Presentation is loading. Please wait.

Presentation is loading. Please wait.

Asynchronous Components with Futures: Semantics, Specification, and Proofs in a Theorem Prover Components (Distributed) Futures Formalisations (and proofs)

Published byPrimrose Armstrong Modified over 9 years ago

Similar presentations

Presentation on theme: "Asynchronous Components with Futures: Semantics, Specification, and Proofs in a Theorem Prover Components (Distributed) Futures Formalisations (and proofs)"— Presentation transcript:

1 Asynchronous Components with Futures: Semantics, Specification, and Proofs in a Theorem Prover Components (Distributed) Futures Formalisations (and proofs) Ludovic Henrio work realised with Muhammad Uzair Khan (+ Florian Kammuller) OASIS Team CNRS – INRIA - UNS Sophia Antipolis France

2 Context and Objectives 2

3 What are (GCM) Components? Bindings Business code Server interfaces Client interfaces Primitive component Composite component 3 interface = port

4 Why a Mechanised Formalisation 4 Component model and definitions Optimizations Implementation Optimizations Verification and tools GenericpropertiesGenericproperties Properties are used in the implementation and the verification of programs

5 Why a Mechanised Formalisation 5 Component model and definitions Optimizations Implementation Optimizations Verification and tools GenericpropertiesGenericproperties definitions properties Definitions and Properties are easy to check who checks the proofs? Caromel, D., Henrio, L. A Theory of Distributed Object. Springer-Verlag (2005)

6 Why a Mechanised Formalisation 6 Component model and definitions Optimizations Implementation Optimizations Verification and tools GenericpropertiesGenericproperties definitions properties Only definitions and properties must be checked (+prover)

7 Our component model structured, hierarchical, and distributed support for runtime representation and manipulation  handle reconfiguration, component structure (separation between functional and non-functional concerns) Based on the ProActive Java library Developped in our team based on Active Objects (Components monothreaded) Component model and definitions: Grid Component Model [1] Implementation: ProActive/GCM [1] Françoise Baude, Denis Caromel et al, GCM: A Grid Extension to Fractal for Autonomous Distributed Components, in Annals of Telecommunications - Special Issue on Software Components - The Fractal Initiative, Springer, 2009 Business code Primitive component Composite component

8 Our objectives From a model more precise than GCM (structure), but more general than ProActive/GCM implementation In a theorem prover  Mechanized proofs To study  interaction between futures and components,  correctness of adaptation procedures and optimisations done in the library Here: Prove correctness of future update strategies  proofs about the middleware 8 definition properties A future is a placeholder for a promised result

9 Component Structure 9

10 Encode GCM basic component structure Bindings Business code Server interfaces Client interfaces Primitive component Composite component 10 interface = port

11 Framework for Reasoning on Components 11 Component hierarchical Structure For example, bindings: Business code Primitive component Composite component Design Choices Suitable abstraction level Suitable representation List / Finite Set, component name, etc

12 Support Constructs and Lemmas 12 Operators to manipulate components inside hierarchies  E.g., Traverse hierarchy: find/replace, (recursive) set of subcomponents: cpSet To manipulate states  Retrieve referenced futures, all computed results, etc Properties on component structure  “Well-defined” and “correct” Components Support lemmas, e.g.

13 Component re-configuration Transformation of component structure or content at runtime  Two reconfiguration primitives formalised (remove and replace)  Illustrates the flexibility of the approach Basic properties on reconfiguration primitives Ludovic Henrio, Florian Kammüller, and Muhammad Uzair Khan A Framework for Reasoning on Component Composition - FMCO 2009, Springer (2010)

14 Communication Model 14

15 A Primitive GCM Component CI.foo(p) Primitive components communicating by asynchronous requests on interfaces  Components abstract away distribution and concurrency 15 CI

16 Primitive Components in Isabelle Primitive components are defined by interfaces plus an internal behaviour, they can:  emit requests  serve requests  send results  receive results (at any time)  do internal actions some rules define a correct behaviour, e.g. one can only send result for a served request We define the behaviour of the whole components as small-step operational semantics 16

17 Communication inside Composites 17 Composites only delegate calls between components Use the bindings to know where to transmit requests Composite behaviour expressed as small step semantics and encoded in Isabelle

