Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Modeling and Analyzing Distributed Systems Using I/O Automata Nancy Lynch, MIT Draper Laboratory, IR&D Mid-Year Meeting December 11, 2002.

Published byRudolph May Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Modeling and Analyzing Distributed Systems Using I/O Automata Nancy Lynch, MIT Draper Laboratory, IR&D Mid-Year Meeting December 11, 2002."— Presentation transcript:

1 1 Modeling and Analyzing Distributed Systems Using I/O Automata Nancy Lynch, MIT Draper Laboratory, IR&D Mid-Year Meeting December 11, 2002

2 2 Project Description Develop I/O-automata-based methods and tools for modeling and analyzing distributed systems, with emphasis on systems for military and space applications. Methods and tools can be used for: –System documentation/specification –Design validation: Simulation Stating correctness and performance theorems Proving theorems, manually or with interactive theorem-provers –Automatic code generation Use the methods and tools to describe and analyze Draper’s ACME system. Project participants: –MIT: Nancy Lynch, Stephen Garland, Vida Ha, Amittai Axelrod –Draper: Joe Kochocki, Alan Tanzman

3 3 I/O Automata Infinite-state, nondeterministic, interacting state machines. Support modular system description, using parallel composition and levels of abstraction. Static description: –Actions a (input, output, internal) –States s, start states –Transitions (s, a, s') Dynamic description: –Execution: s 0 a 1 s 1 a 2 s 2 … –Trace: Project on external actions. –A implements B: traces(A)  traces(B). Operations for building automata: –Parallel composition, action hiding. Reasoning methods: –Invariant assertions: Property holds in all reachable states. –Simulation relations: Imply one automaton implements another.

4 4 Reliable FIFO Channel Model Signature: –Inputs: send(m), m in M –Outputs: receive(m), m in M States: –queue, a finite sequence of elements of M, initially empty Transitions: –send(m) Effect: Add m to end of queue –receive(m) Precondition: m is first on queue Effect: remove first element of queue Channel(M) send(m)receive(m)

5 5 Example Applications Basic distributed algorithms: –Resource allocation, consensus, atomic objects, concurrency control, group communication,… Distributed systems: –Orca distributed shared memory system [Fekete, Kaashoek, Lynch] –Transis group communication system [Fekete, Lynch, Shvartsman] –Ensemble GCS [Hickey, Lynch, van Renesse] Algorithms for dynamic networks: –Reconfigurable atomic memory [Lynch, Shvartsman 02] [Gilbert, Lynch, Shvartsman 02] [Musial, Shvartsman 02] –Dynamic atomic broadcast [Bar-Joseph, Keidar, Lynch 02]

6 6 IOA Language + Toolset Formally-defined programming/modeling language for describing and analyzing systems modelled as I/O automata. Current tools: Simulator, connection to Larch theorem-prover. In progress: Invariant detector, connection to Isabelle/HOL theorem-prover, automatic code generator. Steve Garland will say more. I O A

7 7 Additions to I/O Automaton Models Timing behavior: TIOA –For describing timeout-based algorithms. –Local clocks, clock synchronization. –Timing/performance analysis. Hybrid (continuous/discrete) behavior: HIOA –Systems with real world + computer components –Vehicle control: ground, air, space –Embedded systems

8 8 Timed I/O Automata (TIOA) Add special time-passage actions, pass(t), to IOA model. Example: Reliable FIFO channel that always delivers messages within time d. –send(m) Effect: Add (m, now + d) to end of queue –receive(m) Precondition: (m,u) is first on queue (for some u) Effect: remove first element of queue –pass(t) Precondition: for all (m,u) in queue, now + t  u Effect: now := now + t Can use standard automaton-based reasoning methods: –Invariant: for all (m,u) in queue, now  u  now + d. –Inductive proofs.

9 9 Example Applications Distributed algorithms: –Resource allocation, consensus,… Timeout-based communication protocols: –TCP, reliable multicast,… Performance (latency) analysis: –Group communication systems: Using GCS to build TO-Bcast [Fekete, Lynch, Shvartsman] Scalable GCS [Khazan, Keidar 01] –R AMBO reconfiguration atomic memory Hybrid (continuous/discrete) systems (toy examples): –RR crossing [Heitmeyer, Lynch, Archer] –Steam boiler controller

