Similar documents
1.
The paper reports on experiences of mechanizing various proposals for compositional reasoning in concurrent systems. The work uses the UNITY formalism and the Isabelle proof tool. The proposals investigated include existential/universal properties, guarantees properties and progress sets. The results also apply to related proposals such as traditional assumption-commitment guarantees and Misra's closure properties. Findings that have been published in detail elsewhere are summarised and consolidated here. One conclusion is that UNITY and related formalisms leave some important issues implicit, such as their concept of the program state, which means that great care must be exercised when implementing tool support. Another conclusion is that many compositional reasoning methods can be mechanized, provided that the issues mentioned above are correctly addressed. Received November 2003; revised November 2004; accepted November 2004 by C. B. Jones.

2.
Software development that assembles prefabricated components faces different challenges than development that starts from scratch with programming constructs. For example, it is often impossible, or at least not economical, to change the source code of components from independent suppliers. But how do you assemble the components without doing that? How do you link them with the services they require? And how do you build a distributed system and ensure system-wide security, performance, and fault tolerance without breaking the system? These are just some of the issues that designers face when using prefabricated components in a distributed system. Object-oriented distributed systems pose some specific problems. Objects communicate by invoking methods on other objects, so they must maintain static information, such as class or interface names. Thus, objects may have strong dependencies, not only on each other but also on outside services. Distributed systems built from prefabricated components require an assembly approach that separates architecture, component, and distributed object infrastructure concerns.

3.
A model designed for the analysis of intrusion detection methods is described. The model also helps validate such methods and estimate their complexity. In terms of this model, a new intrusion detection method is proposed, its validity is proved, and its computational complexity is evaluated. It differs from existing expert-based methods in that it does not impose constraints on the behavior being detected, which makes it possible to detect unknown or modified attacks.
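The abstract does not describe the method itself, so the following is an added illustration of the design goal it states, not the paper's algorithm: an anomaly detector that builds a profile of normal behaviour (here, n-grams of system-call names, a stide-style model) and flags any trace containing windows never seen during training. Nothing in the detector encodes a known attack, so a previously unseen or modified attack is caught as long as it changes the observed sequence. The traces, the `n=3` window size and the 0.2 threshold are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Profile is the set of n-grams (windows of n consecutive events) observed in
// traces assumed to be benign. Anything outside the set is treated as anomalous;
// no attack signature is involved.
type Profile struct {
	n     int
	grams map[string]struct{}
}

// NewProfile trains the model on benign traces.
func NewProfile(n int, normal [][]string) *Profile {
	p := &Profile{n: n, grams: make(map[string]struct{})}
	for _, trace := range normal {
		for _, g := range windows(trace, n) {
			p.grams[g] = struct{}{}
		}
	}
	return p
}

// windows splits a trace into its overlapping n-grams.
func windows(trace []string, n int) []string {
	var out []string
	for i := 0; i+n <= len(trace); i++ {
		out = append(out, strings.Join(trace[i:i+n], " "))
	}
	return out
}

// Score returns the fraction of windows in trace that never occurred in the
// training data, together with those windows.
func (p *Profile) Score(trace []string) (float64, []string) {
	ws := windows(trace, p.n)
	if len(ws) == 0 {
		return 0, nil
	}
	var unknown []string
	for _, g := range ws {
		if _, ok := p.grams[g]; !ok {
			unknown = append(unknown, g)
		}
	}
	return float64(len(unknown)) / float64(len(ws)), unknown
}

// Detect raises an alert when the anomaly score exceeds threshold.
func (p *Profile) Detect(trace []string, threshold float64) bool {
	s, _ := p.Score(trace)
	return s > threshold
}

// Constructed benign traces for the example (not recorded from a real system).
var normalTraces = [][]string{
	{"open", "read", "read", "close"},
	{"open", "read", "write", "close"},
	{"stat", "open", "read", "close"},
}

func main() {
	p := NewProfile(3, normalTraces)
	for _, t := range [][]string{
		{"open", "read", "read", "close"},               // benign: every window known
		{"open", "read", "execve", "socket", "connect"}, // modified behaviour never trained on
	} {
		s, unknown := p.Score(t)
		fmt.Printf("%v score=%.2f unknown=%v alert=%v\n", t, s, unknown, p.Detect(t, 0.2))
	}
}
```

The caveats a practitioner would add: the model is only as complete as the training set (an incomplete profile produces false positives on rare but legitimate paths), and an attacker who knows the profile can attempt a mimicry attack built from known n-grams only. The threshold trades those false positives against missed short deviations.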

4.
Markov nets: probabilistic models for distributed and concurrent systems   Total citations: 1, self-citations: 0, citations by others: 1
For distributed systems, i.e., large complex networked systems, there is a drastic difference between a local view and knowledge of the system, and its global view. Distributed systems have local state and time, but do not possess global state and time in the usual sense. In this paper, motivated by the monitoring of distributed systems and in particular of telecommunications networks, we develop a generalization of Markov chains and hidden Markov models for distributed and concurrent systems. By a concurrent system, we mean a system in which components may evolve independently, with sparse synchronizations. We follow a so-called true concurrency approach, in which neither global state nor global time are available. Instead, we use only local states in combination with a partial order model of time. Our basic mathematical tool is that of Petri net unfoldings.

5.
As information systems develop into larger and more complex implementations, the need for survivability in mission-critical systems is pressing. Furthermore, the requirement for protecting information systems becomes increasingly vital, while new threats are identified each day. It becomes more challenging to build systems that will detect such threats and recover from the damage. This is particularly critical for distributed mission-critical systems, which cannot afford a loss of functionality even when there are internal component failures or compromises by malicious code, especially in a component downloaded from an external source. Therefore, when using such a component, we should check that the source of the component is trusted and that the code has not been modified in an unauthorized manner since it was created. Furthermore, once we find failures or malicious code in the component, we should fix those problems and continue the original functionality of the component at runtime so that we can support survivability in the mission-critical system. In this paper, we state our definition of survivability, discuss the survivability challenges in component sharing in a large distributed system, identify the static and dynamic survivability models, and discuss their trade-offs. Consequently, we propose novel approaches for component survivability. Finally, we show the feasibility of our ideas by implementing component recovery against internal failures and malicious code based on the dynamic model.
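The two checks the abstract asks for before a downloaded component is used (trusted source, unmodified since creation) plus the runtime fallback it describes can be shown concretely. The following is an added example, not the paper's implementation: the supplier signs the SHA-256 digest of the component with an Ed25519 key, the loader verifies the signature against pinned public keys and the digest against the bytes it actually received, and on failure it keeps running the last version that passed instead of loading nothing. The `Manifest` layout, the `Loader` type and the component bytes are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is shipped next to a component by its supplier: the SHA-256 of the
// bytes and an Ed25519 signature over that digest (assumed format).
type Manifest struct {
	Digest    [32]byte
	Signature []byte
}

// NewKeypair generates a supplier key. In practice the public half is pinned
// in the loader's configuration and the private half never leaves the supplier.
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign runs on the supplier side when the component is created.
func Sign(priv ed25519.PrivateKey, component []byte) Manifest {
	d := sha256.Sum256(component)
	return Manifest{Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

var (
	ErrUntrustedSource = errors.New("manifest signature does not verify under any trusted key")
	ErrModified        = errors.New("component bytes do not match the signed digest")
)

// Verify performs both checks: the manifest was signed by a trusted source, and
// the bytes we hold are the bytes that were signed.
func Verify(trusted []ed25519.PublicKey, m Manifest, component []byte) error {
	signed := false
	for _, pub := range trusted {
		if ed25519.Verify(pub, m.Digest[:], m.Signature) {
			signed = true
			break
		}
	}
	if !signed {
		return ErrUntrustedSource
	}
	if sha256.Sum256(component) != m.Digest {
		return ErrModified
	}
	return nil
}

// Loader remembers the last verified copy of each component so that a failed
// check at reload time recovers to it instead of dropping the functionality.
type Loader struct {
	trusted   []ed25519.PublicKey
	knownGood map[string][]byte
}

func NewLoader(trusted ...ed25519.PublicKey) *Loader {
	return &Loader{trusted: trusted, knownGood: map[string][]byte{}}
}

// Load returns the bytes that may run: the new component if it verifies,
// otherwise the previously accepted version (recovered=true), or an error when
// there is no fallback.
func (l *Loader) Load(name string, m Manifest, component []byte) (code []byte, recovered bool, err error) {
	if err := Verify(l.trusted, m, component); err != nil {
		if prev, ok := l.knownGood[name]; ok {
			return prev, true, nil
		}
		return nil, false, err
	}
	l.knownGood[name] = append([]byte(nil), component...)
	return component, false, nil
}

func main() {
	pub, priv := NewKeypair()
	l := NewLoader(pub)
	good := []byte("component v1 (constructed sample)")
	m := Sign(priv, good)
	code, recovered, err := l.Load("auth", m, good)
	fmt.Printf("%q recovered=%v err=%v\n", code, recovered, err)

	// Bytes altered after signing: rejected, and the known-good v1 keeps running.
	tampered := bytes.Replace(good, []byte("v1"), []byte("v2"), 1)
	code, recovered, err = l.Load("auth", m, tampered)
	fmt.Printf("%q recovered=%v err=%v\n", code, recovered, err)
}
```

Signing the digest rather than the raw bytes keeps the signed message small, but the loader must then hash the bytes it will actually execute, not bytes read earlier from a path an attacker could swap underneath it.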

6.
Concurrent data structures are usually designed to satisfy correctness conditions such as sequential consistency or linearizability. In this paper, we consider the following fundamental question: What guarantees are provided by these conditions for client programs? We formally show that these conditions can be characterized in terms of observational refinement. Our study also provides a new understanding of sequential consistency and linearizability in terms of abstraction of dependency between computation steps of client programs.
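To make the difference between the two correctness conditions concrete, here is an added example, not from the paper: a brute-force checker for histories of a single shared register. A history is linearizable if some sequential order of its operations is legal for the register and respects real-time order (an operation that completed before another was invoked must come first); it is sequentially consistent if only each process's program order has to be respected. The histories and timestamps are constructed; the checker is the standard exponential search, adequate for short histories only.

```go
package main

import "fmt"

// Op is one completed operation: which process issued it, what it did, the
// value written or returned, and its real-time invocation/response instants.
type Op struct {
	Proc      int
	Kind      string // "write" or "read"
	Val       int
	Inv, Resp int
}

// register is the sequential specification: a read returns the last write.
type register struct{ v int }

func (r register) apply(o Op) (register, bool) {
	switch o.Kind {
	case "write":
		return register{o.Val}, true
	case "read":
		return r, r.v == o.Val
	}
	return r, false
}

// canGoNext reports whether op i may be placed next. Under real-time order
// (linearizability) i is blocked by any unplaced op that responded before i was
// invoked; under program order only (sequential consistency) it is blocked only
// by unplaced earlier ops of the same process.
func canGoNext(ops []Op, placed []bool, i int, realTime bool) bool {
	for j := range ops {
		if placed[j] || j == i {
			continue
		}
		if realTime && ops[j].Resp < ops[i].Inv {
			return false
		}
		if !realTime && ops[j].Proc == ops[i].Proc && ops[j].Inv < ops[i].Inv {
			return false
		}
	}
	return true
}

// search extends a partial sequential order until every op is placed legally.
func search(ops []Op, placed []bool, st register, realTime bool, order []int) ([]int, bool) {
	if len(order) == len(ops) {
		return order, true
	}
	for i := range ops {
		if placed[i] || !canGoNext(ops, placed, i, realTime) {
			continue
		}
		next, ok := st.apply(ops[i])
		if !ok {
			continue
		}
		placed[i] = true
		ext := append(append([]int(nil), order...), i)
		if res, ok := search(ops, placed, next, realTime, ext); ok {
			return res, true
		}
		placed[i] = false
	}
	return nil, false
}

// Linearizable returns a witness order respecting real time, if one exists.
func Linearizable(ops []Op, init int) ([]int, bool) {
	return search(ops, make([]bool, len(ops)), register{init}, true, nil)
}

// SequentiallyConsistent returns a witness order respecting program order only.
func SequentiallyConsistent(ops []Op, init int) ([]int, bool) {
	return search(ops, make([]bool, len(ops)), register{init}, false, nil)
}

// Constructed history: P1 writes 1 and completes, then P2 reads and gets the
// initial 0. Legal under sequential consistency (the read may be ordered
// first), not under linearizability (the write already completed).
var history = []Op{
	{Proc: 1, Kind: "write", Val: 1, Inv: 0, Resp: 1},
	{Proc: 2, Kind: "read", Val: 0, Inv: 2, Resp: 3},
}

func main() {
	_, lin := Linearizable(history, 0)
	order, sc := SequentiallyConsistent(history, 0)
	fmt.Printf("linearizable=%v sequentially-consistent=%v witness=%v\n", lin, sc, order)
}
```

This is exactly the gap the abstract's question is about: a client that reads 0 after observing (through some other channel) that the write completed can be misled by a sequentially consistent object but not by a linearizable one.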

7.
Many important science and engineering applications, such as regulating the temperature distribution over a semiconductor wafer and controlling the noise from a photocopy machine, require interpreting distributed data and designing decentralized controllers for spatially distributed systems. Developing effective computational techniques for representing and reasoning about these systems, which are usually modeled with partial differential equations (PDEs), is one of the major challenge problems for qualitative and spatial reasoning research.

This paper introduces a novel approach to decentralized control design, influence-based model decomposition, and applies it in the context of thermal regulation. Influence-based model decomposition uses a decentralized model, called an influence graph, as a key data abstraction representing influences of controls on distributed physical fields. It serves as the basis for novel algorithms for control placement and parameter design for distributed systems with large numbers of coupled variables. These algorithms exploit physical knowledge of locality, linear superposability, and continuity, encapsulated in influence graphs representing dependencies of field nodes on control nodes. The control placement design algorithms utilize influence graphs to decompose a problem domain so as to decouple the resulting regions. The decentralized control parameter optimization algorithms utilize influence graphs to efficiently evaluate thermal fields and to explicitly trade off computation, communication, and control quality. By leveraging the physical knowledge encapsulated in influence graphs, these control design algorithms are more efficient than standard techniques, and produce designs explainable in terms of problem structures.


8.
This paper considers a set object, i.e., a shared object allowing users (processes) to add and remove elements of the set, as well as to take consistent snapshots of its content. Specifically, we show that no protocol can implement a set object using finite memory when the underlying distributed system is eventually synchronous and affected by continuous arrivals and departures of processes (a phenomenon also known as churn). Then, we analyze the relationship between system model assumptions and object specification in order to design protocols implementing the set object using finite memory. Along one direction (strengthening the system model), we propose a protocol implementing the set object in synchronous distributed systems and, along the other direction (weakening the object specification), we introduce the notion of a k-bounded set object and propose a protocol working on an eventually synchronous system.

9.
Case-based reasoning (CBR) means reasoning from prior examples, and it has considerable potential for building intelligent assistant systems for the World Wide Web. In order to develop successful Web-based CBR systems, we need to select a set of representative cases for the client-side case-base such that this thin client is competent in problem solving. This paper proposes a fuzzy-rough method of selecting cases for such a distributed CBR system, i.e., a thin client system (a smaller case-base with rules) connected to a comparatively more powerful server system (the entire original case-base). The methodology is mainly based on the idea that an original case-base can be transformed into a smaller case-base together with a group of fuzzy adaptation rules, which can be generated using our fuzzy-rough approach. As a result, the smaller case-base with a group of fuzzy rules will have almost the same problem coverage as the entire original case-base. The method proposed in this paper consists of four steps. First, an approach for learning feature weights automatically is used to evaluate the importance of different features in a given case-base. Second, clustering of cases is carried out to identify different concepts in the case-base using the acquired feature weights. Third, fuzzy adaptation rules are mined for each concept using a fuzzy-rough method. Finally, a selection strategy based on the concepts of case coverage and reachability is used to select representative cases. The effectiveness of our method is demonstrated experimentally using test data in the travel domain. This project is supported by the Hong Kong Polytechnic University Grants G-V957 and H-ZJ90.

10.
Current object-oriented approaches to distributed programs may be criticized in several respects. First, method calls are generally synchronous, which leads to much waiting in distributed and unstable networks. Second, the common model of thread concurrency makes reasoning about program behavior very challenging. Models based on concurrent objects communicating by asynchronous method calls have been proposed to combine object orientation and distribution in a more satisfactory way. In this paper, a high-level language and proof system are developed for such a model, emphasizing simplicity and modularity. In particular, the proof system is used to derive external specifications of observable behavior for objects, encapsulating their state. A simple and compositional proof system is paramount to allow verification of real programs. The proposed proof rules are derived from the Hoare rules of a standard sequential language by a semantic encoding preserving soundness and relative completeness. Thus, the paper demonstrates that these models address not only the first criticism above, but also the second.

11.
An approach to verifying control flow in distributed computer systems (DCS) is presented. The approach is based on control flow checking among software components distributed over processors and cooperating with each other. In this approach, the control-flow behavior of DCS software is modeled and contained in special software components called verifiers. The verifiers are distributed over the processors and consulted to check the correctness of the control flow in DCS software during its execution. Algorithms for deriving the verifiers are presented. This technique can detect global errors, including synchronization errors, as well as local errors. It can be used for sequential or concurrent software at various levels of detail. Experiments show that using this technique requires no significant overhead.
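The abstract gives the idea but not the algorithms, so the following is an added example, not the paper's verifier: a model that records, per process, the allowed transitions between software blocks plus which blocks send or receive on named channels. Replaying a merged execution trace against it detects a local error (a block entered through no modelled edge, as a corrupted return address or jump would cause) and a global synchronization error (a receive that no earlier send can have produced). The two-process request/reply model and the traces are constructed for the example.

```go
package main

import "fmt"

// Event is one step observed by a verifier: a process entering a software
// block, optionally sending on or receiving from a named channel.
type Event struct {
	Proc, Block string
	Send, Recv  string // channel name, or "" when the block does no messaging
}

// Verifier holds the modelled control-flow behaviour: each process's entry
// block and its allowed block-to-block transitions.
type Verifier struct {
	entry map[string]string
	edges map[string]map[string]bool // key proc+"\x00"+from -> allowed targets
}

func NewVerifier() *Verifier {
	return &Verifier{entry: map[string]string{}, edges: map[string]map[string]bool{}}
}

func (v *Verifier) Entry(proc, block string) { v.entry[proc] = block }

func (v *Verifier) Edge(proc, from, to string) {
	k := proc + "\x00" + from
	if v.edges[k] == nil {
		v.edges[k] = map[string]bool{}
	}
	v.edges[k][to] = true
}

// Check replays a trace in the order the verifiers observed it and returns one
// message per violation. Local errors are unmodelled transitions; global errors
// are receives with no unconsumed prior send on that channel.
func (v *Verifier) Check(trace []Event) []string {
	var errs []string
	cur := map[string]string{}  // last block seen per process
	pending := map[string]int{} // sends not yet matched by a receive, per channel
	for i, e := range trace {
		last, seen := cur[e.Proc]
		switch {
		case !seen && e.Block != v.entry[e.Proc]:
			errs = append(errs, fmt.Sprintf("#%d %s: started in %q, expected entry %q", i, e.Proc, e.Block, v.entry[e.Proc]))
		case seen && !v.edges[e.Proc+"\x00"+last][e.Block]:
			errs = append(errs, fmt.Sprintf("#%d %s: illegal transition %s -> %s", i, e.Proc, last, e.Block))
		}
		cur[e.Proc] = e.Block
		if e.Send != "" {
			pending[e.Send]++
		}
		if e.Recv != "" {
			if pending[e.Recv] == 0 {
				errs = append(errs, fmt.Sprintf("#%d %s: receive on %q with no prior send", i, e.Proc, e.Recv))
			} else {
				pending[e.Recv]--
			}
		}
	}
	return errs
}

// RequestReply is the constructed model: a client that sends one request and
// waits for the reply, and a server that loops handling requests.
func RequestReply() *Verifier {
	v := NewVerifier()
	v.Entry("client", "init")
	v.Edge("client", "init", "send_req")
	v.Edge("client", "send_req", "wait")
	v.Edge("client", "wait", "done")
	v.Entry("server", "idle")
	v.Edge("server", "idle", "handle")
	v.Edge("server", "handle", "reply")
	v.Edge("server", "reply", "idle")
	return v
}

func main() {
	v := RequestReply()
	// Server handles a request before the client ever sent one.
	trace := []Event{
		{Proc: "client", Block: "init"},
		{Proc: "server", Block: "idle"},
		{Proc: "server", Block: "handle", Recv: "req"},
		{Proc: "client", Block: "send_req", Send: "req"},
	}
	for _, e := range v.Check(trace) {
		fmt.Println(e)
	}
}
```

The model is derived from the program's own control-flow graph, so it catches deviations from what the software can legitimately do, independent of how the deviation was caused (fault or injected code); the ordering of events across processors is the merged order as the verifiers see it, which is why synchronization checks only hold for the observed interleaving.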

12.
Building a distributed system from third-party components introduces a set of problems, mainly related to compatibility and communication. Our existing approach to solve such problems is to build a centralized adaptor which restricts the system's behavior to exhibit only deadlock-free and desired interactions. However, in a distributed environment such an approach is not always suitable. In this paper, we show how to automatically generate a distributed adaptor for a set of black-box components. First, by taking into account a specification of the interaction behavior of each component, we synthesize a behavioral model for a centralized glue adaptor. Second, from the synthesized adaptor model and a specification of the desired behavior that must be enforced, we generate one local adaptor for each component. The local adaptors cooperatively behave as the centralized one restricted with respect to the specified desired interactions.

13.
14.
Scheduling concerns the allocation of processors to processes, and is traditionally associated with low-level tasks in operating systems and embedded devices. However, modern software applications with soft real-time requirements need to control application-level performance. High-level scheduling control at the application level may complement general purpose OS level scheduling to fine-tune performance of a specific application, by allowing the application to adapt to changes in client traffic on the one hand and to low-level scheduling on the other hand. This paper presents an approach to express and analyze application-specific scheduling decisions during the software design stage. For this purpose, we integrate support for application-level scheduling control in a high-level object-oriented modeling language, Real-Time ABS, in which executable specifications of method calls are given deadlines and real-time computational constraints. In Real-Time ABS, flexible application-specific schedulers may be specified by the user, i.e., developer, at the abstraction level of the high-level modeling language itself and associated with concurrent objects at creation time. Tool support for Real-Time ABS is based on an abstract interpreter that supports simulations and measurements of systems at the design stage.

15.
One of the challenges in the design of a distributed multimedia system is devising suitable specification models for various schemas in different levels of the system. Another important research issue is the integration and synchronization of heterogeneous multimedia objects. In this paper, we present our models for multimedia schemas and transformation algorithms. They transform high-level multimedia objects into schemas that can be used to support the presentation and communication of the multimedia objects. A key module in the system is the Object Exchange Manager (OEM). In this paper, we present the design and implementation of the OEM module, and discuss in detail the interaction between the OEM and other modules in a distributed multimedia system.

16.
This paper adapts the communication closed layer (CCL) concept of Elrad and Francez to the formal reasoning of randomized distributed algorithms. We do so by enriching probabilistic automata (PA) with a layered composition operator, an intermediate between parallel and sequential composition. Layered composition is used to establish probabilistic counterparts of the CCL laws that exploit independence and/or precedence conditions between the constituent PA. The probabilistic CCL laws enable partial order (po-) equivalence when layered composition is replaced by sequential composition. Such po-equivalence induces a purely syntactic partial-order state space reduction via layered separation in compositions of PA while preserving probabilistic next-free linear-time properties. The feasibility of such layered separation is demonstrated on a randomized mutual exclusion algorithm by Kushilevitz and Rabin, complementing an algebraic approach (for analyzing this algorithm) by McIver, Gonzalia, Cohen, and Morgan.

17.
This paper derives two canonical state space forms (i.e., the observer canonical form and the observability canonical form) from multiple-input multiple-output systems described by difference equations. The state space model is expressed by the first-order difference equation and is equivalent to the input–output representation. More specifically, by setting the different state variables, the difference equations or the input–output representations can be transformed into two observable canonical forms and the canonical state space model can be also transformed into the difference equations. Finally, two examples are given.
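As an added worked instance (not one of the paper's two examples, and restricted to the single-input single-output case), the observer canonical form can be read off directly from an $n$-th order difference equation

$$y(t) + a_1 y(t-1) + \cdots + a_n y(t-n) = b_1 u(t-1) + \cdots + b_n u(t-n)$$

by choosing the state variables

$$x_i(t) = \sum_{k=i}^{n} \bigl( b_k\, u(t-k+i-1) - a_k\, y(t-k+i-1) \bigr), \qquad i = 1,\dots,n,$$

so that $x_1(t) = y(t)$ by the difference equation itself and $x_i(t) = x_{i+1}(t-1) - a_i y(t-1) + b_i u(t-1)$ for $i<n$, $x_n(t) = -a_n y(t-1) + b_n u(t-1)$. Written as a first-order system this is

$$x(t+1) = \begin{bmatrix} -a_1 & 1 & 0 & \cdots & 0 \\ -a_2 & 0 & 1 & \cdots & 0 \\ \vdots & & & \ddots & \vdots \\ -a_{n-1} & 0 & 0 & \cdots & 1 \\ -a_n & 0 & 0 & \cdots & 0 \end{bmatrix} x(t) + \begin{bmatrix} b_1 \\ b_2 \\ \vdots \\ b_{n-1} \\ b_n \end{bmatrix} u(t), \qquad y(t) = \begin{bmatrix} 1 & 0 & \cdots & 0 \end{bmatrix} x(t).$$

Checking the direction back to the input–output representation for $n=2$: $y(t+1) = x_1(t+1) = -a_1 y(t) + x_2(t) + b_1 u(t)$ and $x_2(t) = -a_2 y(t-1) + b_2 u(t-1)$, so $y(t+1) + a_1 y(t) + a_2 y(t-1) = b_1 u(t) + b_2 u(t-1)$, which is the original equation shifted by one step.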

18.
The Journal of Supercomputing - Distributed file systems (DFSs) are widely used in various areas. One of the key issues is to provide high performance of concurrent read streams (i.e., multiple...

19.
We present a modular method for schedulability analysis of real time distributed systems. We extend the actor model, as the asynchronous model for concurrent objects, with real time using timed automata, and show how actors can be analyzed individually to make sure that no task misses its deadline. We introduce drivers to specify how an actor can be safely used. Using these drivers we can verify schedulability, for a given scheduler, by doing a reachability check with the Uppaal model checker. Our method makes it possible to put a finite bound on the process queue and still obtain schedulability results that hold for any queue length.

20.
Information repositories are just one of many services tomorrow's digital libraries might offer. Other services include automated news summarization, trend analysis across news repositories, and copyright-related facilities. This distributed collection of services has the potential to be enormously helpful in performing information-intensive tasks. It could also turn such tasks into confusing, frustrating annoyances by forcing programmers and users to learn many interfaces and by confronting users with the bewildering details of fee-based services that were previously only accessible to professional librarians. The Stanford Digital Library project is addressing the problem of interoperability, which is particularly important because standardization efforts are lagging behind the development of digital library services. The authors used CORBA to implement information-access and payment protocols. These protocols provide the interface uniformity necessary for interoperability, while leaving implementers a large amount of leeway to optimize performance and to provide choices in service performance profiles. The authors' initial experience indicates that a distributed object framework does give clients and servers the flexibility to manage their communication and processing resources effectively.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  Beijing ICP filing no. 09084417