Presentation is loading. Please wait.

Presentation is loading. Please wait.

Behavioural Verification of Distributed Components Ludovic Henrio and Eric Madelaine ICE 2013 1.

Published byJulian Farmer Modified over 8 years ago

Similar presentations

Presentation on theme: "Behavioural Verification of Distributed Components Ludovic Henrio and Eric Madelaine ICE 2013 1."— Presentation transcript:

1 Behavioural Verification of Distributed Components Ludovic Henrio and Eric Madelaine ICE 2013 1

2 Agenda I.A Distributed Component Model II.Behavioural Specification III.Verification Platform IV.Status, conclusion, and perspectives 2

3 What are Components? Business code Primitive component Server / input Client / output 3

4 What are Components? Business code Primitive component Business code Primitive component Composite component  Grid Component Model (GCM) An extension of Fractal for Distributed computing  Grid Component Model (GCM) An extension of Fractal for Distributed computing 4

5 A Primitive GCM Component CI.foo(p) CI 5  Primitive components communicating by asynchronous requests on interfaces  Components abstract away distribution and concurrency  In ProActive/GCM a primitive component is an active object  Primitive components communicating by asynchronous requests on interfaces  Components abstract away distribution and concurrency  In ProActive/GCM a primitive component is an active object

6 Futures for Components f=CI.foo(p) ………. g=f+3 Component are independent entities (threads are isolated in a component) + Asynchronous requests with results  Futures are necessary Component are independent entities (threads are isolated in a component) + Asynchronous requests with results  Futures are necessary 1 2 3 6

7 First-class Futures f=CI.foo(p) ……………… CI.foo(f) Only strict operations are blocking (access to a future) Communicating a future is not a strict operation In ProActive and ASP, futures are created and accessed implicitly (no explicit type “future”) IN contrast with Creol, Jcobox,... Only strict operations are blocking (access to a future) Communicating a future is not a strict operation In ProActive and ASP, futures are created and accessed implicitly (no explicit type “future”) IN contrast with Creol, Jcobox,... 7

8 Collective interfaces One-to-many = multicast Many-to-one = gathercast Distribution and synchronisation/collection policies for invocation and results Business code Primitive component Business code Primitive component Composite component Business code Primitive component Business code Primitive component 8

9 Agenda I.A Distributed Component Model II.Behavioural Specification III.Verification Platform IV.Status, conclusion, and perspectives 9

10 How to ensure the correct behaviour of a given program? Our approach: behavioural specification Service methods pNets: Behavioural Models for Distributed Fractal Components Antonio Cansado, Ludovic Henrio, and Eric Madelaine - Annals of Telecommunications - 2008 10

11 Use-case: Fault-tolerant storage 1 multicast interface sending write/read requests to all slaves. the slaves reply asynchronously, the master only needs enough coherent answers to terminate Verifying Safety of Fault-Tolerant Distributed Components Rabéa Ameur-Boulifa, Raluca Halalai, Ludovic Henrio, and Eric Madelaine - FACS 2011 11

12 Full picture: a pNet !Q_Write(b) ?Q_Write(x) Support for parameterized families Synchronisation vectors 12

13 Basic pNets: parameterized LTS Labelled transition systems, with: Value passing Local variables Guards…. Can be written as a UML diagram Eric MADELAINE 13

14 Complex synchronisations in pNets – Many-to-many Synchronisation of any number of processes at the same time input/output is « informal », restriction on bound variables 14

15 Complex synchronisations in pNets: indexing A parameter can be used to index inside a structure Indexation in family of future proxies Many to-many synchronisation with indexing 15 Global action Transmit reply to subcomponent k Update local future proxy Recycle local future proxy

16 Agenda I.A Distributed Component Model II.Behavioural Specification III.Verification Platform IV.Status, conclusion, and perspectives 16

17 Properties proved (on the case study) Reachability(*): 1- The Read service can terminate  fid:nat among {0...2}. ∃ b:bool. true 2- Is the BFT hypothesis respected by the model ? true Termination: After receiving a Q_Write(f,x) request, it is (fairly) inevitable that the Write services terminates with a R_Write(f) answer, or an Error is raised. Functional correctness: After receiving a ?Q_Write(f1,x), and before the next ?Q_Write, a ?Q_Read requests raises a !R_Read(y) response, with y=x (*) Model Checking Language (MCL), Mateescu et al, FM’08 Prove  generic properties like absence of deadlock  or properties specific to the application logic Prove  generic properties like absence of deadlock  or properties specific to the application logic 17

