On Specification and Verification of Location-Based Fault Tolerant Mobile Systems
Alexei Iliasov, Victor Khomenko, Maciej Koutny and Alexander Romanovsky
Supported by IST 2004-511599 project (RODIN)
Introduction and motivation
• Verification of concurrent systems specified in B
• Combine theorem proving with model checking: they have complementary strengths, e.g.
  – cumbersome theorems/invariants can be verified by a model checker
  – B machines are not very convenient for modelling sequential activity (they need a ‘program counter’); it would be good to combine B and some process algebra
• Combining theorem proving and model checking has proven efficient in industry, e.g. Intel’s verification of the Pentium 4 floating point unit
CAMA Architecture
• Agent – global structuring unit of the system
• Scope – structuring unit of coordination space and agent activity
• Role – structuring unit of agent functionality and also the basis for formal specification of functionality
• Location – structuring unit of agent context
CAMA Operations
Location operations:
  Engage@l
  Disengage@l
Scope operations:
  CreateScope(n,s)@l.s
  [email protected]
  JoinScope(r)@l.s
  GetScopes(d)@l.s
Linda operations:
  in, rd, inp, rdp, ina, rd, inpa, rdpa
Approach
[Figure: diagram of the approach, relating B, Klaim, PN (Petri nets), Code, Prefix (unfolding prefix), Properties and MC (model checking)]
KLAIM
• A process algebra related to the pi-calculus:
• A network of nodes, identified by localities (names)
• Each node has an associated tuple space
• A node runs a set of processes
• Processes can create new nodes
• Processes can input/output tuples from/to tuple spaces of nodes they know
• Processes can start new processes on the nodes they know (e.g. move)
CAMA → KLAIM
• Just a simple syntactic translation
• Can combine the system described in CAMA with one described in KLAIM
KLAIM → PN
• Compositional translation is possible
• Example: a simple mobile robot (SMR)
Intended behaviour of the system:
  input a start-up message
  FOREVER DO
    input locality u
    output your previous locality
    move to u
KLAIM → PN
Possible KLAIM model:
  a :: in(s)@self . eval(SMR(self))@self . nil | <s> | <c>
  ||
  b :: <c>
  ||
  c :: <b>
where
  SMR(w) = in(!u)@self . out(w)@self . eval(SMR(self))@u . nil
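The following simulator is added here and is not part of the slides: it executes the KLAIM model above (one tuple space per locality, the in/out/eval actions, the SMR process and the initial process of node a) and records the localities the robot moves to, which is the same run the figure slides and the token game of the translated net step through. Class and function names (KlaimNet, smr, start, run_smr) are the example's own.

```python
# Added example (not from the slides): an executable model of the SMR KLAIM network.
# Each locality owns a tuple space; eval(P)@loc queues process P to run at loc.
from collections import deque

class KlaimNet:
    def __init__(self, spaces):
        self.space = {loc: list(ts) for loc, ts in spaces.items()}
        self.ready = deque()   # (locality, process) pairs created by eval
        self.trace = []        # localities the robot moves to, in order

    def tin(self, loc, template):
        """in(template)@loc: remove and return the first matching tuple;
        a field starting with '!' is a binder and matches any value."""
        for t in self.space[loc]:
            if len(t) == len(template) and all(
                    p.startswith('!') or p == v for p, v in zip(template, t)):
                self.space[loc].remove(t)
                return t
        raise RuntimeError(f"in{template}@{loc} would block: no matching tuple")

    def out(self, loc, *fields):   # out(fields)@loc
        self.space[loc].append(tuple(fields))

    def eval(self, loc, proc):     # eval(proc)@loc
        self.ready.append((loc, proc))

def smr(w):
    """SMR(w) = in(!u)@self . out(w)@self . eval(SMR(self))@u . nil"""
    def run(net, here):
        (u,) = net.tin(here, ('!u',))   # learn the next locality u
        net.out(here, w)                # output the previous locality
        net.trace.append(u)
        net.eval(u, smr(here))          # move: continue as SMR(self) at u
    return run

def start(net, here):
    """Initial process of node a: in(s)@self . eval(SMR(self))@self . nil"""
    net.tin(here, ('s',))
    net.eval(here, smr(here))

def run_smr(moves):
    """Build the network a || b || c from the slides and execute `moves` steps."""
    net = KlaimNet({'a': [('s',), ('c',)], 'b': [('c',)], 'c': [('b',)]})
    start(net, 'a')
    for _ in range(moves):              # only one process is ever ready here
        loc, proc = net.ready.popleft()
        proc(net, loc)
    return net
```

Running it shows the robot visiting c, b, c, a, a and then repeating that cycle, because after five moves every tuple space is back in its initial state.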
Example: SMR
[Figure sequence: network of localities a, b and c. Initially the process SYS runs at a, with tuples <s> and <c> at a, <c> at b and <b> at c; after consuming <s> the process SMR runs at a; it then moves to c leaving <a> at a, then to b leaving <a> at c, then back to c leaving <c> at b, and so on.]
Example: SMR
Possible (compositional) translation to HL Petri nets:
[Figure: the net of SMR, with transitions in and eval, variables x and z, arc inscriptions such as x, λx and x.z, and places initially holding the tokens a.s, a.c, b.c and c.b; λ is the empty string]
The slides then play the token game of the translated net:
  in can be fired with z = s, x = a, leading to a marking with the process token λa
  eval can be fired with x = a, leading to an instance of the SMR net (transitions in, out and eval with variables σ, t, x and z)
  in can be fired with σ = λ, x = a, z = c, leading to the token λc
  out can be fired with σ = λ, x = a, z = a, leading to the token a.a
  eval can be fired with σ = λ, x = a, z = c, leading to the tokens t, ta and tc, which is in fact a fresh instance of the SMR net
  in can be fired with σ = t, x = c, z = b, leading to the token tb
  ... and so on ...
Petri net unfolding prefixes
• Partial-order semantics of PNs
• Concurrency represented explicitly, using an acyclic PN
• Alleviate the state space explosion problem
• Efficient model checking algorithms
• Can be used for coloured PNs
Example: Dining Philosophers
[Figure: a dining philosophers Petri net with places P1–P14 and transitions T1–T10, and its unfolding prefix]
Model checking on PN unfoldings
• A Boolean expression is built using the prefix, such that:
  – it is unsatisfiable iff the property holds
  – every satisfiable assignment gives a violation trace
  – it has the form CONF ∧ VIOL
• Some of the variables of the expression are associated with the events of the prefix
Shortest violation traces
• In the workshop’s proceedings:
V. Khomenko: “Computing Shortest Violation Traces in Model Checking Based on Petri Net Unfoldings and SAT”
• The structure of the prefix can be exploited to compute the shortest violation traces efficiently
• They can be much shorter than the first computed trace
• Do not contain incidental system activity unrelated to the found error
• Facilitate debugging, saving the designer’s time
Future work
• Checking the properties related to fault tolerance, e.g.:
  – correctness of scoping structure
  – handling all exceptions
  – absence of deadlocks
  – absence of information smuggling between scopes
  – involving (if necessary) all agents in a scope in cooperative handling
  – etc.
• Translation of B properties to PN