Presentation is loading. Please wait.

Presentation is loading. Please wait.

Behavioural Verification of Distributed Components Ludovic Henrio and Eric Madelaine ICE 2013 - Florence 1.

Published byElla King Modified over 8 years ago

Similar presentations

Presentation on theme: "Behavioural Verification of Distributed Components Ludovic Henrio and Eric Madelaine ICE 2013 - Florence 1."— Presentation transcript:

1 Behavioural Verification of Distributed Components Ludovic Henrio and Eric Madelaine ICE 2013 - Florence 1

2 Agenda I.A Distributed Component Model II.Behavioural Specification III.Verification Platform IV.Status, conclusion, and perspectives 2

3 What are Components? Business code Primitive component Server / input Client / output 3

4 What are Components? Business code Primitive component Business code Primitive component Composite component  Grid Component Model (GCM) An extension of Fractal for Distributed computing  ProActive/GCM An implementation based on active objects  Grid Component Model (GCM) An extension of Fractal for Distributed computing  ProActive/GCM An implementation based on active objects 4

5 A Primitive GCM Component CI.foo(p) CI 5  Primitive components communicating by asynchronous requests on interfaces  Components abstract away distribution and concurrency  In ProActive/GCM a primitive component is an active object  Primitive components communicating by asynchronous requests on interfaces  Components abstract away distribution and concurrency  In ProActive/GCM a primitive component is an active object

6 Futures for Components f=CI.foo(p) ………. g=f+3 Component are independent entities (threads are isolated in a component) + Asynchronous requests with results  Futures are necessary Component are independent entities (threads are isolated in a component) + Asynchronous requests with results  Futures are necessary 1 2 3 6

7 First-class Futures f=CI.foo(p) ……………… CI.foo(f) 7  In GCM/ProActive, 1 Component (data/code unit) = 1 Active object (1 thread = unit of concurrency) = 1 Location (unit of distribution)  In GCM/ProActive, 1 Component (data/code unit) = 1 Active object (1 thread = unit of concurrency) = 1 Location (unit of distribution)

8 Collective interfaces: a core GCM originality One-to-many = multicast Many-to-one = gathercast Distribution and synchronisation/collection policies for invocation and results Business code Primitive component Business code Primitive component Composite component Business code Primitive component Business code Primitive component 8

9 Agenda I.A Distributed Component Model II.Behavioural Specification III.Verification Platform IV.Status, conclusion, and perspectives 9

10 How to ensure the correct behaviour of a component application? Our approach: behavioural specification Service methods pNets: Behavioural Models for Distributed Fractal Components Antonio Cansado, Ludovic Henrio, and Eric Madelaine - Annals of Telecommunications - 2008 10  Trust the implementation step  Or static analysis  Generate correct (skeletons of) components (+static and/or runtime checks)  Trust the implementation step  Or static analysis  Generate correct (skeletons of) components (+static and/or runtime checks)

11 Full picture: a pNet !Q_Write(b) ?Q_Write(x) Support for parameterised families Synchronisation vectors 11

12 Basic pNets: parameterised LTS Labelled transition systems, with: Value passing Local variables Guards…. (~value passing CCS, LOTOS) Can be written as a UML state machine Eric MADELAINE 12

13 Complex synchronisations in pNets: Many-to-many Synchronisation of any number of processes at the same time 13

14 Complex synchronisations in pNets: indexing A parameter can be used to index inside a structure Indexation in family of future proxies Many to-many synchronisation with indexing 14 Global action Transmit reply to subcomponent k Update local future proxy Recycle local future proxy

15 Agenda I.A Distributed Component Model II.Behavioural Specification III.Verification Platform IV.Status, conclusion, and perspectives 15

16 Use-case: Fault-tolerant storage 1 multicast interface sending write/read requests to all slaves. the slaves reply asynchronously, the master only needs enough coherent answers to terminate Verifying Safety of Fault-Tolerant Distributed Components Rabéa Ameur-Boulifa, Raluca Halalai, Ludovic Henrio, and Eric Madelaine - FACS 2011 16

17 BFT pNet: focus on multicast 17

18 Properties proved (on the case study) Reachability(*): 1- The Read service can terminate  fid:nat among {0...2}. ∃ b:bool. true 2- Is the BFT hypothesis respected by the model ? true Inevitability: After receiving a Q_Write(f,x) request, it is (fairly) inevitable that the Write services terminates with a R_Write(f) answer, or an Error is raised. Functional correctness: After receiving a ?Q_Write(f1,x), and before the next ?Q_Write, a ?Q_Read requests raises a !R_Read(y) response, with y=x (*) Model Checking Language (MCL), Mateescu et al, FM’08 Prove (safety and liveness)  generic properties like absence of deadlock  or properties specific to the application logic Prove (safety and liveness)  generic properties like absence of deadlock  or properties specific to the application logic 18

