On Specification and Verification of LocationBased Fault Tolerant Mobile Systems - PowerPoint PPT Presentation
Title:
On Specification and Verification of LocationBased Fault Tolerant Mobile Systems
Description:
On Specification and Verification of Location-Based ... Example: Dining Philosophers. P5. P13. T1. P3. T3. P2. T2. P1. T5. P6. T4. P4. P7. P8. P9. P11. P10 ... – PowerPoint PPT presentation
Number of Views:84
Avg rating:3.0/5.0
Title: On Specification and Verification of LocationBased Fault Tolerant Mobile Systems
1
On Specification and Verification of
Location-Based Fault Tolerant Mobile Systems
- Alexei Iliasov, Victor Khomenko, Maciej Koutny
and Alexander Romanovsky
Supported by IST 2004-511599 project (RODIN)
2
Introduction and motivation
- Verification of concurrent systems specified in B
- Combine theorem proving with model checking
- They have complementary strengths , e.g.
cumbersome theorems/invariants can be verified by
a model-checker - B machines are not very convenient for modelling
sequential activity (need program counter) it
would be good to combine B and some process
algebra - Combining theorem proving and model checking is
proven efficient in industry, e.g. Intels
verification of Pentium 4 floating point unit
3
CAMA Architecture
- Agent global structuring unit of the system
- Scope structuring unit of coordination space
and agent activity - Role structuring unit of agent functionality
and also the basis for formal specification of
functionality - Location structuring unit of agent context
4
CAMA Operations
- Location operations Scope Operations
- Engage_at_l CreateScope(n,s)_at_l.s
- Disengage_at_l DeleteScope_at_l.s
- JoinScope(r)_at_l.s
- LeaveScope_at_l.s
- GetScopes(d)_at_l.s
- Linda operations
- in, rd, inp, rdp, ina, rd, inpa, rdpa
5
Approach
B
Properties
PN
Klaim
B
Prefix
Code
MC
6
KLAIM
- A process algebra related to pi-calculus
- A network of nodes, identified by localities
(names) - Each node has an associated tuple space
- A node runs a set of processes
- Processes can create new nodes
- Processes can input/output tuples from/to tuple
spaces of nodes they know - Processes can start new processes on the nodes
they know (e.g. move)
7
CAMA ? KLAIM
- Just a simple syntactic translation
- Can combine the system described in CAMA with one
described in KLAIM
8
KLAIM ? PN
- Compositional translation is possible
- Example a simple mobile robot (SMR)
- Intended behaviour of the system
- input a start-up message
- FOREVER DO
- input locality u output your previous
locality move to u
9
KLAIM ? PN
- Possible KLAIM model
- a in(s)_at_self . eval(SMR(self))_at_self . nil
ltsgt ltcgt - b ltcgt
- c ltbgt
- where
- SMR(w) in(!u)_at_self . out(w)_at_self .
eval(SMR(self))_at_u . nil
10
Example SMR
a
SYS
ltsgt
ltcgt
c
ltbgt
b
ltcgt
11
Example SMR
a
SMR
ltcgt
c
ltbgt
b
ltcgt
12
Example SMR
a
ltagt
c
ltbgt
SMR
b
ltcgt
13
Example SMR
a
ltagt
c
ltagt
b
SMR
ltcgt
14
Example SMR
a
ltagt
c
SMR
ltagt
b
ltcgt
15
Example SMR
Possible (compositional) translation to HL Petri
nets
z
a.s
s
x.z
b.c
in
c.b
a.c
x
a
?x
x
? is the empty string
eval
?
net of SMR
?x
16
Example SMR
z
a.s
s
x.z
b.c
in
c.b
a.c
x
a
in can be fired with z s x a leading to
?x
x
eval
?
?x
17
Example SMR
z
s
x.z
b.c
in
c.b
a.c
x
a
?x
x
eval
?
?x
18
Example SMR
z
s
x.z
b.c
in
c.b
a.c
x
a
eval can be fired with x a leading to
?x
x
eval
?
