Automated Analysis of Fault-Tolerance in Distributed Systems

values alone capture too little information about relationships between concrete values. For example, consider a system containing a majority voter. The voter's outputs depend on equality relationships among its inputs. If two inputs both have abstract value N, denoting the natural numbers, there is no way to tell from this whether they are equal. To more accurately track relationships between values, we introduce a set SVal of symbolic values, which are expressions composed of constants and variables. A constant represents the same value in every concrete run of the system; for example, a constant maj might represent a majority function. A variable represents values that may be di erent in di erent concrete runs of the system. Variables are useful for modeling outputs that are not completely determined by a component's inputs. Such outputs commonly arise with components that interact with an environment that is not modeled explicitly; they also arise when a component's behavior is approximated. Each variable is associated with (\local to") a single component, whose behavior in a given concrete run determines the value of that variable. This allows independent proofs that each I/O function represents the behavior of the corresponding process. Roughly, the reason is that runs do not have canonical forms [Sto97]. For convenience, we include in SVal a special wildcard symbol \ ", which can always represent any value. Finally, we allow a value to contain a set of possibilities; thus, we de ne Val = Set(SVal AVal) n f;g; (9) where Set(S) is the powerset of a set S. Note that I/O functions incorporate a form of symbolic computation, since their inputs and outputs contain symbolic values. Notation. Since abstract values are analogous to types, we sometimes write hs; ai 2 SVal AVal as s :a. We often omit braces around singleton sets; for example, fhX;Nig 2 Val may be written X :N. We sometimes elide the wildcard; thus, fh ;Nig 2 Val may be written N. Example. Consider a two-stage replicated pipeline. The system contains a source S, which sends a value to three components F1; F2; F3, which each apply a function represented by the constant F to their input and send the result to the next stage in the pipeline. The components G1; G2; G3 in the next stage each apply a function represented by the constant G to their input and send the result to a voter. The 3-way voter V waits for an input from each Gi, applies a 3-way majority function, represented by the constant maj , to those inputs, and sends the result to an actuator A. More precisely, maj represents any function of 3 arguments that, when any two of its arguments are equal, returns that repeated value. A run representing the behavior of this system appears in Figure 1. Here, X is a local variable of the source. The run is obtained as a xed-point from I/O functions for the components. Due to space limitations, we only discuss the I/O function for the voter. Brie y, if the voter receives 3 inputs containing symbolic values s1; s2; s3, then in the general case, the voter's output contains the symbolic value maj (s1; s2; s3). If, in addition, two inputs contain the same symbolic value s (other than the wildcard), then a step of symbolic simpli cation can be done, yielding the symbolic value s. For example, maj (X;X; Y ) simpli es to X . Multiplicities. Multiplicities (i.e., numbers of messages) also need to be approximated. Uncertainty in the number of messages sent during a computation may stem from various sources, including non-determinism of components (especially faulty