19 Tool Architecture Currently: production of the CADP input formats; only partially (~50%) available. Goal: full automatisation 19 Vercors Editors: ADL ++ Interfaces Behaviors Properties Behav. Sem. *.fractal pNets N2F LNT exp svl++ CADP: Caesar.open Distributor Exp.open Evaluator MCL Abs Diagnostic visualisation

20 Agenda I.A Distributed Component Model II.Behavioural Specification III.Verification Platform IV.Status, conclusion, and perspectives 20

21 Conclusion A component model made of autonomous asynchronous components  Request/future comunications  One-to-many and many-to-one communications + MxN A formalism for representing the behavioural semantics of a system The translation between the two,  completely formalised,  Partially implemented. 21

22 Recent advances in behavioural specification for GCM Scaling-up : gained orders of magnitude by a combination of:  data abstraction,  compositional and contextual minimization,  distributed state-space generation. Biggest intermediate model: 5M states / estimated brute force: ~ 10 32 pNets: 2004-2008 CoCoME: hierarchical & synchronous FACS’08: 1 st class futures WCSI’10: group communication FACS’11: GCM & multicast interfaces Application to BFT Ongoing work Reconfiguration... 22

23 Correct component reconfiguration Towards safety and autonomicity Verify reconfiguration procedures Safe adaptation procedures as a solid ground for autonomic applications Some directions:  Parameterized topologies (not only master-slave): ADL[N] ; behavioural specification (pNets) ; reconfiguration primitives  Theorem proving might help (prove general properties) 23

24 Correct component reconfiguration Towards safety and autonomicity 24 [N] Verify reconfiguration procedures Safe adaptation procedures as a solid ground for autonomic applications Some directions:  Parameterized topologies (not only master-slave): ADL[N] ; behavioural specification (pNets) ; reconfiguration primitives  Theorem proving might help (prove general properties)

25 THANK YOU ! See our webpages for technical papers, tools, and usecases http://www-sop.inria.fr/members/Eric.Madelaine/ eric.madelaine@inria.fr http://www-sop.inria.fr/oasis/personnel/Ludovic.Henrio/ ludovic.henrio@cnrs.fr 25

26 26

27 State-space generation workflow Build product Flac + Distributor + Minimize Master.exp MQueue.bcg Master Queue MQueue.fcr MQueue.bcg Master Body MBody.fcr … WriteProxy.bcg Write Proxy WriteProxy.fcr (Hide/Rename) Minimize (Hide/Rename) Minimize Master.exp … 27

28 But what is a Good size for a (primitive) Component? Not a strict requirement, but somehow imposed by the model design According to CCA or SCA, a service (a component contains a provided business function) According to Fractal, a few objects According to GCM, a process GCM: A Grid Extension to Fractal for Autonomous Distributed Components - F. Baude, D. Caromel, C. Dalmasso, M. Danelutto, V. Getov, L. Henrio, C. Pérez - Annals of Telecom. - 2008  In GCM/ProActive, 1 Component (data/code unit) = 1 Active object (1 thread = unit of concurrency) = 1 Location (unit of distribution)  In GCM/ProActive, 1 Component (data/code unit) = 1 Active object (1 thread = unit of concurrency) = 1 Location (unit of distribution)

29 First-class Futures and Hierarchy … … … Without first-class futures, one thread is systematically blocked in the composite component. A lot of blocked threads In GCM/ProActive  systematic deadlock Without first-class futures, one thread is systematically blocked in the composite component. A lot of blocked threads In GCM/ProActive  systematic deadlock return C1.foo(x) 29

30 Back to the case study Hypotheses: 1.The master is reliable: this simplifies the 3-phases commit protocol, and avoid the consensus research phase. 2.The underlying middleware ensures safe communications :  faulty components only respond to their own requests  communication order is preserved. 3.To tolerate f faults we use 3f+1 slaves, and require 2f+1 agreeing answers, as in the usual BFT algorithms. NB: Here f+1 would be sufficient 30

31 Generation of state-space Taming state-space explosion: Data abstraction (through abstract interpretation): integers => small intervals arrays => open question. Partitioning and minimizing by bisimulation + context specification Distributed verification. Only partially available (state-space generation, but no M.C.). 31

32 Compositional + Distributed State-space generation Abstract model: f=1, (=> 4 slaves), |data|= 2, |proxies|=3*3, |client requests|=3 Master queue size = 2 ~100 cores, max 300 GB RAM System part sizes (states/transitions): 32 Queue Largest intermediate Master Good Slave GlobalTime 237/3189524/31075M/103M5936/61K34K/164K59’ Estimated brute force state spaces : 10 18 6.10 3 ~ 10 32

Download ppt "Behavioural Verification of Distributed Components Ludovic Henrio and Eric Madelaine ICE 2013 - Florence 1."

Similar presentations

Elton Mathias and Jean Michael Legait 1 Elton Mathias, Jean Michael Legait, Denis Caromel, et al. OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis,

Elton Mathias and Jean Michael Legait 1 Elton Mathias, Jean Michael Legait, Denis Caromel, et al. OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis,
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Pontus Boström and Marina Waldén Åbo Akademi University/ TUCS Development of Fault Tolerant Grid Applications Using Distributed B.

