc for some , where and . This means that Algorithm 1 would actually find such in Step 2. The action graph must also include some source nodes without any incoming arcs. Otherwise, it would include cycles of length greater than one (which again contradicts Theorem 3.4). Such source nodes must also intersect with the vertices of some cycles in and have outgoing labeled arcs such that holds and is a vertex in a cycle in . Otherwise, deadlocks in , which contradicts with satisfying . As such, Algorithm 1 would have included such labeled arcs in Steps 8 and 9, and would have created the action graph sinking towards . ∎
Theorem 4.4**.**
Algorithm 1 has an asymptotic polynomial time complexity in the domain size .
Proof.
Other than Step 3, it is trivial to see that all the other steps would take polynomial amount of time (in DomainSize) to compute. For Step 3, we first remove self-loops. Then, we start eliminating any vertex in the locality graph that has no outgoing arcs. This would result in removing the incoming arcs of too. We continue such vertex/arc removals until all remainig vertices have at least one outgoing arc, or no vertex remains. The remaining sub-graph that contains would be used for subsequent steps of the algorithm. This process takes . Therefore, the asymptotic time complexity of Algorithm 1 is polynomial in . ∎
Theorem 4.5**.**
Let and be conjunctive state predicates, for and . Synthesizing a parameterized protocol on symmetric uni-rings that satisfies is decidable.
Proof.
One can apply Algorithm 1 times for each and decide if there is some for which there is a protocol that satisfies . Any such protocol is also a solution for . ∎
Theorem 4.6**.**
Let be conjunctive state predicates, for and . Synthesizing a parameterized protocol on symmetric uni-rings that satisfies is decidable.
Proof.
Since predicates are conjunctive, we apply Algorithm 1 while identifying cycles in the intersection of the locality graphs of , for . The rest of Algorithm 1 remains the same. ∎
Theorem 4.7**.**
Let and be conjunctive state predicates and . Synthesizing a parameterized protocol on symmetric uni-rings that satisfies is decidable.
Proof.
We use Algorithm 1 by finding a value in the domain of the variable (of the template process ) such that holds. Moreover, it is straightforward to algorithmically find a common cycle in the locality graphs of and that contains (e.g., by running a DFS algorithm starting at ). There is a parameterized protocol that satisfies iff Algorithm 1 generates a protocol (due to its completeness). ∎
Theorem 4.8**.**
Let and be conjunctive state predicates. Synthesizing a parameterized protocol on symmetric uni-rings that satisfies is decidable.
Proof.
It is straightforward to see that a protocol satisfies iff satisfies or . We execute Algorithm 1 once for and another time for in order to decide if a solution for exists. ∎
5 Case Studies
This section presents four case studies of using Algorithm 1 for the synthesis of symmetric uni-rings. Section 5.1 discusses the synthesis of the Sum-Not-2 protocol, and Section 5.2 presents the dual of Sum-Not-2 protocol. Section 5.3 illustrates the synthesis of a symmetric uni-ring for solving the parity problem in distributed computing. Section 5.4 presents the synthesis of an agreement protocol on uni-rings. To increase our confidence in the proposed synthesis method, we have model checked all protocols synthesized in this section using SPIN [35] up to the extent our computational resources permit. The Promela models are available at http://asd.cs.mtu.edu/projects/ProTop/index.html.
5.1 Sum-Not-2
The Sum-Not-2 protocol is a simple but non-trivial example that can clearly demonstrate the complexity of synthesizing parameterized uni-rings that satisfy leadsto properties. In this protocol, we specify the set of initial states for even-size uni-rings where the summation of and is equal to two (modulo ) but . That is, , where , and denotes the number of processes (i.e., ring size). The objective is to synthesize a protocol that eventually reaches states where the summation of and is no longer equal to two (for all processes), and it is not the case that all processes have a value of zero; i.e., , where , and denotes addition modulo . We require that is satisfied from for all even values of .
Step 1: As the first step of Algorithm 1, we construct the locality graphs of and illustrated in Figure 4. Each arc captures the fact that (respectively, ) holds. For example, the only arcs in Figure 4-(a) are between 0 and 2 because does not hold for any other pairs of values in . As another example, Figure 4-(b) lacks any arcs between 0 and 2 because their summation adds up to 2, which violates . Moreover, the only vertex that has a self-loop is 2 because the arc violates the second conjunct of and arcs and violate the first conjunct of (i.e., and ).
Step 2: Since holds in (see Figure 4-(b)), we set to 2.
Step 3: Figure 5-(a) illustrates the induced subgraph including simple cycles of that contain (e.g., the simple cycle ).
Step 4: Figure 5-(b) illustrates a spanning tree rooted at , where each arc denotes that is the parent of in . Notice that, there may be several spanning trees; i.e., the solution is not unique.
Step 5: Figure 4-(a) illustrates that vertices 1 and 3 do not participate in any cycles; hence .
Step 6: Since is the only vertex of that is also a leaf of the spanning tree , we eliminate its outgoing arc to , illustrated by the dashed arrow in Figure 5-(b).
