Fairness in Temporal Verification of Distributed Systems

1983

With the rapid decrease in the cost of hardware distributed computing is finding wider application. The parallelism inherent in distributed processing makes it much more difficult to design reliable systems. Many software development techniques such as hierarchical design and exaustive testing used for large sequential programs are no longer adequate because of the high degree of nondeterminism present in parallelism. This thesis addresses the two aspects of correctness and performance in the design of distributed and concurrent systems. In chapters 2 through 5 we consider different temporal logics and their extensions, as formal systems for reasoning about concurrent programs. In chapter 2 we investigate the complexity of decision procedures for different versions of Propositional Linear Temporal Logics(PTL). We present a space efficient decision procedure for the full logic. We also present optimal decision procedures for other restricted versions of this logic. We investigate the...

IEEE Transactions on Software Engineering, 1983

Computations of distributed systems are extremely difficult to specify and verify using traditional techniques because the systems are inherently concurrent, asynchronous, and nondeterministic. Furthermore, computing nodes in a distributed system may be highly independent of each other, and the entire system may lack an accurate global clock. In this paper, we develop an event-based model to specify formally the behavior (the external view) and the structure (the internal view) of distributed systems. Both control-related and data-related properties of distributed systems are specified using two fundamental relationships among events: the "precedes" relation, representing time order; and the "enables' relations, representing causality. No assumption about the existence of a global clock is made in the specifications. The specification technique has a rather wide range of applications. Examples from different classes of distributed systems, include communication systems, process control systems, and a distributed prime number generator [13], are used to demonstrate the power of the technique. The correctness of a design can be proved before implementation by checking the consistency between the behavior specification and the structure specification of a system. Both safety and liveness properties can be specified and verified. Furthermore, since the specification technique defines the orthogonal properties of a system separately, each of them can then be verified independently. Thus, the proof technique avoids the exponential state-explosion problem found in state-machine specification techniques.

2005

This article deals with a distributed, fault-tolerant real-time application modeling by timed automata. The application under consideration consists of several processors communicating via Controller Area Network (CAN); each processor executes an application that consists of fault-tolerant tasks running under an operating system (e.g. OSEK) and using inter-task synchronization primitives. For such system, the model checking tool (e.g. UPAALL) can be used to verify complex time and logical properties formalized as a safety or bounded liveness properties (e.g. end-to-end response time considering occurrence of a fault, state reachability). The main contribution of this paper is that the proposed model reduces size of the statespace by sharing clocks measuring the execution time of tasks and simply incorporates fault-tolerant features of the application.

2006

We present a methodology for verifying epistemic and real-time temporal properties of multi-agent systems. We introduce an interpreted systems semantics based on diagonal timed automata and use a real-time temporal epistemic language to describe properties of multi-agent systems. We develop a bounded model checking algorithm for this setting and present experimental results for a real-time version of the alternating bit-transmission problem obtained by means of a preliminary implementation of the technique.

Sensors, 2022

In modern computer systems, distributed systems play an increasingly important role, and modeling and verification are crucial in their development. The specificity of many systems requires taking this into account in real time, as time dependencies significantly affect the system’s behavior, when achieving the goals of its processes or with adverse phenomena such as deadlocks. The natural features of distributed systems include the asynchrony of actions and communication, the autonomy of nodes, and the locality of behavior, i.e., independence from any global or non-local features. Most modeling formalisms are derived from parallel centralized systems, in which the behavior of components depends on the global state or the simultaneous achievement of certain states by components. This approach is unrealistic for distributed systems. This article presents the formalism of a timed integrated model of distributed systems that supports all of the mentioned features. The formalism is base...

DAIMI Report Series, 1993

This thesis is concerned with the verification of concurrent systems modelled by process algebras. It provides methods and techniques for reasoning about temporal properties as described by assertions from an expressive modal logic -- the modal µ-calculus. It describes a compositional approach to model checking, efficient local and global algorithms for model checking finite-state systems, a general local fixed-point finding algorithm, a proof system for model checking infinite-state systems, a categorical completeness result for an intuitionistic version of the modal µ-calculus, and finally it shows some novel applications of the logic for expressing behavioural relations.

1999

in the FSP language. We then introduce CRA, problems related to it, as well as the way in which software architecture is used to guide CRA. Chapter 4 motivates and describes the use of ALTL for expressing properties of LTSs. A generic mechanism is then provided for checking that a system satisfies properties expressed as ALTL formulas or Büchi automata. This mechanism is then adjusted to cope with issues that arise when CRA is used to construct the LTS of a system. Chapter 5 concentrates on the issue of safety-property checking. Safety properties can be specified with a less expressive model than Büchi automata. This model is amenable to an efficient checking mechanism, described in this chapter. A similar technique is presented, for checking correctness of user-specified interfaces in the context of CRA. Chapter 6 discusses the notion of fairness, and relates it to liveness property checking. It proposes efficient strategies for checking liveness properties expressed as deterministic Büchi automata, and for checking a class of liveness properties termed progress. Such checks are performed under specific fairness assumptions about the system execution, which can be refined with the use of an action priority scheme. The chapter concludes with a methodology that users are advised to follow for analysing their systems. The methodology encourages the gradual transition from efficient and inexpensive checks that may not detect all possible errors in the system, to tests that are more expensive but also more thorough. Chapter 7 describes the construction and use of our analysis tool, as well as the way in which it interacts with our other tools for the development of concurrent and distributed systems. The non-trivial case study of a Reliable Multicast Transport Protocol is used to evaluate the applicability, performance and efficiency of our approach, and to compare it with similar approaches. Chapter 8 summarises and evaluates the contribution of TRACTA to model checking, discusses open issues and explores directions for future work. Appendix A is a formal presentation of the LTS model. Appendix B is a quick reference for the FSP language. Appendix C provides the semantics of the FSP language. Finally, Appendix D presents the proofs of some theorems and lemmas used in the main body of the thesis. Model Checking 2 2.1 TEMPORAL MODEL CHECKING 28 2.2 AUTOMATA-THEORETIC METHODS 35 2.3 DISCUSSION 36 2.4 SYMBOLIC REPRESENTATION 39 2.5 ON-THE-FLY VERIFICATION 41 2.6 REDUCTION 43 2.7 COMPOSITIONAL REASONING 51 2.8 DISCUSSION 52

