case studies of pota hong, shin 2016-01-10 1 / 38 hong,shin@pswlab,kaist

Case Studies of POTA


Hong, Shin

23年 4月 21日

1 / 38Hong,Shin@PSWLab,KAIST


Contents

• Introduction– POTA

• Case study #1 : Distributed Dining Philosophers• Case study #2 : General Inter-ORB Protocol (GIOP)• Conclusion• Further Study

23年 4月 21日



Introduction 1/4

• The importance of Software is getting increased.Quality assurance of the software is very important today.

• To assure correctness of a software,– Traditional Testing– Formal verification

These are generally infeasible for a system with a large number of components and concurrency.

• Trace Analyzer– Specify requirements in formal language.– Extract status of process while a target program is executing.– Verify whether the trace is satisfied against a given formal

requirement.

23年 4月 21日



Introduction 2/4

• POTA : Partial Order Trace Analyzer• Target on distributed programs.• Use RCTL+ which is a subset of CTL to specify

the requirements.• Use partial order trace as simulation model.

23年 4月 21日

Hong,Shin@PSWLab,KAIST 4 / 38


Introduction 3/4

• Partial Order

- A partial order R, events a, b, c, we have that:

a R a

if a R b and b R a then a = b

if a R b and b R c then a R c

23年 4月 21日



Introduction 4/4

Partial Order Trace Analysis

(1) Specify formal requirement of a system.

(2) Extract interesting temporal relations between

processes as partial order traces.

(3) Create partial order trace with respect to extracted

information.

(4) Check whether partial order traces satisfy the

requirement or not (simulating total order traces).

23年 4月 21日



Distributed Dining Philosophers1/24Dining Philosophers• Behavior of a Philosopher: Think, and eat continously.• Philosopher must hold two forks in both hands to eat• Philosophers are sitting in circular table.• Every Philosopher shares forks;

one with left side Philosopher and

another with right side Philosopher.• No starvation for any Philosopher.

23年 4月 21日



Distributed Dining Philosophers 2/24

Dining Philosophers in distributed system

• Every Philosopher has its own servant and sends the

message of hunger to him.

• A servant sends messages to two neighbor servants.

; Messages of acquiring a fork and passing a fork.

• As Philosopher eats, forks that are used become dirty.

• Servant cleans a fork whenever he pass it to another

servant.

23年 4月 21日




23年 4月 21日




Implementation in Concurrent Programming: The Java Programming Language by S. Hartley

//message types

class Hungry {} //Philosopher to servant

class NeedL {} // servant to servant

class NeedR {}

class PassL {}

class PassR {}

23年 4月 21日




23年 4月 21日


• Behavior of a Philosopher to its Servant


Distributed Dining Philosophers 6/24Behavior of a Philosopher

class Philosopher implements Runnable {int id ;public void run() {

while (true) {think() ; myServant.takeForks(id) ;eat() ;myServant.putForks(id) ;

}}

}

23年 4月 21日



Distributed Dining Philosophers 7/24class Servant implemented Runnable {

private AsyncConditionalMessagePassing myChannel ;

private BinarySemaphore sem_eat ;

private BinarySemaphore sem_releaseForks ;

public void takeForks(int id) {

myChannel.send(new Hungry()) ;

sem_eat.wait() ;

}

public void putForks(int id) {

sem_releaseForks.release() ;

}

}

23年 4月 21日



Distributed Dining Philosophers 8/24Behavior of Servant

23年 4月 21日




23年 4月 21日


if (!haveL) left_servant_channel.send(new NeedL()) ;if (!haveR) right_servant_channel.send(new NeedR()) ;while (!(haveL && haveR)) { msg = get_a_message() ; if (msg instanceof PassL) haveL=true;dirtyL=false; else if (msg instanceof PassR) haveR=true;dirtyR=false; else if (msg instanceof NeedR){ haveL=false; dirtyL=false; left_servant_channel.send(new PassL()) ; left_servant_channel.send(new NeedL()) ; } else if (msg instanceof NeedL){ haveR=false; dirtyR=false; right_servant_channel.send(new PassR()) ; right_servant_channel.send(new NeedR()) ; }}