Step 7: Since , Step 7 does not make any changes.
Step 8: The only leaf of the tree for which holds is [math]. Thus, we include just the self-loop to generate the tree in Figure 6-(a).
Steps 9 and 10: Consider the arc . The candidate labels of this arc include and . We exclude because it is equal to the parent vertex of . Since and are true and is false, the only acceptable label for the arc is (see Figure 6-(a)). The arc has the label because holds. Likewise, the self-loop on gets [math] as its label.
Step 11: Figure 6-(b) illustrates the synthesized parameterized actions for any even-size uni-ring that satisfies .
5.2 SumTwo Protocol
We consider the dual of the previous example, which provides another interesting case. Let be , and be , where denotes the number of processes (i.e., ring size), and represents addition modulo . (Addition and subtraction in subscripts are done modulo .) We would like to synthesize a protocol that eventually reaches states where the summation of and is equal to two (for all processes), and it is not the case that all processes have a value . We require that is satisfied from for all even values of .
Step 1: Figure 7 illustrates the locality graphs of the predicates and .
Steps 2, 3, 4: Since , we have (see Figure 7-(b)). The induced subgraph includes the vertex . Thus, the resulting spanning tree would include a single vertex; i.e., .
Steps 5, 6: Since all vertices of participate in a cycle (Figure 7-(a)), we have . As such, there is nothing to be done in Step 6.
Steps 7 and 8: Including arcs from vertices that are in to would result in the spanning tree in Figure 8-(a). Since holds, would look like the tree in Figure 8-(b) excluding the dashed arc and the self-loop. Including an arc from 0 to the leaf 1 as well as the self-loop would generate the tree in Figure 8-(b).
Steps 9, 10, 11: The remaining steps of Algorithm 1 would generate the action graph of Figure 9-(a), which would be translated to the parameterized actions of the synthesized SumTwo protocol in Figure 9-(b).
5.3 Parity Protocol
The Parity protocol solves the problem of identifying a common parity amongst the nodes of a distributed system without a central coordinator dictating what the parity should be. In this case study, we synthesize a parameterized protocol for symmetric uni-rings that ensures reachability to an even parity in the entire ring from states where there is an odd parity. In fact, the synthesized protocol provides an algorithm for switching from odd to even parity amongst the nodes of a uni-ring. More precisely, we would like the protocol to satisfy , where , , and denotes subtraction modulo 4.
Steps 1 and 2: We first construct the locality graphs and (illustrated in Figure 10). Notice that both 0 and 2 can be considered as ; we let .
Steps 3 and 4: We induce the subgraph from by considering the simple cycle between 0 and 2. We then compute the spanning tree of rooted at .
Steps 5, 6: The set includes vertices 0 and 2, and the only vertex that is a leaf in is 0; hence . Removing the outgoing arc will create the tree with the single vertex 2.
Steps 7 and 8: We now compute , which is equal to . Thus, we include the arcs and to generate the tree . We also include the self-loop in to generate the structure of the action graph of the synthesized protocol in Figure 12-(a). Notice that, and do not hold. Since the only leaf in is vertex 2, arc cannot be included in .
Steps 9, 10, 11: The remaining steps of the algorithm labels (Figure 12-(a)), which would result in the action graph in Figure 12-(b). The synthesized parameterized actions of the parity protocol are as follows:
5.4 Agreement Protocol
Agreement is a fundamental problem in distributed computing. This section demonstrates how Algorithm 1 synthesizes a parameterized protocol on symmetric uni-rings that ensures agreement from a set of initial states. Specifically, we synthesize a protocol that meets , where , and .
Steps 1 and 2: Figure 13 illustrates the locality graphs and , respectively for predicates and . We have four possible values for . Wlog, we let be 1.
Steps 3 and 4: Since has only self-loops on its vertices, would include just Vertex 1. Correspondingly, the spanning tree includes just a single vertex (i.e., 1).
Steps 5, 6: Since is empty, becomes empty too.
Steps 7 and 8: We have . As a result, would include arcs and , but excludes because holds (see Figure 14-(a)). Executing Step 8 would result in including arcs and , resulting in tree (Figure 14-(b)).
Steps 9, 10, 11: The remaining steps of the algorithm labels (Figure 14-(b)), which would result in the action graph in Figure 15.
The synthesized parameterized actions of the agreement protocol are as follows:
6 Related Work
There is a diverse set of methods for the synthesis of fixed-size and parameterized programs/protocols. For example, program sketching [55, 54] aims to automatically fill the holes in an incomplete program. Example-based synthesis [53] generates a program from a table of inputs and expected outputs. Syntax-guided program synthesis [3] constrains the search space of synthesis using a syntactic template of a program. Counterexample guided inductive synthesis [48, 1] generates abstract programs and a verifier provides counterexamples for refining the synthesized abstract programs. Techniques for automated completion of distributed protocols [59, 4, 58, 5] mainly extend program sketching and synthesis-by-examples for distributed programs under strong/weak fairness. Existing automated techniques [6, 43, 32, 17, 11, 19, 24, 22, 40, 23] for the addition of fault tolerance mainly enable the synthesis of fixed-size fault-tolerant protocols from their fault-intolerant versions.
