I/O Automata Seminar on Advanced Topics in Distributed Computing - - PowerPoint PPT Presentation

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

I/O Automata

Seminar on Advanced Topics in Distributed Computing

(University of Saarland, MPI-SWS, Ph.D. Petr Kuznetsov)

Walid Haddad March 20, 2008

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Outline

• Overview of the I/O automaton model
• Simple example: candy vending machines
• Fairness
• Properties and proof techniques
• Outlook and conclusion

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Model overview

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Model overview

Developed by [Lynch, Tuttle 1987]

• Similar to traditional automata in providing a simple

mathematical basis for describing structure and behavior of systems of interacting components Already used for:

• Distributed algorithms, impossibility results
• System case studies (communication protocols (e.g. TCP),

Hybrid systems, security protocols, ...)

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Model overview

Each system component is modeled as an I/O automaton:

I I O O

Characteristics:

• Infinite state
• Non-deterministic
• Actions are classified (input/output/internal)
• Modularity supported (parallel composition, levels of abstraction)
• Supports also correctness proofs (using invariant assertions and

simulation relations)

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Model overview

Classification of actions:

A u t o m a t o n ’ s A c t i o n s internal external input

• u t p u t

g e n e r a t e d a u t o n o m o u s l y (output actions are transmitted i n s t a n t a n e o u s l y ) g e n e r a t e d b y e n v i r o n m e n t & t r a n s m i t t e d i n s t a n t a n e o u s l y t o t h e a u t o m a t o n

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Model overview

Classification of actions:

• action signature S: is the interface between the automaton

and the environment

• acts(S) = in(S) ∪ out(S) ∪ int(S)
• ext(S) = out(S) ∪ in(S)
• local(S) = out(S) ∪ int(S)

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Model overview

Two fundamental assumptions:

• 1. An I/O automaton cannot block input actions

Some advantages:

• Specifying what a component does in the face of unexpected

input is a serious source of errors in the development of system components

• Input-enabling makes the basic theory of the model work out

nicely (simple notions of external behavior of an automaton, based on sequences of external actions)

• 2. The performance of an action is controlled by at most one

system component

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Model overview - formal definition

An I/O automaton A consists of five components:

• action signature: sig(A)
• set of states: states(A)
• a nonempty set: start(A) ⊆ states(A)
• transition relation:

step(A) ⊆ states(A) × acts(A) × states(A) with the property that for every state s′ and input action π there is a transition (s′, π, s) in step(A)

• tasks(A), a task partition, which is an equivalence relation on

local(A) having at most countably many equivalence classes

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Model overview - formal definition

Let A be an I/O automaton:

• If (s′, π, s) is a step of A, then π is said to be enabled in s′
• An execution fragment of A is a finite (infinite) sequence of

alternating states and actions of A such that (s′

i, πi+1, si+1)

is a step of A for all i

• An execution is an execution fragment beginning with a start

state

• A state is said to be reachable if it is the final state of a

finite execution

• trace(α): the subsequence of an execution fragment α

consisting of all the external actions

• execs(A): the set of executions of A
• traces(A): the set of traces of executions of A

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Model overview - operations on I/O automata

Composition (action signatures):

• A set of action signatures {Si : i ∈ I} is called compatible iff

for all i,j ∈ I we have:

• 1. out(Si) ∩ out(Sj) = ∅
• 2. int(Si) ∩ acts(Sj) = ∅

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Model overview - operations on I/O automata

Composition (action signatures):

• A set of action signatures {Si : i ∈ I} is called compatible iff

for all i,j ∈ I we have:

• 1. out(Si) ∩ out(Sj) = ∅
• 2. int(Si) ∩ acts(Sj) = ∅
• S =

i∈I Si is a composition of compatible action signatures

with:

• 1. in(S) =

i∈I

in(Si) −

i∈I

• ut(Si)
• 2. out(S) =

i∈I

• ut(Si)
• 3. int(S) =

i∈I

int(Si)

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Model overview - operations on I/O automata

Composition (automata):

• A =

i∈I Ai is a composition of compatible automata with:

• 1. states(A) =

i∈I

states(Ai)

• 2. start(A) =

i∈I

start(Ai)

• 3. sig(A) =

i∈I

sig(Ai),

• 4. tasks(A) =

i∈I

tasks(Ai)

• 5. steps(A) = {{ ((si)i∈I, a, (si)