18 Tool Architecture Currently: production of the CADP input formats only partially (~50%) available. Goal: full automatisation 18 Vercors Editors: ADL ++ Interfaces Behaviors Properties Behav. Sem. *.fractal pNets N2F LNT exp svl++ CADP: Caesar.open Distributor Exp.open Evaluator MCL Abs Diagnostic visualisation

19 Graphical Specifications : VCE tool 19

20 Agenda I.A Distributed Component Model II.Behavioural Specification III.Verification Platform IV.Status, conclusion, and perspectives 20

21 Conclusion A component model made of autonomous asynchronous components  Request/future comunications  Many-to-many communications A formalism for representing the behavioural semantics of a system The translation between the two,  completely formalised,  Partially implemented. 21

22 Recent advances in behavioural specification for GCM Scaling-up : gained orders of magnitude by a combination of:  data abstraction,  compositional and contextual minimization,  distributed state-space generation. Specified formally the whole generation process pNets: 2004-2008 CoCoME: hierarchical & synchronous FACS’08: 1 st class futures WCSI’10: group communication FACS’11: GCM & multicast interfaces Application to BFT Ongoing work Reconfiguration... 22

23 Correct component reconfiguration Towards safety and autonomicity Verify reconfiguration procedures Safe adaptation procedures as a solid ground for autonomic applications Some directions:  Parameterized topologies (not only master-slave): ADL[N] ; behavioural specification (pNets) ; reconfiguration primitives 23

24 Correct component reconfiguration Towards safety and autonomicity 24 [N] Verify reconfiguration procedures Safe adaptation procedures as a solid ground for autonomic applications Some directions:  Parameterized topologies (not only master-slave): ADL[N] ; behavioural specification (pNets) ; reconfiguration primitives

25 THANK YOU ! 25

26 State-space generation workflow Build product Flac + Distributor + Minimize Master.exp MQueue.bcg Master Queue MQueue.fcr MQueue.bcg Master Body MBody.fcr … WriteProxy.bcg Write Proxy WriteProxy.fcr (Hide/Rename) Minimize (Hide/Rename) Minimize Master.exp … 26

27 But what is a Good size for a (primitive) Component? Not a strict requirement, but somehow imposed by the model design According to CCA or SCA, a service (a component contains a provided business function) According to Fractal, a few objects According to GCM, a process GCM: A Grid Extension to Fractal for Autonomous Distributed Components - F. Baude, D. Caromel, C. Dalmasso, M. Danelutto, V. Getov, L. Henrio, C. Pérez - Annals of Telecom. - 2008  In GCM/ProActive, 1 Component (data/code unit) = 1 Active object (1 thread = unit of concurrency) = 1 Location (unit of distribution)  In GCM/ProActive, 1 Component (data/code unit) = 1 Active object (1 thread = unit of concurrency) = 1 Location (unit of distribution)

28 First-class Futures and Hierarchy … … … Without first-class futures, one thread is systematically blocked in the composite component. A lot of blocked threads In GCM/ProActive  systematic deadlock Without first-class futures, one thread is systematically blocked in the composite component. A lot of blocked threads In GCM/ProActive  systematic deadlock return C1.foo(x) 28

29 Back to the case study Hypotheses: 1.The master is reliable: this simplifies the 3-phases commit protocol, and avoid the consensus research phase. 2.The underlying middleware ensures safe communications :  faulty components only respond to their own requests  communication order is preserved. 3.To tolerate f faults we use 3f+1 slaves, and require 2f+1 agreeing answers, as in the usual BFT algorithms. NB: Here f+1 would be sufficient 29

30 Generation of state-space Taming state-space explosion: Data abstraction (through abstract interpretation): integers => small intervals arrays => open question. Partitioning and minimizing by bisimulation + context specification Distributed verification. Only partially available (state-space generation, but no M.C.). 30

31 Compositional + Distributed State-space generation Abstract model: f=1, (=> 4 slaves), |data|= 2, |proxies|=3*3, |client requests|=3 Master queue size = 2 ~100 cores, max 300 GB RAM System part sizes (states/transitions): 31 Queue Largest intermediate Master Good Slave GlobalTime 237/3189524/31075M/103M5936/61K34K/164K59’ Estimated brute force state spaces : 10 18 6.10 3 ~ 10 32

Download ppt "Behavioural Verification of Distributed Components Ludovic Henrio and Eric Madelaine ICE 2013 1."

Similar presentations

Elton Mathias and Jean Michael Legait 1 Elton Mathias, Jean Michael Legait, Denis Caromel, et al. OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis,

Elton Mathias and Jean Michael Legait 1 Elton Mathias, Jean Michael Legait, Denis Caromel, et al. OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis,
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Pontus Boström and Marina Waldén Åbo Akademi University/ TUCS Development of Fault Tolerant Grid Applications Using Distributed B.