18 Futures 18

19 Futures Future = Placeholder for an awaited result  Result of concurrent computation Example:  Futures in Multilisp [1] ( Cons (future A) ( future B) )  Separate threads for evaluating A and B (future A)(future B) A B [1] Halstead, Jr., R.H. Multilisp: A language for concurrent symbolic computation. ACM Transactions on Programming Languages and Systems (TOPLAS), 1985

20 Futures: Classification Creation of a future  How and when are futures created? l Implicit creation = automatic upon asynchronous invocation (on a remote object) l Explicit creation = there is a future construct Manipulation and access  How to manipulate the futures? l Explicit access = get operation (+ future type) l Implicit (transparent) access = any variable can contain a future 20

21 Futures for Components f=CI.foo(p) ………. g=f+3 Component are independent entities (threads are isolated in a component) + Asynchronous requests with results  Futures are necessary 21

22 First-class Futures f=CI.foo(p) ……………… CI.foo(f) Only strict operations are blocking (access to a future) Communicating a future is not a strict operation 22

23 First-class Futures and Hierarchy … … … Without first-class futures, one thread is systematically blocked in the composite component. A lot of blocked threads return C1.foo(x)

24 Future Update Strategies 24

25 Future Update Strategies How to bring future values to components that need them? A “naive” approach: Any component can receive a value for a future reference it holds. More operational is the lazy approach: 25 require future value Lazy future update -- « On demand » No-unnecessary transfer of values Two phases update: « registration delay + time for transfer » Results stored for long term  Not much operational.

26 Eager forward-based strategy A strategy avoiding to store future values indefinitely Future updates follow the same path as future flow Each component remembers only the components to which it forwarded the future 26 Results sent as soon as available No additional message Future updates form a chain  intermediate components Easy to garbage collect computed results

27 Eager home-based future update A strategy avoiding to store future values indefinitely Relies on future registration and sends the value as soon as it is calculated 27 register future Results sent as soon as available Every component with future reference is registered Un-necessary transfers Garbage collection of computed results possible Formalised in Isabelle

28 GCM-like Component with Eager-home 28

29 Composite Component Semantics – CommChild 29

30 Properties on Future updates Future updates remove all references to a given future All Future references are registered during reduction register future Garbage collectable Complete registration GenericpropertiesGenericproperties Ludovic Henrio and Muhammad Uzair Khan “Asynchronous Components with Futures: Semantics and Proofs in Isabelle/HOL” - FESCA 2010 - ENTCS

31 CONCLUSION

32 Formalisation in Isabelle > 4000 lines, mostly proofs (do not read the proofs!) Almost 300 lemmas and theorems, ~ 500 lines definitions: component model and semantics 1800 lines for future update specific properties A few tricky design choices (lists vs sets, how to store names, …) A couple of axioms remaining (reduction correctness) short-term goal: correctness of various strategies Longer term: reconfiguration and execution 32

33 A refined GCM model More precise than GCM, give a semantics to the model:  asynchronous communications: future / requests  request queues  no shared memory between components  notion of request service Less precise than ProActive/GCM  can be multithreaded  no active object, not particularly object-oriented 33 Similarities with: SCA and Fractal (structure), Creol (futures) definition

34 Conclusion Components  GCM-like Component Model  Hierarchal components / interfaces / bindings / … First class futures  For asynchronous communication  Future update strategies Formalization in Isabelle/HOL  Formal specification + one future update strategy  Tools (lemmas + constructs) for manipulating components + futures  Proofs of correctness for future update and registration 34 A framework for mechanical proofs about components Formal constructs to study: components, futures, reconfiguration, …

35 THANK YOU ! 35

36 Auxiliary lemmas 36 Registered futures are preserved during reduction Futures references from a subcomponent in C2 are either registered in S or are in RL Basic lemmas

37 Remaining axioms 37

Download ppt "Asynchronous Components with Futures: Semantics, Specification, and Proofs in a Theorem Prover Components (Distributed) Futures Formalisations (and proofs)"

Similar presentations

Elton Mathias and Jean Michael Legait 1 Elton Mathias, Jean Michael Legait, Denis Caromel, et al. OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis,

Elton Mathias and Jean Michael Legait 1 Elton Mathias, Jean Michael Legait, Denis Caromel, et al. OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis,
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Pontus Boström and Marina Waldén Åbo Akademi University/ TUCS Development of Fault Tolerant Grid Applications Using Distributed B.

