8 may 2008ipa lentedagen dynamic consistency in process algebra: from paradigm to acp suzana andova...

8 May 2008 IPA Lentedagen

Dynamic Consistency in Process Algebra: From Paradigm to ACP

Suzana Andova (FM TU/e)Luuk Groenewegen (LIACS Leiden Univ.)Erik de Vink (FM TU/e)

Suzana Andova, Luuk Groenewegen, Erik de Vink

Sheet 2 of 35

Outline Paradigm via two examples ACP and translation into ACP mCRL2 specification of the examples and results Conclusions


Sheet 3 of 35

Introduction

Paradigm: a coordination specification language


Sheet 4 of 35

Paradigm

Component

Component

Component

collaboration?


Sheet 5 of 35

Paradigm

Employee

Employee

Employee

Manager

subprocesses

= “phases”

global behaviour

trap

partition

= “particular view on the component”

= subprocesses + traps


Sheet 6 of 35

Running example

Client – Server (Critical section)1 Server and n clients trying to get service

Chosen way of modeling:Server = managerClients = employees


Sheet 7 of 35

Clients – detailed dynamics

With:Without: Interrupt:

AtDoor

Out Waiting

leave

enter

AtDoor

Out Waiting

leave

Waiting

BusyAtDoor

explain

thank

subprocesses

= “phases”

enter

thank

explainleave

Out Waiting

BusyAtDoor


Sheet 8 of 35

With:

Clients – from detailed to global dynamics

Without: Interrupt:

AtDoor

Out Waiting

notYet

Waiting

BusyAtDoor

explain

thankAtDoor

Out Waiting

triv

request

done

trap constraintsand

partition CS

enter

thank

explainleave

Out Waiting

BusyAtDoor


Sheet 9 of 35

With:

Clients – global dynamics in Paradigm

Without: Interrupt:

AtDoor

Out Waiting

notYet

Waiting

BusyAtDoor

enter

thank

explainleave

Out Waiting

BusyAtDoor

AtDoor

Out Waiting

triv

request

done

Without

With

Interrupt

notYet

triv

request

done

triv triv

Without

With

Interrupt

notYet

triv

request

done

notYet

triv

request

done

[request] Inte

rrup

t

[triv]

[notYet]Without

[triv]

[done]

[triv]

With done

notYet

request


Sheet 10 of 35

With:

Clients – consistency of detailed and global dynamics

Without: Interrupt:

AtDoor

Out Waiting

notYet

Waiting

BusyAtDoorAtDoor

Out Waiting

triv

request

donetriv triv

notYet

triv

request

done

[request] Inte

rrup

t

[triv]

[notYet]Without

[triv]

[done]

[triv]

With done

notYet

request


Sheet 11 of 35

Synchronizing composition – manager and employees

Client1 Client2 Client3

Client1(CS) Client2(CS) Client3(CS)

P r o t o c o l

Server

Collaboration CS

Employ1 Employn

Role1 Rolen

P r o t o c o l

ManagermManager1

. . .

. . .

. . .

Role21 Role2

m

P r o t o c o l

Manager2kManager2

1 . . . . . .

consistency rules


Sheet 12 of 35

Server as a manager – nondeterministic

Idle

Checking1

Helping1

check1 refuse

permit continue

Checkingn

Helpingn

checkn refuse

permit continue


Sheet 13 of 35

Consistency rules = consistent dynamics (ND server)

Idle

Checking1

Helping1

check1 refuse

permit continue

Checkingn

Helpingn

checkn refuse

permit continue

Without

With

Interrupt

notYet

triv

request

done


Sheet 14 of 35

Server as a manager – Round-robin


Sheet 15 of 35

Consistency rules = consistent dynamics (RR server)

Without

With

Interrupt

notYet

triv

request

done


Sheet 16 of 35

From Paradigm

. . . via ACP


Sheet 17 of 35

PA notions essential for Paradigm parallel composition Paradigm components run in parallel with communication (synchronization) function for consistency rules abstraction for different levels of abstraction in Paradigm equivalence relations for reasoning about Paradigm models

via PA to automated verification of Paradigm models using mCRL2 direct translation of ACP specification to mCRL2 language properties checking using model checking relating models using equivalence relations (e.g. branching bisimulation)

Why Process Algebra?


Sheet 18 of 35

Parametrized by Act and cf : Act x Act Act Operators: +, , ||, |, I,… Axioms: ax || by = a(x || by) + b(ax || y) + cf(a,b)(x || y) Recursive specifications:

Outi = enteri Waitingi

Waitingi = explaini Busyi

Busyi = thanki AtDoori

AtDoori = leavei Outi

ACP in one slide


Sheet 19 of 35

TranslationnotYet

triv

request

done

Inte

rrup

t

Without

With

Client1 Client2 Client3

Client1(CS) Client2(CS) Client3(CS)P r o t o c o l

Server

?


