SLIDE 1

Adding domain-specific constructs to Event B for developing and reasoning about grid applications

Pontus Boström and Marina Waldén, Åbo Akademi University

SLIDE 2

Grids

  • Used for large-scale distributed systems
    – Scientific computing, e.g., in physics and engineering
    – Business applications
  • Share information and computational resources over organizational boundaries
  • Typical grid application needs:
    – Virtual Organisation management (who participates, resources contributed, resources used, etc.)
    – Resource discovery and management
    – Job management
    – Security and data management to support all the services

SLIDE 3

Open Grid Services Architecture (OGSA)

  • Defines the basic services required for grid-enabled applications
  • Service-oriented
    – Everything implemented as services with standardised interfaces
  • Based on Web services
    – OGSA requires stateful services
    – Web services traditionally stateless
  • Web Service Resource Framework (WSRF)
    – Standard for stateful web services
    – Standardised by OASIS
    – Services similar to remote objects in CORBA and RMI

SLIDE 4

Web Service Resource Framework

  • Based on Web Services
    – XML
    – SOAP
    – WSDL
  • Extends Web services with
    – State (WS-Resource)
    – Potentially transient services (WS-ResourceLifeTime)
    – Notifications (WS-Notification)

[Figure: a Client makes a remote operation call (op, resource) on a Web service that holds Resources, and receives a Notification back from the service.]

SLIDE 5

The Globus Toolkit

  • Toolkit for developing grid applications
    – Implements many of the OGSA services
    – De-facto standard
  • Implements and uses WSRF
    – Stateful web services
  • Most services available as WSRF services
    – Job management
    – Resource management and discovery
      • Managing information in the grid, e.g., available services
    – Secure file transfer
  • Security infrastructure also available

SLIDE 6

Grid implementations

[Figure: how the layers relate. OGSA meets the requirements of grid applications and requires stateful web services; WSRF specifies stateful web services by extending ordinary web services; the Globus Toolkit implements OGSA, its high-level services being implemented on top of WS Core, which implements WSRF.]

*Figure from The Globus Toolkit 4 programmer tutorial: http://gdp.globus.org/gt4-tutorial

SLIDE 7

Need for formal methods

  • Difficult to implement “correct” Grid applications
  • Formal methods useful in order to develop correct specifications
    – Can be difficult to implement
  • The specification language should take into account the features of the underlying platform
    – Specifications easier to understand, since they can clearly talk about domain-specific concepts
    – Specifications are potentially easier to implement

SLIDE 8

Event B

  • Modification of the B Method for development of reactive, distributed or concurrent systems
  • Developed by J. R. Abrial
  • Based on Action Systems by Back and Kurki-Suonio
  • Centered around the notion of refinement
    – Start from an initial specification that takes into account the most important requirements
    – Develop it stepwise through refinement steps towards a more concrete and implementable model

    SYSTEM C
    SEES C_CTX
    VARIABLES x
    INVARIANT I(c,x)
    EVENTS
      INITIALISATION = Si(c,x)
      Evt1 = ANY u WHERE G1(c,u,x) THEN S1(c,u,x) END;
      Evt2 = WHEN G2(c,x) THEN S2(c,x) END;
    END

SLIDE 9

Formal development of Grid applications

  • We would like to have a formal method suitable for developing grid applications
  • Difficult to create implementable specifications of grid applications in Event B
    – No grid communication mechanisms such as remote operations and notifications
    – Difficult to implement due to synchronization issues and the atomicity requirement of events
  • We have extended Event B with constructs for
    – Specifying stateful (grid) services
    – Remote operation calls and notifications
  • Extensions should be introduced in a manner that simplifies implementation

SLIDE 10

Grid extensions to Event B

  • Provides two new types of B machines
    – SERVICE
    – SERVICE_REFINEMENT
  • Take into account grid-specific features
    – Services with state
    – Remote operations
    – Notifications
  • Enables proofs of properties about the entire system
  • Are translated to ordinary (Event) B for verification
    – Automatic generation of proof obligations

SLIDE 11

Development overview

[Figure: development overview. An Event B machine C is refined by a service refinement C2 (Service Ref.), which references a service machine A; service machines are in turn refined by service refinements (A1 Service Ref.) that reference further service machines, so the development forms a chain of Refines and References relations.]

SLIDE 12

Grid service machine

  • Abstract specification of a (WSRF) service
  • A service machine is a template that clients obtain instances of
    – Compare to Classes in OO
  • Remote operations
    – Ordinary B operations called from a client
  • Events
    – Executed independently of a client
  • Notifications
    – Sent when all events have become disabled

[Figure: a Service box listing its remote operation Proc(p), its events J1→T1 and J2→T2, and its notification, sent when ¬(J1 ∨ J2) ∧ Q holds.]

SLIDE 13

Grid refinement machine

  • A client that calls remote operations in grid service machine instances
  • Refines
    – Event B machine
    – Service machine
  • Clause for enabling dynamic management of grid service machine instances
    – Instances are used as variables (cf. OO in B, e.g. UML-B)
  • Clause for refining remote procedures
  • Clause for refining events
  • Events for handling notifications
    – New events
    – Enabled when a notification has been sent from a service
    – Executed once every time a notification is received

SLIDE 14

The behaviour of grid components

[Figure: the Service (remote operation Proc(p), events J1→T1 and J2→T2, notification when ¬(J1 ∨ J2) ∧ Q) beside its Service refinement, whose events G1→S1 (which calls Proc(p)) and G2→S2 run in the client, and whose notification handler NotifHandler, shown as G3→S3, is triggered by the service's notification.]

SLIDE 15

Service machine

    SERVICE A
    VARIABLES y
    INVARIANT Inv_A
    INITIALISATION y := y0
    REMOTE_OPERATIONS
      Proc(p) = PRE P(p) THEN T END
    EVENTS
      A_Evt1 = ANY u WHERE J1(u,y) THEN T1 END;
      A_Evt2 = WHEN J2 THEN T2 END;
    NOTIFICATIONS
      Notif = GUARANTEES Q END
    END

SLIDE 16

Service refinement machine

    GRID_REFINEMENT C2
    REFINES C1
    REFERENCES A
    VARIABLES z, x, a_inst
    INVARIANT a_inst : A & Inv_C
    INITIALISATION x := x0 || z := z0 || a_inst :: A
    EVENTS
      C_Evt1 = WHEN G1' THEN a_inst.Proc(x) || S1' END;
      C_Evt2 = ANY u WHERE G2'(u,x) THEN S2' END;
    NOTIFICATION_HANDLERS
      NotifHandler = NOTIFICATION Notif SOURCE v:A THEN S3 END
    END

SLIDE 17

Proof obligations

  • The following proof obligations need to be generated in order to show that an event system is a refinement of another:
    – Refinement of the initialisation
    – Refinement of each event
    – Introduction of new events
    – Termination of new events
    – Deadlock freeness
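To make the five obligations concrete, here is an added example (not from the slides or from the authors' tool) that checks each of them by exhaustive enumeration over a small finite-state abstract machine and one refinement of it. The machines (a counter x, refined by adding a phase variable z and a new event Tick), their invariants and the variant are constructed for this example; a second, deliberately broken refinement shows the deadlock-freeness obligation failing.

```python
from itertools import product

# Added example (not from the slides): a finite-state check of the five
# refinement proof obligations. Both machines are dicts whose variables range
# over small finite domains, so each obligation is checked by enumerating
# every state instead of by theorem proving. The machines themselves are
# constructed for this example.

ABSTRACT = {
    "vars": ("x",),
    "domain": {"x": range(0, 4)},
    "init": {"x": 0},
    "inv": lambda s: 0 <= s["x"] <= 3,
    "events": {
        # Evt = WHEN x < 3 THEN x := x + 1 END
        "Evt": (lambda s: s["x"] < 3, lambda s: {**s, "x": s["x"] + 1}),
    },
}

CONCRETE = {
    "vars": ("x", "z"),
    "domain": {"x": range(0, 4), "z": range(0, 3)},
    "init": {"x": 0, "z": 0},
    "inv": lambda s: 0 <= s["x"] <= 3 and 0 <= s["z"] <= 2,   # gluing invariant
    "events": {
        # Evt refined: WHEN x < 3 & z = 2 THEN x := x + 1 || z := 0 END
        "Evt": (lambda s: s["x"] < 3 and s["z"] == 2,
                lambda s: {**s, "x": s["x"] + 1, "z": 0}),
        # Tick is a new event: WHEN z < 2 THEN z := z + 1 END
        "Tick": (lambda s: s["z"] < 2, lambda s: {**s, "z": s["z"] + 1}),
    },
    "refines": {"Evt": "Evt"},        # concrete event -> abstract event it refines
    "variant": lambda s: 2 - s["z"],  # must strictly decrease on every new event
}

# A deliberately broken refinement: Tick stops at z = 1, so Evt (which needs
# z = 2) can never fire again and the system deadlocks while x < 3.
DEADLOCKING = {
    **CONCRETE,
    "events": {
        "Evt": CONCRETE["events"]["Evt"],
        "Tick": (lambda s: s["z"] < 1, lambda s: {**s, "z": s["z"] + 1}),
    },
}


def states(machine):
    """Every assignment of the machine's variables over their finite domains."""
    names = machine["vars"]
    for values in product(*(machine["domain"][v] for v in names)):
        yield dict(zip(names, values))


def check_refinement(abs_m, con_m):
    """Map each proof obligation name to True (holds in all states) or False."""
    proj = lambda s: {v: s[v] for v in abs_m["vars"]}   # drop concrete-only vars
    inv = con_m["inv"]
    new_events = [n for n in con_m["events"] if n not in con_m["refines"]]
    po = {}

    # 1. Refinement of the initialisation: concrete init satisfies the gluing
    #    invariant and projects onto the abstract init.
    po["initialisation"] = inv(con_m["init"]) and proj(con_m["init"]) == abs_m["init"]

    # 2. Refinement of each event: where the concrete event is enabled, the
    #    abstract one is enabled too, the after-states agree on the abstract
    #    variables, and the invariant is re-established.
    ok = True
    for cname, aname in con_m["refines"].items():
        cg, ca = con_m["events"][cname]
        ag, aa = abs_m["events"][aname]
        for s in (s for s in states(con_m) if inv(s) and cg(s)):
            s2 = ca(s)
            ok &= ag(proj(s)) and proj(s2) == aa(proj(s)) and inv(s2)
    po["events"] = ok

    # 3. Introduction of new events: each refines skip, i.e. leaves the
    #    abstract variables unchanged and preserves the invariant.
    ok = True
    for n in new_events:
        g, a = con_m["events"][n]
        for s in (s for s in states(con_m) if inv(s) and g(s)):
            ok &= proj(a(s)) == proj(s) and inv(a(s))
    po["new_events"] = ok

    # 4. Termination of new events: the natural-number variant strictly decreases.
    ok = True
    for n in new_events:
        g, a = con_m["events"][n]
        for s in (s for s in states(con_m) if inv(s) and g(s)):
            ok &= con_m["variant"](s) >= 0 and con_m["variant"](a(s)) < con_m["variant"](s)
    po["termination"] = ok

    # 5. Deadlock freeness: whenever some abstract event is enabled, some
    #    concrete event is enabled as well.
    ok = True
    for s in (s for s in states(con_m) if inv(s)):
        if any(g(proj(s)) for g, _ in abs_m["events"].values()):
            ok &= any(g(s) for g, _ in con_m["events"].values())
    po["deadlock_freeness"] = ok
    return po


if __name__ == "__main__":
    print(check_refinement(ABSTRACT, CONCRETE))      # every obligation True
    print(check_refinement(ABSTRACT, DEADLOCKING))   # deadlock_freeness False
```

Enumeration only works because the domains are finite; the real tool chain discharges the same obligations as predicates over unbounded state, which is why the slides translate the new constructs to B and reuse its provers.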

SLIDE 18

Verification overview

[Figure: verification overview. The service refinement C2 refines C1 and references service A; translation maps C2 together with A to an ordinary B refinement C2_V that refines C1.]

  • The semantics of the new constructs are given by their translation to (Event) B
    – Enables reuse of existing proof tools

SLIDE 19

Verification

  • The events of the SERVICE machine are merged with the events in the client
  • The variables of the SERVICE machine are translated to functions from instance to variable type
  • The remote operation calls are inlined
  • A notification is sent only after all events in the grid service have become disabled
  • The notification handler is executed only once for each notification
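The following is an added example, not code from the slides, that turns the SERVICE A and GRID_REFINEMENT C2 templates (slides 15 and 16) and the two semantic rules just stated into an executable model: a remote operation with a precondition, a service event that runs independently of the client, a notification raised only once every service event has become disabled (with the GUARANTEES predicate checked at that moment), and a handler that runs exactly once per notification. The concrete guards and actions (a service that counts down submitted jobs) and the round-robin scheduler are constructed for the example; Event B itself fixes no scheduling order.

```python
# Added example (not from the slides): an executable model of the SERVICE /
# GRID_REFINEMENT pattern and of the notification semantics. The concrete
# guards and actions are constructed for the example.

class Service:
    """An instance of a SERVICE machine with one variable y (jobs pending)."""

    def __init__(self):
        self.y = 0                 # INITIALISATION y := 0
        self.active = False        # an event has been enabled since the last Notif
        self.notifications = []    # every Notif sent, with its guaranteed predicate

    def invariant(self):
        return self.y >= 0         # Inv_A

    # REMOTE_OPERATIONS Proc(p) = PRE p > 0 THEN y := y + p END
    def proc(self, p):
        if not p > 0:
            raise ValueError("precondition P(p) of Proc violated")
        self.y += p
        self.active = True         # A_Evt1 is now enabled
        assert self.invariant()

    # EVENTS A_Evt1 = WHEN y > 0 THEN y := y - 1 END   (process one job)
    def events(self):
        return {"A_Evt1": (lambda: self.y > 0,
                           lambda: setattr(self, "y", self.y - 1))}

    def step(self):
        """Execute one enabled event, independently of any client; None if all disabled."""
        for name, (guard, action) in self.events().items():
            if guard():
                action()
                assert self.invariant()
                return name
        return None

    # NOTIFICATIONS Notif = GUARANTEES y = 0 END
    def try_notify(self):
        """Send Notif only once every event has become disabled; Q must hold then."""
        all_disabled = not any(guard() for guard, _ in self.events().values())
        if self.active and all_disabled:
            q = (self.y == 0)
            assert q, "GUARANTEES Q must hold when Notif is sent"
            self.notifications.append(("Notif", q))
            self.active = False    # one Notif per quiescent period
            return True
        return False


class Client:
    """GRID_REFINEMENT C2 with variables x, z and a service instance a_inst : A."""

    def __init__(self, x0):
        self.x = x0                # number of jobs to submit
        self.z = "idle"            # constructed status variable: idle/waiting/done
        self.a_inst = Service()    # a_inst :: A
        self.handled = 0           # notifications consumed by the handler
        self.trace = []

    # C_Evt1 = WHEN z = idle THEN a_inst.Proc(x) || z := waiting END
    def c_evt1(self):
        if self.z == "idle":
            self.a_inst.proc(self.x)   # remote operation call, inlined here
            self.z = "waiting"
            return True
        return False

    # NotifHandler = NOTIFICATION Notif SOURCE v:A THEN z := done END
    def notif_handler(self):
        """Enabled once per received notification; runs exactly once for each."""
        if self.handled < len(self.a_inst.notifications):
            self.handled += 1
            self.z = "done"
            return True
        return False


def run(x0, max_steps=100):
    """Interleave client events, service events, notification and handler."""
    c = Client(x0)
    for _ in range(max_steps):
        if c.c_evt1():
            c.trace.append("C_Evt1")
        elif (name := c.a_inst.step()) is not None:
            c.trace.append(name)
        elif c.a_inst.try_notify():
            c.trace.append("Notif")
        elif c.notif_handler():
            c.trace.append("NotifHandler")
        else:
            break                  # whole system quiescent
    return c


if __name__ == "__main__":
    client = run(2)
    print(client.trace)    # ['C_Evt1', 'A_Evt1', 'A_Evt1', 'Notif', 'NotifHandler']
```

The `active` flag is what enforces "sent only after all events have become disabled": a freshly initialised service has no enabled events either, but it has not become quiescent after doing work, so no notification is raised until a remote operation has enabled an event and the service has run it to completion.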

SLIDE 20

Code generation and Tool support

  • The domain-specific constructs of Event B ensure that the specification can be implemented in a grid environment
  • Grid-enabled code can be generated from the specifications
    – Code for the Distributed B specification
    – Code for setting up connections in the grid environment
    – Interface description of the services in WSDL
  • No tool support
    – Tool needed for translating to B
    – Tool needed for translating to Java

SLIDE 21

Conclusions

  • Enables construction of correct grid applications
  • Automatic generation of proof obligations
  • Implementable architecture by construction
    – Although not very flexible
  • These Event B extensions can also use other middleware for distributed systems

SLIDE 22

References

  • Pontus Boström and Marina Waldén. An Extension of Event B for Developing Grid Systems. In Proceedings of the 4th International Conference of B and Z Users, ZB2005: Formal Specification and Development in Z and B, Apr 2005.
  • Pontus Boström and Marina Waldén. Development of Fault Tolerant Grid Applications Using Distributed B. In 5th International Conference on Integrated Formal Methods, IFM2005, Dec 2005.