1 Modeling and Analyzing Distributed Systems Using I/O Automata
Nancy Lynch, MIT
Draper Laboratory, IR&D Mid-Year Meeting
December 11, 2002
2 Project Description
• Develop I/O-automata-based methods and tools for modeling and analyzing distributed systems, with emphasis on systems for military and space applications.
• Methods and tools can be used for:
  – System documentation/specification
  – Design validation:
    • Simulation
    • Stating correctness and performance theorems
    • Proving theorems, manually or with interactive theorem-provers
  – Automatic code generation
• Use the methods and tools to describe and analyze Draper’s ACME system.
• Project participants:
  – MIT: Nancy Lynch, Stephen Garland, Vida Ha, Amittai Axelrod
  – Draper: Joe Kochocki, Alan Tanzman
3 I/O Automata
• Infinite-state, nondeterministic, interacting state machines.
• Support modular system description, using parallel composition and levels of abstraction.
• Static description:
  – Actions a (input, output, internal)
  – States s, start states
  – Transitions (s, a, s')
• Dynamic description:
  – Execution: s0 a1 s1 a2 s2 …
  – Trace: Project on external actions.
  – A implements B: traces(A) ⊆ traces(B).
• Operations for building automata:
  – Parallel composition, action hiding.
• Reasoning methods:
  – Invariant assertions: Property holds in all reachable states.
  – Simulation relations: Imply one automaton implements another.
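To make the "A implements B" relation concrete, here is an added Python example (not from the slides or the IOA toolset) that enumerates bounded traces of small automata over a constructed alphabet {a, b}: a two-hop channel with a hidden internal transfer action does implement the reliable FIFO channel, while an unordered "bag" channel does not, and the check returns the witnessing trace. The step bound and the encoding of automata as (start state, action list) tuples are assumptions of this example.

```python
# Added example (not from the slides): bounded check of "A implements B", i.e.
# traces(A) ⊆ traces(B). An automaton is (start_state, actions); each action is
# (name, kind, precondition, effect); kind "int" = internal, hidden from traces.
MSGS = ("a", "b")  # constructed message alphabet M
def fifo_channel():
    """Reliable FIFO channel (slide 4): state is the queue as a tuple."""
    acts = []
    for m in MSGS:
        acts.append((f"send({m})", "in", lambda q: True, lambda q, m=m: q + (m,)))
        acts.append((f"receive({m})", "out", lambda q, m=m: q[:1] == (m,), lambda q: q[1:]))
    return ((), acts)

def two_hop_channel():
    """Two FIFO channels in series; internal 'transfer' moves q1's head to q2."""
    acts = []
    for m in MSGS:
        acts.append((f"send({m})", "in", lambda s: True,
                     lambda s, m=m: (s[0] + (m,), s[1])))
        acts.append((f"receive({m})", "out", lambda s, m=m: s[1][:1] == (m,),
                     lambda s: (s[0], s[1][1:])))
    acts.append(("transfer", "int", lambda s: bool(s[0]),
                 lambda s: (s[0][1:], s[1] + (s[0][0],))))
    return (((), ()), acts)

def bag_channel():
    """Unordered channel: state is a sorted tuple (multiset) of messages."""
    acts = []
    for m in MSGS:
        acts.append((f"send({m})", "in", lambda s: True,
                     lambda s, m=m: tuple(sorted(s + (m,)))))
        acts.append((f"receive({m})", "out", lambda s, m=m: m in s,
                     lambda s, m=m: s[:s.index(m)] + s[s.index(m) + 1:]))
    return ((), acts)

def traces(automaton, max_steps):
    """Traces (external-action sequences) of all executions of <= max_steps steps."""
    start, acts = automaton
    found = set()
    def dfs(state, trace, steps):
        found.add(trace)
        if steps < max_steps:
            for name, kind, pre, eff in acts:
                if pre(state):
                    dfs(eff(state), trace if kind == "int" else trace + (name,), steps + 1)
    dfs(start, (), 0)
    return found

def violations(a, b, max_steps=4):
    """Bounded traces of A that B cannot produce (empty set => A implements B up to the bound)."""
    # Giving B the same step budget is enough here because B has no internal actions.
    return traces(a, max_steps) - traces(b, max_steps)
```

The bag channel's witness trace send(a), send(b), receive(b) is exactly the reordering the FIFO specification forbids; the same bounded search is a cheap first check before attempting a simulation-relation proof.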
4 Reliable FIFO Channel Model
• Signature:
  – Inputs:
    • send(m), m in M
  – Outputs:
    • receive(m), m in M
• States:
  – queue, a finite sequence of elements of M, initially empty
• Transitions:
  – send(m)
    • Effect: Add m to end of queue
  – receive(m)
    • Precondition: m is first on queue
    • Effect: remove first element of queue
Figure: Channel(M), with input action send(m) and output action receive(m).
5 Example Applications
• Basic distributed algorithms:
  – Resource allocation, consensus, atomic objects, concurrency control, group communication, …
• Distributed systems:
  – Orca distributed shared memory system [Fekete, Kaashoek, Lynch]
  – Transis group communication system [Fekete, Lynch, Shvartsman]
  – Ensemble GCS [Hickey, Lynch, van Renesse]
• Algorithms for dynamic networks:
  – Reconfigurable atomic memory [Lynch, Shvartsman 02] [Gilbert, Lynch, Shvartsman 02] [Musial, Shvartsman 02]
  – Dynamic atomic broadcast [Bar-Joseph, Keidar, Lynch 02]
6 IOA Language + Toolset
• Formally-defined programming/modeling language for describing and analyzing systems modelled as I/O automata.
• Current tools: Simulator, connection to Larch theorem-prover.
• In progress: Invariant detector, connection to Isabelle/HOL theorem-prover, automatic code generator.
• Steve Garland will say more.
7 Additions to I/O Automaton Models
• Timing behavior: TIOA
  – For describing timeout-based algorithms.
  – Local clocks, clock synchronization.
  – Timing/performance analysis.
• Hybrid (continuous/discrete) behavior: HIOA
  – Systems with real world + computer components
  – Vehicle control: ground, air, space
  – Embedded systems
8 Timed I/O Automata (TIOA)
• Add special time-passage actions, pass(t), to IOA model.
• Example: Reliable FIFO channel that always delivers messages within time d.
  – send(m)
    • Effect: Add (m, now + d) to end of queue
  – receive(m)
    • Precondition: (m,u) is first on queue (for some u)
    • Effect: remove first element of queue
  – pass(t)
    • Precondition: for all (m,u) in queue, now + t ≤ u
    • Effect: now := now + t
• Can use standard automaton-based reasoning methods:
  – Invariant: for all (m,u) in queue, now ≤ u ≤ now + d.
  – Inductive proofs.
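The timed channel above as an added Python example (not from the slides or the IOA toolset): preconditions are enforced on every action, and the invariant now ≤ u ≤ now + d is asserted after each step, the way a runtime monitor would check what the inductive proof establishes. The demo run and the value d = 2.0 are constructed for this example.

```python
# Added example (not from the slides): the timed reliable FIFO channel of slide 8
# as an executable TIOA. Preconditions are enforced and the invariant
# now <= u <= now + d is checked after every step, as an inductive proof would.

class TimedChannel:
    def __init__(self, d):
        self.d = d            # delivery bound
        self.now = 0.0        # current time
        self.queue = []       # entries (m, u): message and its delivery deadline u

    def check_invariant(self):
        for m, u in self.queue:
            assert self.now <= u <= self.now + self.d, (m, u, self.now)

    def send(self, m):
        # input action: always enabled; m must be delivered by now + d
        self.queue.append((m, self.now + self.d))
        self.check_invariant()

    def receive(self, m):
        # output action; precondition: (m, u) is first on queue for some u
        if not self.queue or self.queue[0][0] != m:
            raise RuntimeError(f"receive({m!r}) not enabled")
        self.queue.pop(0)
        self.check_invariant()

    def can_pass(self, t):
        # precondition of pass(t): time may not advance past any pending deadline
        return t >= 0 and all(self.now + t <= u for _, u in self.queue)

    def pass_time(self, t):
        if not self.can_pass(t):
            raise RuntimeError(f"pass({t}) blocked: a message is due for delivery")
        self.now += t
        self.check_invariant()

def latency_bound_demo(d=2.0):
    """Constructed run: time cannot pass beyond a message's deadline until it
    is received, so every message is delivered within d of being sent."""
    ch = TimedChannel(d)
    ch.send("x")                      # x due at 2.0
    ch.pass_time(1.0)
    ch.send("y")                      # y due at 3.0
    blocked = not ch.can_pass(1.5)    # 2.5 > 2.0: pass(1.5) is not enabled
    ch.pass_time(1.0)                 # now = 2.0, x's deadline
    ch.receive("x")
    ch.pass_time(1.0)                 # now = 3.0, y's deadline
    ch.receive("y")
    return blocked, ch.now, len(ch.queue)
```

Because the environment controls send and the channel controls receive, the blocked pass(t) is how the model expresses "delivery within d": the only executions in which time keeps flowing are those where the channel delivers on time.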
9 Example Applications
• Distributed algorithms:
  – Resource allocation, consensus, …
• Timeout-based communication protocols:
  – TCP, reliable multicast, …
• Performance (latency) analysis:
  – Group communication systems:
    • Using GCS to build TO-Bcast [Fekete, Lynch, Shvartsman]
    • Scalable GCS [Khazan, Keidar 01]
  – RAMBO reconfigurable atomic memory
• Hybrid (continuous/discrete) systems (toy examples):
  – RR crossing [Heitmeyer, Lynch, Archer]
  – Steam boiler controller
10 Hybrid I/O Automata (HIOA)
• TIOA plus facilities for representing continuous behavior.
• Static description:
  – States: input, output, internal variables; start states
  – Actions: input, output, internal
  – Discrete steps (s, a, s')
  – Trajectories τ, mapping time intervals to states
• Dynamic description:
  – Execution τ0 a1 τ1 a2 τ2 …
  – Trace: Project on external variables, external actions.
  – A implements B if traces(A) ⊆ traces(B).
• Operations: Composition, hiding
• Reasoning methods: Invariants, simulation relations, compositional methods
11 Example Applications
• Ground transportation:
  – People-mover (Raytheon) [Livadas, Lynch, Weinberg, Delisle].
  – California PATH automated highway system: Analysis of platoon maneuvers [Dolginova, Lynch, Lygeros].
• Aircraft control:
  – TCAS (Lincoln Labs): Models, proofs [Livadas, Lygeros, Lynch].
  – Quanser helicopter system (MIT Aero/Astro). Models, proofs [Mitra, Wang, Feron, Lynch 02].
• Spacecraft:
  – ACME [Ha, Axelrod, Lynch, Garland, Kochocki, Tanzman 03]
12 TCAS model
Figure (component labels only): Aircraft, Pilot, Sensor, Conflict detector, Conflict resolver and Channel, for each of two aircraft.
13 Quanser Model Helicopter System [Mitra, Wang, Feron, Lynch 02]
• 3 DoF models manufactured by Quanser
• User controllers not safe
• Supervisory pitch controller
  – Sensor inaccuracies
  – Actuator delay
  – Limited sampling frequency
14 HIOA model of the system
• New language constructs for specifying trajectories
• State models and Activities
• Composition of activities
15 Discrete communication among components
Figure (labels only): components plant, sensor, usrCtrl, supervisor and actuator; actions sample, control, command, dequeue and act.
16 Executions in the User and Supervisor modes
Figure annotations: "Cannot jump from U to outside of R in a single step"; "Switch to supervisor: settling phase"; "Recovery phase"; "Back to User mode".
17 Future Directions
• Application of HIOA model to verification
  – Realistic dynamics, inaccuracies, delays
• Design of safe Supervisory Controller
  – For arbitrary user controller
• Language constructs for HIOA
Contributions
• Study systems with more complicated discrete behavior and dynamics.
• Develop a set of ‘useful lemmas’ from control theory to be directly used in invariant proofs
• Partially automate proofs using theorem provers