′

i∈I) : ∀i ∈ I

a ∈ acts(Ai) = ⇒ (si, a, s′

i ) ∈ steps(Ai)

a / ∈ acts(Ai) = ⇒ si = s′

i {}

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Model overview - operations on I/O automata

Hiding:

• The effect of the hiding operator is to hide output actions by

reclassifying them as internal actions

• Prevents them from being used for further communication

and means that they are no longer included in traces

• Helps make automata compatible for composition

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Example: candy vending machines

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Example: candy vending machines

C A N D Y M A C H I N E C U S T O M E R S K Y B A R H E A T H B A R A L M O N D J O Y P U S H 1 P U S H 2

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Example: candy machines

Candy machine:

• action signature:
• Input actions:

PUSH1, PUSH2

• Output actions:

SKYBAR, HEATHBAR, ALMONDJOY

• Internal actions: none
• transition relation:

PUSH1 Effect: button-pushed ← 1 PUSH2 Effect: button-pushed ← 2 SKYBAR Precondition: button-pushed = 1 Effect: button-pushed ← 0 HEATHBAR Precondition: button-pushed = 2 Effect: button-pushed ← 0 ALMONDJOY Precondition: button-pushed = 2 Effect: button-pushed ← 0

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Example: candy machines

Customer:

• action signature:
• Input actions:

SKYBAR, HEATHBAR, ALMONDJOY

• Output actions:

PUSH1, PUSH2

• Internal actions: none
• transition relation:

SKYBAR Effect: waiting ← no HEATHBAR Effect: waiting ← no ALMONDJOY Effect: waiting ← no PUSH1 Precondition: waiting = no Effect: waiting ← yes PUSH2 Precondition: waiting = no Effect: waiting ← yes

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Fairness

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Fairness

• Fairness specifies that all the components in a system get

”fair” turns to perform steps every so often

• Recall that each automaton Ai is associated with a task

partition tasks(Ai) of its locally-controlled actions

• The notion of fairness for an I/O automaton requires that

each task gets infinitely many opportunities to perform one of its actions

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Fairness - formal definition

Let α be an execution fragment of an I/O automaton A. α is said to be fair if the following conditions hold for each class C of tasks(A):

• 1. If α is finite, then C is not enabled in the final state of α
• 2. If α is infinite, then α contains either infinitely many events

from C or infinitely many occurrences of states in which C is not enabled

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Fairness - traces and executions

We can also define:

• fairexecs(A) : the set of fair executions of automaton A
• fairtraces(A) : the set of fair traces of automaton A

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Fairness - example: discrete clock

Clock automaton:

Signature: Input: request Output: clock(t), t ∈ N Internal: tick States: counter ∈ N initially 0, flag: boolean initially false Transitions: tick Precondition: true Effect: counter := counter + 1 clock(t) Precondition: flag = true, counter = t Effect: flag := false request Effect: flag := true Tasks: {tick}, {clock(t) : t ∈ N}

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Fairness - example: discrete clock

Which of these actions sequences are fair?

• 1. tick, tick, tick, ...

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Fairness - example: discrete clock

Which of these actions sequences are fair?

• 1. tick, tick, tick, ...
• 2. tick, tick, tick

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Fairness - example: discrete clock

Which of these actions sequences are fair?

• 1. tick, tick, tick, ...
• 2. tick, tick, tick
• 3. tick, tick, request, tick, tick, clock(4), tick, tick, ...

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Fairness - example: discrete clock

Which of these actions sequences are fair?

• 1. tick, tick, tick, ...
• 2. tick, tick, tick
• 3. tick, tick, request, tick, tick, clock(4), tick, tick, ...
• 4. tick, tick, request, tick, tick, tick, ...

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Fairness - example: discrete clock

Which of these actions sequences are fair?

• 1. tick, tick, tick, ...
• 2. tick, tick, tick
• 3. tick, tick, request, tick, tick, clock(4), tick, tick, ...
• 4. tick, tick, request, tick, tick, tick, ...

