The challenges of non-stable predicates

The challenges of non-stable predicates Consider a non-stable predicate Φ encoding, say, a safety property. We want to determine whether Φ holds for our program.

The challenges of non-stable predicates Consider a non-stable predicate Φ encoding, say, a safety property. We want to determine whether Φ holds for our program. Suppose we apply Φ to Σ s

The challenges of non-stable predicates Consider a non-stable predicate Φ encoding, say, a safety property. We want to determine whether Φ holds for our program. Suppose we apply Φ to Σ s Σ s Φ holding in does not preclude the possibility that our program violates safety!

The challenges of non-stable predicates Consider now a different non-stable predicate Φ. We want to determine whether Φ ever holds during a particular computation. Suppose we apply Φ to Σ s

The challenges of non-stable predicates Consider now a different non-stable predicate Φ. We want to determine whether Φ ever holds during a particular computation. Suppose we apply Φ to Σ s Φ holding in Σ s does not imply that Φ ever held during the actual computation!

Example x = 3 x = 4 x = 5 e 1 1 e 2 1 e 3 1 e 4 1 e 5 1 e 6 1 e 1 2 e 2 2 e 3 2 e 4 2 e 5 2 y = 6 y = 4 y = 2 Detect whether the following predicates hold: Assume that initially: x = y x = y 2 x = 0; y = 10

ccc Possibly x = y 2 Σ 41 Σ 31 Σ 42 53 Σ Σ 00 Σ 10 Σ 01 Σ 11 Σ 02 Σ 21 Σ 12 Σ 22 Σ 13 Σ 32 Σ 23 Σ 33 Σ 43 Σ 44 Σ 45 Σ 03 Σ s Σ 31 Σ 41 If is or,. x = y 2 is detected, but it may never have occurred Σ 63 Σ 64 Σ 54 Σ 55 Σ 65

ccc Possibly x = y 2 Σ 41 Σ 63 Σ 31 Σ 42 53 Σ Σ 64 Σ 00 Σ 10 Σ 01 Σ 11 Σ 02 Σ 21 Σ 12 Σ 22 Σ 13 Σ 32 Σ 23 Σ 33 Σ 43 Σ 44 Σ 45 Σ 54 Σ 65 Σ 55 Σ 03 Σ s Σ 31 Σ 41 If is or,. x = y 2 is detected, but it may never have occurred Possibly( Φ) There exists a consistent observation of the computation O such that Φ holds in a global state of O

Definitely Σ 41 Σ 31 Σ 42 53 Σ Σ 00 Σ 10 Σ 01 Σ 11 Σ 02 Σ 21 Σ 12 Σ 22 Σ 13 Σ 32 Σ 23 Σ 33 Σ 43 x = y Σ 44 Σ 45 Σ 03 We know that x = y has occurred, but it may not be detected if tested before Σ 32 or after Σ 54 Σ 63 Σ 64 Σ 54 Σ 55 Σ 65

Definitely Σ 41 Σ 63 Σ 31 Σ 42 53 Σ Σ 64 Σ 00 Σ 10 Σ 01 Σ 11 Σ 02 Σ 21 Σ 12 Σ 22 Σ 13 Σ 32 Σ 23 Σ 33 Σ 43 x = y Σ 44 Σ 45 Σ 54 Σ 65 Σ 55 Σ 03 We know that x = y has occurred, but it may not be detected if tested before Σ 32 or after Σ 54 Definitely( Φ) For every consistent observation O of the computation, there exists a global state of O in which Φ holds

Computing Possibly Σ 00 Σ 10 Σ 01 Σ 11 Σ 02 Scan lattice, level after level If Φ holds in one global state, then Possibly( Φ) Σ 41 Σ 31 Σ 42 53 Σ Σ 21 Σ 12 Σ 22 Σ 32 Σ 23 Σ 33 Σ 43 Σ 44 Σ 45 Σ 13 Σ 03 Σ 63 Σ 64 Σ 54 Σ 55 Σ 65

