Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Specification and Verification of Location- Based Fault Tolerant Mobile Systems Alexei Iliasov, Victor Khomenko, Maciej Koutny and Alexander Romanovsky.

Published byWhitney England Modified over 10 years ago

Similar presentations

Presentation on theme: "On Specification and Verification of Location- Based Fault Tolerant Mobile Systems Alexei Iliasov, Victor Khomenko, Maciej Koutny and Alexander Romanovsky."— Presentation transcript:

1 On Specification and Verification of Location- Based Fault Tolerant Mobile Systems Alexei Iliasov, Victor Khomenko, Maciej Koutny and Alexander Romanovsky Supported by IST 2004-511599 project (RODIN)

2 2 Introduction and motivation Verification of concurrent systems specified in B Combine theorem proving with model checking:  They have complementary strengths, e.g. cumbersome theorems/invariants can be verified by a model-checker  B machines are not very convenient for modelling sequential activity (need ‘program counter’) – it would be good to combine B and some process algebra Combining theorem proving and model checking is proven efficient in industry, e.g. Intel’s verification of Pentium 4 floating point unit

3 3 CAMA Architecture Agent – global structuring unit of the system Scope – structuring unit of coordination space and agent activity Role – structuring unit of agent functionality and also the basis for formal specification of functionality Location – structuring unit of agent context

4 4 CAMA Operations Location operations:Scope Operations: Engage@lCreateScope(n,s)@l.s Disengage@lDeleteScope@l.s JoinScope(r)@l.s LeaveScope@l.s GetScopes(d)@l.s Linda operations: in, rd, inp, rdp, ina, rd, inpa, rdpa

5 5 Approach PNKlaim B B Code Prefix Properties MC

6 6 KLAIM A process algebra related to pi-calculus: A network of nodes, identified by localities (names) Each node has an associated tuple space A node runs a set of processes Processes can create new nodes Processes can input/output tuples from/to tuple spaces of nodes they know Processes can start new processes on the nodes they know (e.g. move)

7 7 CAMA  KLAIM Just a simple syntactic translation Can combine the system described in CAMA with one described in KLAIM

8 8 KLAIM  PN Compositional translation is possible Example: a simple mobile robot (SMR) Intended behaviour of the system: input a start-up message FOREVER DO input locality u output your previous locality move to u

9 9 KLAIM  PN Possible KLAIM model: a :: in(s)@self. eval(SMR(self))@self. nil | | || b :: || c :: where SMR(w) = in(!u)@self. out(w)@self. eval(SMR(self))@u. nil

10 10 Example: SMR b a c SYS

11 11 Example: SMR b a c SMR

12 12 Example: SMR b a c SMR

13 13 Example: SMR b a c SMR

14 14 Example: SMR b a c SMR

15 15 Example: SMR Possible (compositional) translation to HL Petri nets: in eval x z x λxλx λ λxλx x.z a.s a.c b.c c.b λ is the empty string net of SMR a s

16 16 Example: SMR in eval x z x λxλx λ λxλx x.z a.s a.c b.c c.b a s in can be fired with z = s x = a leading to

17 17 Example: SMR in eval x z x λxλx λ λxλx x.z a.c b.c c.b a s

18 18 Example: SMR in eval x z x λxλx λ λxλx x.z a.c b.c c.b a s eval can be fired with x = a leading to

19 19 Example: SMR in eval x z x λxλx λ λxλx x.z a.c b.c c.b a s λaλa λ λaλa

20 20 Example: SMR eval σtz a.c b.c c.b λaλa λ λaλa σtσt x.z t σxσx σxσx σxσx σtx σ σ σ σ σ out in σzσz σzσz σzσz

21 21 Example: SMR eval σtz a.c b.c c.b λaλa λ λaλa σtσt x.z t σxσx σxσx σxσx σtx σ σ σ σ σ out in σzσz σzσz σzσz in can be fired with σ = λ x = a z = c leading to

22 22 Example: SMR eval σtz b.c c.b λaλa λ λaλa σtσt x.z t σxσx σxσx σxσx σtx σ σ σ σ σ out in σzσz σzσz σzσz λcλc

23 23 Example: SMR eval σtz b.c c.b λaλa λ λaλa σtσt x.z t σxσx σxσx σxσx σtx σ σ σ σ σ out in σzσz σzσz σzσz out can be fired with σ = λ x = a z = a leading to λcλc

24 24 Example: SMR eval σtz b.c c.b λaλa λ λaλa σtσt x.z t σxσx σxσx σxσx σtx σ σ σ σ σ out in σzσz σzσz σzσz λcλc a.a