Distributed Dining Philosophers 10/24class ServantCondition {

private boolean hungry = false ;private boolean dirtyL = false ;private boolean dirtyR = false ;

public boolean checkCondition(Object m)if (m instanceof Hungry) return true ;else if (!hungry)

return true ;else if (m instanceof PassL || m instanceof

PassR)return true ;

else if (m instanceof NeedL && dirtyR) return true ;

else if (m instanceof NeedR && dirtyL) return true ;

else return false ;}23年 4月 21

日Hong,Shin@PSWLab,KAIST 16 / 38


Distributed Dining Philosophers 11/24public static void main(String [] args) {

……

for (int i = 0 ; i < N_of_Philosopher ; i++)

servant[i].start() ;

for (int i = 0 ; i < N_of_Philosopher ; i++)

philosopher[i].start() ;

…… }

23年 4月 21日


……age()=170, Philosopher 4 is thinking for 52 msage()=220, Philosopher 4 wants to eat330 unhungry philosopher 3 sends left fork330 unhungry philosopher 0 sends right fork390 hungry philosopher 4 got right fork440 hungry philosopher 4 got left fork440 philosopher 4 has both forksage()=440, Philosopher 4 is eating for 1842 msage()=1210, Philosopher 1 wants to eat……



23年 4月 21日




• Computational Tree Logic(CTL)

– Path quantifier A: all full paths E: some full path– Temporal logic G:always F:eventually X:next time– Non-temporal predicates :

λ : C → P(AP) where AP is atomic propositions

AG(p), AF(p), EG(p), EF(p), EX(p), EX(p)[i] , AX(p) where p is a non-temporal predicate.

23年 4月 21日




• Properties– Safety Property

If a Philosopher is eating, any adjacent Philosophers can not start to eat.

- The complement of ∨i,j ∈ 0..(n-1) EF( eati ∧ eatj )

while i , j are adjacent to each other

– Liveness Property

If a Philosopher feels hungry, the Philosopher definitely will eat.

- The complement of ∨i ∈ 0..(n-1) EF( hungryi ∧ EG(¬eati ))

- AG(EF(eati))

23年 4月 21日




23年 4月 21日



Distributed Dining Philosophers 16/24• InstrumentationFor each internal/send/receive event, we generate a vector

clock and the values of the propositions in specification.

23年 4月 21日


class VectorClock {

int id, index, n_philosopher ;

public int [] vectorClock ;

private boolean think, hungry, eat ;

……

synchronized void send(int j, int [] sentVectorClock) ;

synchronized void local(boolean think, boolean hungry,

boolean eat) ;

synchronized void receive(int j, int[]

receivedVectorClock);

}


Distributed Dining Philosophers 17/24synch void send(int j, int[] sentVectorClock) {

increment() ; arrPrint(j, true) ; }

synch void local(boolean think, boolean hungry, boolean eat){

this.think=think;this.hungry=hungry;this.eat=eat;

increment() ; arrPrint(id, true) ; }

synch void receive(int j, int[] receivedVectorClock){

for (int k = 0 ; k < n_philosopher ; k++) {

vectorClock[k]=

MAX(vectorClock[k], receivedVectorClock[k]);

increment() ; arrPrint(j, false) ;}

23年 4月 21日



Distributed Dining Philosophers 18/24class Message {

public int id ;

public int [] vectorClock = null ;

Message(int id, vectorClock) {

this.id=id; this.vectorClock=vectorClock; }

}

class Hungry extends Message {

public Hungry(int id, int [] vc) {

super(id, vc) ;}

}

……

23年 4月 21日




private void think() {think = true ;idle_for_a_while() ;

}⇓

private void think() {think = true ; vectorClock.local(think, hungry, eat)

;idle_for_a_while() ;

}

23年 4月 21日



Distributed Dining Philosophers 20/24public void run() {

……msg = get_a_message() ;……

} ⇓

public void run() {……msg = get_a_message() ;vectorClock.receive(msg.id, msg.vectorClock) ;……

}

23年 4月 21日




< Lamport’s happens before relation >

For two distinguishable events e and f, e happens before f if and only if

(1) e occurs before f in the same process.

