Knowledge Based Synthesis of Control for Distributed Systems

Knowledge Based Knowledge Based Synthesis of Control for Synthesis of Control for Distributed SystemsDistributed Systems

Doron PeledDoron Peled

Formal methods

Specification System

Model checking

Yes!!No +

Counterexample

Revision

Specification

Synthesis

System

Synthesizing software

Given a specification, say in LTL, can we automatically construct a program that satisfies it?

Sequential and closed system one can translated the specification to an automaton [MW81,CE81].

What about the case where the program has to interact with uncontrolled inputs? or consists of several processes, with limited view of each other (and some uncontrolled choices)?

What about controlling (restricting) existing programs to admit additional properties?

Classical software synthesis

Synthesizing sequential program (automata) of an open (interactive) system is in 2EXPTIME [PR88]. One converts the LTL formula into a deterministic tree automaton that checks that finite memory is sufficient to enforce a strategy that will guarantee to satisfy the specification.

Synthesizing concurrent programs is undecidable [PR89]. Same for synthesizing a controller that will restrict the system [T].

Synthesizing controller

Specification

Code Synthesis

System

Additional

Specification

Controller Synthesis

System

System

Supervisor

33 trains: TGV, regular, trains: TGV, regular, freight, compete on freight, compete on tracks to enter the tracks to enter the station.station.

We want to implement We want to implement the system such that the system such that each track decides each track decides ““locallylocally””, without a , without a centralized controlcentralized control..

Main problemMain problem

Controlling a concurrent system that needs to Controlling a concurrent system that needs to satisfy some global restrictions.satisfy some global restrictions.

In general this is an In general this is an undecidableundecidable problem [T]. problem [T]. Decidable alternativeDecidable alternative: allow synchronizing : allow synchronizing actions as needed by the analysis (at the limit actions as needed by the analysis (at the limit it becomes a sequential control problem).it becomes a sequential control problem).

Actions are controlled based on the Actions are controlled based on the knowledgeknowledge of being in a certain collection of global states.of being in a certain collection of global states.

This “knowledge” is calculated in advance This “knowledge” is calculated in advance ((model checkingmodel checking), and then the program is ), and then the program is transformed to exploit it.transformed to exploit it.

For the train tracks system

Trains, when approaching tracks, may not decide independently: allow trains (or tracks) to synchronize in order to make a joint decision.

Minimize synchronization: while synchronizing (costly!), trains are not progressing.

Imposed invariantImposed invariant

We are given a transition system, e.g., a Petri We are given a transition system, e.g., a Petri Net.Net.

We want to We want to imposeimpose that each pair (s, that each pair (s, ) of a state ) of a state and transition fired from it must be from a given and transition fired from it must be from a given allowed set allowed set ..

Running exampleRunning example: : PrioritiesPriorities - a partial order between the - a partial order between the transitions. transitions. At each global state, we can execute a transition At each global state, we can execute a transition that has a maximal priority among the enabled that has a maximal priority among the enabled transitions.transitions.

A (safe) Petri NetA (safe) Petri Net

p1

p7

p3

t1

t1 – a transition. With input places p1 and p7, and output place p3.

A transition fires (i.e., executes) if the input transition have tokens and the output transitions do not have tokens (is empty).

A Petri Net is safe if when the input places to a transition have tokens, the output transitions do not have tokens.


p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1

A state is a set of places, e.g., {p1, p2, p7}.

Can be written as p1 /\ p2 /\ ¬ p3 /\ ¬ p4 /\ ¬ p5 /\ ¬ p6 /\ p7.


p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1


p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1

p7 is a

“semaphore”!


p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1


p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1

Transitions are independent (concurrent) if they do not share input and out places

A (safe) Petri Net with priorities:A (safe) Petri Net with priorities:Partial order between transitionsPartial order between transitions..

p1

t4

p6p5

p4p3

p2

t2

t3

t1

t1<<t4, t2<<t3

A (safe) Petri Net with priorities. A (safe) Petri Net with priorities. Partial order between transitionsPartial order between transitions..

p1

t4

p6p5

p4p3

p2

t2

t3

t1

t1<<t4, t2<<t3

A (safe) Petri Net with priorities. A (safe) Petri Net with priorities. Partial order between transitionsPartial order between transitions..

p1

t4

p6p5

p4p3

p2

t2

t3

t1

t1<<t4, t2<<t3

Transitions are independent (concurrent) if they do not share input and out places

Problem: how to guarantee Problem: how to guarantee execution according to prioritiesexecution according to priorities??