Formal Aspects of Computing, 2005

We present a framework for model checking concurrent software systems which incorporates both states and events. Contrary to other state/event approaches, our work also integrates two powerful verification techniques, counterexample-guided abstraction refinement and compositional reasoning. Our specification language is a state/event extension of linear temporal logic, and allows us to express many properties of software in a concise and intuitive manner. We show how standard automata-theoretic LTL model checking algorithms can be ported to our framework at no extra cost, enabling us to directly benefit from the large body of research on efficient LTL verification.

Queue

L eslie Lamport, known for his seminal work in distributed systems, famously said, "A distributed system is one in which the failure of a computer you didn't even know existed can render your own computer unusable." Given this bleak outlook and the large set of possible failures, how do you even begin to verify and validate that the distributed systems you build are doing the right thing? Distributed systems are difficult to build and test for two main reasons: partial failure and asynchrony. Asynchrony is the nondeterminism of ordering and timing within a system; essentially, there is no now. 10 Partial failure is the idea that components can fail along the way, resulting in incomplete results or data. These two realities of distributed systems must be addressed to create a correct system. Solving these problems often leads to solutions with a high degree of complexity. This in turn leads to an increase in the probability of human error in either design, implementation, or operation. In addition, the interaction of asynchrony and partial failure leads to an extremely large state space of failure conditions.

2006

Model checking suffers from the state explosion problem, due to the exponential increase in the size of a finite state model as the number of system components grows. Directed model checking aims at reducing this problem through heuristic-based search strategies. The model of the system is built while checking the formula and this construction is guided by some heuristic function. In this line, we have defined a structure-based heuristic function operating on processes described in the Calculus of Communicating Systems (CCS), which accounts for the structure of the formula to be verified, expressed in the selective Hennessy-Milner logic. We have implemented a tool to evaluate the method and verified a sample of well known CCS processes with respect to some formulae, the results of which are reported and commented.

2017

Integrated Model of Distributed Systems (IMDS) is a formalism which expresses duality of message passing and resource sharing and which highlights locality, autonomy of distributed elements as well as asynchrony of actions and communication. Combined with model checking, IMDS allows to verify numerous properties of modeled systems. It also provides insights into the behavior of model components (servers and agents) in the form of server view and agent view of the system. IMDS is used in the Dedan verification environment which can detect several types of deadlocks, including communication deadlocks (in the server view) and resource deadlocks (in the agent view). The paper also outlines a mapping of IMDS models into behaviorally equivalent Petri nets, opening the way for many analysis techniques developed for Petri nets to be used for analysis of IMDS models. In particular, structural (siphon-based) methods for deadlock analysis in Petri nets can be used for deadlock detection in IMD...

TENCON '91. Region 10 International Conference on EC3-Energy, Computer, Communication and Control Systems

Temporal logic is widely acclaimed to be a highly successful tool for analyzing non-real-time properties of programs. However, a few fundamental problems arise while designing temporal logic-based techniques to verify real-time properties of programs. In this context, we formulateamodallogiccalleddishibufed Iogic (DL) byusingideas from both the interleaving and partial ordering approach. This logic uses spatial modal operators in addition to temporal operators for representing real-timed concurrency. In additikn to the syntax and semantics of the logic, a programming model, and a formal proof technique based on the logic are also presented. FmaUy, use of the proof method is illustrated through the analysis of the real-time properties of a generic multiprocess producer/consumer program.

2007

Abstract There is a high demand for correctness for safety critical systems, often requiring the use of formal verification. Simple, well-understood scheduling strategies ease verification but are often very inefficient. In contrast, efficient concurrent schedulers are often complex and hard to reason about. This paper shows how the temporal logic of action (TLA) can be used to formally reason about a well-understood scheduling strategy in the process of implementing a more efficient one.

Electronic Notes in Theoretical Computer Science, 2007

Model checking suffers from the state explosion problem, due to the exponential increase in the size of a finite state model as the number of system components grows. Directed model checking aims at reducing this problem through heuristic-based search strategies. The model of the system is built while checking the formula and this construction is guided by some heuristic function. In this line, we have defined a structure-based heuristic function operating on processes described in the Calculus of Communicating Systems (CCS), which accounts for the structure of the formula to be verified, expressed in the selective Hennessy-Milner logic. We have implemented a tool to evaluate the method and verified a sample of well known CCS processes with respect to some formulae, the results of which are reported and commented.

Theoretical Computer Science, 1999

This paper presents a framework for the specification and verification of timing properties of reactive systems using Temporal Logic with Clocks (TLC). Reactive systems usually contain a number of parallel processes, therefore, it is essential to study and analyse each process based on its own local time. TLC is a temporal logic extended with multiple clocks, and it is in particular suitable for the specification of reactive systems. In our framework, the behavior of a reactive system is described through a formal specification; its timing properties, including safety and liveness properties, are expressed by TLC formulas. We also propose several demonstration techniques, such as an application of local reasoning and deriving fixed-time rules from the proof system of TLC, for proving that a reactive system meets its temporal specification. Under the proposed framework, the timing properties of a reactive system can therefore be directly reasoned about from the formal specification of the system.