Sheet 20 of 35

Translation (cont.) notYet

triv

request

done

Inte

rrup

t

Without

With

- Can I do “enter” and start waiting?- Yes, it is ok!(enter) / No

- Are you waiting at “Waiting” so I can do “request”?- Yes, at!(Waiting) / No


Sheet 21 of 35

Translation (cont.) Clienti:

NDServer:

Clienti(CS):

notYet

triv

request

done

Inte

rrup

t

Without

With


Sheet 22 of 35

Translation (cont.) Communication:

Collaboration process:

CSNDet = ( Client1 || Client1(CS) || …|| Clientn || Clientn(CS) || NDServer)


Sheet 23 of 35

Translation (cont. RRServer) Clienti:

Clienti(CS):

RRServer:


Sheet 24 of 35

Translation (cont.) Communication:


CSRR = ( Client1 || Client1(CS) || …|| Clientn || Clientn(CS) || RRServer)


Sheet 25 of 35

From Paradigm

. . . via ACP

. . . to mCRL2


Sheet 26 of 35

mCRL2 specification CSNDet


Sheet 27 of 35

Clienti(CS):


Sheet 28 of 35


CSNDet = ( Client1 || Client1(CS) || …|| Client3 || Client3(CS) || NDServer)


Sheet 29 of 35

CSNDet – properties checking%% never two clients in critical section (valid) [ true* . ok(A,explain) . (!ok(A,thank))* . ok(B,explain) ] false

%% the same from server point of view (valid) [ true* . sync(permit,A,request) . (!sync(continue,A,done))* .

sync(permit,B,request) ] false

%% two clients may approach the critical section (valid) < true* . ok(A,enter) . (!ok(A,thank))* . ok(B,enter) > true

%% fair reachability of critical section (valid) [ true* . ok(A,enter) . (!ok(A,thank))* ] < true* . ok(A,thank) > true

%% general reachability of critical section (not valid) [ true* . ok(A,enter) ] mu X . [ !ok(A,thank) ] X


Sheet 30 of 35

CSNDet – equivalent behaviour

%% file ndserver-spec.mcrl2%% non-deterministic server for 3 clientssort CName = struct A | B | C ;act incs, outcs : CName ;proc Idle = sum i:CName . tau . CritSection(i) ; CritSection(i:CName) = incs(i) . outcs(i) . Idle ;init Idle ;


Sheet 31 of 35

CSRR – properties checking%% never two clients in critical section (valid) [ true* . ok(A,explain) . (!ok(A,thank))* . ok(B,explain) ] false

%% the same from server point of view (valid) [ true* . sync(permit,A,request) . (!sync(continue,A,done))* .

sync(permit,B,request) ] false

%% two clients may approach the critical section (valid) < true* . ok(A,enter) . (!ok(A,thank))* . ok(B,enter) > true

%% fair reachability of critical section (valid) [ true* . ok(A,enter) . (!ok(A,thank))* ] < true* . ok(A,thank) > true

%% general reachability of critical section (valid) [ true* . ok(A,enter) ] mu X . [ !ok(A,thank) ] X


Sheet 32 of 35

CSRR – equivalent behaviour


Sheet 33 of 35

CSRR for n=2


Sheet 34 of 35

After abstraction

from internal activity

B requested entrance to CS


Sheet 35 of 35

CSRR for n=3

#st=270#tr = 684


Sheet 36 of 35

After abstraction

from internal activity#st = 28#tr = 60


Sheet 37 of 35

CSRR for n=4

#st = 1080#tr = 3456

for n=5 #states = 4050, #transitions=15660for n=6 #states = 14580, #transitions=66096


Sheet 38 of 35

After abstraction

from internal activity#st = 77#tr = 200

for n clients #states = (5x2n-2 -1)xn + 1


Sheet 39 of 35

Conclusions:

Paradigm models translated to ACP via ACP they can be analyzed formally mCRL2 used for our experiments

(small components may still produce a big state space to be analyzed)

Paradigm migration approach to self-adaptation Verification of self-adaptation straightforward

8 may 2008ipa lentedagen dynamic consistency in process algebra: from paradigm to acp suzana andova...

Documents

triv notyet triv request

vink sheet

notyet request slide

interrupt notyet triv

request interrupt triv

busy atdoor slide

atdoor outwaiting notyet

acp suzana andova fm