Pontus Boström and Marina Waldén Åbo Akademi University/ TUCS Development of Fault Tolerant Grid Applications Using Distributed B.
Architecture Representation

Architecture Representation
Denis Caromel1 Joint work with Ludovic Henrio – Eric Madelaine et. OASIS members OASIS Team INRIA -- CNRS - I3S – Univ. of Nice Sophia-Antipolis, IUF.

Denis Caromel1 Joint work with Ludovic Henrio – Eric Madelaine et. OASIS members OASIS Team INRIA -- CNRS - I3S – Univ. of Nice Sophia-Antipolis, IUF.
Eric MADELAINE1 E. Madelaine, Antonio Cansado, Emil Salageanu OASIS Team, INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis OSCAR meeting, Valparaiso,

Eric MADELAINE1 E. Madelaine, Antonio Cansado, Emil Salageanu OASIS Team, INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis OSCAR meeting, Valparaiso,
Software Engineering and Middleware: a Roadmap by Wolfgang Emmerich Ebru Dincel Sahitya Gupta.

Software Engineering and Middleware: a Roadmap by Wolfgang Emmerich Ebru Dincel Sahitya Gupta.
Scripting Languages For Virtual Worlds. Outline Necessary Features Classes, Prototypes, and Mixins Static vs. Dynamic Typing Concurrency Versioning Distribution.

Scripting Languages For Virtual Worlds. Outline Necessary Features Classes, Prototypes, and Mixins Static vs. Dynamic Typing Concurrency Versioning Distribution.
1 Ivan Lanese Computer Science Department University of Bologna Italy Behavioural Theory for SSCC Joint work with Luis Cruz-Filipe, Francisco Martins,

1 Ivan Lanese Computer Science Department University of Bologna Italy Behavioural Theory for SSCC Joint work with Luis Cruz-Filipe, Francisco Martins,
Reuse Activities Selecting Design Patterns and Components

Reuse Activities Selecting Design Patterns and Components
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
Asynchronous Components Asynchronous communications: from calculi to distributed components.

Asynchronous Components Asynchronous communications: from calculi to distributed components.
Safe composition of distributed adaptable components A distributed component model Behavioural specification and verification Ludovic Henrio and Eric Madelaine.

Safe composition of distributed adaptable components A distributed component model Behavioural specification and verification Ludovic Henrio and Eric Madelaine.
INRIA Sophia-Antipolis, Oasis team INRIA Rhône-Alpes, Vasy team Feria–IRIT/LAAS, SVF team Toulouse GET - ENST Paris, LTCI team FIACRE Models and Tools.

INRIA Sophia-Antipolis, Oasis team INRIA Rhône-Alpes, Vasy team Feria–IRIT/LAAS, SVF team Toulouse GET - ENST Paris, LTCI team FIACRE Models and Tools.
Formal Models for Programming and Composing Correct Distributed Systems Jury : Gordon BlairFabienne BoyerEric Madelaine Pascal PoizatMichel RiveillDavide.

Formal Models for Programming and Composing Correct Distributed Systems Jury : Gordon BlairFabienne BoyerEric Madelaine Pascal PoizatMichel RiveillDavide.
Oct. 2012 Multi-threaded Active Objects Ludovic Henrio, Fabrice Huet, Zsolt Istvàn June 2013 –

Oct Multi-threaded Active Objects Ludovic Henrio, Fabrice Huet, Zsolt Istvàn June 2013 –
The Grid Component Model: an Overview “Proposal for a Grid Component Model” DPM02 “Basic Features of the Grid Component Model (assessed)” -- DPM04 CoreGrid.

The Grid Component Model: an Overview “Proposal for a Grid Component Model” DPM02 “Basic Features of the Grid Component Model (assessed)” -- DPM04 CoreGrid.
Oct. 2012 Active objects: programming and composing safely large-scale distributed applications Ludovic Henrio SCALE team, CNRS – Sophia Antipolis July.

Oct Active objects: programming and composing safely large-scale distributed applications Ludovic Henrio SCALE team, CNRS – Sophia Antipolis July.
Architecture styles Pipes and filters Object-oriented design Implicit invocation Layering Repositories.

Architecture styles Pipes and filters Object-oriented design Implicit invocation Layering Repositories.
The Grid Component Model and its Implementation in ProActive CoreGrid Network of Excellence, Institute on Programming Models D.PM02 “Proposal for a Grid.

The Grid Component Model and its Implementation in ProActive CoreGrid Network of Excellence, Institute on Programming Models D.PM02 “Proposal for a Grid.

Similar presentations

Ads by Google