− → only 1 and 3

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Properties and proof techniques

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Properties and proof techniques

Types of properties:

• Invariant assertions
• ”any property that is true in all reachable states of an

automaton”

• proof by induction on the number of steps in an execution

leading to the state in question

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Properties and proof techniques

Types of properties:

• Invariant assertions
• ”any property that is true in all reachable states of an

automaton”

• proof by induction on the number of steps in an execution

leading to the state in question

• Trace properties
• automaton is viewed as a ”black box”
• only the traces of an automaton’s execution (fair execution)

are observed

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Properties and proof techniques

Types of properties:

• Invariant assertions
• ”any property that is true in all reachable states of an

automaton”

• proof by induction on the number of steps in an execution

leading to the state in question

• Trace properties
• automaton is viewed as a ”black box”
• only the traces of an automaton’s execution (fair execution)

are observed

• Safety and liveness properties
• safety properties: ”bad” things never happen
• liveness properties: a ”good” thing eventually happens

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Properties and proof techniques

Compositional reasoning:

• One common technique for reasoning about the behavior of

an automaton is modular decomposition

• Idea: reason about the behavior of a composition by reasoning

about the component automata individually

• Some examples:
• if A =

i∈I Ai and each Ai satisfies a trace property Pi, then

it follows that A satisfies the product trace property P =

i∈I Pi

• Compositional proofs for safety properties: one strategy is to

show for a composed system A =

i∈I Ai and a safety

property P that none of the system components Ai is the first to violate P

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Properties and proof techniques

Hierarchical proofs:

• Proofs are based on hierarchical decomposition in which we

prove that a given automaton solves a second, and the second solves a third, and so on until the final automaton solves the problem

• Successive refinement is the process of moving from a higher

level to a lower level of abstraction

. . .

top level

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Properties and proof techniques

Hierarchical proofs:

• The top level may be not more than a problem specification

written in the form of an I/O automaton

• Lower levels in the hierarchy look more and more like the

actual system (or algorithm) that will be used in practice

• Hierarchical proofs depend on relating lower level automata to

automata at higher levels in the hierarchy

. . .

top level

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Properties and proof techniques

Hierarchical proofs - simulation:

• Simulation relations are the means for relating levels of

abstractions together

• Example: consider that R is a simulation relation from A to

B; the figure below shows a step correspondence for R

a a u u’ s s’

B : A :

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Outlook and conclusion

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Outlook

Extensions of I/O automata:

• Timed I/O automata
• Capable of describing real-time behavior
• Include ”trajectories” which describe the evolution of the system

state during time-passage

• Example applications: communication protocols, other

timing-sensitive distributed algorithms, ...

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Outlook

Extensions of I/O automata:

• Timed I/O automata
• Capable of describing real-time behavior
• Include ”trajectories” which describe the evolution of the system

state during time-passage

• Example applications: communication protocols, other

timing-sensitive distributed algorithms, ...

• Hybrid I/O automata
• Capable of describing continuous behavior in addition to discrete

behavior

• Example applications: algorithms for mobile networks, automated

vehicle control systems, ...

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Outlook

Extensions of I/O automata:

• Timed I/O automata
• Capable of describing real-time behavior
• Include ”trajectories” which describe the evolution of the system

state during time-passage

• Example applications: communication protocols, other

timing-sensitive distributed algorithms, ...

• Hybrid I/O automata
• Capable of describing continuous behavior in addition to discrete

behavior

• Example applications: algorithms for mobile networks, automated

vehicle control systems, ...

• Probabilistic I/O automata
• Components of a system can make random choices based on some

given probability distributions

• Example applications: security protocols, randomized distributed

algorithms, ...

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Outlook

Language and tools for system design and analysis:

• IOA [Garland, Lynch 97] is a formal language for describing

I/O automata which explicitly describes signatures, structured state, preconditions, effects, nondeterministic choice, composition, invariants, levels of abstraction

• IOA is designed to support both proving correctness and

generating code

• Extensions to IOA: TIOA, HIOA, PIOA
• A set of tools for simulation, verification, and code generation:
• home-grown simulator [Ramirez]
• connection to the Larch theorem-prover [Bogdanov, Garland]
• automatic code-generator for distributed code [Tauber,

Mavrommatis, Tsai]

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

Conclusion

• The I/O automaton model can be used to for modeling many

different types of distributed system

• It provides a precise way of describing and reasoning about

system components that interact with each other and operate at arbitrary relative speeds

• It also supports correctness proofs
• I/O automata are already used in practice for different

applications

• Extensions to I/O automata are used to describe some more

behavior (e.g. real-time, randomization, ...)

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

References

Nancy Lynch and Mark Tuttle. An Introduction to Input/Output automata, 1989 Nancy Lynch. Distributed Algorithms, Chapter 8. Morgan Kaufmann Publishers, 1996 Nancy Lynch. and Stephen Garland. Using I/O Automata for Developing Distributed Systems, 2000

Model overview Example: candy vending machines Fairness Properties and proof techniques Outlook and conclusion

THANK YOU!