1 / 26

Behavioural Verification of Distributed Components

Behavioural Verification of Distributed Components . Ludovic Henrio and Eric Madelaine. ICE 2013. Agenda. A Distributed Component Model Behavioural Specification Verification Platform Status , conclusion, and perspectives. What are Components?. Primitive component. Business code.

landis
Download Presentation

Behavioural Verification of Distributed Components

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Behavioural Verification of Distributed Components LudovicHenrio and Eric Madelaine ICE 2013

  2. Agenda • A Distributed Component Model • BehaviouralSpecification • VerificationPlatform • Status, conclusion, and perspectives

  3. What are Components? Primitive component Business code Client/ output Server / input

  4. What are Components? Composite component Primitive component Primitive component Business code Business code • Grid Component Model (GCM) • An extension of Fractal for Distributed computing

  5. A Primitive GCM Component CI CI.foo(p) • Primitive components communicating by asynchronous requests on interfaces • Components abstract away distribution and concurrency • In ProActive/GCM a primitive component is an active object

  6. Futures for Components 1 2 f=CI.foo(p)………. 3 g=f+3 g=f+3 Component are independent entities (threads are isolated in a component) + Asynchronous requests with results  Futures are necessary

  7. First-class Futures … … … f=CI.foo(p) CI.foo(f) CI.foo(f) Only strict operations are blocking (access to a future) Communicating a future is not a strict operation In ProActive and ASP, futures are created and accessed implicitly (no explicit type “future”) IN contrast with Creol, Jcobox, ...

  8. Collective interfaces • One-to-many = multicast • Many-to-one = gathercast • Distribution and synchronisation/collection policies for invocation and results Composite component Primitive component Primitive component Business code Business code Primitive component Business code Primitive component Business code

  9. Agenda • A Distributed Component Model • BehaviouralSpecification • VerificationPlatform • Status, conclusion, and perspectives

  10. How to ensure the correct behaviour of a given program? • Our approach: behaviouralspecification Service methods Service methods pNets: BehaviouralModels for Distributed Fractal Components Antonio Cansado, Ludovic Henrio, and Eric Madelaine - Annals of Telecommunications - 2008

  11. Use-case: Fault-tolerant storage • 1 multicast interface sendingwrite/readrequeststo all slaves. • the slaves replyasynchronously, the master onlyneedsenoughcoherentanswers to terminate Verifying Safety of Fault-Tolerant Distributed Components Rabéa Ameur-Boulifa, Raluca Halalai, Ludovic Henrio, and Eric Madelaine - FACS 2011

  12. Full picture: a pNet Support for parameterizedfamilies ?Q_Write(x) !Q_Write(b) Synchronisation vectors

  13. Labelled transition systems, with: Value passing Local variables Guards…. Can be written as a UML diagram Basic pNets: parameterized LTS Eric MADELAINE

  14. Complex synchronisations in pNets – Many-to-many • Synchronisation of anynumber of processesat the same time input/output is « informal », restriction on bound variables

  15. Complex synchronisations in pNets: indexing • A parametercanbeused to index inside a structure • Indexation in family of future proxies Many to-many synchronisation withindexing Recycle local future proxy Global action Transmit reply to subcomponent k Update local future proxy

  16. Agenda • A Distributed Component Model • BehaviouralSpecification • Verification Platform • Status, conclusion, and perspectives

  17. Propertiesproved (on the case study) • Reachability(*): 1- The Read service canterminate  fid:natamong {0...2}. ∃ b:bool. <true* . {!R_Read !fid !b}> true 2- Is the BFT hypothesisrespected by the model ? < true* . 'Error (NotBFT)'> true • Termination: Afterreceiving a Q_Write(f,x) request, itis (fairly) inevitablethat the Write services terminateswith a R_Write(f) answer, or an Errorisraised. • Functionalcorrectness: Afterreceiving a ?Q_Write(f1,x), and before the next ?Q_Write, a ?Q_Readrequestsraises a !R_Read(y) response, with y=x (*) Model CheckingLanguage (MCL), Mateescu et al, FM’08 • Prove • generic properties like absence of deadlock • or properties specific to the application logic

  18. Tool Architecture • Currently: production of the CADP input formats only partially (~50%) available. • Goal: full automatisation • Vercors Editors: • ADL ++ • Interfaces • Behaviors • Properties CADP: Caesar.open Distributor Exp.open Evaluator *.fractal Abs LNT exp svl++ Behav. Sem. pNets N2F MCL Diagnostic visualisation

  19. Graphical Specifications : VCE tool

  20. Agenda • A Distributed Component Model • BehaviouralSpecification • VerificationPlatform • Status, conclusion, and perspectives

  21. Conclusion • A component model made of autonomousasynchronous components • Request/future comunications • Many-to-many communications • A formalism for representing the behaviouralsemantics of a system • The translation between the two, • completelyformalised, • Partiallyimplemented.

  22. Recent advances in behavioural specification for GCM • Scaling-up : gained orders of magnitude by a combination of: • data abstraction, • compositional and contextual minimization, • distributed state-space generation. • Specified formally the whole generation process pNets: 2004-2008 CoCoME: hierarchical & synchronous FACS’08: 1st class futures WCSI’10: group communication FACS’11: GCM & multicast interfacesApplication to BFT Ongoingwork Reconfiguration...

  23. Correct component reconfigurationTowards safety and autonomicity • Verify reconfiguration procedures • Safeadaptation proceduresas a solidground for autonomic applications • Somedirections: • Parameterizedtopologies (not only master-slave): ADL[N] ; behaviouralspecification (pNets) ; reconfiguration primitives

  24. Correct component reconfigurationTowards safety and autonomicity • Verify reconfiguration procedures • Safeadaptation proceduresas a solidground for autonomic applications • Somedirections: • Parameterized topologies (not only master-slave): ADL[N] ; behaviouralspecification (pNets) ; reconfiguration primitives [N]

  25. THANK YOU ! 

  26. WriteProxy.fcr MQueue.fcr MBody.fcr Master Body Write Proxy Master Queue MQueue.bcg MQueue.bcg WriteProxy.bcg State-spacegenerationworkflow … Flac + Distributor + Minimize Build product Master.exp (Hide/Rename) Minimize … Master.exp

More Related