1
IOA: Mathematical Models
Distributed Programs
Nancy Lynch, November 15, 2000
Collaborators: Steve Garland, Josh Tauber, Anna Chefter, Antonio Ramirez, Michael Tsai, Chris Luhrs, Rui Fan, Laura Dean, Andrej Bogdanov
2
What we want to do:
See how abstract I/O automaton models of distributed algorithms and services could be used in producing and maintaining actual distributed programs.
3
Why use models?
• Models let you:
– Build very complex things and get them right
– Change things and understand the consequences
– Explain clearly how things work
• Other engineering disciplines use them
4
But why I/O automaton models?
• Very simple mathematical basis for describing structure + behavior of systems of interacting components
• Already used for:
– Distributed algorithms, impossibility results
– System case studies:
• Group communication services (Orca, Transis, Ensemble, …)
• Communication protocols (TCP, T/TCP, …)
• Hybrid (continuous/discrete) systems (TCAS, …)
• ...
5
What are I/O automata?
• Nondeterministic state machines
• Infinite state
• Input/output/internal actions
• Transitions, executions, traces
• Supports modularity:
– Composition
– Levels of abstraction
• Math model, language-independent
6
Using I/O automata
• Model service specs, distributed algorithms
• Refine, from high-level global service spec to detailed distributed algorithm
• Make models as nondeterministic as possible
• Prove correctness, using invariants, simulation relations, composition
7
TO Broadcast Service Spec
Signature:
  input: broadcast(a, p)
  output: receive(a, p, q)
  internal: order(a, p)
State:
  queue, sequence of (a, p), initially empty
  for each p:
    pending[p], sequence of a, initially empty
    next[p], positive integer, initially 1
8
TO Broadcast Spec
Transitions:
  broadcast(a, p)
    Effect: append a to pending[p]
  order(a, p)
    Precondition: a is head of pending[p]
    Effect: remove head of pending[p]; append (a, p) to queue
  receive(a, p, q)
    Precondition: queue[next[q]] = (a, p)
    Effect: next[q] := next[q] + 1
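The TO Broadcast spec of slides 7 and 8, written out as an executable model. This is an added example, not code from the talk or from the IOA toolkit: it transcribes the signature, state and precondition/effect transitions into plain Python, resolves the automaton's nondeterminism with a random scheduler, and checks two invariants of total-order broadcast (every process delivers a prefix of the one global queue, and each sender's messages are ordered as broadcast) after every step. It assumes queue is indexed from 1, as next[p] initially 1 implies; the process names p1..p3, the payloads, and the helper names run and check_invariants are constructed for the illustration.

```python
"""Executable model of the TO Broadcast service spec (added example, not IOA code)."""
import random
from typing import Dict, List, Tuple

Msg = Tuple[str, str]   # (a, p): payload a, originally broadcast by process p
Action = Tuple          # ("broadcast", a, p) | ("order", a, p) | ("receive", a, p, q)


class TOBroadcast:
    """State and transitions, following the slide one for one."""

    def __init__(self, procs: List[str]):
        self.procs = list(procs)
        self.queue: List[Msg] = []                            # the single global order
        self.pending: Dict[str, List[str]] = {p: [] for p in procs}
        self.next: Dict[str, int] = {p: 1 for p in procs}     # 1-indexed, as in the spec
        self.trace: List[Action] = []                         # external actions only

    # input broadcast(a, p): inputs have no precondition, always enabled
    def broadcast(self, a: str, p: str) -> None:
        self.pending[p].append(a)
        self.trace.append(("broadcast", a, p))

    # internal order(a, p): pre a = head(pending[p]); eff move it to queue
    def order(self, a: str, p: str) -> None:
        assert self.pending[p] and self.pending[p][0] == a, "order precondition"
        self.pending[p].pop(0)
        self.queue.append((a, p))

    # output receive(a, p, q): pre queue[next[q]] = (a, p); eff next[q] += 1
    def receive(self, a: str, p: str, q: str) -> None:
        assert self.queue[self.next[q] - 1] == (a, p), "receive precondition"
        self.next[q] += 1
        self.trace.append(("receive", a, p, q))

    def enabled(self) -> List[Action]:
        """Locally controlled (internal + output) actions whose precondition holds."""
        acts: List[Action] = []
        for p in self.procs:
            if self.pending[p]:
                acts.append(("order", self.pending[p][0], p))
        for q in self.procs:
            if self.next[q] <= len(self.queue):
                a, p = self.queue[self.next[q] - 1]
                acts.append(("receive", a, p, q))
        return acts

    def perform(self, act: Action) -> None:
        getattr(self, act[0])(*act[1:])

    def deliveries(self, q: str) -> List[Msg]:
        """Messages q has received, in the order the trace shows them."""
        return [(act[1], act[2]) for act in self.trace
                if act[0] == "receive" and act[3] == q]


def check_invariants(auto: TOBroadcast) -> bool:
    """Invariants a TO broadcast must keep in every reachable state.

    1. Agreement / total order: q's deliveries are exactly queue[1 .. next[q]-1],
       so any two processes' delivery sequences are prefixes of one another.
    2. Per-sender FIFO: messages ordered so far from sender p are a prefix of
       the sequence p broadcast.
    """
    for q in auto.procs:
        if auto.deliveries(q) != auto.queue[: auto.next[q] - 1]:
            return False
    for p in auto.procs:
        sent = [act[1] for act in auto.trace if act[0] == "broadcast" and act[2] == p]
        ordered = [a for (a, s) in auto.queue if s == p]
        if ordered != sent[: len(ordered)]:
            return False
    return True


def run(seed: int, procs: List[str], broadcasts: List[Msg]) -> TOBroadcast:
    """One random execution: interleave the environment's broadcast inputs with
    the automaton's own steps, check the invariants after each step, and stop
    when no locally controlled action is enabled (quiescence)."""
    rng = random.Random(seed)
    auto = TOBroadcast(procs)
    inputs = list(broadcasts)               # the environment issues these in order
    while inputs or auto.enabled():
        choices = auto.enabled() + ([("broadcast",) + inputs[0]] if inputs else [])
        act = rng.choice(choices)
        if act[0] == "broadcast":
            inputs.pop(0)
        auto.perform(act)
        assert check_invariants(auto), act  # invariant must hold in every state
    return auto


# Constructed sample data: three processes, five broadcasts (two senders send twice).
PROCS = ["p1", "p2", "p3"]
BROADCASTS = [("x1", "p1"), ("y1", "p2"), ("x2", "p1"), ("z1", "p3"), ("y2", "p2")]

if __name__ == "__main__":
    for seed in range(5):
        auto = run(seed, PROCS, BROADCASTS)
        print(seed, "invariants ok:", check_invariants(auto), auto.queue)
```

Different seeds produce different global orders (the spec is deliberately nondeterministic about how the senders' messages interleave), but every execution ends with all three processes holding the same delivery sequence and each sender's messages in FIFO order. A refinement that, say, let each node deliver from its own local queue would fail check_invariants on the first divergent receive, which is exactly the kind of defect the slide's invariant-and-simulation-relation proofs are meant to rule out.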
9
IOA Language [Garland, Lynch 97]
• Programming/specification language for defining I/O automata
• Similar to pseudocode
• Explicitly describes:
– Signature, structured state, precondition/effects
– Nondeterministic choice, composition, invariants, levels of abstraction
• Declarative + imperative styles (declarative for proofs; imperative for simulation, code generation)
10
IOA Tools
• Front end: Parser, static checker, intermediate Java representation [Garland, Ramirez]
• Support for:
– Composing models [Chefter 98] [Garland, Lynch]
– Refining models, from global specification to low-level distributed algorithm model: step correspondence [Ramirez 00]
11
IOA Tools
• Prototype code generator, for generating distributed code from low-level distributed algorithm models [Tauber, Tsai]
• Validation tools:
– Simulator [Chefter 98] [Ramirez 00]
  • Paired simulation
– Theorem-prover interfaces: PVS [Devillers]; Isabelle? LP? NuPRL? [Nolte]
– Automatic?
12
Code Generator
• Start from node models + channel models
• Implementing node automata:
– Generate code (Java, C++) automatically
– Use library of hand-written data type implementations
• Implementing channel automata:
– Use real communication service (TCP, MPI)
– Abstract channels
13
Abstract Channels
• Model with nodes and abstract channels (e.g., FIFO queue) [figure]
• Algorithm that implements abstract channel in terms of real channel (model) [figure]
14
Abstract Channels
[figure: Generate Code]
15
Modeling Projects
• Distributed spanning tree algorithms [Luhrs, Nolte]
• Distributed replicated data management algorithms: Lamport state machines; Attiya, Bar-Noy, Dolev, … [Dean, Karlovich, Rosen]
• Future:
– Practical communication protocols, services
– Interacting Java objects