Parameterized models for distributed objects

Parameterized models for distributed objects Eric Madelaine, Rabéa Boulifa, Tomás Barros OASIS INRIA Sophia-Antipolis, I3S, UNSA Eric.Madelaine@sophia.inria.fr http://www-sop.inria.fr/oasis/Vercors

Aims • Models for analysis of distributed applications: • specification : compositional, graphical, intuitive • automatic derivation from code • Checking behavioral properties: • branching time, action-based logics • bisimulation-based models (compositional reduction) • In the context of the Vercors, our verification platform for distributed communicating components.

Contents • Parameterized model • Graphical syntax • Application to ProActive • Ongoing work

Behavioral Models • Starting point = Finite models : Networks of communicating Labelled Transition Systems Process Algebras (under syntactic conditions for finiteness) Format for automatic tools (FC2 format, Concur tools) • Parametric models : Compact representation for (families of) finite models • Closer to code structure • Automatic construction • Automatic instantiations Other approaches : IF, NTIF, Promela, BIR, Estelle, ...

Finite Model Rabea Boulifa : “Model generation for Distributed Java Programs”, FIDJI’03 Networks of LTSs as finite abstractions of distributed systems: Actions are communication events (e.g. remote method calls) Data abstraction : Finite set of process parameters (static analysis, or user provided, or deployment descriptor) Finite set of messages (e.g. method names only, or finite sets of values) Method : Static analysis : class analysis, MCG construction, pointer analysis (for keeping track of active objects) SOS rules crossing the MCG, building the corresponding LTS. Interleaving of the remote responses.

Finite Model Results : • Given a finite data abstraction, the construction procedure terminates, and produces a finite LTS. (even with recursive local or remote method calls) • Optimisation of the request queue model. Difficulties : Precision, and cost, of static analysis (cannot be modular). Size of the network (one process per active object) => crucial importance of compositional reduction techniques.

Parameterized Model • Finite representation of data • parameterized states with variables • message arguments • Instances of dynamic / generic networks • parameterized processes • evolving communication links • More compact, closer to the code structure • easier for model generation • one model => many (instantiated) proofs.

P1 (params) vars Graphical Syntax • Networks !M (args) M (abst) P2 (…) ?… !… ?… • Tree structure of boxes with ports, links, labels… • Encodes structure, scopes, renamings.

Graphical Syntax y=2*x • p-LTSs x, y x, y ! O[y].Mess (x+1) If y=0 then {z=0; goto s1} else ... s1 s2 s3 x, z • States, with variables • Visible transitions (communication events) • Local transitions (sequential programs) • Compromise macro-transitions / interleaving x, z x, z

Graphical Syntax • Data • Local variables Scope = boxes, states, transitions. • Expressions Variables, operators, structured objects • Types booleans, integers, intervals finite enumerations structured objects • Communication • Rendez-vous (a la value-passing CCS) but the model allows for group / multicast communication...

Application :Building models of Distributed Active Objects ProActive code eXtended MCG Abstracted ProActive code Static Analysis Behavioral rules Parameterized Network P-LTS: behavior, queue Instantiations, Checking tools

ProActive 100% java, Parallel, Distributed, Concurrent, Mobile programming Distributed Sequential • Transparent distribution, remote object creation, migration of active objects • Remote method call -> asynchronous communication • Futures & wait-by-necessity

Remote Method Calls : informal diagram Local object Remote object !Req_m !Req_m • method call ?Req_m • request arriving in • the queue ?Req_m !Serv_m • request served • (executed and removed) !Serv_m !Rep_m • response sent back !Rep_m • response received ?Rep_m ?Rep_m

prog Extended Method Call Graph • It encodes both the usual control flow usual in MCG (resolution of class • analysis and of method calls), and the data flow relative to interesting • parameters. • MCG=<V, C, T , > • Node types : • ent(id,args), seq, ret(val), call(id,args), • resp(id,val), serve(id,args) • Loc (M) and Loc(V) sets of variables local to a method or to a node. •  : V  V , function mapping a future use-point to its definition. M(args) Call edges Transfer edges

Eat(p) !ReqTake(p,f) Philo(p) ?RepTake(p,f) Think(p) Fork(f) ?ReqDrop(p,f) Application level:Network Topology • Enumeration: • O ={Oi} a set of active object classes. • Dom (Oi) a set of instantiations of each class. • (use the abstraction of creation parameters) • Incoming ports (available services) = set of public methods • (with abstracted parameters) • Outgoing links = remote requests • (use the abstraction of message name and parameters)

Active Object Model ProActive structure : - One activity = one request queue + one behavior + one local store. - Queues = at any time, accept a set of values (mess+args) Specialised generation procedure, factorisation possible. Synchronised with the behavior through “Serve” messages. - Behavior = parameterized LTS, or network. One process (box) for each SCC of the method call graph (or even one box for each method)

Example : recursive method int Fact (int y) { if y=0 {return 1;} else return y*Fact(y-1); }

Example (store) Each object allocation has a parameterized representation in the active object store. public int m1() { int $val, y; y = 2; this.[TStore.x:int] = 1; virtualinvoke this.[TStore.m2(int):void](y); $val = this.[TStore.x:int]; return $val; }

Example (store) A, thisalloc(i)

 {Premisses} <v=pattern, n, A, M, Sc, Sm> <v ’,n ’, A ’, M ’, Sc ’,Sm ’> Rules: SOS-style For each SCC of the call graph : • v = pattern, the current MCG node analyzed, • n, the last LTS node created, • A, the LTS under construction, • M,the mapping between MCG nodes and LTS nodes, • Sc, the continuations stack, • Sm, the method calls stack.

