Modeling and Analyzing Distributed Systems Using I/O Automata



  1. Modeling and Analyzing Distributed Systems Using I/O Automata
  Nancy Lynch, MIT
  Draper Laboratory, IR&D Kickoff Meeting, Aug. 30, 2002

  2. Modeling using I/O Automata
  • Mathematical, infinite-state, automaton models.
  • Describe states, transitions.
  • Describe system modularity:
    • Parallel composition of interacting components.
    • Levels of abstraction.
  • Example: Generic distributed system:
    • Diagram represents interfaces only.
    • IOA models also describe behavior.
  • Abstract models for system components:
    • Channel: Implemented by TCP, modeled as a reliable FIFO queue.
    • Node: Implemented by a C++ or Java program, modeled as a simple algorithm automaton.

  3. Reliable FIFO Channel Model
  (Diagram: send(m) → Channel(M) → receive(m))
  • Signature:
    • Inputs: send(m), m in M
    • Outputs: receive(m), m in M
  • States:
    • queue, a finite sequence of elements of M, initially empty
  • Transitions:
    • send(m)
      • Effect: Add m to end of queue
    • receive(m)
      • Precondition: m is first on queue
      • Effect: remove first element of queue

  4. Levels of Abstraction
  (Diagram: TO-Bcast implemented by algorithm + GCS; GCS implemented on a lower-level network)
  • Used in system development by successive refinement.
  • Top level: Specification for allowed behaviors.
    • Can write in same automaton style.
  • Refine through many levels, to code-like, detailed description.
  • Example: Group communication:
    • Automata used to represent totally-ordered reliable broadcast service (TO-Bcast), group communication service (GCS), and algorithm.
    • Composition of algorithm and GCS automata implements TO-Bcast automaton.
    • Continue, implementing GCS in terms of lower-level network.

  5. Flavors of I/O Automaton Models
  • Ordinary, basic IOAs deal with:
    • What happens, in what order (not when).
    • Discrete events (not continuous behavior).
  • Timing: TIOA
    • For describing timeout-based algorithms.
    • Local clocks, clock synchronization.
    • Timing/performance analysis.
  • Hybrid (continuous/discrete): HIOA
    • Systems with real-world + computer components
    • Vehicle control: ground, air, space
    • Embedded systems

  6. What are these models good for?
  • System documentation/specification
    • High-level, precise, reasonably easy to understand.
  • Design validation:
    • Simulation of system behavior
    • Stating and proving correctness theorems.
      • Manually, or with interactive theorem-provers.
    • Finite-state exploration, for debugging, for complete analysis of small pieces, small cases, small abstractions.
  • Top-down system development
  • Code validation:
    • Models as templates for code
    • Demonstrate consistency between model and code
    • Generate code automatically from low-level models?

  7. In the remaining minutes:
  • I/O Automata
    • What they are (math)
    • Applications: Distributed algorithms, systems
    • Tool support: IOA language and toolset
  • Timed I/O Automata
    • What they are
    • Applications: Communication, performance analysis
  • Hybrid I/O Automata
    • What they are
    • Applications: Safety-critical systems

  8. I/O Automata (IOA)
  • Static description:
    • Actions a (input, output, internal)
    • States s, start states
    • Transitions (s, a, s'); input actions enabled in all states.
  • Dynamic description:
    • Execution: s0 a1 s1 a2 s2 …
    • Trace: Sequence of input and output actions; externally visible behavior.
    • A implements B: traces(A) ⊆ traces(B).
  • Operations for building automata:
    • Parallel composition, identifying inputs and outputs.
    • Action hiding.
  • Reasoning methods:
    • Invariant assertions: Property holds in all reachable states.
    • Simulation relations: Imply one automaton implements another.
    • Compositional methods

  9. Example Applications
  • Theoretical distributed algorithms:
    • Mutual exclusion, Byzantine agreement, atomic object implementation, resource allocation, data management…
  • Distributed systems:
    • Orca DSM system: Two-layer model, following the implementation. Found, fixed logical error. Proofs.
    • Transis group communication system: Models for key layers. Proofs. Algorithmic improvements.
    • Ensemble GC system: Models for key layers. Found, fixed logical error. Proofs.
  • Algorithms for dynamic networks (new):
    • RAMBO reconfigurable atomic memory algorithm
    • Dynamic atomic broadcast algorithm

  10. IOA Language + Toolset
  • Formally-defined programming/modeling language for describing and analyzing systems modelled as I/O automata.
  • Current tools: Simulator, connection to theorem-prover.
  • In progress: Invariant detector, connections to other theorem-provers, automatic code generator.
  • Steve Garland will say more.

  11. Timed I/O Automata (TIOA)
  • Add special time-passage actions, pass(t), to the IOA model.
  • Example: Reliable FIFO channel that always delivers messages within time d.
    • send(m)
      • Effect: Add (m, now + d) to end of queue
    • receive(m)
      • Precondition: (m,u) is first on queue (for some u)
      • Effect: remove first element of queue
    • pass(t)
      • Precondition: for all (m,u) in queue, now + t ≤ u
      • Effect: now := now + t
  • Can use standard automaton-based reasoning methods:
    • Invariant: for all (m,u) in queue, now ≤ u ≤ now + d.
    • Inductive proofs.
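The channel automata of slides 3 and 11 written out as executable code, as an added example (not from the slides or from the IOA toolset): state is (now, queue of (m, deadline)), each action is a method that checks its precondition, applies its effect, and re-checks the slide's invariant; the class and method names and the `demo` scenario are this example's own choices.

```python
# Added example: slide 11's timed reliable FIFO channel as an executable automaton.
# With d = infinity it degenerates to the untimed channel of slide 3.

class PreconditionFalse(Exception):
    """Raised when a locally-controlled action (receive, pass) is not enabled."""

class TimedFifoChannel:
    def __init__(self, d):
        self.d = d            # delivery bound d from the slide
        self.now = 0.0        # current time
        self.queue = []       # finite sequence of (m, u), u = delivery deadline
        self.trace = []       # externally visible actions, in order

    def invariant(self):
        # Slide 11 invariant: for all (m,u) in queue, now <= u <= now + d
        return all(self.now <= u <= self.now + self.d for _, u in self.queue)

    def send(self, m):
        # Input action: enabled in every state (no precondition).
        self.queue.append((m, self.now + self.d))
        self.trace.append(("send", m))
        assert self.invariant()

    def receive(self, m):
        # Output action. Precondition: (m,u) is first on queue for some u.
        if not self.queue or self.queue[0][0] != m:
            raise PreconditionFalse(f"receive({m!r}) not enabled")
        self.queue.pop(0)
        self.trace.append(("receive", m))
        assert self.invariant()

    def pass_enabled(self, t):
        # pass(t) precondition: time may advance only if no deadline is passed.
        return t >= 0 and all(self.now + t <= u for _, u in self.queue)

    def pass_time(self, t):
        if not self.pass_enabled(t):
            raise PreconditionFalse(f"pass({t}) would miss a deadline")
        self.now += t
        self.trace.append(("pass", t))
        assert self.invariant()

def demo(d=5.0):
    """Short execution; returns (trace, whether time was blocked by a deadline)."""
    ch = TimedFifoChannel(d)
    ch.send("a"); ch.pass_time(3.0); ch.send("b")   # deadlines: a at 5.0, b at 8.0
    blocked = not ch.pass_enabled(3.0)               # now + 3 = 6.0 > 5.0, so disabled
    ch.receive("a"); ch.pass_time(3.0); ch.receive("b")
    return ch.trace, blocked
```

The `blocked` result is the point of the pass(t) precondition: the automaton cannot let time advance past a pending deadline, which is what forces delivery within d.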

  12. Example Applications
  • Theoretical distributed algorithms:
    • Mutual exclusion, consensus, …
  • Timeout-based communication protocols:
    • TCP, …
  • Group communication systems:
    • Using GCS to build TO-Bcast: Conditional performance analysis.
    • Scalable GCS: Performance analysis.
    • RAMBO: Performance analysis.
  • Hybrid (continuous/discrete) systems:
    • Toy examples: RR crossing, steam boiler controller
    • Stretched TIOA capabilities; motivated HIOA.

  13. Hybrid I/O Automata (HIOA)
  • TIOA plus facilities for representing continuous behavior.
  • Static description:
    • States: input, output, internal variables; start states
    • Actions: input, output, internal
    • Discrete steps (s, a, s')
    • Trajectories τ, mapping time intervals to states
  • Dynamic description:
    • Execution τ0 a1 τ1 a2 τ2 …
    • Trace: Project on external variables, external actions.
    • A implements B if traces(A) ⊆ traces(B).
  • Operations: Composition, hiding
  • Reasoning methods: Invariants, simulation relations, compositional methods

  14. Example Applications
  • Ground transportation:
    • People-mover (Raytheon)
    • California PATH automated highway system: Analysis of platoon maneuvers.
  • Aircraft control:
    • TCAS (Lincoln Labs): Models, proofs.
    • Quanser helicopter system (MIT Aero/Astro).
  • Spacecraft, …:
    • ACME

  15. TCAS model
  (Diagram: two aircraft, each modeled as Aircraft, Sensor, Pilot, Conflict detector and Conflict resolver automata, with Channel automata connecting the two sides' conflict detectors and conflict resolvers.)