10 10 Hybrid I/O Automata (HIOA) TIOA plus facilities for representing continuous behavior. Static description: –States: input, output, internal variables; start states –Actions: input, output, internal –Discrete steps (s, a, s') –Trajectories , mapping time intervals to states Dynamic description: –Execution  0 a 1  1 a 2  2 … –Trace: Project on external variables, external actions. –A implements B if traces(A)  traces(B). Operations: Composition, hiding Reasoning methods: Invariants, simulation relations, compositional methods

11 11 Example Applications Ground transportation: –People-mover (Raytheon) [Livadas, Lynch, Weinberg, Delisle]. –California PATH automated highway system: Analysis of platoon maneuvers [Dolginova, Lynch, Lygeros]. Aircraft control: –TCAS (Lincoln Labs): Models, proofs [Livadas, Lygeros, Lynch]. –Quanser helicopter system (MIT Aero/Astro). Models, proofs [Mitra, Wang, Feron, Lynch 02]. Spacecraft: –ACME [Ha, Axelrod, Lynch, Garland, Kochocki, Tanzman 03]

12 12 TCAS model Aircraft Pilot Channel Conflict resolver Conflict detector Sensor Aircraft Conflict detector Conflict resolver Pilot Channel

13 13 Quanser Model Helicopter System [Mitra, Wang, Feron, Lynch 02] 3 DoF models manufatured by Quanser User Controllers not safe Supervisory pitch controller –Sensor inaccuracies –Actuator delay –Limited sampling frequency

14 14 HIOA model of the system New language constructs for specifying trajectories State models and Activities Composition of activities

15 15 sample control command dequeue    act 0 supervisor plant sensor usrCtrl Discrete communication among components actuator

16 16 Cannot jump from U to outside of R in a single step Switch to supervisor : settling phase Recovery Phase Back to User mode Executions in the User and Supervisor modes

17 17 Future Directions Application of HIOA model to verification –Realistic dynamics, inaccuracies, delays Design of safe Supervisory Controller –For arbitrary user controller Language constructs for HIOA Contributions Study systems with more complicated discrete behavior and dynamics. Develop a set of ‘useful lemmas’ from control theory to be directly used in invariant proofs Partially automate proofs using theorem provers

Download ppt "1 Modeling and Analyzing Distributed Systems Using I/O Automata Nancy Lynch, MIT Draper Laboratory, IR&D Mid-Year Meeting December 11, 2002."

Similar presentations

Impossibility of Distributed Consensus with One Faulty Process

Impossibility of Distributed Consensus with One Faulty Process
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Timed Automata.

Timed Automata.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.
HSCC 03 MIT LCS Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata Sayan Mitra MIT Hybrid Systems: Computation and Control.

HSCC 03 MIT LCS Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata Sayan Mitra MIT Hybrid Systems: Computation and Control.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Modeling and Analyzing Security Protocols using I/O Automata Nancy Lynch, MIT CSAIL DIMACS Security Workshop June 7, 2004.

Modeling and Analyzing Security Protocols using I/O Automata Nancy Lynch, MIT CSAIL DIMACS Security Workshop June 7, 2004.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December.

1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December.
1 Stability of Hybrid Automata with Average Dwell Time: An Invariant Approach Daniel Liberzon Coordinated Science Laboratory University of Illinois at.

1 Stability of Hybrid Automata with Average Dwell Time: An Invariant Approach Daniel Liberzon Coordinated Science Laboratory University of Illinois at.
Fault-Tolerant Real-Time Networks Tom Henzinger UC Berkeley MURI Kick-off Workshop Berkeley, May 2000.

Fault-Tolerant Real-Time Networks Tom Henzinger UC Berkeley MURI Kick-off Workshop Berkeley, May 2000.
Integrated Design and Analysis Tools for Software-Based Control Systems Shankar Sastry (PI) Tom Henzinger Edward Lee University of California, Berkeley.

Integrated Design and Analysis Tools for Software-Based Control Systems Shankar Sastry (PI) Tom Henzinger Edward Lee University of California, Berkeley.
An Introduction to Input/Output Automata Qihua Wang.

An Introduction to Input/Output Automata Qihua Wang.
Architecture-driven Modeling and Analysis By David Garlan and Bradley Schmerl Presented by Charita Feldman.

Architecture-driven Modeling and Analysis By David Garlan and Bradley Schmerl Presented by Charita Feldman.
Algorithm for Virtually Synchronous Group Communication Idit Keidar, Roger Khazan MIT Lab for Computer Science Theory of Distributed Systems Group.

Algorithm for Virtually Synchronous Group Communication Idit Keidar, Roger Khazan MIT Lab for Computer Science Theory of Distributed Systems Group.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Similar presentations

Ads by Google