FORTE04, Madrid, Sept. 2004 (slide transcript)
1
Parameterized Models for Distributed Java Objects
  • Eric Madelaine
  • work with
  • Tomás Barros, Rabéa Boulifa
  • OASIS Project, INRIA Sophia Antipolis
  • sept. 2004

2
Challenges
Goal: Automatic Verification of Properties of Distributed Systems
  • Specification language
  • usable by non-specialists
  • Automatic verification
  • construction of models from source code
  • integrated software
  • Standard, state-of-the-art model checkers
  • finite state models
  • hierarchical models, compositional construction

3
Motivations
  • Complexity of (Distributed) Software Verification
  • Classical approaches
  • BDDs, partial orders, data-independence,
    symmetry
  • Hierarchical construction, compositional
    reduction techniques
  • Value-passing systems, bounded model-checking
  • Abstractions
  • Parameterized / Infinite systems
  • ad-hoc, problem-specific solutions (induction,
    widening, etc.)

5
Motivations (contd)
  • Cleaveland & Riely @ CONCUR'94
  • "Abstractions for Value Passing Systems"
  • 1) Value-passing processes parameterized over
    value interpretations
  • 2) Abstract interpretation over countable data
    domains, using partitions (total surjections)
  • 3) Specification preorder for processes
  • 4) Result: safe value abstractions yield safe
    abstractions on processes.

6
Plan
  • Models
  • Finite systems and Synchronisation Networks.
  • Parameterized LTS, Networks, Instantiation.
  • Graphical Language
  • Extracting models
  • Java/ProActive distributed applications.
  • Abstraction and Static Analysis.
  • LTS and network computation.
  • Conclusions and Perspectives

7
Model (1) Synchronisation Networks
  • Labelled Transition Systems (LTS) ⟨S, s0, L, →⟩
  • Synchronisation Network (Net)
  • operator over transition systems (finite arity,
    arguments with sorts)
  • synchronisation vectors: ag ← ⟨-, -, a3, -, a4, a5, …⟩
    (one local action per argument, "-" for an argument that does not take part)
  • dynamic synchronisation transducers
  • Synchronisation product
  • builds a global LTS from a Net of arity n, and
    n argument LTSs.
  • Arnold 1992 synchronisation networks
  • Lakas 1996 Lotos open expressions
  • Boulifa, Madelaine 2003: Model generation for
    distributed Java programs, Fidji03
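The synchronisation product described above, as an added example (this is illustrative code, not the authors' tool): a Net of arity 3 whose arguments are small finite LTSs, and synchronisation vectors that map each global action to a vector of local actions. Names such as PRODUCER, BUFFER, CONSUMER and the vectors Put/Get are constructed for the example.

```python
from itertools import product

# Constructed example: three argument LTSs, each as (initial_state, {(src, label, dst)}).
IDLE = "-"  # position of an argument that does not take part in the vector

PRODUCER = ("p0", {("p0", "put", "p0")})
BUFFER = ("b0", {("b0", "put", "b1"), ("b1", "get", "b0")})
CONSUMER = ("c0", {("c0", "get", "c0")})

# Synchronisation vectors: global action <- one local action per argument.
VECTORS = {
    "Put": ("put", "put", IDLE),
    "Get": (IDLE, "get", "get"),
}


def sync_product(args, vectors):
    """Build the global LTS of a Net: global states are tuples of argument
    states; a vector fires only when every non-idle position can perform
    its local action from the current tuple (idle positions keep their state)."""
    inits = tuple(a[0] for a in args)
    trans = [a[1] for a in args]
    edges = set()
    todo, seen = [inits], {inits}
    while todo:
        cur = todo.pop()
        for glob, vec in vectors.items():
            choices = []  # per position: the possible successor states
            for i, lab in enumerate(vec):
                if lab == IDLE:
                    choices.append([cur[i]])
                else:
                    choices.append([d for (s, l, d) in trans[i]
                                    if s == cur[i] and l == lab])
            # product() is empty as soon as one position cannot fire
            for nxt in product(*choices):
                edges.add((cur, glob, nxt))
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return inits, seen, edges


if __name__ == "__main__":
    s0, states, edges = sync_product([PRODUCER, BUFFER, CONSUMER], VECTORS)
    for src, lab, dst in sorted(edges):
        print(src, "--", lab, "->", dst)
```

With this network the global LTS has two states, alternating Put and Get, because the one-place buffer refuses a second put until the consumer has taken the item.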

8
(2) Parameterized Transition Systems
  • Process Parameters
  • denotes families of LTSs.
  • Variables
  • associated to each state, assigned by
    transitions.
  • Simple (countable) Types
  • booleans, finite enumerations, integers and
    intervals, records.
  • Parameterized LTS (pLTS) ⟨K, S, vs, s0, L, →⟩
  • with parameterized transitions labelled
    b, α(x), x := e(x)  (guard, parameterized action, assignment of the state variables)
9
(3) Parameterized Networks
  • Synchronisation Network (pNet)
  • ⟨pAG, {pIi, Ki}, pT = ⟨KG, TT, t0, LT, →⟩⟩
  • global action alphabet pAg,
  • finite set of arguments, each with sort pIi and
    params Ki, corresponding to as many actual
    arguments as necessary in a given instantiation,
  • parameterized synchronisation vectors
  • ag ← ⟨-, -, a3(k3), -, a4(k4), …⟩
  • Instantiation for a finite abstraction of the
    parameter domains Dv
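Instantiation of a pLTS for a finite abstraction of its parameter domains, as an added example for slides 8 and 9 (illustrative code, not the authors' instantiation tool): a bounded-buffer body with one state variable n, whose transitions carry the guard, parameterized action and assignment of slide 8, is expanded into a finite LTS whose states pair a control state with a valuation. The functions buffer_plts and instantiate, and the domain for n, are constructed for the example.

```python
# Constructed example: transitions encoded as (source, guard, action, assignment, target).

def buffer_plts(capacity):
    """pLTS of a buffer body, parameterized by its capacity (a process parameter)."""
    put = ("body", lambda v: v["n"] < capacity, lambda v: "put",
           lambda v: {"n": v["n"] + 1}, "body")
    get = ("body", lambda v: v["n"] > 0, lambda v: f"get({v['n']})",
           lambda v: {"n": v["n"] - 1}, "body")
    return {"init": ("body", {"n": 0}), "transitions": [put, get]}


def instantiate(plts, domain):
    """Explore the reachable (control state, valuation) pairs. A transition
    that moves a variable outside the chosen finite domain means the
    abstraction is not closed, so it is reported rather than silently cut."""
    s0, v0 = plts["init"]
    init = (s0, tuple(sorted(v0.items())))
    seen, todo, edges = {init}, [init], set()
    while todo:
        state, val = todo.pop()
        v = dict(val)
        for src, guard, action, assign, dst in plts["transitions"]:
            if src != state or not guard(v):
                continue
            nv = assign(v)
            if any(nv[x] not in domain[x] for x in nv):
                raise ValueError(f"valuation {nv} leaves the finite domain")
            nxt = (dst, tuple(sorted(nv.items())))
            edges.add(((state, val), action(v), nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return init, seen, edges


if __name__ == "__main__":
    init, states, edges = instantiate(buffer_plts(2), {"n": range(3)})
    print(len(states), "states,", len(edges), "transitions")
    for src, lab, dst in sorted(edges):
        print(src, "--", lab, "->", dst)
```

Capacity 2 with n abstracted to {0, 1, 2} gives three states and four transitions; a capacity larger than the chosen domain makes instantiate report that the abstraction is not closed.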

10
Plan
  • Models
  • Finite systems and Synchronisation Networks
  • Parameterized LTS, Networks, Instantiation.
  • Graphical Language
  • Extracting models
  • Java/ProActive distributed applications,
  • Abstraction and Static Analysis,
  • LTS and network computation.
  • Conclusion and Future

11
Graphical Specifications
  • Generating a subset of our parameterized
    networks:
  • static networks
  • communication à la CCS
  • Graphical specification language at early stages
    of specification.
  • The mapping to the formal model allows for
    model-checking temporal properties of the
    graphical specification.
  • Attali, Barros, Madelaine: Formalisation and
    Verification of the Chilean electronic invoice
    system, JCCC04, Arica, Chile, Nov. 2004
  • Could be extended naturally for
  • transducers (dynamic topology)
  • 1 to n communication
  • component-like interfaces.

12
Graphical Specifications
13
Plan
  • Models
  • Finite systems and Synchronisation Networks
  • Parameterized LTS, Networks, Instantiation.
  • Graphical Language
  • Extracting models
  • Java/ProActive distributed applications,
  • Abstraction and Static Analysis,
  • LTS and network computation.
  • Conclusion and Future

14
Extracting models: principles
15
ProActive distributed activities
  • Active objects communicate by Remote Method
    Invocation.
  • Each active object
  • has a request queue (always accepting incoming
    requests)
  • has a body specifying its behaviour (local state
    and computation, service of requests, submission
    of requests)
  • manages the "wait by necessity" of responses
    (futures)

16
ProActive High level semantics
  • Independence wrt. distribution
  • Guarantee and Synchrony of delivery
  • RdV mechanism ensures the delivery of requests,
    and of responses.
  • Determinism / Confluence
  • Asynchronous communication and processing do not
    change the final result of computation.
  • ASP Calculus: D. Caromel, L. Henrio, B.
    Serpette, Asynchronous and Deterministic
    Objects, POPL 2004

17
Step 1: Front-end abstractions
  • Various methods for simplifying source code, with
    respect to a (set of) properties to be proven
  • Data abstraction: transform the application data
    domains into simple types.
  • Slicing: only keep variables and instructions
    influencing the property of interest.
  • The BANDERA toolset offers modules for slicing
    and data abstraction. We have adapted them to
    deal with ProActive code.
  • We use JIMPLE as an intermediate code for
    defining our static analysis functions (simpler
    than bytecode).

18
Step 2: Extended Call Graphs
  • control flow: class analysis, method calls
  • data flow: sequences of instructions (bytecode
    level)
  • distribution: identification of active objects
    in the code: activities, remote calls, futures.
  • Complex static analysis
  • class analysis
  • alias analysis
  • approximation of object topology
  • simulation of generated code.

19
Step 3a: Model generation, Global Network
  • Static topology: finite number of parameterized
    activities.
  • Identify parameters
  • Build boxes and links for each activity
  • Add Proxies and Queues for the management of
    messages

20
Step 3b: Model generation, Global Network
  • Property: for each distributed active object
    class, starting from source code with abstracted
    data (simple types), our procedure terminates and
    builds a finite parameterized model.

21
Step 3c: Model generation, Method LTS
  • One pLTS for each method in the Active Object
  • For each method
  • a residual algorithm for crossing the XMCG
  • generates a parameterized LTS of linear size
    (each XMCG node is crossed only once)
  • imprecision of the static analysis results in
    non-determinism.

22
Example: Call rule
23
Buffer Network (figure: Buf.Body with get and put actions, Buf.Queue)
24
Conclusions
  • Parameterized, hierarchical model.
  • Validated with a realistic case-study.
  • Automatic construction of model from the code
  • using safe approximations.
  • Ongoing development
  • verification platform for ProActive
  • graphical editor, generation of model from
    ProActive source code, instantiation tool,
    connections with finite-state checkers.

25
Perspectives
  • What is so special with ProActive ?
  • Could be done for other languages /
    middlewares, endowed with a formal semantics.
  • Refine the graphical language, extend to other
    ProActive features.
  • (Direct) parameterized verification.
  • Behavioural specifications of components,
  • correct compositions.

26
Thank you !
  • http://www-sop.inria.fr/oasis/Vercors

27
Electronic Invoices in Chile
  • Barros, Madelaine: Formalisation and Verification
    of the Chilean electronic invoice system, INRIA
    report RR-5217, June 2004.
  • 15 parameterized automata / 4 levels of
    hierarchy
  • state explosion: grouping, hiding, reduction by
    bisimulation
  • instantiating 7 parameters yields > millions
    of states...

28
Large case-study: Electronic Invoices in Chile

30
Parameterized Properties
  • Logical parameterized LTS
  • Parameterized temporal logics

31
Methodology Snapshot (figure: from Informal Requirements to Model Checker)
32
Algorithm rules
33
Consumer Network
34
Fractal hierarchical model: composites
encapsulate primitives, which encapsulate Java
code (figure: Controller / Content)
35
Fractal/ProActive Components for the GRID
  • An activity: a process, potentially in its own
    JVM
  • Composite: hierarchical, and distributed
    over machines
  • Parallel Composite: broadcast (group)
36
Components: correct composition
  • Behaviour is an essential part of a component
    specification.
  • Model of components
  • primitive: pLTS
  • composite: pNet
  • state-less component: static pNet
  • controller: transducer
  • Correctness of composition
  • implementation preorder ?