?x
19
Example SMR
z
s
x.z
b.c
in
c.b
a.c
x
a
?a
?x
x
?
eval
?
?x
?a
20
Example SMR
?a
sz
x.z
s
in
?
b.c
c.b
sz
s
sx
a.c
x.z
?a
s
sx
out
s
stx
sz
sx
st
s
eval
stz
t
21
Example SMR
?a
sz
x.z
s
in
?
b.c
c.b
sz
s
sx
a.c
x.z
?a
s
sx
out
in can be fired with s ? x a z c leading to
s
stx
sz
sx
st
s
eval
stz
t
22
Example SMR
?a
sz
x.z
s
in
b.c
c.b
sz
s
sx
?
x.z
?c
?a
s
sx
out
s
stx
sz
sx
st
s
eval
stz
t
23
Example SMR
?a
sz
x.z
s
in
b.c
c.b
sz
s
sx
?
x.z
?c
?a
s
sx
out
out can be fired with s ? x a z a leading to
s
stx
sz
sx
st
s
eval
stz
t
24
Example SMR
?a
sz
a.a
x.z
s
in
b.c
c.b
sz
s
sx
x.z
?c
?a
s
sx
out
s
stx
sz
sx
?
st
s
eval
stz
t
25
Example SMR
?a
sz
a.a
x.z
s
in
b.c
c.b
sz
s
sx
x.z
?c
?a
s
sx
out
eval can be fired with s ? x a z c leading
to
s
stx
sz
sx
?
st
s
eval
stz
t
26
Example SMR
?a
sz
a.a
x.z
s
in
b.c
c.b
sz
s
sx
x.z
?c
?a
s
sx
out
ta
s
stx
sz
which is in fact
sx
t
st
s
eval
tc
stz
t
27
Example SMR
ta
?a
sz
a.a
x.z
s
in
t
b.c
c.b
sz
s
sx
x.z
tc
?c
?a
s
sx
out
s
stx
sz
sx
st
s
eval
stz
t
28
Example SMR
ta
?a
sz
a.a
x.z
s
in
t
b.c
c.b
sz
s
sx
x.z
tc
?c
?a
s
sx
out
in can be fired with s t x c z b leading to
s
stx
sz
sx
st
s
eval
stz
t
29
Example SMR
ta
?a
sz
a.a
x.z
s
in
b.c
sz
s
sx
tb
t
x.z
tc
?c
?a
s
sx
out
s
stx
sz
sx
st
s
eval
stz
t
30
Example SMR
ta
?a
sz
a.a
x.z
s
in
b.c
sz
s
sx
tb
t
x.z
tc
?c
?a
s
sx
out
s
stx
sz
sx
... and so on ...
st
s
eval
stz
t
31
Petri net unfolding prefixes
- Partial-order semantics of PNs
- Concurrency represented explicitly, using an
acyclic PN - Alleviate the state space explosion problem
- Efficient model checking algorithms
- Can be used for coloured PNs
32
Example Dining Philosophers
P13
P5
33
Model checking on PN unfoldings
- A Boolean expression ?? is built using the
prefix, such that - ? is unsatisfiable iff the property holds
- Every satisfiable assignment of ? gives a
violation trace - ? has a form CONF?VIOL
- Some of the variables of ? are associated with
the events of the prefix
34
Shortest violation traces
- In the workshops proceedings
- V. Khomenko Computing Shortest Violation
Traces in Model Checking Based on Petri Net
Unfoldings and SAT - The structure of the prefix can be exploited to
compute the shortest violation traces efficiently - They can be much shorter than the first computed
trace - Do not contain incidental system activity
unrelated to the found error - Facilitate debugging, saving the designers time
35
Future work
- Checking the properties related to fault
tolerance, e.g. - correctness of scoping structure
- handling all exceptions
- absence of deadlocks
- absence of information smuggling between scopes
- involving (if necessary) all agents in a a scope
in cooperative handling - etc.
- Translation of B properties to PN
