Specification and Verification for (complex) distributed applications running on heterogeneous infrastructures
E. Madelaine, Oasis team, INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis
HPGC – GCM, Nanjing 2010
Motivations: Heterogeneous Resources for Distributed Applications
(slide figure; the resource kinds shown were:)
- Windows CCS cluster
- PacaGrid cluster
- Dell cluster: 47+ Linux nodes, 2-proc/4-core, GPUs
- Storage server
- P2P LAN network
- Mobile terminals
- Other grids and clouds
Heterogeneous Resources for Distributed Applications
- Heterogeneity: OS / processor / architecture / communications
- Characteristics we want to preserve: high performance / dynamicity / mobility / safety / security…
- Existing answers?
  - ProActive = a middleware providing seamless programming, deployment, scheduling, and execution, with strong semantic guarantees.
  - VerCors = a specification and verification platform for distributed components: analysis of behaviour requirements, correct assembly of components.
- The challenge: provide optimisations that depend on the underlying platform, and may evolve dynamically, while keeping simplicity and correctness.
- This presentation: the state of our previous work, the starting point for attacking this challenge.
Agenda
- MCorePhP collaborative project
- Safe Distributed Components: Active Objects, Distributed Components, Behavioural Semantics
- Specification and Verification Tools, Case Study: VerCors platform, Case-Study
- Conclusion & Perspectives
MCorePhP: A collaborative project building the basis for safe programming of heterogeneous applications
- 2 Partners:
  - Un. of Tsinghua, Beijing, China (Pr. Yongwei Wu), NFSC
  - INRIA Sophia-Antipolis, France (Pr. Denis Caromel, Dr. Eric Madelaine), ANR
- 3 Research Tasks:
  - Programming Model for Multi-Core
  - Infrastructure with ChinaGrid and CGSP
  - Application and User Case in Bioinformatics
MCorePhP, Task 1: Programming Model for Multi-Core
- 1.1 New Basic Programming Model for Multi-Core. Extensions of the Active Object programming model:
  - Sharing memory (efficiently) between activities
  - Multi-active (multi-threaded) activities
- 1.2 Legacy Support and Integration (last presentation in this session)
- 1.3 Safe Code Generation (this presentation):
  - from model-level specification and analysis of properties,
  - to "correct by construction" executable code.
- 1.4 Monitoring
Active Objects (very short…)
- Runnable (mono-threaded) objects
- Communicating by remote method call
- Asynchronous computation
- Request queues (user-definable policy)
- No shared memory
- Futures
- Middleware: ProActive library
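An added illustration of the Active Object model listed above (not code from the deck or from the ProActive library): a plain object is served by one thread behind a FIFO request queue, every remote-style call is enqueued and immediately returns a future, and the caller only blocks when it touches the result.

```python
import queue
import threading
from concurrent.futures import Future

class ActiveObject:
    """Mono-threaded service of a plain target object (constructed sketch).
    Calls are requests in a queue; the caller gets a Future back at once."""

    def __init__(self, target, bound=0):
        self._target = target
        self._requests = queue.Queue(maxsize=bound)  # bound > 0: bounded request queue
        self._server = threading.Thread(target=self._serve, daemon=True)
        self._server.start()

    def _serve(self):
        # Single service thread: requests are taken one at a time, FIFO policy,
        # so the target is never touched by two threads (no shared memory).
        while True:
            fut, name, args = self._requests.get()
            if fut is None:
                return
            try:
                fut.set_result(getattr(self._target, name)(*args))
            except Exception as exc:
                fut.set_exception(exc)

    def __getattr__(self, name):
        def send(*args):
            fut = Future()
            # block=False: a full bounded queue raises queue.Full instead of blocking
            self._requests.put((fut, name, args), block=False)
            return fut
        return send

    def stop(self):
        self._requests.put((None, None, None))
        self._server.join()

class Counter:
    def __init__(self):
        self.n = 0
    def inc(self, d=1):
        self.n += d
        return self.n

def demo(n_calls=5):
    """Issue n_calls asynchronous inc() requests, then wait on the futures."""
    c = ActiveObject(Counter())
    futs = [c.inc() for _ in range(n_calls)]      # none of these calls blocks
    results = [f.result(timeout=2) for f in futs]  # wait-by-necessity happens here
    c.stop()
    return results
```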
Grid Component Model (Fractal / GCM):
- Distributed, asynchronous, active objects, remote method calls
- Provided/Required interfaces
- Hierarchy
- Separation of concerns: functional / non-functional
- ADL (Architecture Definition Language)
- Extensible non-functional components in the membrane: dynamic / autonomic component-based system reconfiguration
Grid Component Model (GCM): A Grid-aware extension to Fractal
- Collective interfaces
- Multicast, gathercast, gather-multicast, MxN parallel communications
Behaviour specification and Safe composition
- Aim: build reliable components from the composition of smaller pieces, using their formal specification.
- Component paradigm: only observe activity at interfaces.
- Behavioural properties: deadlock freeness, progress/termination, safety and liveness.
- Applications:
  - Check behavioural compatibility between sub-components
  - Check correctness of component deployment
  - Check correctness of the transformation inside a running application
pNets: Hierarchical and Parameterized LTSs
- [Arnold, Nivat 92] Synchronization networks
- [Lin 92] Symbolic graphs with assignments
- [Lakas 96] Semantics of Lotos open expressions
- Value-passing, dynamic architectures, etc.
- But close to code structure
- Instantiation to finite structures (through abstract interpretation)
[Forte'04: T. Barros, R. Boulifa, E. Madelaine]
[Annals of Telecommunications'08: T. Barros, A. Cansado, L. Henrio, E. Madelaine]
Case-study: dating agreement protocol with group communication
- Active objects (single thread, no shared memory)
- No component structure
- Asynchronous, bounded request queues
- Group communication
Example: « rendez-vous agreement » (1)
- Initiator -> Participant[i]: !Suggest(date) (broadcast)
- Participant[i] -> Initiator: ?Suggest(i,b) (independent, asynchronous responses)
- Initiator -> Participants: [∀ i, b=true] !Validate
- Participants -> Initiator: ?R_Validate (all) (acknowledge)
Eric MADELAINE 14
Generated Model: the full picture
This is a small system:
- 10 pLTS
- 6 int. parameters
- 1 array parameter
- 11 pNets
- 19 synch vectors, including 3 broadcast and 2 collectors
Behaviour Verification (1): Generating State Space
- Tool: CADP toolset, explicit state space representation, distributed state generation (on-the-fly partial order reduction), compositional minimization, (regular μ-calculus) model-checker.
- Brute force generation:
  - Initiator: 3 163 states / 152 081 transitions; minimized: 54 / 1 489; idem: 11
  - Full system: 170 K / 1 646 K; minimized: 458 / 1 284; idem: 406
  - Group of 3 participants: > 10^11 states
- Compositional generation:
  - The biggest intermediate structure has ~ 3000 states before reduction.
  - A group of 3 (reduced) participants would be 90^3 = 800 000 states.
- Distributed verification: cluster-based state-space generation + verification task workflow
Behaviour Verification (2): Proving properties
These experiments have been done while developing the semantic encoding, so we had real opportunities to find bugs (and we did).
Properties proved (regular μ-calculus, specification patterns):
- Reachability and progress:
  - <True*.T_CollateResult(false)> True
  - <True*.R_Suggest(i,b)> True
- Inevitability: After !Q_Suggest(id) Eventually !Q_Cancel(.) ∨ !Q_Validate(.)
- Boundedness:
  - <True*.Error> True (with queues of length 1)
  - [True*.Error] False (with queues of length 2)
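An added worked example, not from the deck nor from CADP: a constructed toy model of the rendez-vous agreement (broadcast Suggest, asynchronous yes/no replies, Validate or Cancel, acknowledgements) over bounded request queues, with a brute-force explicit-state exploration in the spirit of slide (1). It checks the boundedness property of slide (2) (is the Error state, a queue overflow, reachable for bound k?) and the inevitability property (every terminal run ends in Validate or Cancel with all participants done). The interleaving semantics and the state counts are those of this simplified model, not the pNets encoding of the case study.

```python
ERROR = "ERROR"          # distinguished state: some bounded request queue overflowed

def push(q, msg, k):
    """Enqueue msg on tuple-queue q; None means bound k would be exceeded."""
    return None if len(q) >= k else q + (msg,)

def successors(s, n, k):
    """Interleaving semantics of the toy protocol: n participants, queue bound k.
    State: (init_phase, init_queue, replies, participant_phases, participant_queues)."""
    ip, iq, rep, pp, pq = s
    out = []
    if ip == "idle":                              # !Suggest(date) broadcast to the group
        qs = tuple(push(q, "Suggest", k) for q in pq)
        out.append(ERROR if None in qs else ("wait", iq, rep, pp, qs))
    if ip == "wait" and iq:                       # ?Suggest(i,b): serve one reply
        rep2, iq2 = rep + (iq[0],), iq[1:]
        if len(rep2) < n:
            out.append(("wait", iq2, rep2, pp, pq))
        else:                                     # all replied: !Validate iff every b is true
            verdict = "Validate" if all(b for _, b in rep2) else "Cancel"
            qs = tuple(push(q, verdict, k) for q in pq)
            out.append(ERROR if None in qs else (verdict, iq2, rep2, pp, qs))
    for i in range(n):                            # participants act independently
        if not pq[i]:
            continue
        msg, pq2 = pq[i][0], pq[:i] + (pq[i][1:],) + pq[i + 1:]
        if msg == "Suggest":
            for b in (True, False):               # asynchronous yes/no answer
                iq2 = push(iq, (i, b), k)         # replies can pile up in the initiator's queue
                pp2 = pp[:i] + ("replied",) + pp[i + 1:]
                out.append(ERROR if iq2 is None else (ip, iq2, rep, pp2, pq2))
        else:                                     # Validate/Cancel: acknowledge (R_Validate)
            out.append((ip, iq, rep, pp[:i] + ("done",) + pp[i + 1:], pq2))
    return out

def explore(n, k):
    """Brute-force reachable states. Returns (state count, Error reachable,
    every terminal state is a decided run with all participants done)."""
    init = ("idle", (), (), ("idle",) * n, ((),) * n)
    seen, todo, decided = {init}, [init], True
    while todo:
        s = todo.pop()
        nxt = successors(s, n, k)
        if not nxt:                               # terminal state: inevitability check
            decided &= s[0] in ("Validate", "Cancel") and all(p == "done" for p in s[3])
        todo.extend(t for t in nxt if t not in seen and t != ERROR)
        seen.update(nxt)
    return len(seen), ERROR in seen, decided
```

In this model the initiator's queue must hold one reply per participant, so with 2 participants a bound of 1 makes Error reachable and a bound of 2 does not.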
Conclusions
- Starting point: the pNets model for behavioural semantics
  - Semantic model for hierarchical, parameterized asynchronous systems
  - Flexible, expressive and compact
- We have defined the semantics of: active objects, Fractal components, asynchronous components, group communication, component reconfiguration…
- Tool support for (graphical) architecture specification, bridges to model-checking tool sets.
- This presentation summarizes our recent work on extensions for group communication.
- Ongoing work on component reconfiguration…
Perspectives for MCorePhP
- Extensions: generation of behaviour models (pNets) for the MultiCore extensions
- Tool support:
  - Scripting languages for distributed model-checking
  - Specialized model-checking engines for specific classes of infinite systems, e.g. unbounded FIFO channels
- Code generation:
  - From architecture and behaviour diagrams … to ADL descriptions and GCM/ProActive code skeletons
  - Only generate the control part of the code, and protect it from user modifications: guarantee safety/liveness properties.
Thank you • 谢谢
Papers, use-cases and tools, position offers at: http://www-sop.inria.fr/oasis/Vercors
(Backup slide: distributed verification task workflow; diagram labels recovered below.)
- Task 1: Book nodes; Prepare nodes; Build GCF (Config1.gcf, Config2.gcf, InitiatorOptim.fcr, Participant.fcr)
- Task 2.1: Compile client; Generate state space (Flac + Distributor -> InitiatorOptim.bcg)
- Task 2.2: Compile server; Generate state space (Flac + Distributor -> Participant.bcg)
- Task 2.3: Merge sources (SVL, Participant$K[i].svl)
- Task 3: Rename Participants (Participant$K[i].bcg)
- Task 4: Build product; Minimization (System.exp, BCG tools -> SystemMin.bcg)
The Vercors Specification and Verification Platform (middle term)
(Architecture diagram; components recovered from the labels:)
- Vercors Graphical Editor (Eclipse plugin) -> JDC Specification
- JDC Specification -> ADL/IDL (final), Formula, pNets/Fiacre
- Code Generator -> Java Skeletons + Business code -> GCM/ProActive Runtime
- Model Generator -> Finite model -> Prover
- Formula Compiler -> Prover