Safe composition of distributed adaptable components
description
Transcript of Safe composition of distributed adaptable components
![Page 1: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/1.jpg)
Safe composition of distributed adaptable components
• A distributed component model
• Behavioural specification and verification
Ludovic Henrio and Eric Madelaine
Journée Composition Logicielle – Avril 2009
![Page 2: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/2.jpg)
A DISTRIBUTED COMPONENT MODEL
![Page 3: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/3.jpg)
Motivation
• A component model for distributed systems (GCM)
• Following active objects (actors) principles• Simple to program• Verification of safe composition➡ Strong guarantees from
➡ the programming model point of view (on middleware / execution)
➡ behavioural point of view (on program instances, e.g. no dead lock)
• A component model “derived” from GCM (≈ ProActive/GCM)
+ A verification environment for ProActive/GCM
![Page 4: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/4.jpg)
What are (GCM) Components?
Bindings
Business code
Business code
Server interfaces
ClientinterfacesPrimitive component
Primitive component
Composite component
NF (server) interfaces
GCM components are adaptable !!!GCM components are adaptable !!!
![Page 5: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/5.jpg)
A Primitive GCM Component
CI.foo(p)
Primitive components communicating by asynchronous remote method invocations on interfaces (requests)
Components abstract away distribution and concurrency
in ProActive components are mono-threaded simplifies concurrency but can create deadlocks
Primitive components communicating by asynchronous remote method invocations on interfaces (requests)
Components abstract away distribution and concurrency
in ProActive components are mono-threaded simplifies concurrency but can create deadlocks
![Page 6: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/6.jpg)
Composition in GCM
Bindings:Requests = Asynchronous method invocations
![Page 7: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/7.jpg)
Futures for Components
f=CI.foo(p)……….f.bar()f.bar()
Component are independent entities (threads are isolated in a component)
+Asynchronous method invocations with results
Futures are necessary
Component are independent entities (threads are isolated in a component)
+Asynchronous method invocations with results
Futures are necessary
![Page 8: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/8.jpg)
Replies
f=CI.foo(p)
………f.bar()
![Page 9: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/9.jpg)
First-class Futures
f=CI.foo(p)
………CI.foo(f)CI.foo(f)
• Only strict operations are blocking (access to a future)
• Communicating a future is not a strict operation
• Only strict operations are blocking (access to a future)
• Communicating a future is not a strict operation
![Page 10: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/10.jpg)
Advantages of our approach
• Primitive components contain the business code
• Primitive components act as the unit of distribution and concurrency (each thread is isolated in a component)
• Communications follow component bindings
• Hierarchy for building complex applications
• Adaptable: Fractal’s introspection and reconfiguration
• Futures allow communication to be asynchronous requests
➡ Easy to program (no shared memory)
➡ Same behaviour whatever the order of future replies
➡ Behaviour easy to study (actor like)
![Page 11: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/11.jpg)
One Ongoing / future work
• Specification of this component model in Isabelle/HOL Isabelle/HOL is a theorem prover To prove properties on the component model + on
protocols for managing components and execution• A first prototype specification + small proofs
Next steps• Basic correctness proofs• Specification of future update strategies + proofs• More properties on dead locks, on component stop, …
![Page 12: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/12.jpg)
BEHAVIOURAL SPECIFICATION AND VERIFICATION
![Page 13: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/13.jpg)
![Page 14: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/14.jpg)
First-class Futures and Hierarchy
Without first-class futures, one thread is systematically blocked in the composite component.
Without first-class futures, one thread is systematically blocked in the composite component.
![Page 15: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/15.jpg)
First-class Futures and Hierarchy
… … …
Almost systematic dead-lock in ProActive
A lot of blocked threads otherwise
Almost systematic dead-lock in ProActive
A lot of blocked threads otherwise
![Page 16: Safe composition of distributed adaptable components](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813ad1550346895da2fd4d/html5/thumbnails/16.jpg)
Reply Strategies
In ASP / ProActive, the result is insensitive to the order of replies (shown for ASP-calculus)
Ongoing experiments with different strategies
In ASP / ProActive, the result is insensitive to the order of replies (shown for ASP-calculus)
Ongoing experiments with different strategies