Modeling and Analyzing Distributed Systems Using I/O Automata
Nancy Lynch, MIT
Draper Laboratory, IR&D Mid-Year Meeting
December 11, 2002
Project Description
• Develop I/O-automata-based methods and tools for modeling and analyzing distributed systems, with emphasis on systems for military and space applications.
• Methods and tools can be used for:
– System documentation/specification
– Design validation:
• Simulation
• Stating correctness and performance theorems
• Proving theorems, manually or with interactive theorem-provers
– Automatic code generation
• Use the methods and tools to describe and analyze Draper's ACME system.
• Project participants:
– MIT: Nancy Lynch, Stephen Garland, Vida Ha, Amittai Axelrod
– Draper: Joe Kochocki, Alan Tanzman
I/O Automata
• Infinite-state, nondeterministic, interacting state machines.
• Support modular system description, using parallel composition and levels of abstraction.
• Static description:
– Actions a (input, output, internal)
– States s, start states
– Transitions (s, a, s')
• Dynamic description:
– Execution: s0 a1 s1 a2 s2 …
– Trace: Project on external actions.
– A implements B: traces(A) ⊆ traces(B).
• Operations for building automata:
– Parallel composition, action hiding.
• Reasoning methods:
– Invariant assertions: Property holds in all reachable states.
– Simulation relations: Imply one automaton implements another.
Reliable FIFO Channel Model
• Signature:
– Inputs: send(m), m in M
– Outputs: receive(m), m in M
• States:
– queue, a finite sequence of elements of M, initially empty
• Transitions:
– send(m)
• Effect: Add m to end of queue
– receive(m)
• Precondition: m is first on queue
• Effect: remove first element of queue
[Figure: Channel(M), with input action send(m) and output action receive(m)]
Example Applications
• Basic distributed algorithms:
– Resource allocation, consensus, atomic objects, concurrency control, group communication, …
• Distributed systems:
– Orca distributed shared memory system [Fekete, Kaashoek, Lynch]
– Transis group communication system [Fekete, Lynch, Shvartsman]
– Ensemble GCS [Hickey, Lynch, van Renesse]
• Algorithms for dynamic networks:
– Reconfigurable atomic memory [Lynch, Shvartsman 02] [Gilbert, Lynch, Shvartsman 02] [Musial, Shvartsman 02]
– Dynamic atomic broadcast [Bar-Joseph, Keidar, Lynch 02]
IOA Language + Toolset
• Formally-defined programming/modeling language for describing and analyzing systems modelled as I/O automata.
• Current tools: Simulator, connection to Larch theorem-prover.
• In progress: Invariant detector, connection to Isabelle/HOL theorem-prover, automatic code generator.
• Steve Garland will say more.
Additions to I/O Automaton Models
• Timing behavior: TIOA
– For describing timeout-based algorithms.
– Local clocks, clock synchronization.
– Timing/performance analysis.
• Hybrid (continuous/discrete) behavior: HIOA
– Systems with real-world + computer components
– Vehicle control: ground, air, space
– Embedded systems
Timed I/O Automata (TIOA)
• Add special time-passage actions, pass(t), to the IOA model; the state carries the current time, now.
• Example: Reliable FIFO channel that always delivers messages within time d.
– send(m)
• Effect: Add (m, now + d) to end of queue
– receive(m)
• Precondition: (m, u) is first on queue (for some u)
• Effect: remove first element of queue
– pass(t)
• Precondition: for all (m, u) in queue, now + t ≤ u
• Effect: now := now + t
• Can use standard automaton-based reasoning methods:
– Invariant: for all (m, u) in queue, now ≤ u ≤ now + d.
– Inductive proofs.
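The two channel automata on the slides (the Reliable FIFO Channel Model and the timed variant above) rendered as executable state machines, as an added example; it is not code from the slides or from the IOA toolset. It assumes a message alphabet {a, b}, integer time with step sizes 1 and 2, and small exploration bounds (max_sends, horizon) so that the bounded reachability check and the forward-simulation check terminate; the class UncheckedTimedChannel is a constructed faulty variant with the pass(t) precondition removed, used only to show the invariant check catching it.

```python
# Added example (not from the slides or the IOA toolkit): Channel(M) and its
# timed TIOA variant as executable state machines, with a bounded check of the
# slide's invariant and a forward simulation showing the timed channel
# implements Channel(M) once pass(t) is hidden. Alphabet and bounds are assumed.

class Channel:
    """Reliable FIFO channel Channel(M). State = tuple of messages (the queue)."""
    start = ()

    @staticmethod
    def step(queue, action):
        """Transition (s, a, s'); None when the precondition does not hold."""
        name, m = action
        if name == "send":                          # input: always enabled
            return queue + (m,)                     # effect: append m
        if name == "receive" and queue and queue[0] == m:   # precondition
            return queue[1:]                        # effect: drop first element
        return None

    @staticmethod
    def locally_enabled(queue):
        """Output actions whose precondition holds in this state."""
        return [("receive", queue[0])] if queue else []


class TimedChannel:
    """TIOA channel delivering within d. State = (now, queue of (m, deadline))."""

    def __init__(self, d, step_sizes=(1, 2), horizon=6):
        self.d, self.step_sizes, self.horizon = d, step_sizes, horizon
        self.start = (0, ())                        # now = 0, empty queue

    def pass_ok(self, now, queue, t):
        """pass(t) precondition from the slide: no deadline may be crossed."""
        return all(now + t <= u for _, u in queue)

    def step(self, state, action):
        (now, queue), (name, arg) = state, action
        if name == "send":
            return (now, queue + ((arg, now + self.d),))    # record deadline
        if name == "receive" and queue and queue[0][0] == arg:
            return (now, queue[1:])
        if name == "pass" and self.pass_ok(now, queue, arg):
            return (now + arg, queue)
        return None

    def locally_enabled(self, state):
        now, queue = state
        acts = [("receive", queue[0][0])] if queue else []
        # horizon bounds the exploration; it is not part of the automaton
        return acts + [("pass", t) for t in self.step_sizes
                       if now + t <= self.horizon and self.pass_ok(now, queue, t)]

    def invariant(self, state):
        """Slide invariant: for all (m, u) in queue, now <= u <= now + d."""
        now, queue = state
        return all(now <= u <= now + self.d for _, u in queue)


class UncheckedTimedChannel(TimedChannel):
    """Constructed faulty variant: pass(t) has no precondition, so time can run
    past a deadline. Used only to show the invariant check catching it."""

    def pass_ok(self, now, queue, t):
        return True


def reachable(aut, msgs=("a", "b"), max_sends=2):
    """Bounded exhaustive exploration: returns (reachable states, all steps).
    Inputs are always enabled, so the environment is bounded by max_sends."""
    start = (aut.start, 0)                          # (state, sends so far)
    seen, work, steps = {start}, [start], []
    while work:
        state, sends = work.pop()
        acts = list(aut.locally_enabled(state))
        if sends < max_sends:
            acts += [("send", m) for m in msgs]
        for a in acts:
            nxt = aut.step(state, a)
            assert nxt is not None, f"enabled action {a} has no step from {state}"
            steps.append((state, a, nxt))
            key = (nxt, sends + (a[0] == "send"))
            if key not in seen:
                seen.add(key)
                work.append(key)
    return {s for s, _ in seen}, steps


def check_invariant(timed, **bounds):
    """True iff the invariant holds in every reachable state (within bounds)."""
    states, _ = reachable(timed, **bounds)
    return all(timed.invariant(s) for s in states)


def forward_simulation(timed, **bounds):
    """R maps a timed state to its message sequence. Each timed step must match a
    Channel step on the same action, or (hidden pass(t)) leave R unchanged."""
    R = lambda s: tuple(m for m, _ in s[1])
    _, steps = reachable(timed, **bounds)
    return all(R(s) == R(s2) if a[0] == "pass" else Channel.step(R(s), a) == R(s2)
               for s, a, s2 in steps)


def trace(execution, hidden=("pass",)):
    """Project an execution s0 a1 s1 a2 s2 ... on external actions."""
    return tuple(a for a in execution[1::2] if a[0] not in hidden)
```

forward_simulation is the slide's "A implements B" shown the way the slide recommends, through a simulation relation checked step by step, rather than by enumerating traces; hiding pass(t) is the action-hiding operation from the I/O Automata slide. The faulty variant passes the simulation check (it never produces a receive the untimed channel forbids) but fails check_invariant, which is the point of stating the timing invariant separately: a timeout-based protocol can refine its untimed specification and still let a deadline slip.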
Example Applications
• Distributed algorithms:
– Resource allocation, consensus, …
• Timeout-based communication protocols:
– TCP, reliable multicast, …
• Performance (latency) analysis:
– Group communication systems:
• Using GCS to build TO-Bcast [Fekete, Lynch, Shvartsman]
• Scalable GCS [Khazan, Keidar 01]
– RAMBO reconfigurable atomic memory
• Hybrid (continuous/discrete) systems (toy examples):
– RR crossing [Heitmeyer, Lynch, Archer]
– Steam boiler controller
Hybrid I/O Automata (HIOA)
• TIOA plus facilities for representing continuous behavior.
• Static description:
– States: input, output, internal variables; start states
– Actions: input, output, internal
– Discrete steps (s, a, s')
– Trajectories τ, mapping time intervals to states
• Dynamic description:
– Execution: τ0 a1 τ1 a2 τ2 …
– Trace: Project on external variables, external actions.
– A implements B if traces(A) ⊆ traces(B).
• Operations: Composition, hiding
• Reasoning methods: Invariants, simulation relations, compositional methods
Example Applications
• Ground transportation:
– People-mover (Raytheon) [Livadas, Lynch, Weinberg, Delisle].
– California PATH automated highway system: Analysis of platoon maneuvers [Dolginova, Lynch, Lygeros].
• Aircraft control:
– TCAS (Lincoln Labs): Models, proofs [Livadas, Lygeros, Lynch].
– Quanser helicopter system (MIT Aero/Astro): Models, proofs [Mitra, Wang, Feron, Lynch 02].
• Spacecraft:
– ACME [Ha, Axelrod, Lynch, Garland, Kochocki, Tanzman 03]
TCAS model
[Figure: block diagram of the TCAS model. Each of the two Aircraft has a Sensor, a Conflict detector, a Conflict resolver and a Pilot; the two sides are connected through a Channel.]
Quanser Model Helicopter System [Mitra, Wang, Feron, Lynch 02]
• 3-DoF models manufactured by Quanser
• User controllers are not safe
• Supervisory pitch controller, accounting for:
– Sensor inaccuracies
– Actuator delay
– Limited sampling frequency
HIOA model of the system
• New language constructs for specifying trajectories
• State models and Activities
• Composition of activities
[Figure: HIOA model of the system. Components: plant, sensor, usrCtrl, supervisor, actuator. Discrete communication among components via the actions sample, control, command, dequeue and act.]
Executions in the User and Supervisor modes
[Figure: phases of an execution: User mode; switch to supervisor (settling phase); recovery phase; back to User mode. Annotation: cannot jump from U to outside of R in a single step.]
Future Directions
• Application of the HIOA model to verification
– Realistic dynamics, inaccuracies, delays
• Design of a safe supervisory controller
– For an arbitrary user controller
• Language constructs for HIOA
Contributions
• Study systems with more complicated discrete behavior and dynamics.
• Develop a set of 'useful lemmas' from control theory to be used directly in invariant proofs.
• Partially automate proofs using theorem provers.