177 research outputs found

    Towards Big Biology: high-performance verification of large concurrent systems

    Bal, H.E. [Promotor]; Fokkink, W.J. [Promotor]; Kielmann, T. [Copromotor]

    Specification and Test of Real-Time Systems


    Reasoning about Programs With Effects

    Abstract: This note presents a summary of my research on reasoning about programs with effects. This work has been carried out in collaboration with several colleagues over roughly the past ten years. The work has had two major sub-themes: reasoning about functional programs extended with imperative features; and reasoning about components of open distributed systems. Functional programming languages extended with imperative features include languages like Scheme and ML as well as object-based languages such as Java. This work has focused on operationally based semantics and formalisms for specifying and reasoning about such programs. The work on components of open distributed systems has been based on the actor model of computation and has focused on developing semantic models for modular specification and composition of actor systems.

    Formalization and Correctness of the PALS Architectural Pattern for Distributed Real-Time Systems

    Many Distributed Real-Time Systems (DRTS), such as integrated modular avionics systems and distributed control systems in motor vehicles, are made up of a collection of components communicating asynchronously among themselves and with their environment that must change their state and respond to environment inputs within hard real-time bounds. Such systems are often safety-critical and need to be certified; but their certification is currently very hard due to their distributed nature. The Physically Asynchronous Logically Synchronous (PALS) architectural pattern can greatly reduce the design and verification complexities of achieving virtual synchrony in a DRTS. This work presents a formal specification of PALS as a formal model transformation that maps a synchronous design, together with a set of performance bounds of the underlying infrastructure, to a formal DRTS specification that is semantically equivalent to the synchronous design. This semantic equivalence is proved, showing that the formal verification of temporal logic properties of the DRTS can be reduced to their verification on the much simpler synchronous design. An avionics system case study is used to illustrate the usefulness of PALS for formal verification purposes.
    unpublished; not peer reviewed

    A direct path to dependable software

    What would it take to make software more dependable? Until now, most approaches have been indirect: some practices – processes, tools or techniques – are used that are believed to yield dependable software, and the argument for dependability rests on the extent to which the developers have adhered to them. This article argues instead that developers should produce direct evidence that the software satisfies its dependability claims. The potential advantages of this approach are greater credibility (since the argument is not contingent on the effectiveness of the practices) and reduced cost (since development resources can be focused where they have the most impact).

    Verification of interconnects


    The Architecture and Programming of a Fine-Grain Multicomputer

    The research presented in this thesis was conducted in the context of the Mosaic C, an experimental, fine-grain multicomputer. The objective of the Mosaic experiment was to develop a concurrent-computing system with maximum performance per unit cost, while still retaining a general-purpose application span. A stipulation of the Mosaic project was that the complexity of a Mosaic node be limited by the silicon complexity available on a single VLSI chip. The two most important original results reported in the thesis are: (1) The design and implementation of C+-, a concurrent, object-oriented programming system. Syntactically, C+- is an extension of C++. The concurrent semantics of C+- are contained within the process concept. A C+- process is analogous to a C++ object, but it is also an autonomous computing agent, and a unit of potential concurrency. Atomic single-process updates that can be individually enabled and disabled are the execution units of the concurrent computation. The limited set of primitives that C+- provides is shown to be sufficient to express a variety of concurrent-programming problems concisely and efficiently. An important design requirement for C+- was that efficient implementations should exist on a variety of concurrent architectures, and, in particular, on the simple and inexpensive hardware of the Mosaic node. The Mosaic runtime system was written entirely in C+-. (2) Pipeline synchronization, a novel, generally-applicable technique for hardware synchronization. This technique is a simple, low-cost, high-bandwidth, high-reliability solution to interfaces between synchronous and asynchronous systems, or between synchronous systems operating from different clocks. The technique can sustain the full communication bandwidth and achieve an arbitrarily low, non-zero probability of synchronization failure, Pf, with the price in both latency and chip area being O(log 1/Pf). Pipeline synchronization has been successfully applied to the high-performance inter-computer communication in Mosaic node ensembles.
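    A sketch, added here and not taken from the thesis, of why the latency and area cost of a pipeline synchronizer grows as O(log 1/Pf). It assumes the standard metastability model (an assumption of this sketch, not a claim of the abstract): a bistable element that is sampled while changing and then left to settle for time t is still unresolved with probability

    \[ P_{\text{fail}}(t) \approx P_0\, e^{-t/\tau}, \]

    where \(P_0\) is the per-event probability of entering metastability and \(\tau\) the element's resolution time constant. In a k-stage pipeline synchronizer each stage gives the value one further clock period \(T_c\) to settle, so the failure probability at the output is

    \[ P_f \approx P_0\, e^{-k T_c/\tau} \quad\Longrightarrow\quad k \approx \frac{\tau}{T_c}\ln\frac{P_0}{P_f} = O\!\left(\log \frac{1}{P_f}\right). \]

    Latency is k clock periods and area is k stages, which is the O(log 1/Pf) price stated in the abstract; throughput is unaffected because every stage accepts a new value each cycle. The practical check is that \(P_f\) can be driven as low as required but never to zero, since \(e^{-kT_c/\tau} > 0\) for every finite k.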

    Prescriptive Semantics For Big-Step Modelling Languages

    With the popularity of model-driven methodologies and the abundance of modelling languages, a major question for a modeller is: Which language is suitable for modelling a system under study? To answer this question, one not only needs to know the range of relevant languages for modelling the system under study, but also needs to be able to compare these languages. In this dissertation, I consider these challenges from a semantic point of view for a diverse range of behavioural modelling languages that I refer to as the family of Big-Step Modelling Languages (BSMLs). There is a plethora of BSMLs, including statecharts, its variants, SCR, un-clocked variants of synchronous languages (e.g., Esterel and Argos), and reactive modules. BSMLs are often used to model systems that continuously interact with their environments. In a BSML model, the reaction of the model to an environmental input is a big step, which consists of a sequence of small steps, each of which can be the concurrent execution of a set of transitions. To provide a systematic method to understand and compare the semantics of BSMLs, this dissertation introduces the big-step semantic deconstruction framework that deconstructs the semantic design space of BSMLs into eight high-level, independent semantic aspects together with the enumeration of the common semantic options of each semantic aspect. The dissertation also presents a comparative analysis of the semantic options of each semantic aspect to assist one to choose one semantic option over another. A key idea in the big-step semantic deconstruction is that the high-level semantic aspects in the deconstruction recognize a big step as a whole, rather than only considering its constituent transitions operationally. A novelty of the big-step semantic deconstruction is that it lends itself to a systematic semantic formalization of most of the languages in the deconstruction. 
The dissertation presents a parametric, formal semantic definition method whose parameters correspond to the semantic aspects of the deconstruction, and thus it produces prescriptive semantics: The manifestation of a semantic option in the semantics of a BSML can be clearly identified. The way transitions are ordered to form a big step in a BSML is a source of semantic complexity: A modeller needs to be aware of the possible orders of the execution of transitions when constructing and analyzing a model. The dissertation introduces three semantic quality attributes that each exempts a modeller from considering an aspect of ordering in big steps. The ranges of BSMLs that support each of these semantic quality attributes are formally specified. These specifications indicate that achieving a semantic quality attribute in a BSML is a cross-cutting concern over the choices of its different semantic options. The semantic quality attributes together with the semantic analysis of individual semantic options can be used in tandem to assist a modeller or a semanticist to compare two BSMLs or to create a new, desired BSML from scratch. Through the big-step semantic deconstruction, I have discovered that some of the semantic aspects of BSMLs can be uniformly described as forms of synchronization. The dissertation presents a general synchronization framework for behavioural modelling languages. This framework is based on a notion of synchronization between transitions of complementary roles. It is parameterized by the number of interactions a transition can take part in, i.e., one vs. many, and the arity of the interaction mechanisms, i.e., exclusive vs. shared, which are considered for the complementary roles to result in 16 synchronization types. To enhance BSMLs with the capability to use the synchronization types, a synchronizer syntax is introduced for BSMLs, resulting in the family of Synchronizing Big-Step Modelling Languages (SBSMLs). 
    Using the expressiveness of SBSMLs, the dissertation shows that the semantics of many modelling constructs, such as multi-source, multi-destination transitions, various composition operators, and workflow patterns, rest on a notion of synchronization that can be systematically modelled in SBSMLs.

    An asynchronous low-power 80C51 microcontroller