Execute only Execute only maximallymaximally enabled transitions. enabled transitions. Some transitions may be Some transitions may be uncontrollableuncontrollable, i.e., if , i.e., if

enabled, one cannot or must not stop them.enabled, one cannot or must not stop them. Make a distributed (local) decision.Make a distributed (local) decision. Is it even possible?Is it even possible? Can we check when it is possible? Can we check when it is possible?

(Decidable?)(Decidable?) What if we cannot make the distributed What if we cannot make the distributed

decision?decision?

Architecture

Additional

Specification


System

Supervisor

System

Each process has its own controller.

Based on knowledge calculated in

advance, transitions can be permitted or

blocked (uncontrolled transitions cannot be

blocked!).

Each transition must be “supported” in this

way by at least one of the controllers of the

participating processes (disjunctive

controller).

So, what can we doSo, what can we do??

What do we What do we knowknow in each local state? in each local state? Use Use logic of knowledgelogic of knowledge to express (and check) to express (and check)

if a process knows that its enabled transition if a process knows that its enabled transition has maximal priority.has maximal priority.

Transform the program to Transform the program to actact based on the based on the knowledge.knowledge.

There are variations of knowledge (based on There are variations of knowledge (based on the ability to recall our local history); tradeoff on the ability to recall our local history); tradeoff on price of transformation.price of transformation.

Some definitionsSome definitions A A processprocess is a is a set ofset of

transitionstransitions.[No two .[No two transitions of a process transitions of a process can execute can execute iindependentlyndependently at any at any moment].moment]. The The processes cover all the processes cover all the transitions (there can be transitions (there can be additional constraints).additional constraints).

The The neighborhoodneighborhood of a of a process is the set of all process is the set of all input and output places input and output places of its transitions.of its transitions.

p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1

The local information of a process in a state, is the state limited to the neighborhood of the process. E.g., for the left process, in state { p1, p2, p7}, it is {p1,p7}. (=“local state”).

We are ready to define We are ready to define ““knowledgeknowledge””

Given a “local information” Given a “local information” as a process, a process as a process, a process knows everything that is knows everything that is consistent with it.consistent with it.

Easy to calculate what a Easy to calculate what a process knows.process knows.

That is: it knows of any That is: it knows of any property that holds in all property that holds in all global states with the same global states with the same “local information”.“local information”.

This is a standard definitions This is a standard definitions (e.g., [FMHV]).(e.g., [FMHV]).

Later: “knowledge with Later: “knowledge with perfect recall”.perfect recall”.

p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1

When left process is given that p1 /\ p7, it knows that p4.(p1 /\ p7) Kl p4

Calculating what a process knows Calculating what a process knows given some local informationgiven some local information

We can write (and calculate) a formula that We can write (and calculate) a formula that represents “all reachable states”: represents “all reachable states”: reachreach

We can write a formula that represents “a given We can write a formula that represents “a given local information x”: local information x”: xx

Intersect the above two formulas, and obtain Intersect the above two formulas, and obtain “the states given some local information”:“the states given some local information”: reach reach /\/\ xx..

We We knowknow, when x holds, whatever is implied , when x holds, whatever is implied from this intersection (from this intersection (reach reach /\/\ x x ) ) ..

The standard notation is KThe standard notation is K and we can embed and we can embed this within temporal logic.this within temporal logic.

Combined knowledge of Combined knowledge of several processesseveral processes

The The jointjoint knowledge knowledge of several processes of several processes is is the properties that hold in all the global the properties that hold in all the global states consistent with the combined local states consistent with the combined local information of these processes. information of these processes.

Since we combine the local information, Since we combine the local information, there are fewer consistent states. So, there are fewer consistent states. So, together, the processes know more.together, the processes know more.

However, to utilize this combined However, to utilize this combined knowledge, the processes need to knowledge, the processes need to coordinate with each other.coordinate with each other.

What is known, during execution What is known, during execution can be model checkedcan be model checked::

11 Each process knows Each process knows whichwhich of its enabled of its enabled

transitions have maximal priorities.transitions have maximal priorities.

22 Each process knows about Each process knows about at least oneat least one of its of its

enabled transitions that has a maximal priority.enabled transitions that has a maximal priority.

