Parameterized model checking of Resource Reservation Protocol

Igor V. Konnov, Vladimir A. Zakharov
Department of Computational Mathematics and Cybernetics, Lomonosov Moscow State University
18.07.2015
INTAS meeting, Moscow
Outline

- Parameterized Model Checking
- Invariants and simulation
- ReSource reserVation Protocol
- RSVP model in Promela
- Checking properties on small-size instances of RSVP
- Finding an invariant and building simulations
- Open questions and conclusions
Parameterized Model Checking

- We study the verification problem for families of distributed systems {Mn}, n >= 1.
- Every system Mn is composed of some distinguished process Q and a number of isomorphic processes that are instances of the same prototype process P:
  Mn = Q || P || P || ... || P.
- In general, there may be several prototypes.
PMC by invariants

- We use the framework of network invariants by Clarke, Grumberg and Jha [2], omitting the step of abstraction.
- We introduced a quasi-block simulation (written A ≤ B) which is:
  - conservative under ACTL*-X: for any formula φ, if A ≤ B and B |= φ then A |= φ;
  - monotonic: if A ≤ B and C ≤ D then A || C ≤ B || D.
- Then, to check that Mn |= φ holds for every n, it is sufficient to find an LTS I (the invariant) such that Q || P ≤ I and I || P ≤ I hold, and to check that I |= φ.
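The inductive check on this slide, as an added example that is not part of the talk or of the authors' simulation checker: it computes the greatest simulation relation between two labelled transition systems as a fixpoint, composes processes, and then verifies the two conditions Q || P ≤ I and I || P ≤ I. Everything below is an assumption of the example: plain strong simulation is used instead of the quasi-block simulation of the talk, composition is CSP-style (actions in both alphabets synchronise, the rest interleave), and the producer/router processes are a constructed toy abstraction, not the authors' Promela model of RSVP.

```python
"""Network-invariant check via (strong) simulation:
Mn = Q || P || ... || P is covered by I when Q||P <= I and I||P <= I."""
from collections import deque


class LTS:
    """Labelled transition system: states, initial state, alphabet, transitions."""

    def __init__(self, init, transitions, alphabet=None):
        self.init = init
        self.trans = {}                       # state -> set of (action, successor)
        self.states = {init}
        acts = set()
        for s, a, t in transitions:
            self.trans.setdefault(s, set()).add((a, t))
            self.states.update((s, t))
            acts.add(a)
        # an explicit alphabet may list actions a process synchronises on but never performs
        self.alphabet = set(alphabet) if alphabet is not None else acts

    def succ(self, s):
        return self.trans.get(s, ())


def compose(A, B):
    """CSP-style parallel composition (assumption of this example): actions in both
    alphabets happen jointly, all other actions interleave. Keeps reachable pairs only."""
    shared = A.alphabet & B.alphabet
    init = (A.init, B.init)
    seen, todo, trans = {init}, deque([init]), []
    while todo:
        s, t = todo.popleft()
        moves = []
        for a, s2 in A.succ(s):
            if a in shared:
                moves += [(a, (s2, t2)) for b, t2 in B.succ(t) if b == a]
            else:
                moves.append((a, (s2, t)))
        for b, t2 in B.succ(t):
            if b not in shared:
                moves.append((b, (s, t2)))
        for a, nxt in moves:
            trans.append(((s, t), a, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return LTS(init, trans, A.alphabet | B.alphabet)


def greatest_simulation(A, B):
    """Largest R with: (s,t) in R and s -a-> s' imply some t -a-> t' with (s',t') in R.
    Greatest fixpoint: start from all pairs and drop violating ones until stable."""
    R = {(s, t) for s in A.states for t in B.states}
    changed = True
    while changed:
        changed = False
        for s, t in list(R):
            ok = all(any(b == a and (s2, t2) in R for b, t2 in B.succ(t))
                     for a, s2 in A.succ(s))
            if not ok:
                R.discard((s, t))
                changed = True
    return R


def simulates(A, B):
    """True iff B simulates A from the initial states, i.e. A <= B."""
    return (A.init, B.init) in greatest_simulation(A, B)


def is_network_invariant(Q, P, I):
    """The inductive conditions of the slide: Q||P <= I and I||P <= I.
    By monotonicity this gives Q||P||...||P <= I for every n >= 1."""
    return simulates(compose(Q, P), I) and simulates(compose(I, P), I)


# Constructed toy abstraction (not the authors' model): a producer sets up a path
# and later tears it down; a router may reserve on the path and follows the tear.
PRODUCER = LTS("idle", [("idle", "path", "up"), ("up", "tear", "idle")])
ROUTER = LTS("free", [("free", "path", "pathed"), ("pathed", "resv", "reserved"),
                      ("pathed", "tear", "free"), ("reserved", "tear", "free")])
# Candidate invariant: the producer composed with a single router.
CANDIDATE = compose(PRODUCER, ROUTER)
# A candidate that forgets that a reserved router must still accept a tear-down.
TOO_SMALL = LTS("free", [("free", "path", "pathed"), ("pathed", "resv", "reserved"),
                         ("pathed", "tear", "free")], alphabet={"path", "resv", "tear"})

if __name__ == "__main__":
    print("Q||P invariant:", is_network_invariant(PRODUCER, ROUTER, CANDIDATE))   # True
    print("too small:     ", is_network_invariant(PRODUCER, ROUTER, TOO_SMALL))   # False
```

The fixpoint here is the textbook O(|S_A|·|S_B|) refinement and does nothing about invisible transitions or divergence, which is exactly what the block and semi-block simulations of the following slides add; the point of the example is only the shape of the inductive argument and the fact that a candidate which is too restrictive (TOO_SMALL) is rejected by the first condition.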
Resource Reservation Protocol

- RFC 2205 defines RSVP, which allows reserving bandwidth capacity on a route between a sender (producer) and a receiver (consumer of resources).
- RSVP may be used to deliver audio or video traffic without visible delay.
- Models of RSVP have already been partially checked by Creese and Reed [3] and by Villapol [4].
RSVP: execution example

[Figure: the sender (producer, P) at the root, routers (R) forming a tree below it, and receivers (consumers, C) at the leaves.]
Previous works on RSVP

- Villapol (2003) [4] partially described RSVP in Petri nets: the model was focused on communication between a fixed number of processes (sender, receiver and several routers).
- Creese and Reed (1999) [3] described a model independent of the process count using process algebra. However, their model was designed to preserve only one property: reservation merging.
Building a model in Promela: problems

- Infinite data types:
  - host address in unicast messaging,
  - channel capacity in a reservation request,
  - router's channel capacity.
- Unbounded number of outgoing edges in the communication topology.
- Simultaneous sessions.
- Dynamic network topology.
- Failure of hosts.
Key abstractions

- The routers and consumers form a binary tree (as in [CreeseReed1999]).
- Producers use multicast messages only.
- No failures.
- Routers always have enough resources to satisfy a reservation request.
- Only one session is considered (as in [CreeseReed1999] and [Villapol2003]).
Checking several instances in Spin

- Specification 1: G ¬producer!path_tear → G ¬producer!path_tear_acknowledge
- Specification 2: G (router1.reserved → ¬router1.parent!resv)
- Absence of deadlocks and livelocks (this is of great importance to PMC!)
Building simulations

First, we concentrated on building a block simulation between two models, not taking divergence (paths ending with an infinite number of invisible transitions) into account.

[Figure: a tree of routers (R) and consumers (C) is simulated by a smaller tree of routers and consumers.]
Optimization of block simulation

While building block simulations we found a criterion on block simulation that greatly reduces the number of states to be checked (semi-block simulation).

[Figure: two block transition diagrams over states 1 to 9, with invisible transitions t and visible transitions a, b.]
Finding a counter-example that breaks simulation

- What if a block simulation does not exist between models that seem to be similar? How do we find the difference in behaviour?
- It would be great to build a counter-example formula or a path.
- We have built a tool to find witness paths:
  - it is mostly an ad hoc solution,
  - it finds a lot of junk (false-negative paths).
Inconsistencies in our model

The following inconsistencies were found while building the block simulation (without additional specifications):
- routers could close a session twice (and receive tear_down), while receivers could not;
- routers could send data after the session had already been closed;
- internal cycles in routers caused livelocks.
General inconsistencies in the model that break block simulation

- Deadlocks in models with a larger number of processes (w.r.t. the invariant).
- Livelocks in small models (they break divergence).
- Absence of reaction to incoming messages in processes.

Summary (a bit evident): small instances should be thoroughly checked before looking for an invariant.
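The two defect classes of this slide, deadlock and livelock (a reachable cycle of invisible transitions, i.e. divergence), as an added example that is not part of the talk: a reachability sweep for states with no outgoing transition, and a depth-first search over the invisible edges only that returns a witness cycle. The router abstractions are constructed for the example (the internal "polling" retry loop mirrors the "internal cycles in routers" found in the authors' model but is not taken from it); the label `tau` for invisible transitions and the dictionary encoding of the LTS are assumptions of the example.

```python
"""Sanity checks to run on every small instance before an invariant is attempted:
no deadlocks and no livelocks (cycles made only of invisible transitions)."""
TAU = "tau"   # label assumed here for invisible (internal) transitions


def reachable(trans, init):
    """States reachable from init; the LTS is {state: [(action, successor), ...]}."""
    seen, stack = {init}, [init]
    while stack:
        s = stack.pop()
        for _, t in trans.get(s, ()):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def deadlocks(trans, init):
    """Reachable states with no outgoing transition at all."""
    return sorted(s for s in reachable(trans, init) if not trans.get(s))


def divergent_cycle(trans, init, invisible=frozenset({TAU})):
    """Witness for divergence: a reachable cycle consisting only of invisible
    transitions, found by DFS over tau-edges with white/grey/black colouring.
    Returns the cycle as a list of states (first == last) or None."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour, path = {}, []

    def dfs(s):
        colour[s] = GREY
        path.append(s)
        for a, t in trans.get(s, ()):
            if a not in invisible:
                continue
            c = colour.get(t, WHITE)
            if c == GREY:                  # back edge: closes a tau-cycle
                return path[path.index(t):] + [t]
            if c == WHITE:
                found = dfs(t)
                if found:
                    return found
        path.pop()
        colour[s] = BLACK
        return None

    for s in sorted(reachable(trans, init), key=str):
        if colour.get(s, WHITE) == WHITE:
            found = dfs(s)
            if found:
                return found
    return None


def sanity_check(trans, init):
    """Both entries must be empty/None before an invariant is worth searching for."""
    return {"deadlocks": deadlocks(trans, init),
            "livelock": divergent_cycle(trans, init)}


# Constructed router abstraction with both defects (not the authors' Promela model):
# an internal retry loop that livelocks, and a closed state that ignores everything.
BROKEN_ROUTER = {
    "free":     [("path", "pathed")],
    "pathed":   [("resv", "reserved"), (TAU, "polling")],
    "polling":  [(TAU, "pathed")],          # internal cycle: livelock
    "reserved": [("tear", "closed")],
    "closed":   [],                         # no reaction to incoming messages: deadlock
}

# Repaired variant: no internal cycle, and tear-down returns the router to "free".
FIXED_ROUTER = {
    "free":     [("path", "pathed")],
    "pathed":   [("resv", "reserved"), ("tear", "free")],
    "reserved": [("tear", "free")],
}

if __name__ == "__main__":
    print("broken:", sanity_check(BROKEN_ROUTER, "free"))
    print("fixed: ", sanity_check(FIXED_ROUTER, "free"))
```

On a real Promela model the same two checks are what `spin -a` plus `pan -a` (with a never-claim for the liveness part) perform over the full state space; the point of the small reimplementation is to see that a livelock is a property of the invisible-transition subgraph alone, which is why it silently breaks divergence-sensitive simulations.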
Finding an invariant

- The parameterized network is described by the following network grammar:
  P → p ||₁ T
  T → r ||₂ T ||₃ T
  T → r ||₂ c ||₃ c
- Using the technique of invariants [CGJ95], we tried to find an invariant among the models derived from the non-terminal T.
- The model r ||₂ c ||₃ c is not an invariant.
- We made an attempt to check the model r ||₂ (r ||₂ c ||₃ c) ||₂ (r ||₂ c ||₃ c).
Invariant Model of T

Any model derived from the non-terminal T is simulated (in terms of semi-block and quasi-block simulation) by the following model:

[Figure: the invariant model, a small tree of routers (R) and consumers (C).]
Models to compare

[Figure: five tree-shaped models (1) to (5), built from routers (R) and consumers (C), that were compared against the invariant; their size grows from (1) to (5).]
Results of building semi-block simulation

#    Pairs in relation   Time     Memory (DFA)
(1)  15902               2 sec    22M
(2)  223304              30 sec   39M
(3)  1425766             7 min    43M
(4)  3.8 * 10^6          20 min   44M
(5)  3.5 * 10^8          72 hrs   49M
Positive achievements

- The model of RSVP in Promela.
- Testing of the technique and of the simulation checker on a large problem.
- Semi-block simulation, which reduces the computation time.
- A solution for comparing smaller models (slide 18).
Open questions

- We did not compare block simulation and branching bisimulation [5] in practice.
- The algorithm for computing semi-block simulation should be improved to cope with large state-space problems.
- We need a better tool to build counter-examples when block simulation fails.
- Perhaps the reduction on slide 18 could be done automatically using a theorem prover.
Conclusions

- We successfully applied the technique of network invariants to an interesting protocol and performed parameterized model checking.
- It would be great:
  - to refine our model and make it less abstract,
  - to deal with conditions on data types over infinite domains.
References

1. E.A. Emerson, K.S. Namjoshi. Reasoning about rings. In Proceedings of the 22nd ACM Symposium on Principles of Programming Languages, POPL'95, 1995, pp. 85-94.
2. E.M. Clarke, O. Grumberg, S. Jha. Verifying parameterized networks using abstraction and regular languages. In Proceedings of the 6th International Conference on Concurrency Theory (CONCUR'95), 1995.
3. S.J. Creese, J. Reed. Verifying End-to-End Protocols Using Induction with CSP/FDR. In IPPS/SPDP Workshops, 1999, pp. 1243-1257.
4. M. Villapol. Modelling and Analysis of the Resource Reservation Protocol using Coloured Petri Nets. PhD Thesis, Institute for Telecommunications Research and Computer Systems Engineering Centre, University of South Australia, 2003.
5. R.J. van Glabbeek, W.P. Weijland. Branching time and abstraction in bisimulation semantics. Journal of the ACM 43(3), 1996, pp. 555-600.