Pontus Boström and Marina Waldén Åbo Akademi University/ TUCS Development of Fault Tolerant Grid Applications Using Distributed B.
Architecture Representation

Architecture Representation
Denis Caromel1 Joint work with Ludovic Henrio – Eric Madelaine et. OASIS members OASIS Team INRIA -- CNRS - I3S – Univ. of Nice Sophia-Antipolis, IUF.

Denis Caromel1 Joint work with Ludovic Henrio – Eric Madelaine et. OASIS members OASIS Team INRIA -- CNRS - I3S – Univ. of Nice Sophia-Antipolis, IUF.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
Designing, programming, and verifying (large scale) distributed systems Eric Madelaine INRIA Sophia-Antipolis SCALE team

Designing, programming, and verifying (large scale) distributed systems Eric Madelaine INRIA Sophia-Antipolis SCALE team
Eric MADELAINE1 E. Madelaine, Antonio Cansado, Emil Salageanu OASIS Team, INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis OSCAR meeting, Valparaiso,

Eric MADELAINE1 E. Madelaine, Antonio Cansado, Emil Salageanu OASIS Team, INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis OSCAR meeting, Valparaiso,
Session 2: task 3.2 GCM, Kracow, June 27 2006 l Current status of GCM Denis Caromel (10 mn each talk) l Wrapping CCA Components as GCM Components Maciej.

Session 2: task 3.2 GCM, Kracow, June l Current status of GCM Denis Caromel (10 mn each talk) l Wrapping CCA Components as GCM Components Maciej.
1 IFM 2005 – November 30, 2005 EXP.OPEN 2.0 A flexible tool integrating partial order, compositional, and on-the-fly verification methods Frédéric Lang.

1 IFM 2005 – November 30, 2005 EXP.OPEN 2.0 A flexible tool integrating partial order, compositional, and on-the-fly verification methods Frédéric Lang.
Optimisation of behaviour of component-based distributed systems INRIA - I3S - CNRS – University of Nice Sophia-Antipolis EPC SCALE Galyna Zholtkevych.

Optimisation of behaviour of component-based distributed systems INRIA - I3S - CNRS – University of Nice Sophia-Antipolis EPC SCALE Galyna Zholtkevych.
02/06/05 “Investigating a Finite–State Machine Notation for Discrete–Event Systems” Nikolay Stoimenov.

02/06/05 “Investigating a Finite–State Machine Notation for Discrete–Event Systems” Nikolay Stoimenov.
Asynchronous Components Asynchronous communications: from calculi to distributed components.

Asynchronous Components Asynchronous communications: from calculi to distributed components.
Safe composition of distributed adaptable components A distributed component model Behavioural specification and verification Ludovic Henrio and Eric Madelaine.

Safe composition of distributed adaptable components A distributed component model Behavioural specification and verification Ludovic Henrio and Eric Madelaine.
INRIA Sophia-Antipolis, Oasis team INRIA Rhône-Alpes, Vasy team Feria–IRIT/LAAS, SVF team Toulouse GET - ENST Paris, LTCI team FIACRE Models and Tools.

INRIA Sophia-Antipolis, Oasis team INRIA Rhône-Alpes, Vasy team Feria–IRIT/LAAS, SVF team Toulouse GET - ENST Paris, LTCI team FIACRE Models and Tools.
Formal Models for Programming and Composing Correct Distributed Systems Jury : Gordon BlairFabienne BoyerEric Madelaine Pascal PoizatMichel RiveillDavide.

Formal Models for Programming and Composing Correct Distributed Systems Jury : Gordon BlairFabienne BoyerEric Madelaine Pascal PoizatMichel RiveillDavide.
Oct. 2012 Multi-threaded Active Objects Ludovic Henrio, Fabrice Huet, Zsolt Istvàn June 2013 –

Oct Multi-threaded Active Objects Ludovic Henrio, Fabrice Huet, Zsolt Istvàn June 2013 –
The Grid Component Model: an Overview “Proposal for a Grid Component Model” DPM02 “Basic Features of the Grid Component Model (assessed)” -- DPM04 CoreGrid.

The Grid Component Model: an Overview “Proposal for a Grid Component Model” DPM02 “Basic Features of the Grid Component Model (assessed)” -- DPM04 CoreGrid.
Oct. 2012 Active objects: programming and composing safely large-scale distributed applications Ludovic Henrio SCALE team, CNRS – Sophia Antipolis July.

Oct Active objects: programming and composing safely large-scale distributed applications Ludovic Henrio SCALE team, CNRS – Sophia Antipolis July.

Similar presentations

Ads by Google