33 In each non-deadlock state, In each non-deadlock state, at least one at least one

process knowsprocess knows about at least one enabled about at least one enabled maximal priority transition.maximal priority transition.

Maybe even Maybe even 33 does not hold… does not hold…

The The supporting process supporting process policypolicy

A transition can belong to multiple processes A transition can belong to multiple processes (e.g., communication). (e.g., communication).

If If enabledenabled, , andand at leastat least one process knows of it one process knows of it having maximal priorityhaving maximal priority, , then it can firethen it can fire..

Related to a problem in Related to a problem in control theorycontrol theory::we are seeking a distributed disjunctive we are seeking a distributed disjunctive controller with limited observability (this is, in controller with limited observability (this is, in general: undecideable).general: undecideable).

Build for each process a “support table”: for Build for each process a “support table”: for each local information, which transition, if any, each local information, which transition, if any, is supported.is supported.

Some important pointsSome important points::

The knowledge is calculated based on the The knowledge is calculated based on the states of the original (priorityless) program.states of the original (priorityless) program.

Then transitions are being controlled, which Then transitions are being controlled, which generates a different program.generates a different program.

The transformation adds constraints to the The transformation adds constraints to the enabledness conditions, based on the support enabledness conditions, based on the support table.table.

Monotonicity: Knowledge about the original Monotonicity: Knowledge about the original program remains known in the transformed program remains known in the transformed program, since the reachable states can only program, since the reachable states can only reduce reachable states and executions!reduce reachable states and executions!

And what if neither of And what if neither of these invariants holdthese invariants hold?? CombineCombine knowledge of processes. The knowledge of processes. The

“knowledge of several processes” is bigger “knowledge of several processes” is bigger than of single processes.than of single processes.

CompromiseCompromise, and allow transitions that are not , and allow transitions that are not maximal, to complete support table, such that maximal, to complete support table, such that in any reachable state, at least one transition is in any reachable state, at least one transition is enabled. Experimentally measure how far is a enabled. Experimentally measure how far is a compromised execution from a perfectly compromised execution from a perfectly prioritized one.prioritized one.

Switch to ”Switch to ”knowledge of perfect recallknowledge of perfect recall”.”.

tt33<<t<<t55<<t<<t44<<t<<t

77

p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1

t6

t5

t7

p9

p8

p10

p11

Motivation: given local information {p3} for left process:

t3 is enabled, can it be fired?

tt33<<t<<t55<<t<<t44<<t<<t77

p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1

t6

t5

t7

p9

p8

p10

p11

Motivation: when t3 is enabled, can it be fired?

Now it has a maximal priority.

tt33<<t<<t55<<t<<t44<<t<<t77

p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1

t6

t5

t7

p9

p8

p10

p11


Continuing the execution…

tt33<<t<<t55<<t<<t44<<t<<t77

p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1

t6

t5

t7

p9

p8

p10

p11



tt33<<t<<t55<<t<<t44<<t<<t77

p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1

t6

t5

t7

p9

p8

p10

p11



tt33<<t<<t55<<t<<t44<<t<<t77

p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1

t6

t5

t7

p9

p8

p10

p11


Same local information as before for left process: {p3}.

Now t5 has maximal priority!

tt33<<t<<t55<<t<<t44<<t<<t77

p1

t4

p7

p6p5

p4p3

p2

t2

t3

t1

t6

t5

t7

p9

p8

p10

p11

Based on this, the left process does not know if t3 has the highest priority at both times. But if we remember how many times t1 fired, we can distinguish between these two cases!

Knowledge of perfect Knowledge of perfect recallrecall

Knowledge is based on the Knowledge is based on the history history that a that a process can sense, up to any point in its process can sense, up to any point in its computation.computation.

A process can sense changes in its A process can sense changes in its neighborhood, including changes to the neighborhood, including changes to the neighborhood by other processes.neighborhood by other processes.

This way we can distinguish between two local This way we can distinguish between two local states (local information) with different states (local information) with different histories. So, we know more!histories. So, we know more!

But don’t we need infinite amount of But don’t we need infinite amount of information?information?

Knowledge of perfect Knowledge of perfect recall: finite informationrecall: finite information..

Ron Van der Meyden showed that finite amount of Ron Van der Meyden showed that finite amount of information is sufficient.information is sufficient.

