MapReduce for Parallel Trace Validation of LTL Properties
DESCRIPTION
We present an algorithm for the automated verification of Linear Temporal Logic (LTL) formulae on event traces using an increasingly popular cloud computing framework called MapReduce. The algorithm can process multiple, arbitrary fragments of the trace in parallel, and computes its final result through a cycle of runs of MapReduce instances. Compared to classical, single-instance solutions, a proof-of-concept implementation shows through experimental evaluation how the algorithm reduces by as much as 90% the number of operations that must be performed sequentially, resulting in a commensurate speed gain.
TRANSCRIPT
MapReduce for Parallel Trace Validation of LTL Properties
Benjamin Barre, Mathieu Klein, Maxime Soucy-Boivin, Pierre-Antoine Ollivier and Sylvain Hallé
Université du Québec à Chicoutimi, Canada
Funding: CRSNG / NSERC; Fonds de recherche Nature et technologies
Runtime monitoring pipeline: System → Instrumentation → Trace (a sequence of Events) → Trace validation
Examples of trace properties:
- Iterator<T> (methods hasNext and next): a call to next must be preceded by a call to hasNext.
- Messages A and B exchanged between two parties: no CartCreate request can occur before a LoginResponse message.
- Repeated Login events: three successive login attempts should trigger an alarm.
- Order workflow (Receive order → Ready? → Yes / No → File order → Ship): a received order must eventually be shipped.
Let A be a set of event symbols. A trace m is a mapping from ℕ to the set of events, m : ℕ → A.
Example: positions 0 1 2 3 4 …, events a a b c b
Linear Temporal Logic = ground terms (the event symbols of A) + Boolean connectives (→, ¬, ∧) + temporal operators (X next, G globally, F eventually, U until)
Let Φ be the set of all possible LTL formulas. The function ℒ : Φ → 2^ℕ labels each state with a set of LTL formulas; equivalently, ℒ(φ) is the set of positions of the trace at which φ holds.
Example (positions 0 1 2 3 4 …, events a a b c b, states labelled with formulas such as a∧b, G (a→b), b∨c): ℒ(a∧b) = {0,1,4,...}
The labelling is defined inductively on the structure of the formula (positions 0 1 2 3 4 …, events a a b c b):
i ∈ ℒ(a) ⇔ m(i) = a
i ∈ ℒ(¬φ) ⇔ i ∉ ℒ(φ)
i ∈ ℒ(φ∧ψ) ⇔ i ∈ ℒ(φ) and i ∈ ℒ(ψ)
i ∈ ℒ(φ∨ψ) ⇔ i ∈ ℒ(φ) or i ∈ ℒ(ψ)
i ∈ ℒ(X φ) ⇔ i+1 ∈ ℒ(φ)
i ∈ ℒ(G φ) ⇔ j ∈ ℒ(φ) for all j ≥ i
i ∈ ℒ(F φ) ⇔ j ∈ ℒ(φ) for some j ≥ i
i ∈ ℒ(φ U ψ) ⇔ j ∈ ℒ(ψ) for some j ≥ i, and k ∈ ℒ(φ) for all k with i ≤ k < j
Theorem: i ∈ ℒ(φ) exactly when the suffix m(i), m(i+1), … of the trace satisfies φ.
Therefore 0 ∈ ℒ(φ) ⇔ m ⊧ φ: deciding whether the whole trace satisfies φ amounts to deciding whether position 0 belongs to ℒ(φ).
The four example properties as LTL formulas:
A call to next must be followed by a call to hasNext: G (next → X hasNext)
No CartCreate request can occur before a LoginResponse message: ¬CartCreate U LoginResponse
A received order must eventually be shipped: G (receive → F ship)
Three successive login attempts should trigger an alarm: G ¬(fail ∧ X (fail ∧ X fail))
Existing runtime monitors (e.g. Java MOP on the Iterator<T> example) read the trace linearly, event 1, 2, 3, 4, 5, …, and the algorithm runs on a single process / core / site.
[Figure: transistor count (×1000) and CPU speed (MHz) of processors, 1970–2010]
MapReduce (used, for instance, to compute PageRank) handles data as key/value tuples 〈key, value〉. Pipeline: Data source → Input reader → Mapper → Shuffling (tuples are grouped by key) → Reducer (one reducer per key: R_a, R_b, …).
Example (word count): the input "a b a a b a" is split into the chunks "ab", "ba" and "aa". Each input reader I emits one tuple 〈a,1〉 or 〈b,1〉 per symbol; after shuffling, reducer R_a receives every 〈a,1〉 tuple and outputs 〈a,4〉, and reducer R_b outputs 〈b,2〉.
Subformulas and superformulas: in the syntax tree of a formula, each node is a superformula of its children, which are its subformulas. The height of a formula is 0 for a ground term and 1 + the maximum height of its subformulas otherwise.
Example: in G ((a ∧ ¬c) → F b), the ground terms a, c and b have height 0; ¬c and F b have height 1; a ∧ ¬c has height 2; (a ∧ ¬c) → F b has height 3; G ((a ∧ ¬c) → F b) has height 4.
Looking at the semantic rules above, the labelling of a formula depends only on the labellings of formulas of strictly lower height.
⇒ All labellings of formulas of the same height are independent of each other.
⇒ They can be computed in parallel.
Mapper M
Input: tuples 〈φ,(n,i)〉, meaning "n ∈ ℒ(φ), and the last cycle has evaluated labellings for formulas of height i".
Action: "lift" ℒ(φ) to the superformulas of φ.
Output: tuples 〈ψ,(φ,n,i)〉, meaning "n ∈ ℒ(φ), the last cycle has evaluated labellings for formulas of height i, and φ is a subformula of ψ".

Reducer R_ψ (one per formula ψ)
Input: tuples 〈ψ,(φ,n,i)〉, with the same meaning as above.
Action: compute ℒ(ψ) from the labellings of its subformulas.
Output: tuples 〈ψ,(n,i+1)〉, meaning "n ∈ ℒ(ψ), and the last cycle has evaluated labellings for formulas of height i+1".

Input reader I
Input: events (a,n).
Output: tuples 〈ψ,(a,n,0)〉, meaning "n ∈ ℒ(a), the last cycle has evaluated labellings for formulas of height 0, and a is a subformula of ψ".

Output writer W
Input: tuples 〈ψ,(n,i)〉.
Output: true if a tuple 〈ψ,(0,i)〉 is read, false otherwise.
The complete cycle (trace chunks 1, 2, 3, … feed the input readers I; mappers M and reducers R are run once per height; the output writer W closes the cycle):
1. Input readers generate the first tuples from the trace chunks.
2. The tuples are shuffled to reducers that compute the labelling ℒ for formulas of height 1.
3. Mappers copy the labellings into tuples marked by superformulas of height 2.
4. Each reducer computes the labelling of a formula of height 2 from the labelling of its subformulas.
5. Mappers copy the labellings into tuples marked by superformulas of height 3.
6. Each reducer computes the labelling of a formula of height 3 from the labelling of its subformulas, and so on up to the height of the formula being checked.
7. An output writer collects the resulting tuples, and outputs "true" if it encounters a tuple for state 0.
Worked example: does the trace a a b c b a satisfy G (¬a → F b)?
Height 0: the trace is stored in three chunks, each read by its own input reader I: (a,0) (a,1); (b,2) (c,3); (a,5) (b,4). The readers emit 〈¬a,(a,0)〉, 〈¬a,(a,1)〉, 〈¬a,(a,5)〉 and 〈F b,(b,2)〉, 〈F b,(b,4)〉; since c occurs in no subformula, (c,3) produces no tuple.
Height 1: the reducers R_¬a and R_F b compute ℒ(¬a) = {2,3,4} and ℒ(F b) = {0,1,2,3,4}, emitting 〈¬a,2〉 〈¬a,3〉 〈¬a,4〉 and 〈F b,0〉 〈F b,1〉 〈F b,2〉 〈F b,3〉 〈F b,4〉.
Height 2: the mappers M lift these tuples to the superformula ¬a → F b: 〈¬a → F b,(¬a,2)〉, 〈¬a → F b,(¬a,3)〉, 〈¬a → F b,(¬a,4)〉, 〈¬a → F b,(F b,0)〉, 〈¬a → F b,(F b,1)〉, 〈¬a → F b,(F b,2)〉, 〈¬a → F b,(F b,3)〉, 〈¬a → F b,(F b,4)〉. The reducer R_¬a → F b computes ℒ(¬a → F b) = {0,1,2,3,4,5}: the implication holds at 0, 1 and 5 because ¬a is false there, and at 2, 3 and 4 because F b holds there. It emits 〈¬a → F b,0〉 … 〈¬a → F b,5〉.
Height 3: the mappers lift these six tuples to 〈G (¬a → F b),(¬a → F b,0)〉 … 〈G (¬a → F b),(¬a → F b,5)〉, and the reducer R_G (¬a → F b) computes ℒ(G (¬a → F b)) = {0,1,2,3,4,5}, emitting 〈G (¬a → F b),0〉 … 〈G (¬a → F b),5〉.
Output: the writer W reads 〈G (¬a → F b),0〉, a tuple for state 0, and returns True.
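The semantic rules, the I/M/R/W stages and the worked example above, as an added single-process simulation of the cycle (example code written for this page, not the authors' implementation). Formulas are nested Python tuples, labellings are sets of positions, and each MapReduce round is simulated in a loop: input readers read non-contiguous chunks, mappers lift labellings to direct superformulas, the reducers of height h run independently of one another, and a writer looks for a tuple for state 0. Two details the slides leave open are filled in as assumptions: every reducer is given the trace length N (needed to complement a labelling and to evaluate G, F and U on a finite trace), and lifted tuples for a superformula wait in a pool until the cycle that reaches its height. The helper names `check`, `validate`, `SLIDES`, `BRUTE`, `CART` and the sample traces (the slides' trace plus a constructed authentication log and a constructed login/cart exchange) are this example's own.

```python
"""Height-stratified map/reduce evaluation of LTL over a finite trace (added example).
Formulas are nested tuples: ('atom','a') ('not',f) ('and',f,g) ('or',f,g) ('imp',f,g)
('X',f) ('G',f) ('F',f) ('U',f,g). Assumptions not stated on the slides: reducers know
the trace length N, and lifted tuples wait in a pool until the cycle whose height
matches their superformula."""
from collections import defaultdict

def height(f):
    """Height: 0 for a ground term, 1 + the maximum height of the operands otherwise."""
    return 0 if f[0] == 'atom' else 1 + max(height(s) for s in f[1:])

def superformulas(f):
    """Map every proper subformula of f to the set of its direct superformulas."""
    sup, stack = defaultdict(set), [f]
    while stack:
        g = stack.pop()
        if g[0] != 'atom':
            for s in g[1:]:
                sup[s].add(g)
                stack.append(s)
    return sup

def input_reader(chunk, sup):
    """I: events (a, n) -> <psi, (a, n, 0)> for each direct superformula psi of a."""
    for a, n in chunk:
        for psi in sup.get(('atom', a), ()):
            yield psi, (('atom', a), n, 0)

def mapper(t, sup):
    """M: <phi, (n, i)> -> <psi, (phi, n, i)> for each direct superformula psi of phi."""
    phi, (n, i) = t
    for psi in sup.get(phi, ()):
        yield psi, (phi, n, i)

def reducer(psi, values, i, N):
    """R_psi: rebuild L(phi) for each subformula, apply the rule for psi's operator,
    and emit <psi, (n, i+1)> for every position n in L(psi)."""
    L = defaultdict(set)
    for phi, n, _ in values:
        L[phi].add(n)
    op, args, pos = psi[0], psi[1:], range(N)
    if op == 'not':
        res = {n for n in pos if n not in L[args[0]]}
    elif op == 'and':
        res = L[args[0]] & L[args[1]]
    elif op == 'or':
        res = L[args[0]] | L[args[1]]
    elif op == 'imp':
        res = {n for n in pos if n not in L[args[0]] or n in L[args[1]]}
    elif op == 'X':
        res = {n for n in pos if n + 1 in L[args[0]]}
    elif op == 'G':
        res = {n for n in pos if all(j in L[args[0]] for j in range(n, N))}
    elif op == 'F':
        res = {n for n in pos if any(j in L[args[0]] for j in range(n, N))}
    elif op == 'U':   # psi at some j >= n, phi at every k with n <= k < j
        res = {n for n in pos if any(j in L[args[1]] and
               all(k in L[args[0]] for k in range(n, j)) for j in range(n, N))}
    else:
        raise ValueError('unknown operator %r' % op)
    return [(psi, (n, i + 1)) for n in sorted(res)]

def writer(tuples, f):
    """W: true iff a tuple for state 0 of the checked formula f is read."""
    return any(psi == f and n == 0 for psi, (n, _) in tuples)

def validate(chunks, f, N):
    """Run the cycle: I over every chunk, then for h = 1..height(f): M, shuffle, R_psi."""
    sup = superformulas(f)
    formulas = set(sup) | {f}
    pool = defaultdict(list)             # shuffled tuples waiting for their reducer
    for chunk in chunks:                 # one input reader per chunk
        for psi, v in input_reader(chunk, sup):
            pool[psi].append(v)
    labellings, last = {}, []
    for h in range(1, height(f) + 1):
        for t in last:                   # mappers lift the previous cycle's output
            for psi, v in mapper(t, sup):
                pool[psi].append(v)
        last = []
        for psi in (p for p in formulas if height(p) == h):   # independent reducers
            out = reducer(psi, pool.pop(psi, []), h - 1, N)
            labellings[psi] = frozenset(n for _, (n, _) in out)
            last.extend(out)
    return writer(last, f), labellings

def check(events, f, n_chunks=3):
    """Store the trace in non-contiguous chunks (position mod n_chunks) and validate it."""
    chunks = [[(a, n) for n, a in enumerate(events) if n % n_chunks == c]
              for c in range(n_chunks)]
    return validate(chunks, f, len(events))

A, B, FAIL = ('atom', 'a'), ('atom', 'b'), ('atom', 'fail')
SLIDES = ('G', ('imp', ('not', A), ('F', B)))                   # G (not a -> F b)
BRUTE = ('G', ('not', ('and', FAIL, ('X', ('and', FAIL, ('X', FAIL))))))
CART = ('U', ('not', ('atom', 'CartCreate')), ('atom', 'LoginResponse'))

if __name__ == '__main__':
    ok, L = check(list('aabcba'), SLIDES)                        # the slides' trace
    print(ok, sorted(L[('not', A)]), sorted(L[('F', B)]))
    # constructed authentication log: three successive failures at positions 3-5
    print(check('fail fail ok fail fail fail'.split(), BRUTE)[0])
```

Run stand-alone, the script reports True for the slides' trace together with ℒ(¬a) = [2, 3, 4] and ℒ(F b) = [0, 1, 2, 3, 4], and False for the constructed login log, where the three consecutive failures violate the alarm property. The chunking by position modulo 3 is deliberately non-contiguous to show that the readers never need the trace in order; only the reducers of one height share state, and each of them sees only the tuples keyed by its own formula.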
Consequences: the trace can be stored in separate (and non-contiguous) chunks, for instance (a,5) and (b,4) in the same chunk as in the example above, and the mappers and reducers of a given height can operate in parallel.
Experimental evaluation
Tests on 500 randomly-generated traces, from 1 to 100,000 events. Each event contains 10 parameters named p₀ to p₉, each with 10 possible values.
Validation of 4 LTL formulas:
1. G p₀ ≠ 0
2. G (p₀ = 0 → X p₁ = 0)
3. ∀x ∈ [0,9] : G (p₀ = x → X p₁ = x)
4. ∃m ∈ [0,9] : ∀x ∈ [0,9] : G (pₘ = x → X X pₘ ≠ x)

Property | Tuples | Time/event | Sequential ratio | Inferred time
1 | 55 k | 19 μs | 100% | 19 μs
2 | 120 k | 23 μs | 92% | 21 μs
3 | 600 k | 75 μs | 92% | 14 μs
4 | 5 M | 985 μs | 3% | 30 μs
Questions?