Decidability and Complexity Results for Verification of Asynchronous Broadcast Networks
Giorgio Delzanno
Riccardo Traverso
DIBRIS, Università di Genova, Italy
Bilbao, April 3rd, 2013
Giorgio Delzanno, Riccardo Traverso
LATA 2013 – Asynch. Broadcast Networks
1/38
Table of Contents
1. Motivations and Background
2. Asynchronous Broadcast Networks
3. Coverability Problem
4. Decidability issues
5. Conclusion
Ad Hoc Networks: Main features
No fixed infrastructure.
Selective broadcast.
Asynchronous communication.
Time-outs.
...
Protocols are inherently parametric in the number of
participants, e.g.:
Ad hoc On-Demand Distance Vector Routing
Gafni-Bertsekas Link Reversal Routing
Verification Approaches
Process Algebra for timed and untimed broadcast
communication.
[Prasad, Mezzetti-Sangiorgi, Ene-Muntean, Fehnker et al., . . . ]
Model Checking for fixed initial configurations.
[Fehnker-Van Hoesel-Mader, . . . ]
Static Analysis for a fixed set of connection graphs.
[Nanz-Hankin, Nanz-Nielson-Nielson]
Constraint-based Analysis for arbitrary graphs of a given
size.
[Singh-Ramakrishnan-Smolka]
Our Approach to Parameterized Verification
Routing protocols require complex features and data structures
in the model.
We try to add one feature at a time to a basic (synchronous) model of Ad Hoc Networks [1], investigating how they affect decidability.
Local clocks (FORMATS 2011)
Dynamic reconfigurations of the network (FSTTCS 2012)
...
[1] Delzanno, Sangnier, Zavattaro: Parameterized Verification of Ad Hoc Networks. CONCUR 2011.
In This Work
Explore decidability boundaries for parameterized verification of
asynchronous broadcast models:
semantics for incoming messages;
shape of connection graph;
instruction set to model protocols.
Table of Contents
1
Motivations and Background
2
Asynchronous Broadcast Networks
3
Coverability Problem
4
Decidability issues
5
Conclusion
Asynchronous Broadcast Networks (ABN)
A network of finite-state automata distributed on a graph.
Topology-dependent semantics of synchronization.
Nodes communicate via asynchronous broadcast messages
only.
Unread messages are kept in local mailboxes.
We consider different disciplines for handling mailboxes (e.g.
bags, FIFO queues).
ABN: Mailbox
Definition
A mailbox structure is a tuple ℳ = ⟨M, del?, add, del, []⟩ where:
M is the set of all possible mailbox contents on some fixed finite alphabet Σ;
for a ∈ Σ and m ∈ M, del?(a, m), add(a, m), and del(a, m) are operations over mailboxes;
[] ∈ M is the empty mailbox.
Visibility
a ∈ Σ is said to be visible in m ∈ M when del?(a, m) is true.
ABN: Mailbox
We will consider three mailbox structures:
bags, to model the loss of the order of incoming messages.
lossy FIFO queues, to model the loss of messages;
FIFO queues, to model perfect communication;
ABN: Protocol
Definition
A protocol is defined by a process P = ⟨Q, Σ, R, q0⟩, where:
Q is a finite set of control states;
Σ is a finite message alphabet;
Act = {τ} ∪ {!!a, ??a | a ∈ Σ};
R ⊆ Q × Act × Q is the transition relation;
q0 ∈ Q is an initial control state.
ABN: Configurations
Definition
A configuration is an undirected graph with labels in Q × M.
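The following Python is an added example, not code from the slides or from the authors: it implements the three mailbox structures (bags, FIFO queues, lossy FIFO queues) through the operations del?, add and del of the definition above, and the broadcast/receive steps of an ABN over a configuration graph. The class names, the tuple encoding of mailboxes, the encoding of actions and the three-node protocol used in the demo are all our own constructions.

```python
# Added example (not from the slides): mailbox structures and ABN steps.
from typing import Dict, List, Set, Tuple

Msg = str
Mailbox = Tuple[Msg, ...]   # one tuple representation serves all three structures
EMPTY: Mailbox = ()         # the empty mailbox []


class Bag:
    """Multiset over Σ: the order in which messages arrived is lost."""
    @staticmethod
    def add(a: Msg, m: Mailbox) -> Mailbox:
        return tuple(sorted(m + (a,)))          # sorting makes the order irrelevant

    @staticmethod
    def visible(a: Msg, m: Mailbox) -> bool:    # del?(a, m): a can be consumed
        return a in m

    @staticmethod
    def delete(a: Msg, m: Mailbox) -> Mailbox:  # del(a, m): drop one copy of a
        i = m.index(a)
        return m[:i] + m[i + 1:]


class Fifo:
    """Perfect queue: only the message at the head is visible."""
    @staticmethod
    def add(a: Msg, m: Mailbox) -> Mailbox:
        return m + (a,)

    @staticmethod
    def visible(a: Msg, m: Mailbox) -> bool:
        return bool(m) and m[0] == a

    @staticmethod
    def delete(a: Msg, m: Mailbox) -> Mailbox:
        return m[1:]


class LossyFifo(Fifo):
    """Queue that may lose messages: any queued a is visible, and consuming it
    loses whatever was queued in front of it."""
    @staticmethod
    def visible(a: Msg, m: Mailbox) -> bool:
        return a in m

    @staticmethod
    def delete(a: Msg, m: Mailbox) -> Mailbox:
        return m[m.index(a) + 1:]


Act = Tuple[str, Msg]          # ('tau', ''), ('!!', a) or ('??', a)
Rule = Tuple[str, Act, str]    # (q, action, q') in R


class Network:
    """A configuration: undirected graph whose nodes carry (state, mailbox)."""
    def __init__(self, rules: Set[Rule], q0: str, nodes: List[str],
                 edges: Set[Tuple[str, str]], structure) -> None:
        self.rules, self.M = rules, structure
        self.conf: Dict[str, Tuple[str, Mailbox]] = {n: (q0, EMPTY) for n in nodes}
        self.adj: Dict[str, Set[str]] = {n: set() for n in nodes}
        for u, v in edges:
            self.adj[u].add(v)
            self.adj[v].add(u)

    def _next(self, n: str, act: Act) -> str:
        q = self.conf[n][0]
        for p, a, p2 in self.rules:
            if p == q and a == act:
                return p2
        raise ValueError(f"{n} in {q} has no {act} transition")

    def internal(self, n: str) -> None:             # τ step
        self.conf[n] = (self._next(n, ('tau', '')), self.conf[n][1])

    def broadcast(self, n: str, a: Msg) -> None:    # !!a step
        self.conf[n] = (self._next(n, ('!!', a)), self.conf[n][1])
        for v in self.adj[n]:                        # only neighbours get a copy
            s, m = self.conf[v]
            self.conf[v] = (s, self.M.add(a, m))

    def receive(self, n: str, a: Msg) -> None:      # ??a step, needs del?(a, m)
        s, m = self.conf[n]
        if not self.M.visible(a, m):
            raise ValueError(f"{a} is not visible in mailbox {m} of {n}")
        self.conf[n] = (self._next(n, ('??', a)), self.M.delete(a, m))


# Constructed protocol: n1 broadcasts x then y; a receiver waits for y only.
DEMO_RULES: Set[Rule] = {('q0', ('!!', 'x'), 'q1'), ('q1', ('!!', 'y'), 'q2'),
                         ('q0', ('??', 'y'), 'q3')}


def demo(structure):
    """Send x, y from n1 on the line n1 - n2 - n3, then let n2 try ??y.
    Returns (n2's mailbox before ??y, n3's mailbox, n2's mailbox after ??y
    or None if the receive is blocked)."""
    net = Network(DEMO_RULES, 'q0', ['n1', 'n2', 'n3'],
                  {('n1', 'n2'), ('n2', 'n3')}, structure)
    net.broadcast('n1', 'x')
    net.broadcast('n1', 'y')
    before, n3 = net.conf['n2'][1], net.conf['n3'][1]
    try:
        net.receive('n2', 'y')
        after = net.conf['n2'][1]
    except ValueError:
        after = None
    return before, n3, after


if __name__ == '__main__':
    for M in (Bag, Fifo, LossyFifo):
        print(M.__name__, demo(M))
```

Running it shows the topology dependence (n3 is not a neighbour of n1 and never hears it) and how the mailbox discipline decides whether ??y is enabled while x is still queued: a bag lets n2 consume y and keep x, a perfect FIFO blocks the receive, and a lossy FIFO enables it at the cost of losing x.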
ABN: Example (with bags) [figure]
ABN: Example (with FIFO queues) [figure]
ABN: Example (with lossy FIFO queues) [figure]
Coverability Problem
COVER(M): Problem Definition
Given a protocol P, a mailbox structure M and a control state q,
the coverability problem COVER(M) states: is there an initial
configuration of the resulting ABN such that it may evolve into a
configuration exposing the state q?
Coverability Problem
COVER_K(M): Fully Connected Graphs
We use COVER_K(M) to denote the restriction of COVER(M) to fully connected configurations only.
ABN: COVER_K(Bag)
Bags
The mailbox structure Bag is instantiated in such a way that the elements of M are multisets over Σ.
COVER_K(Bag) is in PTime
Upper bound: reduction to coverability for Reconfigurable Broadcast Networks [2].
[2] Delzanno, Sangnier, Traverso, Zavattaro: On the Complexity of Parameterized Reachability in Reconfigurable Broadcast Networks. FSTTCS 2012.
ABN: COVER_K(Bag)
Algorithm overview
It exploits two key ideas:
we can assume to have as many nodes as we need;
we can pick the messages we want from the mailbox, ignoring everything else.
Collect reachable control states until saturation, starting from the initial one.
At each step:
internal actions τ and broadcasts !!a are always fireable;
receive actions ??a can be fired if some !!a can be fired.
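The saturation procedure sketched above, written out as an added Python example (our own code, not the authors'); the rule encoding and the request/acknowledge protocol are constructed for illustration. Since the slides note that the same algorithm decides COVER_K(LFIFO), with unwanted messages dropped by lossy steps instead of being ignored, the function serves both cases.

```python
# Added example (not from the slides): saturation for COVER_K(Bag) / COVER_K(LFIFO).
from typing import Set, Tuple

Act = Tuple[str, str]        # ('tau', ''), ('!!', a) or ('??', a)
Rule = Tuple[str, Act, str]  # (q, action, q') in R


def reachable_states(rules: Set[Rule], q0: str) -> Set[str]:
    """Control states that some node can reach in a fully connected ABN with
    bag mailboxes, under the two assumptions from the slides: arbitrarily many
    nodes (so a sender in state p exists whenever p has been reached) and the
    freedom to leave unwanted messages in the bag."""
    seen = {q0}
    changed = True
    while changed:
        changed = False
        # a broadcast !!a is fireable as soon as some reached state offers it
        sendable = {a for p, (kind, a), _ in rules if kind == '!!' and p in seen}
        for p, (kind, a), q in rules:
            if p not in seen or q in seen:
                continue
            # τ and !!a are always fireable; ??a needs a fireable !!a
            if kind in ('tau', '!!') or (kind == '??' and a in sendable):
                seen.add(q)
                changed = True
    return seen


def cover_k_bag(rules: Set[Rule], q0: str, target: str) -> bool:
    """COVER_K(Bag): can some node expose the target control state?"""
    return target in reachable_states(rules, q0)


# Constructed protocol: a request/acknowledge handshake plus a state (q5) that
# nobody can reach, whose broadcast 'secret' therefore never enables ??secret.
DEMO_RULES: Set[Rule] = {
    ('q0', ('!!', 'req'), 'q1'), ('q0', ('??', 'req'), 'q2'),
    ('q2', ('!!', 'ack'), 'q3'), ('q1', ('??', 'ack'), 'q4'),
    ('q5', ('!!', 'secret'), 'q6'), ('q0', ('??', 'secret'), 'q7'),
}

if __name__ == '__main__':
    print(sorted(reachable_states(DEMO_RULES, 'q0')))   # q0 .. q4
    print(cover_k_bag(DEMO_RULES, 'q0', 'q4'), cover_k_bag(DEMO_RULES, 'q0', 'q7'))
```

Each pass of the while loop either adds a control state or terminates, so there are at most |Q| passes of O(|R|) work, which is where the polynomial bound comes from. The sender and the receiver of a message are distinct nodes; the algorithm may assume a sender exists because the initial configuration, including its number of nodes, is chosen freely in the coverability problem.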
ABN: COVER(Bag)
COVER(Bag) is PTime-complete
Upper bound: it can be reduced to the fully connected case.
Lower bound: reduction from the Circuit Value Problem.
ABN: COVER_K(LFIFO)
Lossy FIFO queues
The mailbox structure LFIFO handles incoming messages with FIFO queues that may lose data arbitrarily.
COVER_K(LFIFO) is in PTime
As in the Bag case, we can build a reduction to coverability for Reconfigurable Broadcast Networks.
Algorithm overview
The algorithm is the same.
Messages we do not want to receive may be deleted through
lossy steps, instead of ignored as with bags.
ABN: COVER(LFIFO)
COVER(LFIFO) is PTime-complete
Upper bound: reduction from COVER(LFIFO) to COVER_K(LFIFO).
Lower bound: reduction from the Circuit Value Problem.
ABN: COVER_K(FIFO) and COVER(FIFO)
FIFO queues
The mailbox structure FIFO makes local mailboxes behave like (perfect) FIFO queues.
COVER_K(FIFO) and COVER(FIFO) are undecidable
We can build a reduction from the halting problem for two-counter
machines. The same construction works for both problems: it does
not assume anything about the underlying topology.
ABN with Emptiness Test (ABNε)
We enrich the ABN model in order to enable individual processes to check whether the local mailbox is empty.
ABNε Model
The set of actions Act is extended to {τ, ε} ∪ {!!a, ??a | a ∈ Σ}, and the semantics is modified accordingly, i.e. such that an ε-transition can be fired if and only if the local mailbox is empty.
ABNε: FIFO and LFIFO
COVER_K(FIFO) and COVER(FIFO) are undecidable
The possibility to test the emptiness of the mailbox does not affect the reduction from two-counter machines.
COVER_K(LFIFO) and COVER(LFIFO) are PTime-complete
The previous reduction can be adapted to this case.
Proof idea: ε-transitions are somewhat like internal transitions,
because we can always empty the local mailbox to pass the
emptiness test.
ABNε: COVER_K(Bag) and COVER(Bag)
COVER_K(Bag) and COVER(Bag) are undecidable
Reduction from halting problem for two-counter machines.
Proof idea: The emptiness test can be exploited both for
zero-testing and interference detection.
ABNε: From two-counter machines to COVER(Bag)
Two-counter machines
A two-counter machine is defined by a set of control locations Loc, a set of instructions Inst ⊆ Loc × Op × Loc over two natural counters (increment, decrement, zero-test), and an initial location.
The encoded protocol is split in two phases: election and simulation.
During the election, processes choose their role.
The simulation requires a leader process directly connected to two slaves (one per counter).
ABNε: From two-counter machines to COVER(Bag)
Election
Each node chooses a role and searches for appropriate
neighbors accordingly.
Election only tests for the presence of the required links
between nodes with the various roles.
Messages exchanged during the election can never be
consumed afterwards.
A successful election ends leaving empty mailboxes in the
involved nodes.
ABNε: From two-counter machines to COVER(Bag)
Simulation
Counters are encoded (in unary) through messages in the mailboxes.
For increment it is sufficient to send a broadcast with a unit.
A decrement forces the removal of a unit from the mailbox of the slave.
Tests for zero are performed by exploiting ε-transitions.
ABNε: From two-counter machines to COVER(Bag)
Warning
What if other neighbors wake up and start a simulation leading to
interferences with the current one?
Finalization
Reminder: we cannot consume messages from the election
during the simulation.
After reaching the target control state, we reset both counters
to zero in order to try to empty all mailboxes.
If all mailboxes are empty the simulation ends successfully,
otherwise it blocks just before completing.
Summary of our results

            COVER_K(M)            COVER(M)
            ABN      ABNε         ABN      ABNε
LFIFO       PTime    PTime        PTime    PTime
Bag         PTime    undec.       PTime    undec.
FIFO        undec.   undec.       undec.   undec.
Comparison w.r.t. (synchronous) Ad Hoc Networks

                          AHN [3]    ABN / ABNε
                                     LFIFO    Bag            FIFO
Fully connected graphs    X          PTime    PTime/undec.   undec.
Arbitrary graphs          undec.     PTime    PTime/undec.   undec.

[3] Delzanno, Sangnier, Zavattaro: Parameterized Verification of Ad Hoc Networks. CONCUR 2011.
    Delzanno, Sangnier, Zavattaro: On the Power of Cliques in the Parameterized Verification of Ad Hoc Networks. FOSSACS 2011.
Future and Ongoing Work
Extend the model with a notion of process identifiers.
Useful to model routing protocols.
Coverability seems to be decidable, under some restrictions.
Extend the model with clocks (local + message age).
Thank you for your attention!