Pontus Boström and Marina Waldén Åbo Akademi University/ TUCS Development of Fault Tolerant Grid Applications Using Distributed B.
European Commission Directorate-General Information Society Unit F2 – Grid Technologies INSERT PROJECT ACRONYM HERE BY EDITING THE MASTER SLIDE (VIEW.

European Commission Directorate-General Information Society Unit F2 – Grid Technologies INSERT PROJECT ACRONYM HERE BY EDITING THE MASTER SLIDE (VIEW.
Timed Automata.

Timed Automata.
Denis Caromel1 Joint work with Ludovic Henrio – Eric Madelaine et. OASIS members OASIS Team INRIA -- CNRS - I3S – Univ. of Nice Sophia-Antipolis, IUF.

Denis Caromel1 Joint work with Ludovic Henrio – Eric Madelaine et. OASIS members OASIS Team INRIA -- CNRS - I3S – Univ. of Nice Sophia-Antipolis, IUF.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Designing, programming, and verifying (large scale) distributed systems Eric Madelaine INRIA Sophia-Antipolis SCALE team

Designing, programming, and verifying (large scale) distributed systems Eric Madelaine INRIA Sophia-Antipolis SCALE team
Eric MADELAINE1 E. Madelaine, Antonio Cansado, Emil Salageanu OASIS Team, INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis OSCAR meeting, Valparaiso,

Eric MADELAINE1 E. Madelaine, Antonio Cansado, Emil Salageanu OASIS Team, INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis OSCAR meeting, Valparaiso,
Session 2: task 3.2 GCM, Kracow, June 27 2006 l Current status of GCM Denis Caromel (10 mn each talk) l Wrapping CCA Components as GCM Components Maciej.

Session 2: task 3.2 GCM, Kracow, June l Current status of GCM Denis Caromel (10 mn each talk) l Wrapping CCA Components as GCM Components Maciej.
1 IFM 2005 – November 30, 2005 EXP.OPEN 2.0 A flexible tool integrating partial order, compositional, and on-the-fly verification methods Frédéric Lang.

1 IFM 2005 – November 30, 2005 EXP.OPEN 2.0 A flexible tool integrating partial order, compositional, and on-the-fly verification methods Frédéric Lang.
Optimisation of behaviour of component-based distributed systems INRIA - I3S - CNRS – University of Nice Sophia-Antipolis EPC SCALE Galyna Zholtkevych.

Optimisation of behaviour of component-based distributed systems INRIA - I3S - CNRS – University of Nice Sophia-Antipolis EPC SCALE Galyna Zholtkevych.
02/06/05 “Investigating a Finite–State Machine Notation for Discrete–Event Systems” Nikolay Stoimenov.

02/06/05 “Investigating a Finite–State Machine Notation for Discrete–Event Systems” Nikolay Stoimenov.
Distributed Control of FACTS Devices Using a Transportation Model Bruce McMillin Computer Science Mariesa Crow Electrical and Computer Engineering University.

Distributed Control of FACTS Devices Using a Transportation Model Bruce McMillin Computer Science Mariesa Crow Electrical and Computer Engineering University.
Asynchronous Components Asynchronous communications: from calculi to distributed components.

Asynchronous Components Asynchronous communications: from calculi to distributed components.
Safe composition of distributed adaptable components A distributed component model Behavioural specification and verification Ludovic Henrio and Eric Madelaine.

Safe composition of distributed adaptable components A distributed component model Behavioural specification and verification Ludovic Henrio and Eric Madelaine.
INRIA Sophia-Antipolis, Oasis team INRIA Rhône-Alpes, Vasy team Feria–IRIT/LAAS, SVF team Toulouse GET - ENST Paris, LTCI team FIACRE Models and Tools.

INRIA Sophia-Antipolis, Oasis team INRIA Rhône-Alpes, Vasy team Feria–IRIT/LAAS, SVF team Toulouse GET - ENST Paris, LTCI team FIACRE Models and Tools.
Formal Models for Programming and Composing Correct Distributed Systems Jury : Gordon BlairFabienne BoyerEric Madelaine Pascal PoizatMichel RiveillDavide.

Formal Models for Programming and Composing Correct Distributed Systems Jury : Gordon BlairFabienne BoyerEric Madelaine Pascal PoizatMichel RiveillDavide.
Oct. 2012 Multi-threaded Active Objects Ludovic Henrio, Fabrice Huet, Zsolt Istvàn June 2013 –

Oct Multi-threaded Active Objects Ludovic Henrio, Fabrice Huet, Zsolt Istvàn June 2013 –
The Grid Component Model: an Overview “Proposal for a Grid Component Model” DPM02 “Basic Features of the Grid Component Model (assessed)” -- DPM04 CoreGrid.

The Grid Component Model: an Overview “Proposal for a Grid Component Model” DPM02 “Basic Features of the Grid Component Model (assessed)” -- DPM04 CoreGrid.

Similar presentations

Ads by Google