25 25 Example: SMR eval σtz b.c c.b λaλa λ λaλa σtσt x.z t σxσx σxσx σxσx σtx σ σ σ σ σ out in σzσz σzσz σzσz λcλc a.a eval can be fired with σ = λ x = a z = c leading to

26 26 Example: SMR eval σtz b.c c.b λaλa λaλa σtσt x.z t σxσx σxσx σxσx σtx σ σ σ σ σ out in σzσz σzσz σzσz λcλc a.a t ta tc which is in fact

27 27 Example: SMR eval σtz b.c c.b λaλa λaλa σtσt x.z t σxσx σxσx σxσx σtx σ σ σ σ σ out in σzσz σzσz σzσz λcλc a.a t ta tc

28 28 Example: SMR eval σtz b.c c.b λaλa λaλa σtσt x.z t σxσx σxσx σxσx σtx σ σ σ σ σ out in σzσz σzσz σzσz λcλc a.a t ta tc in can be fired with σ = t x = c z = b leading to

29 29 Example: SMR eval σtz b.c λaλa λaλa σtσt x.z t σxσx σxσx σxσx σtx σ σ σ σ σ out in σzσz σzσz σzσz λcλc a.a t ta tc tb

30 30 Example: SMR eval σtz b.c λaλa λaλa σtσt x.z t σxσx σxσx σxσx σtx σ σ σ σ σ out in σzσz σzσz σzσz λcλc a.a t ta tc tb... and so on...

31 31 Petri net unfolding prefixes Partial-order semantics of PNs Concurrency represented explicitly, using an acyclic PN Alleviate the state space explosion problem Efficient model checking algorithms Can be used for coloured PNs

32 32 Example: Dining Philosophers P5P5 P 13 T1T1 P3P3 T3T3 P2P2 T2T2 P1P1 T5T5 P6P6 T4T4 P4P4 P7P7 P8P8 P9P9 P 11 P 10 P 14 P 12 T9T9 T7T7 T 10 T6T6 T8T8 T1T1 P1P1 T2T2 T3T3 P2P2 P3P3 P4P4 P5P5 T4T4 P6P6 T5T5 P1P1 P7P7 P8P8 P7P7 P8P8 P9P9 T6T6 T7T7 P 10 P 11 T8T8 P 13 P 12 T9T9 P 14 T 10 P9P9 P7P7 P8P8

33 33 Model checking on PN unfoldings A Boolean expression  is built using the prefix, such that:   is unsatisfiable iff the property holds  Every satisfiable assignment of  gives a violation trace  has a form CONF  VIOL Some of the variables of  are associated with the events of the prefix

34 34 Shortest violation traces In the workshop’s proceedings: V. Khomenko: “Computing Shortest Violation Traces in Model Checking Based on Petri Net Unfoldings and SAT” The structure of the prefix can be exploited to compute the shortest violation traces efficiently They can be much shorter than the first computed trace Do not contain incidental system activity unrelated to the found error Facilitate debugging, saving the designer’s time

35 35 Future work Checking the properties related to fault tolerance, e.g.:  correctness of scoping structure  handling all exceptions  absence of deadlocks  absence of information smuggling between scopes  involving (if necessary) all agents in a a scope in cooperative handling  etc. Translation of B properties to PN

Download ppt "On Specification and Verification of Location- Based Fault Tolerant Mobile Systems Alexei Iliasov, Victor Khomenko, Maciej Koutny and Alexander Romanovsky."

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
1 Concurrency: Deadlock and Starvation Chapter 6.

1 Concurrency: Deadlock and Starvation Chapter 6.
Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.

Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.
1 Vorlesung Informatik 2 Algorithmen und Datenstrukturen (Parallel Algorithms) Robin Pomplun.

1 Vorlesung Informatik 2 Algorithmen und Datenstrukturen (Parallel Algorithms) Robin Pomplun.
© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.

© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 1 Embedded Computing.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 1 Embedded Computing.
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
UNITED NATIONS Shipment Details Report – January 2006.

UNITED NATIONS Shipment Details Report – January 2006.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Exit a Customer Chapter 8. Exit a Customer 8-2 Objectives Perform exit summary process consisting of the following steps: Review service records Close.

Exit a Customer Chapter 8. Exit a Customer 8-2 Objectives Perform exit summary process consisting of the following steps: Review service records Close.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.

FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Addition Facts 1 - 20.

Addition Facts
Year 6 mental test 5 second questions

Year 6 mental test 5 second questions

Similar presentations

Ads by Google