Formal Specification and Verification of Distributed Components - - PowerPoint PPT Presentation



SLIDE 1

4 December 2008, Antonio Cansado

Formal Specification and Verification of Distributed Components

Candidate: Antonio CANSADO

Jury: Jean-Paul RIGAULT (President); Carlos CANAL and Frantisek PLASIL (Reviewers); Tomás BARROS, Frédéric LANG and Lionel SEINTURIER (Examiners); Eric MADELAINE (Advisor)

Thesis defense for the degree of Doctor of Science of the University of Nice-Sophia Antipolis

SLIDE 2

Motivation

  • Software Components
    software modules with well-defined interfaces
    provided and required services
    composition

  • Distributed Components
    asynchronous

Does the system behave correctly?

SLIDE 3

Approach

[Figure: tool chain. A Specification Language feeds Model Generation (by Static Analysis) to produce a Behavioural Model checked by Verification Tools, and Code Generation to produce Source Code; the intended users are software engineers.]

SLIDE 4

Agenda

  • Context
    GCM
  • Specification Language
    Architecture, Behaviour, Data Abstractions
  • Behavioural Models
    Primitive Components, Composite Components, Futures
  • On-going work and Conclusions

[Figure: overview. Specification Language (Architecture, Behaviour, Data Abstraction) → Model Generation → Behavioural Model (Hierarchical Formalism); Specification Language → Code Generation → GCM Runtime (ADLs and Java Skeletons).]

SLIDE 5

Grid Component Model (GCM)

  • Extends Fractal
    abstracts away distribution and deployment
    no specification language
    membrane

[Figure: a composite component whose membrane exposes server interfaces, client interfaces and NF (non-functional, server) interfaces; inside, two primitive components carrying business code are connected by bindings.]

SLIDE 6

Futures for Components

  • mono-threaded primitives
  • asynchronous remote method calls
  • data-driven synchronisation model

    Data d = qm.query(s);
    ...
    db.insert(t,d);
    ...
    d.read();

[Figure: a client component bound to two other components through its client interfaces qm and db.]
SLIDE 7

Concurrency and Futures

Client, Query Manager and Database, bound through the client interfaces qm and db:

    // Client
    void run(Table t) {
        Data d = qm.query(s);
        db.insert(t,d);
        d.read();
    }

    // Query Manager
    Data query(String s) {
        Query q = new Query(s);
        return db.query(q);
    }

    // Database
    Data query(Query q) {
        return database.query(q);
    }
    void insert(Table t, Data d) {
        database.insert(t,d);
    }

SLIDE 8

Concurrency and Futures (continued; same Client / Query Manager / Database code as Slide 7)

  • Race condition on access to components
  • Deadlocks related to futures

Here d is a future: the Client passes it to db.insert(t,d) before it is resolved, and the Database, being mono-threaded, may serve insert (which needs d) before the query that produces d. The arrival order of the two requests in the Database queue decides whether the system deadlocks.
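The deadlock on this slide can be found mechanically by exploring every interleaving of the three mono-threaded components. The Python below is an added example, not code from the thesis or from the ProActive/GCM toolchain: it models FIFO request queues and wait-by-necessity on transparent futures with a hypothetical three-instruction body language, runs the slide's Client / Query Manager / Database program through a depth-first search of all interleavings, and returns a deadlocking trace. The variant that reads d before passing it on is an assumed fix, not something the slide shows.

```python
"""Explicit-state exploration of mono-threaded components that communicate by
asynchronous calls returning transparent futures (wait-by-necessity).
Added example: a small Python model of the slides' semantics, not the thesis's
pNets/CADP toolchain.  Method bodies use a hypothetical 3-instruction language:
  ("call", target, method, (arg_vars...), dest)  asynchronous call, future -> dest
  ("wait", var)      wait-by-necessity on var (no-op if it holds plain data)
  ("ret", var|None)  complete the request; returning a future aliases it
Plain data is the string "data"; future ids are ints; one request = one future."""


def _resolved(fut, v):
    """Follow alias chains: a request that returned a future resolves with it."""
    seen = set()
    while isinstance(v, int):
        if v in seen or fut[v] is None:
            return False
        seen.add(v)
        v = fut[v]
    return True


def _with(state, i, comp, fut):
    return state[0][:i] + (comp,) + state[0][i + 1:], tuple(sorted(fut.items()))


def successors(program, state):
    """Yield (label, next_state) for every enabled step of every component."""
    comps, futures = state
    index = {c[0]: k for k, c in enumerate(comps)}
    for i, (name, queue, frame) in enumerate(comps):
        fut = dict(futures)
        if frame is None:                           # idle body: serve the oldest request
            if queue:
                rid, meth, loc = queue[0]
                yield (f"{name} serves {meth}#{rid}",
                       _with(state, i, (name, queue[1:], (rid, meth, 0, loc)), fut))
            continue
        rid, meth, pc, loc = frame
        env, instr = dict(loc), program[name][meth][1][pc]
        if instr[0] == "call":
            _, target, tmeth, argvars, dest = instr
            fid = len(fut) + 1                      # fresh future id
            fut[fid] = None
            args = tuple(sorted(zip(program[target][tmeth][0], (env[a] for a in argvars))))
            env[dest] = fid
            j = index[target]                       # self-calls are not modelled here
            tname, tqueue, tframe = comps[j]
            nxt = _with(state, i, (name, queue, (rid, meth, pc + 1, tuple(sorted(env.items())))), fut)
            nxt = _with(nxt, j, (tname, tqueue + ((fid, tmeth, args),), tframe), fut)
            yield f"{name}: {dest} = {target}.{tmeth}() -> future #{fid}", nxt
        elif instr[0] == "wait":
            if _resolved(fut, env[instr[1]]):       # otherwise this component is blocked
                yield (f"{name}: {instr[1]} available",
                       _with(state, i, (name, queue, (rid, meth, pc + 1, loc)), fut))
        else:                                       # "ret"
            fut[rid] = "data" if instr[1] is None else env[instr[1]]
            yield f"{name}: {meth}#{rid} returns", _with(state, i, (name, queue, None), fut)


def deadlock_trace(program, order, root, method):
    """DFS over all interleavings from one root request; a trace to a deadlock, or None."""
    args = tuple((p, "data") for p in program[root][method][0])
    comps = tuple((c, ((1, method, args),) if c == root else (), None) for c in order)
    init = (comps, ((1, None),))
    seen, stack = {init}, [(init, ())]
    while stack:
        state, trace = stack.pop()
        steps = list(successors(program, state))
        if not steps and any(v is None for _, v in state[1]):
            return trace                            # nothing enabled, yet requests never completed
        for label, nxt in steps:
            if nxt not in seen:
                seen.add(nxt)
                stack.append((nxt, trace + (label,)))
    return None


ORDER = ("Client", "QueryManager", "Database")
# The slides' program: Client hands the still-unresolved future d to Database.insert.
SLIDE_PROGRAM = {
    "Client": {"run": (("t", "s"), (
        ("call", "QueryManager", "query", ("s",), "d"),      # Data d = qm.query(s);
        ("call", "Database", "insert", ("t", "d"), "ack"),   # db.insert(t, d);
        ("wait", "d"),                                       # d.read();
        ("ret", None)))},
    "QueryManager": {"query": (("s",), (
        ("call", "Database", "query", ("s",), "r"),          # return db.query(q);
        ("ret", "r")))},                                     # the future itself is returned
    "Database": {
        "query": (("q",), (("ret", None),)),
        "insert": (("t", "d"), (("wait", "d"), ("ret", None)))},  # database.insert(t, d) reads d
}
# Assumed fix (not on the slide): read d before handing it to Database.insert.
FIXED_PROGRAM = dict(SLIDE_PROGRAM)
FIXED_PROGRAM["Client"] = {"run": (("t", "s"), (
    ("call", "QueryManager", "query", ("s",), "d"),
    ("wait", "d"),
    ("call", "Database", "insert", ("t", "d"), "ack"),
    ("ret", None)))}
```

`deadlock_trace(SLIDE_PROGRAM, ORDER, "Client", "run")` returns a trace in which the Database serves insert before query and then blocks on d while the Client blocks on the same future; the interleaving where query reaches the Database first completes normally, which is the race condition of the slide. The same call on `FIXED_PROGRAM` returns `None`.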

SLIDE 9

Summary of GCM / ProActive

  • Hierarchical model
    primitive and composite components
  • Mono-threaded primitive components
  • Asynchronous method calls
    transparent first-class futures
    data-driven synchronisation

SLIDE 10

Agenda (section divider before the Specification Language part; same outline and figure as Slide 4)

SLIDE 11

Wish-List

  • Expressive
    architecture and behaviour
    dynamic behaviour visible at the interface
    deals with data and futures
  • Easy to use
    suitable for non-specialists in formal methods
  • Sound
    automatic verification
    generation of guaranteed code

SLIDE 12

Related Work

  • SOFA (Behavior Protocols)
    formalism: synchronous communications
      • trace semantics
      • regular expressions of events
      • compositional reasoning
    runtime
      • implementation compliance (through static analysis)

SLIDE 13

Related Work

  • STSLib
    formalism: synchronous component model
      • Symbolic Transition Systems (STS)
      • synchronisation vectors
      • Algebraic Data Types (ADT)
      • symbolic product
    runtime
      • synthesis of components with guaranteed behaviour

SLIDE 14

Related Work

  • Java/A, ArchJava
    extend Java with component-wise primitives
    formalism: synchronous component model
      • interface protocols given as LTSs (Java/A)
      • behaviour given in the Pi-calculus (ArchJava)
    runtime
      • Java compiler

SLIDE 15

Our Proposal

  • JDC: Java Distributed Components
    specification language close to Java
    targets asynchronous distributed component models
  • 3 Layers
    Architecture
      • extends Java with component-wise language primitives
    Behaviour
      • defines the control part of a component
      • Java syntax to specify the control and data flow
    Data Abstractions
      • variables that influence synchronisations, control and data flow
SLIDE 16

General Schema of JDC

    Component → component id '{' external interfaces Interface* [Architecture] [Services] '}'

[Figure: a component id containing one or more Services, each made of a Policy, Service Methods (SM) and Local Methods (LM).]

SLIDE 17

Component Architecture

    component CashDesk {
        external interfaces
            server interface ApplicationIf appIf;
            client interface EventBusIf eventBusIf;
            client interface ScannerIf scannerIf;
        architecture
            contents
                component Application application;
                component Scanner scanner;
            internal interfaces
                server interface ApplicationIf appIf;
                // ... internal interfaces
            bindings
                bind(this.appIf, application.appIf);
                // ... bindings
    }

[Figure: the CashDesk composite exposes the server interface appIf and the client interfaces eventBusIf and scannerIf; inside, its appIf is bound to the appIf of the Application sub-component, next to the Scanner sub-component.]

SLIDE 18

Service

    Service → service '{' LocalVariableDecl* policy '{' Policy '}' ServiceMethodDecl* LocalMethodDecl* '}'

  • Java-like language to define behaviour
    each sequential activity is called a service

[Figure: a Service is a Service Policy plus Service Methods (SM) and Local Methods (LM).]

SLIDE 19

Service Policy

  • Rough specification of the interactions/ordering of one of the services provided by the component
    defined by a regular expression

    Policy    → ServeMode '(' [Filter] ')'
              | MethodCall
              | Policy ';' Policy
              | Policy '|' Policy
              | Policy '*'
    ServeMode → serveOldest | serveYoungest
    Filter    → InterfaceName
              | InterfaceName '.' MethodName
              | Filter ',' Filter

SLIDE 20

Example: Service

    services
        service {
            Bool expressMode;
            public enum CashState { IDLE, STARTED, PAYING }
            CashState cashState;
            // ... other variables
            policy {
                init();
                serveOldest(applicationIf)*
            }
            // service methods
        }

This policy serves the requests arriving on applicationIf in FIFO order.

Server interface applicationIf of the Application component:

    void barcodeScanned(Barcode barcode);
    void finishSale();
    // ...
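The policy grammar of Slide 19 can be executed directly against a request queue. The Python below is an added example, not code from the thesis: it parses the slide's grammar (with parentheses for grouping, an assumption), applies serveOldest / serveYoungest with filters to a constructed queue of (interface, method, arrival number) requests, and returns every possible order of service; '*' iterates the way the generated while-loop does and stops when its body would block.

```python
"""Parser and executor for the JDC service-policy grammar of Slide 19.
Added example, not thesis code.  Grammar as on the slide plus '(' Policy ')'
for grouping (an assumption); requests are (interface, method, arrival) tuples."""
import re


class PolicyParser:
    """Recursive descent; precedence '*' > ';' > '|', binary operators left-associative."""

    def __init__(self, src):
        # Tokens: identifiers (dots allowed, for InterfaceName.MethodName) and punctuation.
        self.toks, self.i = re.findall(r"[A-Za-z_][\w.]*|[();|*,]", src), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        policy = self.alt()
        if self.peek() is not None:
            raise SyntaxError(f"trailing input {self.peek()!r}")
        return policy

    def _chain(self, sub, op, tag):            # Policy op Policy, left-associative
        p = sub()
        while self.peek() == op:
            self.take()
            p = (tag, p, sub())
        return p

    def alt(self): return self._chain(self.seq, "|", "alt")
    def seq(self): return self._chain(self.star, ";", "seq")

    def star(self):                            # Policy '*'
        p = self.atom()
        while self.peek() == "*":
            self.take()
            p = ("star", p)
        return p

    def atom(self):                            # ServeMode '(' [Filter] ')' | MethodCall | '(' Policy ')'
        tok = self.take()
        if tok == "(":
            p = self.alt()
            self.take(")")
            return p
        self.take("(")
        if tok not in ("serveOldest", "serveYoungest"):
            self.take(")")
            return ("call", tok)               # local method call such as init()
        filt = []
        while self.peek() != ")":
            filt.append(self.take())           # InterfaceName or InterfaceName.MethodName
            if self.peek() == ",":
                self.take()
        self.take(")")
        return ("serve", tok, tuple(filt))


def matches(req, filt):                        # empty filter matches everything
    iface, meth, _ = req
    return not filt or any(f in (iface, f"{iface}.{meth}") for f in filt)


def runs(policy, queue):
    """All (served sequence, remaining queue) outcomes of executing policy on queue.
    A serve with no matching request blocks; '|' is explored both ways; '*' loops like
    the generated while-loop and stops when its body would block or serve nothing."""
    kind, queue = policy[0], tuple(queue)
    if kind == "call":
        return {((policy[1],), queue)}
    if kind == "serve":
        cands = [r for r in queue if matches(r, policy[2])]
        if not cands:
            return set()
        r = cands[0] if policy[1] == "serveOldest" else cands[-1]
        return {((r,), tuple(x for x in queue if x != r))}
    if kind == "seq":
        return {(s1 + s2, q2) for s1, q1 in runs(policy[1], queue)
                for s2, q2 in runs(policy[2], q1)}
    if kind == "alt":
        return runs(policy[1], queue) | runs(policy[2], queue)
    out, todo, seen = set(), [((), queue)], set()   # kind == "star"
    while todo:
        s, q = todo.pop()
        steps = {(s + s1, q1) for s1, q1 in runs(policy[1], q) if len(q1) < len(q)}
        if not steps:
            out.add((s, q))
        for step in steps - seen:
            seen.add(step)
            todo.append(step)
    return out


def serve_orders(policy_src, queue):
    return runs(PolicyParser(policy_src).parse(), queue)


# Constructed request queue of a CashDesk-like component; the number is the arrival order.
QUEUE = (("applicationIf", "barcodeScanned", 1), ("adminIf", "reconfigure", 2),
         ("applicationIf", "barcodeScanned", 3), ("applicationIf", "finishSale", 4))
```

On this queue the slide's policy `init(); serveOldest(applicationIf)*` yields exactly one order (init, then requests 1, 3 and 4) and leaves the adminIf request unserved, while `serveYoungest(adminIf) | serveOldest(applicationIf.finishSale)` yields two, one per branch; the models built from the policy have to consider both.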

SLIDE 21

Service Method

  • Asynchronous method calls
    transparent first-class futures
  • Abstraction of the control and data flow
    references to user-defined classes
    all remote method calls, with their arguments
    accesses to received values (futures)
  • No business code (computations) in the specification
SLIDE 22

Example: Service Method

    void applicationIf.barcodeScanned(Barcode barcode) {
        switch (cashState) {
            case IDLE:
            case PAYING:
                break;                                  // ignore signal
            case STARTED:
                Product product = cashDeskIf.getProduct(barcode);  // remote call: product is a future
                if (product == null) {                  // first access to product
                    eventBusIf.productBarcodeNotValid();
                    break;
                }
                ...

Is it a future? It is: getProduct() is a remote call, so product is a future, and the test product == null is the point where its value is needed (wait-by-necessity).

Seamless Futures for Developers

  • No specification of synchronisations
  • Reuse components in different contexts
SLIDE 23

Agenda (section divider before the Data Abstraction part; same outline and figure as Slide 4)

SLIDE 24

Why use Data Abstraction?

  • Have to consider variables that influence synchronisations, control and data flow
  • Don't want to specify equations
    too difficult
    not useful for code generation
  • Solution
    use user classes in the specification
      • generated code is directly useful
    include abstract versions of user classes, given in Java
      • derive an abstracted specification
SLIDE 25

How to Define an Abstraction?

  • For each variable in JDC, define an abstract type
    abstract domain
      • based on a provided library of simple types
    abstract operators for the concrete methods
      • Java syntax encoding the results of expressions
    assign abstract types to fields

SLIDE 26

Example: Abstraction

Concrete user class:

    class ListProducts {
        List<Product> products;
        Product get() { ... }
        ...
    }

Abstraction (Bool.ANY() and Product_A.ANY() are nondeterministic choices):

    abstraction ListProducts_A of ListProducts {
        List<Product> products abstracted as ListState;
        enum ListState { EMPTY, OK, FULL }
        Product get() abstracted as Product_A get() {
            switch (products) {
                case EMPTY:
                    return null;
                case OK:
                    if (Bool.ANY()) products = EMPTY;
                    return Product_A.ANY();
                case FULL:
                    products = OK;
                    return Product_A.ANY();
            }
        }
    }
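The abstraction above is only useful if it over-approximates the concrete class, and the thesis later notes that determining sound abstractions is tricky. The Python below is an added example, not code from the thesis: it transcribes the slide's abstract get() into a set-valued operator, models the concrete list by its length with an assumed bound, and checks every concrete transition against the abstract one. The add() operation and its abstraction are assumed companions that the slide does not show.

```python
"""Soundness check for a data abstraction in the style of Slide 26's ListProducts_A.
Added example, not thesis code.  The abstract get() transcribes the slide (Bool.ANY()
becomes a set of possible outcomes); the concrete list is modelled by its length with
an assumed bound `capacity`; add() and abstract_add() are assumed companions."""


def alpha(n, capacity):
    """Abstraction function: list length -> ListState of the slide."""
    if n == 0:
        return "EMPTY"
    return "FULL" if n == capacity else "OK"


# Concrete operations on the list length (the products themselves are abstracted away).
def concrete_get(n, capacity):
    return {n - 1} if n > 0 else {n}          # get() removes one product, none when empty


def concrete_add(n, capacity):
    return {n + 1} if n < capacity else {n}   # assumed: add() is refused on a full list


# Abstract operators: each ListState maps to the set of ListStates it may move to.
def abstract_get(s):
    return {"EMPTY": {"EMPTY"}, "OK": {"EMPTY", "OK"}, "FULL": {"OK"}}[s]


def abstract_add(s):
    return {"EMPTY": {"OK"}, "OK": {"OK", "FULL"}, "FULL": {"FULL"}}[s]


def unsound_get(s):
    """Forgets that taking the last product of a non-full list empties it."""
    return {"EMPTY": {"EMPTY"}, "OK": {"OK"}, "FULL": {"OK"}}[s]


def check_sound(abstract_op, concrete_op, capacity):
    """Return the concrete transitions (n, n', alpha(n), alpha(n')) that the abstract
    operator does not simulate; an empty list means the abstraction over-approximates."""
    bad = []
    for n in range(capacity + 1):
        for m in concrete_op(n, capacity):
            a, b = alpha(n, capacity), alpha(m, capacity)
            if b not in abstract_op(a):
                bad.append((n, m, a, b))
    return bad


if __name__ == "__main__":
    print("slide get(), capacity 3:", check_sound(abstract_get, concrete_get, 3))
    print("slide get(), capacity 1:", check_sound(abstract_get, concrete_get, 1))
    print("forgetful get(), capacity 3:", check_sound(unsound_get, concrete_get, 3))
```

The slide's get() is sound for any list that holds at least two products, but for a capacity of one the FULL → OK case is wrong (taking the only product empties the list), which is the kind of hidden assumption the check surfaces.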

SLIDE 27

Agenda (section divider before the Behavioural Models part; same outline and figure as Slide 4)

SLIDE 28

Generation of Behavioural Models

[Figure: pipeline. The Specification Language (Architecture, Behaviour) is combined with the Data Abstraction into Abstracted JDC; Structure Analysis and Control Automata (SOS rules, Static Analysis) produce an eXtended MCG, from which the Behavioural Model (Functional Behaviour) is built. Inspired from the work of T. Barros and of R. Boulifa.]
SLIDE 29

Intermediate Formalism: pNets

  • Objectives
    compact representation of distributed systems
    generalised parallel operator
    interface with various verification engines
  • Hierarchical, Parameterized Networks of LTSs: pNets
    tree of processes
      • leaves are pLTSs
      • nodes are synchronisation operators
    first-order types
      • value-passing and indexed processes
SLIDE 30

Example: pNets

[Figure: three processes. C emits call.foo(x); A receives it and, under the guard [x>0], sends !B[i].foo(x), then waits for ?response(val); each B[i] (indexed by k) holds a counter n, receives ?foo(x), updates n to n+x and sends !response(n). Synchronisation vectors pair each ! action with the matching ? action.]

  • Synchronisation vectors generalise parallel operators
  • The synchronised product of a pNet is a pLTS
  • Holes (nodes of the tree of processes) can be filled with a pNet or a pLTS

SLIDE 31

Behavioural Models based on pNets

  • Sort of the Functional Behaviour
    sort given by the interfaces
      • methods, arguments, return values, future ids
    on a server interface sItf: ?request(fid,sItf.M), !response(fid,val)
    on a client interface cItf: !request(fid,cItf.M), ?response(fid,val)
  • Non-functional controllers

[Figure: a component's pNet with its server interface sItf, client interface cItf and non-functional controllers, labelled with the actions above.]

SLIDE 32

Primitive Component

[Figure: the pNet of a primitive component. A Queue receives ?request(fid,sItf.M); the Body serves it with ?serve*(filter), calls out with !request(fid,cItf.M), and a future Proxy (indexed by fid) receives ?response(fid,val) and delivers it on ?getValue(fid,val); the Body answers with !response(fid,val).]

  • Transparent future
    id = Program Point (pp), Counter (c)
    static representation
    static approximation of the flow

SLIDE 33

Composite Component

[Figure: composite C with interfaces i1, i2 and i3 containing sub-components A and B. The Membrane relays ?request(fid,i1.M) / !response(fid,val) on the external server interface to pNets(A) and pNets(B), and !request(fid,i2.M), !request(fid,i3.M) / ?response(fid,val) on the client interfaces.]

SLIDE 34

Membrane

  • Primitive component with fixed behaviour

[Figure: same structure as the primitive-component pNet (Queue, Body, Proxy indexed by fid, ?serve*(filter), ?getValue(fid,val), ?request(fid,sItf.M), !response(fid,val), !request(fid,cItf.M), ?response(fid,val)), with a Body that serves with ?serveOldest(fid,M) and forwards each request with !request(fid,M).]

SLIDE 35

A Basic Future Proxy

[Figure: proxy between Caller and Callee: ?call, then ?response(val), then !getValue(val).]

Insufficient
  • Future references cannot be transmitted
SLIDE 36

Global Future References

    // Client
    Data d = qm.query(s);
    ...
    db.insert(t,d);
    ...
    d.read();

    // Database
    void insert(Table t, Data d) {
        hd.insert(t,d);
    }

[Figure: Client, QueryManager, Database and HardDrive, bound through the client interfaces qm, db and hd; the future d flows from the Client through the Database to the HardDrive.]

NOT adapted to hierarchical components!

SLIDE 37

Naive Model: Global Futures

[Figure: one global proxy for the future: ?call, ?response(val), then !getValue(val) delivered to Client, Database and HardDrive, the latter two receiving it through ?forward(val).]

  • Optimised, i.e. less interleaving
  • But not compositional
    multi-way synchronisation

SLIDE 38

An Asynchronous Object Calculus

  • ASP: confluence properties
    future updates can occur at any time
    execution characterised by the order of request senders
  • Benefit from the ASP calculus
    formalisation of the ProActive library
    results apply to GCM/ProActive components

SLIDE 39

Follow the Future Flow

(Same Client / Database code as Slide 36.)

[Figure: Client, QueryManager, Database and HardDrive bound through qm, db and hd; the future proxies follow the flow of d from component to component.]

Compositional

SLIDE 40

Proxies Following the Future Flow

[Figure: one proxy per component on the future's path. The Client proxy does ?call, ?response(val), !getValue(val) and !forward(val); the Database proxy does ?forward(val), !getValue(val) and !forward(val); the HardDrive proxy does ?forward(val) and !getValue(val).]

Use the most convenient update strategy in the behavioural models
  • Guaranteed by ASP not to change the system properties
  • Compositional
SLIDE 41

Generation of Behavioural Models

[Figure: the pipeline of Slide 28, now starting from JDC: Architecture and Behaviour, combined with the Data Abstraction, give Abstracted JDC; Structure Analysis and Control Automata (SOS rules, Static Analysis) give an eXtended MCG; from it the Behavioural Model (Functional Behaviour) is built.]

SLIDE 42

Functional Behaviour

  • Service Specification
    Service Policy
    Service / Local Methods
  • Create pNets from
    regular expressions + data flow
  • Static analysis of JDC code

[Figure: the primitive-component pNet of Slide 32 (Queue, Body, Proxy indexed by fid; ?request(fid,sItf.M), !response(fid,val), !request(fid,cItf.M), ?response(fid,val), ?serve*(filter), ?getValue(fid,val)).]

SLIDE 43

Static Analysis of JDC

  • Adapted the work done by R. Boulifa on active objects to distributed components
    SOS rules
  • Easier on JDC
    remote calls are easy to identify
      • creation of futures is known
      • future flow can be better approximated
    business code is already abstract
      • abstraction of control and data flow
      • abstraction of data types
SLIDE 44

Summary of Behavioural Models

  • Behaviour of a component system
    hierarchical and compositional
    every synchronisation and communication
    functional and non-functional behaviour
  • Automatic verification
    deadlocks and blocked components
    check for future update
    reachability of predefined events
  • Verification of other user requirements
    user-specified properties in mu-calculus (CADP)

SLIDE 45

Agenda (section divider before the On-going work and Conclusions part; same outline and figure as Slide 4)

SLIDE 46

Overview of Code Generation

  • Idea
    use the specifications in JDC to build safe-by-construction GCM components
  • How?
    abstraction of control and data flow
    user classes
    communication and synchronisation are well defined
    GCM / ProActive runtime

SLIDE 47

Generated Code

  • Composite components
    final GCM ADL
    Life-cycle (LF) and Binding (BC) controllers automatically generated from the architecture
  • Primitive components
    final GCM ADL and LF, BC controllers
    skeletons for the behaviour

SLIDE 48

Skeletons for the Behaviour (1/2)

  • Service Policy
    regular expression

    policy {
        init();
        serveOldest(applicationIf)*
    }

generates the ProActive activity loop

    public void runActivity(Body body) {
        Service service = new Service(body);
        while (body.isActive()) {
            init();
            service.blockingServeOldest("applicationIf");
        }
    }

SLIDE 49

Skeletons for the Behaviour (2/2)

  • Service methods
    skeleton code with the control and data flow
      • all remote method calls
      • every possible synchronisation
    hooks to fill in the final implementation
      • set rules on what the programmer is allowed to modify
SLIDE 50

Rules for the Generated Code

  • ADLs cannot be modified
  • Business code
    the request queue is not accessible from the implementation code
    no change to remote calls or to accesses to futures
    no influence on the control flow
  • User classes
    omitted fields must be strictly values
    values of variables can be changed as long as they keep the same abstract value

SLIDE 51

Applications

  • Specification Language
    basis for reconfiguration
    other component models
      • Java syntax to specify the control code
      • specify the abstract behaviour instead of the events
  • Behavioural Models
    pNets formalism → verification tools
    futures → Creol (Univ. of Oslo)
      • multithreaded active objects
SLIDE 52

Summary (1/2)

  • Specification language for the GCM
    Architecture + Behaviour + Data Abstraction
    interaction between futures, queues and synchronisations
  • Behavioural models for the GCM
    hierarchical and compositional
    transparent first-class futures
  • On-going work on generation of GCM code
SLIDE 53

Summary (2/2)

  • Advantages
    structured behaviour
      • build behavioural model
      • generate code with guaranteed properties
    high-level description of the behaviour
      • leaves the complexity of synchronisations to tools
  • Limitations
    only addresses the core of GCM
    determining sound abstractions is tricky
    limited abstraction of concurrency

SLIDE 54

Conclusions

  • Specification Language
    adapted to asynchronous distributed components
    hides the complexity of formal methods
  • Model is a safe approximation of the implementation
    automatic verification of typical scenarios
    check for user requirements
  • Safe-by-construction code
    skeleton code with the control of the components

SLIDE 55

Questions?

Thank you!