(2) e is sending a message and f is a receiving of that message.

(3) There exist e happens before g and g happens before f.

Events in the same process are totally ordered and events between different processes are partially ordered.

23年 4月 21日



Distributed Dining Philosophers 22/24• Result

{(0,0),[0,0,0],[0,0,0],[false,false,false]}3{(0,1),[1,0,0],[1,4,5],[true,false,false]}3{(0,2),[2,0,0],[2,4,5],[false,true,false]}3{(0,3),[3,0,0],[3,4,5],[false,false,true]}3{(0,4),[4,0,0],[4,4,5],[false,false,false]}3

…….{(1,0),[0,0,0],[0,0,0],[false,false,false]}3{(1,1),[0,1,0],[6,1,5],[true,false,false]}3{(1,2),[0,2,0],[6,2,5],[false,true,false]}3{(1,3),[0,3,0],[6,3,5],[false,true,false]}1{(1,4),[7,4,0],[13,4,6],[false,true,false]}2{(1,5),[7,5,0],[13,5,6],[false,false,true]}3{(1,6),[7,6,0],[13,6,6],[false,false,false]}3{(1,7),[7,7,3],[13,7,6],[false,false,false]}2{(1,8),[7,8,3],[13,8,6],[false,false,false]}1

…….{(2,0),[0,0,0],[0,0,0],[false,false,false]}3{(2,1),[0,0,1],[8,7,1],[true,false,false]}3{(2,2),[0,0,2],[8,7,2],[false,true,false]}3{(2,3),[0,0,3],[8,7,3],[false,true,false]}1{(2,4),[0,0,4],[8,10,4],[false,true,false]}1{(2,5),[9,3,5],[14,15,5],[false,true,false]}2{(2,6),[9,8,6],[14,15,6],[false,true,false]}2{(2,7),[9,8,7],[14,15,7],[false,false,true]}3{(2,8),[9,8,8],[14,15,8],[false,false,false]}3

23年 4月 21日




23年 4月 21日


1.4 GHz Pentium 4 machine running Linux, 512MB main memory

T: running time(sec) M: memory usage(MB)



Property 1 :

23年 4月 21日



GIOP 1/4

• General Inter-ORB Protocol(GIOP)

- ORB enables transparent client/server object interaction by linking potentially different systems.

- ORB is the middleware that establishes the client-server relationship between objects.

- GIOP is the standard protocol to allow communication of object invokation between objects.

- GIOP messages

Only client can send Request and CancelRequest

Only server can send Reply and CloseConnection

23年 4月 21日



GIOP 2/4• Requirements

i) After sending URequest message, a user should eventually receive the corresponding UReply message.

The complement of EF(URequestSenti^EG(¬UReplyReceivedi))

for all user i

ii) After sending an SRequest, the GIOP agent should receive a corresponding SReply

The complement of

EF(CRequestSenti^EG(¬CReplyReceivedi))

for all agent i

23年 4月 21日



GIOP 3/4

23年 4月 21日



GIOP 4/4

23年 4月 21日


1.4 GHz Pentium 4 machine running Linux, 512MB main memory

T: running time(sec) M: memory usage(MB)


Conclusion

• POTA is scalable in the number of concurrent process.• POTA is also scalable in the size of predicate

• POTA only works for distributed system.• Extracting Happen before relation automatically is

challenging.• Still can not prove the correctness of program.

23年 4月 21日



Further Study

• MaC

• HAWK and EAGLE

• More survey on Trace analyzer

23年 4月 21日



References[1] A Sen&V K. Garg, Partial Order Trace Analyzer for Distributed Programs,

2003.

[2] A Sen&V K.Garg, Formal Verification of Simulation Traces Using Computation Slicing, 2006.

[3] Formalization and validation of the General Inter-ORB Protocol(GIOP) using PROMELA and SPIN, Moataz Kamel&Stefan Leue, 2000.

23年 4月 21日



Discussion

23年 4月 21日


case studies of pota hong, shin 2016-01-10 1 / 38 hong,shin@pswlab,kaist

Documents