Computing Possibly Σ 00 Σ 10 Σ 01 Σ 11 Σ 02 Scan lattice, level after level If Φ holds in one global state, then Possibly( Φ) Σ 41 Σ 31 Σ 42 53 Σ Σ 21 Σ 12 Σ 22 Σ 32 Σ 23 Σ 33 Σ 43 Σ 44 Σ 45 Σ 13 Σ 03 Σ 63 Σ 64 Σ 54 Σ 55 Σ 65

Computing Possibly Σ 00 Σ 10 Σ 01 Σ 11 Σ 02 Scan lattice, level after level If Φ holds in one global state, then Possibly( Φ) Σ 41 Σ 31 Σ 42 53 Σ Σ 21 Σ 12 Σ 22 Σ 32 Σ 23 Σ 33 Σ 43 Σ 44 Σ 45 Σ 13 Σ 03 Σ 63 Σ 64 Σ 54 Σ 55 Σ 65

Computing Possibly Σ 00 Σ 10 Σ 01 Σ 11 Σ 02 Scan lattice, level after level If Φ holds in one global state, then Possibly( Φ) Σ 41 Σ 31 Σ 42 53 Σ Σ 21 Σ 12 Σ 22 Σ 32 Σ 23 Σ 33 Σ 43 Σ 44 Σ 45 Σ 13 Σ 03 Σ 63 Σ 64 Σ 54 Σ 55 Σ 65

Computing Possibly Scan lattice, level after level If Φ holds in one global state, then Possibly( Φ) Σ 41 Σ 63 Σ 31 Σ 42 53 Σ Σ 64 Σ 00 Σ 10 Σ 01 Σ 21 Σ 32 Σ 11 Σ 02 Σ 22 Σ 43 Σ 33 Σ 54 Σ 65 Σ 12 Σ 23 Σ 44 Σ 45 Σ 55 Possibly (x = y 2) Σ 13 Σ 03

Computing Definitely Scan lattice, level after level Σ 00 Σ 10 Σ 01 Σ 11 Σ 02 Σ 41 Σ 31 Σ 42 53 Σ Σ 21 Σ 12 Σ 22 Σ 32 Σ 23 Σ 33 Σ 43 Σ 44 Σ 45 Σ 13 Σ 03 Σ 63 Σ 64 Σ 54 Σ 55 Σ 65

Computing Definitely Scan lattice, level after level Given a level, only expand nodes that correspond to states for which Φ Σ 41 Σ 31 Σ 42 53 Σ Σ 00 Σ 10 Σ 01 Σ 11 Σ 02 Σ 21 Σ 12 Σ 22 Σ 13 Σ 32 Σ 23 Σ 33 Σ 43 Σ 44 Σ 45 Σ 03 Σ 63 Σ 64 Σ 54 Σ 55 Σ 65

Computing Definitely Scan lattice, level after level Given a level, only expand nodes that correspond to states for which Φ If no such state, then Definitely( Φ) Σ l If reached last state, and Φ(Σ l ), then Definitely( Φ) Σ 41 Σ 63 Σ 31 Σ 42 53 Σ Σ 64 Σ 00 Σ 10 Σ 01 Σ 11 Σ 02 Σ 21 Σ 12 Σ 22 Σ 13 Σ 32 Σ 23 Σ 33 Σ 43 Σ 44 Σ 45 Σ 54 Σ 65 Σ 55 Σ 03

Computing Definitely Scan lattice, level after level Given a level, only expand nodes that correspond to states for which Φ If no such state, then Definitely( Φ) Σ l If reached last state, and Φ(Σ l ), then Definitely( Φ) Σ 41 Σ 31 Σ 00 Σ 10 Σ 01 Σ 21 Σ 32 Σ 42 Σ 33 Σ 11 Σ 02 Σ 12 Σ 22 Σ 03 Σ 13 Σ 23 Definitely (x = y)

Building the lattice: collecting local states To build the global states in the lattice, collects local states from each process. p 0 p 0 keeps the set of local states received from in a FIFO queue p i Key questions: 1. when is it safe for to discard a local state of? σ k i p i p 0 Q i 2. Given level i of the lattice, how does one build level i + 1?