 Method Entry v1  Mv1 T v2 <v1=ent(m,args), _, _, M, Sc, Sm> <v2, _, _, M  {v1  n}, Sc,(m,args):Sm> Push the new method m on the calls stack, and starts its processing. The process produced encodes calls of m for any values of the parameters. This is carried by the guards/assignments of its transitions...

Call 0 If b0 then x0=v0; if b1 then x1=v2; goto C1 else x1=v3; goto C2 else x0=v1; goto C3 Call 3 Call 1 Sequence Macro-transitions are simple sequential programs: - no intermediate nodes - no code duplication - no mixing with communication events.

 Local Call 1 v1  M v1C v2 v1 Tv3 Local (O) fresh(n ’) <v1=call(O.m, args), n, A, M, Sc, Sm> <v2, n ’, A‹(n n ’), M  {v1  n}, (v3, ):Sc, Sm> M Local calls will be inlined if possible, that is if the called method is not recursive (part of a SCC of the call graph). M is an abstract event “!Lcall m(co, o, args)”, generated only if visible. In the next step, we go and inline the callee code

 n n1 n2 n3 Local Call 2 prog v1  M v1C v2 v1 Tv3 Local (O) fresh(n1, n2, n3) <v1=call(O.m, args), n, A, M, Sc, Sm> !Lcall m(args) ?Ret m(val) prog If the called method is recursive, its model is a boxed process, we generated a (parameterized) local call to this process, immediately followed by the corresponding return transition.

 v1T v2 Remote(O) fresh(n ’) <v1=call(O.m,args), n, A, M, _, _> <v2, n ’, A‹(n n ’), M  {v1  n ’}, _, _> !Req_M Remote Request O is a remote active object. We simply generate a send message !Req_m (Oc, O, args) encoding the method name and its (abstracted) parameters.

 i i i i Mixed Call <v1=call(O[i].m (args)), _, _, _, _, _> Difficulty: distinguish the local object amongst the other instances of the same class (Philo[n] = Philo[n+1]). Local O[i] => !Lcall m(args) Remote O[i] => !Req O[i].m(args) ?Ret m(val)

n1 n2 Futures ?Rep_M(val) (v1)=v2 n1=M(v1) n2=M(v2) A ’ = (A ) <v1, A>A ’  Where M is the phantom of M, i.e. the union of all Ms during the construction procedure V v = O.m1(x); xxx; yyy; v.f();

Server Side : models for the queues • General case : • Infinite structure (unbounded queue) • In practice the implementation uses bounded data structures • Approximation : (small) bounded queues • Operations : Add, Remove, Choose (filter on method name and args) Generic Queue model • Optimisation : • Most programs filter on method names : partition the queue. • Use specific (temporal) properties to minimise the queue model.

Eat(p) !ReqTake(p,f) Philo(p) ?RepTake(p,f) Think(p) Fork(f) ?ReqDrop(p,f) Example : Optimised Fork model Two small queues + One behaviour LTS

Verification : Tools 1) Formats : Graphical: we are building the tool… experience from a large realistic case study. Textual: conservative extension of the FC2 format, but we need more experience, and will certainly redesign it. 2) Instantiation : Work already done, tools by Toufik and Tomas. Direct (on-the-fly) interface to be worked on with CADP.

Imprecision • Abstract Interpretation (data domains). • Static Analysis (class analysis, pointer analysis); production of the extended MCG. • Instantiation = abstraction of finite or integer domains to abstract “range” domains: typically Nat -> {0, 1, …, k, more}

Other Formats • Promela (SPIN) : • State-based versus action-based • No hierarchical models • Bounded generation (user control) • NTIF : • Lotos communication (agreement) • No parallelism • No guarantee of finiteness • Estelle, IF2.0, IC, CRL, ...

Conclusion • Graphical and textual Intermediate Format for parameterized and compositional transition systems, capturing value-passing communication within distributed applications. • Compact representation for families of finite instantiations. • Close to the source code structure. • Automatic generation from static analysis of source code, starting with a simple abstraction of parameter domains.

Ongoing work • Parameterized properties and their instantiations. • Implementation of the generation tool. • Bridges with verification tools: on the fly interface (evaluator), LTS operation at parameterized level (minimisation, product…). • Specialised tools for infinite systems (Trex, Bebop, …) http://www-sop.inria.fr/oasis/Vercors http://www-sop.inria.fr/oasis/ProActive

Parameterized models for distributed objects

Parameterized models for distributed objects

Presentation Transcript

Distributed Objects

Distributed Objects and Components

Parameterized Models for Distributed Java Objects

Distributed objects and components

Distributed Objects

Secure Distributed Objects for Grid Applications

Distributed Objects

Local vs. distributed Objects

Distributed Objects

CS551 UML for Distributed Objects (Chapter 2 of Engineering Distributed Objects)

Distributed Objects

Distributed Objects

Parameterized Models

Distributed Objects

Distributed Objects

Formal Models for Distributed Negotiations Distributed 2PC

Parameterized Models for Distributed Java Objects

Distributed Objects