Models for the Verification of Distributed Java Objects

Eric MadelaineOSMOSE -- WP2 -- Prague June

2004

Models for the Verification of Distributed Java Objects

Eric Madelainework with

Tomás Barros, Rabéa Boulifa, Christophe Massol

OASIS Project, INRIA Sophia AntipolisJune 2004


2004

Goals• Analysis and verification software platform for behavioural properties of distributed applications.

• Long term goal: full language, usable by non-specialists

• Automatic tools = static analysis, model-checkers,

equivalence / preorder checkers.

Graphical / Logical Specifications

Code analysis Model

Automatic tools, diagnostics, etc.


2004

Plan

• Distributed objects in ProActive

• Parameterized hierarchical models

• Extracting models

• Compositional verification

• Components

OSMOSE -- WP2 -- Prague June 2004

Eric Madelaine

ProActive : distributed activities

• Active objects communicate by Remote Method Invocation.

• Each active object:

• has a request queue (always accepting incoming requests)

• has a body specifying its behaviour (local state and computation, service of requests, submission of requests)

• manages the « wait by necessity » of responses (futures)


2004

ProActive : High level semantics

• Independence wrt. distribution

• Guarantee and Synchrony of delivery :– RdV mechanism ensures the delivery of requests,

and of responses.

• Determinism / Confluence :– Asynchronous communication and processing do

not change the final result of computation.

ASP Calculus: D. Caromel, L. Henrio, B. Serpette, “Asynchronous and Deterministic Objects”, POPL’2004


2004

Methodology : SnapshotInformal

Requirements

Model Checker

Source

Code

Architecture

(parameterized)

Properties

(parameterized)

Instantiations

(abstractions)

Abstract

Source Code

Data

Abstraction

Architecture

(parameterized)

Static Analysis

Validate the model

Correctness of the

implementation (model-

checking)

Correctness of the

implementation

(preorder)


2004

Model (1) :Synchronisation Networks

• Labelled Transition Systems (LTS) <S,s0,L, >

• Synchronisation Network (Net) <AG,In,T> with T=<TT,t0,LT, >

with vLT, v=[lt,1,…, n], i Ii idle,, lt AG

• Synchronisation product : builds a global LTS from a Net of arity n, and n

argument LTSs.

• Arnold 1992 : synchronisation networks• Lakas 1996 : Lotos open expressions• => Boulifa 2003, Model generation for distributed Java programs, Fidji’03


2004

• Parameterized actions (with typed variables) pA• Parameterized LTS (pLTS) <K,S,s0,L, >

with state variables vs, and labels l=(b, (x), e)

• Synchronisation Network (Net) <pAG,Hn,pT> with pT =<KG,TT,t0,LT, >

with Hn = {(pIi,Ki)}i a finite set of holes

vLT, v=[lt,1k1,…, n

kn], iki

pIi idle, ki Ki, lt AG

• Instantiation : for a finite abstract domain Dv

pLTS x Dv LTS

pNet x Dv Net

• Barros, Boulifa, Madelaine “Parameterized Models for Distributed Java Objects”, Forte 2004, Madrid.

(2) Parameterized Networks

Finite Network


2004

Graphical Models


2004

Large case-study:Electronic Invoices in Chile


2004

Electronic Invoices in ChileBarros, Madelaine “Formalisation and Verification of the Chilean electronic invoice system”, INRIA report RR-5217, june 2004.

• 15 parameterized automata / 4 levels of hierarchy

• state explosion: grouping, hiding, reduction by bisimulation :

– instantiating 7 parameters yields > millions of states...


2004

Parameterized Properties

True/False + diagnosticTrue/False + diagnostic

• Logical parameterized LTS

• Parameterized temporal logics


2004

Extracting models by static analysis


2004

Model generation : key points

• Static topology : finite number of parameterized activities.

• For each Active Object Class : – parameterized network of LTSs (one for each method)– method calls = synchronisation messages– remote calls : “wait by necessity” using proxy processes– requests queue : the main potential blow-up…!

• Property : starting from source code with abstracted data (simple types), we have a procedure that builds a finite parameterized model.

Aj Qj

serve

Pj

Requse


2004

Consumer Network


2004

Buffer Network

Buf.Body

put

Buf.Queue

get


2004

Distributed Components


2004

Fractal hierarchical model : composites encapsulate primitives, which encapsulates Java code

ComponentIdentity

BindingController

LifecycleController

ContentController

Content

Controller


2004

Fractal + ProActive Components for the GRID

An activity, a process, …potentially in its own JVM

2. Composite component

C

1. Primitive component Java + Legacy

3. Parallel and composite component

D

Composite: Hierarchical, and Distributed over machines Parallel: Composite

+ Broadcast (group)


2004

Components : correct composition• Behaviour is an essential part of a component

specification.

• Model of components :– primitive = pLTS

– composite = pNet

– state-less component = static pNet

– controller = transducer

• Correctness of composition :– implementation preorder ?

ContentController


2004

Conclusions• Parameterized, hierarchical model.

• Graphical language.

• Validated with a realistic case-study.

• Ongoing development : instantiation tool, graphical editor, generation of model from ProActive source code.

• Incorporation within a verification platform

(ACI-SI Fiacre : INRIA-Oasis, INRIA-Vasy, ENST-Paris, SVF)


2004

Perspectives• Refine the graphical language, extend to other ProActive features, formalize the abstractions.

• (Direct) parameterized verification.

• Behavioural specifications of components, correct compositions.

http://www-sop.inria.fr/oasis/Vercors

Models for the Verification of Distributed Java Objects

Documents

Transcript of Models for the Verification of Distributed Java Objects