. can Garbage-collecting local states For each local state σ k i, we need to determine: Σ min (σi k )), the earliest consistent state that can belong to σ k i Σ max (σi k )), the latest consistent state that belong to σ k i

Defining earliest and latest Consistent Global State

Defining earliest and latest Consistent Global State Consistent Cut

Defining earliest and latest Consistent Global State Consistent Cut Frontier

Defining earliest and latest Consistent Global State Consistent Cut Frontier Vector Clock

Defining earliest and latest Consistent Global State Consistent Cut Frontier Vector Clock Associate a vector clock with each consistent global state Σ min (σi k )) is the consistent global state with the lowest vector clock that has on its frontier σ k i Σ max (σi k )) is the one with the highest

Computing Σ min [1,0,0] [2,0,0] [3,4,1] [4,4,1] [5,5,5] σ k i [1,3,1] [1,5,1] [1,6,1] [1,0,0] [1,2,0] [1,4,1] [0,0,1] [0,0,2] [1,5,3] [4,5,4] [4,5,5] Label σi k with VC(e k i ) Σ min (σ k i ) = (σ c 1 1, σc 2 2,..., σc n n ) : j : c j = VC(σ k i )[j] Σ min (σ k i ) and σ k i have the same vector clock!

Computing Σ max [1,0,0] [2,0,0] [3,4,1] [4,4,1] [5,5,5] [1,3,1] [1,5,1] σ k i [1,6,1] [1,0,0] [1,2,0] [1,4,1] [0,0,1] [0,0,2] [1,5,3] [4,5,4] [4,5,5] Σ max (σ k i ) = (σ c 1 1, σc 2 2,... σc n n ) : j : VC(σ c j j )[i] VC(σk i )[i] ((σ c j j = σ c f j ) VC(σc j+1 j )[i] > VC(σi k )[i]))

Computing Σ max [1,0,0] [2,0,0] [3,4,1] [4,4,1] [5,5,5] [1,3,1] [1,5,1] σ k i [1,6,1] [1,0,0] [1,2,0] [1,4,1] [0,0,1] [0,0,2] [1,5,3] [4,5,4] [4,5,5] Σ max (σ k i ) = (σ c 1 1, σc 2 2,... σc n n ) : j : VC(σ c j j )[i] VC(σk i )[i] ((σ c j j set of local states one for each process, s.t. = σ c f j ) VC(σc j+1 j )[i] > VC(σi k )[i]))

Computing Σ max [1,0,0] [2,0,0] [3,4,1] [4,4,1] [5,5,5] [1,3,1] [1,5,1] σ k i [1,6,1] [1,0,0] [1,2,0] [1,4,1] [0,0,1] [0,0,2] [1,5,3] [4,5,4] [4,5,5] Σ max (σ k i ) = (σ c 1 1, σc 2 2,... σc n n ) : j : VC(σ c j j )[i] VC(σk i )[i] ((σ c j j = σ c f j ) VC(σc j+1 j )[i] > VC(σi k )[i])) set of local states one for each process, s.t. all local states are pairwise consistent with σ k i

Computing Σ max [1,0,0] [2,0,0] [3,4,1] [4,4,1] [5,5,5] [1,3,1] [1,5,1] σ k i [1,6,1] [1,0,0] [1,2,0] [1,4,1] [0,0,1] [0,0,2] [1,5,3] [4,5,4] [4,5,5] Σ max (σ k i ) = (σ c 1 1, σc 2 2,... σc n n ) : j : VC(σ c j j )[i] VC(σk i )[i] ((σ c j j = σ c f j ) VC(σc j+1 j )[i] > VC(σi k )[i])) set of local states one for each process, s.t. all local states are pairwise consistent with σ k i and they are the last such state

Assembling the levels To build level l wait until each Q i contains a local state for whose vector clock: n i=1 VC[i] l To build level l + 1 For each global state i1,i 2,...,i n on level l, build i1 +1,i 2,...,i n, i 1,i 2 +1,...,i n,..., i 1,i 2,...,i n +1 Using VC s, check whether these global states are consistent