Most existing methods for the verification of parameterized programs can be classified into abstraction methods [9, 36, 21], SMT-based verification [30, 13], parameterized visual diagrams [52], network invariants [61, 38, 34], compositional model checking [46], logic program transformations and inductive verification methods [49, 50, 51, 28], regular model checking [12, 57, 2], proof spaces [26] and topology-specific verification [45].
There are a variety of methods for the synthesis of parameterized programs. For example, Attie and Emerson [7] compose a pair of representative processes (under weak fairness) to reason about the global safety and local leads-to properties of a symmetric parameterized system. Some researchers [16, 10] present methods for generating parameterized protocols for specific problems (e.g., counting) on specific topologies (e.g., clique [16]). Verification and synthesis methods based on threshold automata [44] take a sketch automaton (whose transitions have incomplete guard conditions capturing the number of received messages), and complete the guards towards satisfying program specifications.
The closest work to this paper includes our previous work on the synthesis of self-stabilizing parameterized uni-rings [18], where a protocol is expected to recover to a set of states from any state. In the synthesis of self-stabilization, and captures a set of legitimate states to which recovery is required. As such, we construct a spanning tree of the locality graph of rooted at some . Such a spanning tree should include all values in the domain of . By having just a self-loop on , we ensure that starting from any state in , no livelocks will be reached (due to Theorem 2.2). However, when , it is not trivial how the synthesis should be conducted so global computations of a parameterized ring guarantee reachability of only from global states in . To address this challenge, we would need to identify local characterization of states that are reachable from as well as ensuring livelock-freedom only in states reachable from . Algorithm 1 succeeds in tackling these challenges. It is noteworthy to mention that a self-stabilizing solution may not be the best solution for in cases where multiple leadsto properties must be satisfied. For example, consider the case of two leadsto properties and , where . If one synthesizes a self-stabilizing protocol that recovers to , then certainly satisfies too. However, all hopes for revising towards satisfying are lost because instead satisfies . Using Algorithm 1, we ensure that is satisfied only from , and not from states outside . We are currently investigating conditions under which synthesis of parameterized uni-rings that satisfy two leadsto properties and becomes possible.
7 Conclusions and Future Work
We investigated the problems of verifying and synthesizing parameterized protocols on symmetric unidirectional rings for leadsto properties . We showed that the verification problem remains undecidable even for constant-space and deterministic processes and for global state predicates and that are formed by the conjunction of symmetric local state predicates; i.e., conjunctive predicates. We then presented a somewhat surprising result that, synthesizing protocols that satisfy on uni-rings is actually decidable! This is a significant result as both ring and leadsto are important aspects of distributed protocols. We are currently working on the implementation of our synthesis algorithm and conducting more interesting case studies such as cache coherence, leader election, etc. Moreover, we plan to study the synthesis of leadsto on bidirectional rings, and other elementary topologies (e.g., mesh, torus).
**Acknowledgment
**The author would like to thank Aly Farahat for fruitful discussions.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] A. Abate, C. David, P. Kesseli, D. Kroening, and E. Polgreen. Counterexample guided inductive synthesis modulo theories. In International Conference on Computer Aided Verification , pages 270–288. Springer, 2018.
- 2[2] P. A. Abdulla, B. Jonsson, M. Nilsson, and M. Saksena. A survey of regular model checking. In CONCUR , pages 35–48, 2004.
- 3[3] R. Alur, R. Bodik, G. Juniwal, M. M. Martin, M. Raghothaman, S. A. Seshia, R. Singh, A. Solar-Lezama, E. Torlak, and A. Udupa. Syntax-guided synthesis. In Formal Methods in Computer-Aided Design (FMCAD), 2013 , pages 1–17. IEEE, 2013.
- 4[4] R. Alur, M. Raghothaman, C. Stergiou, S. Tripakis, and A. Udupa. Automatic completion of distributed protocols with symmetry. In International Conference on Computer Aided Verification , pages 395–412. Springer, 2015.
- 5[5] R. Alur and S. Tripakis. Automatic synthesis of distributed protocols. ACM SIGACT News , 48(1):55–90, 2017.
- 6[6] P. C. Attie, anish Arora, and E. A. Emerson. Synthesis of fault-tolerant concurrent programs. ACM Transactions on Programming Languages and Systems (TOPLAS) , 26(1):125–185, 2004.
- 7[7] P. C. Attie and E. A. Emerson. Synthesis of concurrent systems with many similar processes. ACM Transactions on Programming Languages and Systems (TOPLAS) , 20(1):51–115, 1998.
- 8[8] S. Bernard, S. Devismes, M. G. Potop-Butucaru, and S. Tixeuil. Optimal deterministic self-stabilizing vertex coloring in unidirectional anonymous networks. In 23rd IEEE International Symposium on Parallel and Distributed Processing, IPDPS 2009, Rome, Italy, May 23-29, 2009 , pages 1–8. IEEE, 2009.