Given some history of computation, the rest of the system Given some history of computation, the rest of the system can be in a finite number of states consistent with it (a can be in a finite number of states consistent with it (a “subset construction”).“subset construction”).

If a process makes a single transition, or some process If a process makes a single transition, or some process changes the neighborhood, the system can be in any changes the neighborhood, the system can be in any global state that is obtained by making that transition, plus global state that is obtained by making that transition, plus any sequence of (independent) transitions that do not any sequence of (independent) transitions that do not change the neighborhood.change the neighborhood.

For the transformation, we can update the knowledge as For the transformation, we can update the knowledge as an automaton. This can become a gigantic automaton an automaton. This can become a gigantic automaton (2EXP).(2EXP).

Another solutionAnother solution

When there are states where no one knows When there are states where no one knows which transition as higher priority: offer which transition as higher priority: offer interactions between processes that together interactions between processes that together have the knowledge.have the knowledge.

Interaction is offered through a coordinating Interaction is offered through a coordinating algorithm such as algorithm such as -core.-core.

The problem becomes decidable, since at The problem becomes decidable, since at the limit we get a full product that is the limit we get a full product that is controlled globally.controlled globally.

Architecture

Additional

Specification


System

System





blocked!).




controller).

Controllers are allowed to coordinate to

temporary synchronize to obtain joint

knowledge.

The The -core algorithm-core algorithm Perez, Corchuelo, Toro, Perez, Corchuelo, Toro,

Concurrency – Practice and Concurrency – Practice and Experience 16(12):1173-1206, 2004. Experience 16(12):1173-1206, 2004. In fact, corrected by [KP10]In fact, corrected by [KP10]using genetic programming + model using genetic programming + model checking.checking.

There are several kinds of There are several kinds of coordinationscoordinations, each between a set of , each between a set of processes. Each coordination is processes. Each coordination is controlled by a separate process.controlled by a separate process.

A process may have several choices A process may have several choices between coordinations.between coordinations.

Program processes and coordination Program processes and coordination processes exchange messages until processes exchange messages until coordination is established.coordination is established.

P1

P3 P4

P2

C1C2

P4 has multiple choice at some state.

We can mark each local state We can mark each local state of a process of a process pp as follows as follows::

1.1. KK11:: pp knows he has a transition with maximal knows he has a transition with maximal prioritypriority..

2.2. KK22:: p p does not know does not know ……, but knows that some , but knows that some other process knows other process knows …… (not necessarily the (not necessarily the same process for each state consistent with same process for each state consistent with the local state).the local state).

3.3. KK33: Both above cases do not hold.: Both above cases do not hold.

33 : for each global state, there is a local state : for each global state, there is a local state where Kwhere K11 holds holds

Calculating KCalculating K22

We first mark local states by KWe first mark local states by K11 according according

to the previous algorithm.to the previous algorithm. Then KThen K22 holds in a local state, if all the holds in a local state, if all the

global states containing it have a local global states containing it have a local state where Kstate where K11 holds. holds.

If a local state of some process satisfies If a local state of some process satisfies KK22, then the process “shouldn’t worry” – , then the process “shouldn’t worry” –

“someone else will do the job”.“someone else will do the job”.

What if What if 33 does not hold does not hold??

We set up a table that tells us about We set up a table that tells us about combined combined knowledgeknowledge..

Take some Take some tuplestuples of them (start with pairs), and check of them (start with pairs), and check whether they have a combined knowledge of maximal whether they have a combined knowledge of maximal priority.priority.

Make a table of such tuples.Make a table of such tuples. Each tuple is a coordination!Each tuple is a coordination! Add tuples Add tuples untiluntil each global state includes such a each global state includes such a

tuple.tuple. Each tuple suggests a coordination where combined Each tuple suggests a coordination where combined

knowledge about who has maximal priority exists.knowledge about who has maximal priority exists.

Minimize the number of Minimize the number of interactionsinteractions

Minimize the number of Minimize the number of interactions (NP-Complete)interactions (NP-Complete)

More minimizations: Calculate the More minimizations: Calculate the support table according to the support table according to the executions executions satisfyingsatisfying the constraint the constraint propertyproperty!!

a<<{c,d}<<b

Based on the knowledge of the original system:The right process would not execute a since it has a lower priority than c and d.The left process would not execute c since it has a lower priority than b.But the execution (cd) respects the priorities, and based on its reachable states {p1,p4} and {p1,p5}, (and {p2,p4} is not reachable then) the right process has knowledge to support this execution .

The ruleThe rule:: It is safe to calculate the knowledge based It is safe to calculate the knowledge based

on the states reachable in executions that on the states reachable in executions that satisfy the needed restriction satisfy the needed restriction ..

Intuition: the knowledge includes the actual Intuition: the knowledge includes the actual state, thus, a transition is only allowed from state, thus, a transition is only allowed from a state such that as a pair they satisfy a state such that as a pair they satisfy . . So it is safe.So it is safe.

One still needs to check that no new One still needs to check that no new deadlocks are introduced.deadlocks are introduced.

Another principle: check Another principle: check reachability of potential deadlocksreachability of potential deadlocks

Analyzing knowledge according to the full Analyzing knowledge according to the full state space, we obtain that in the state state space, we obtain that in the state {{pp44,p,p1010} and in {} and in {pp66,p,p1010}, there is no }, there is no

supported transition! – a potential supported transition! – a potential deadlock.deadlock.

This is because the left process does not This is because the left process does not know whetherknow whether j j, with the higher priority , with the higher priority than than kk, is now enabled., is now enabled.

But But bb is never supported and also is never supported and also cc from from the initial state (since the initial state (since c<<b<<ic<<b<<i). Thus, any ). Thus, any state containing state containing pp1010 is not even reachable. is not even reachable.

A reachability analysis shows that the A reachability analysis shows that the potential problem with the incomplete potential problem with the incomplete table never happens.table never happens. k<<j, c<<b<<i

The principles are The principles are independentindependent

Use just “constrainted” executions.Use just “constrainted” executions. Check for unreachable “deadlocks”.Check for unreachable “deadlocks”. Use knowledge of perfect recall.Use knowledge of perfect recall.

Examples in the papers.Examples in the papers.

Strengthening the safety constraint

It is possible that the safety constraint that we want to impose includes already some unavoidable deadlocks: reachable states from which no transition can be fired, even if we synchronize all the processes.

We may be in a previous state where all enabled transitions, or at least one uncontrolled transition, will lead to such deadlocks.

We may be further in previous states that leads to … that leads to …

In the priorities example, this cannot happen: at any state (not originally deadlocked) there is a transition with maximal priority. But what if the property is that x+y is even?

Strengthening the property

Backwards strategy search: Start from (new) deadlock states and eliminate

them. Eliminate every state with an uncontrolled

enabled transition to a state that was eliminated.

Eliminate every state where all the controlled enabled transitions lead to eliminated states.

We obtain a reduced state space. Calculate knowledge and synthesize w.r.t. it.

Semi-global tie breaking

Coordinating many processes takes a lot of overhead.

Suppose there is a tie-breaking process (or several processes) that can help with acquiring knowledge.

When a process does not know what to do, it logs into that process, and provides its local information.

When the tie breaker has enough joint knowledge, it decides which transition can be fired.

Architecture

Additional

Specification


System

System





blocked!).




controller).

Controllers are allowed to coordinate to

temporary synchronize to obtain joint

knowledge.

Tie breaker

ConclusionsConclusions We can employ We can employ model checkingmodel checking of knowledge properties to of knowledge properties to

implement implement prioritiespriorities in a distributed way in a distributed way. . May apply to other problem of distributed implementation, while solving May apply to other problem of distributed implementation, while solving

some global constraints.some global constraints. Solves a distributed Solves a distributed controllability with limited observabilitycontrollability with limited observability problem. problem. Problem is Problem is decideabledecideable since we allow additional communication. since we allow additional communication. Does not provide a perfect solution (not always the least constrained Does not provide a perfect solution (not always the least constrained

solution)!solution)! Space/performance tradeoff in using logic of perfect recall.Space/performance tradeoff in using logic of perfect recall. Can combine knowledge of several processes temporarily through a Can combine knowledge of several processes temporarily through a

coordination algorithm.coordination algorithm. Apply various Apply various compromisescompromises when knowledge is not enough, e.g., allow when knowledge is not enough, e.g., allow

further synchronization (makes the problem decidable).further synchronization (makes the problem decidable). Analysis should be based on the set of constrained executions, not the Analysis should be based on the set of constrained executions, not the

executions of the original.executions of the original. Game theoreticGame theoretic solution for strengthening enforced invariant. solution for strengthening enforced invariant.

Documents

Knowledge Based Synthesis of Control for Distributed Systems