Generalising feature interactions in email

We report on a property-based approach to feature interaction analysis for a client-server email system. The model is based upon Hall's email model presented at FIW'00, but the implementation is at a lower level of abstraction, employing non-determinism and asynchronous communication; it is a challenge to avoid deadlock and race conditions. The analysis is more extensive in two ways: interaction analysis is fully automated, based on model-checking the entire state-space, and results are scalable, that is they generalise to email systems consisting of any number of email clients. Abstraction techniques are used to prove general results. The key idea is to model-check a system consisting of a constant number (m) of client processes, in parallel with a mailer process and an ``abstract'' process which represents the product of any number of other (unfeatured, isomorphic) client processes. We give a lower bound for the value of m. All of the models -- for any specified set of client processes and selected features -- are generated automatically using Perl scripts

Analysis and Verification of Service Interaction Protocols - A Brief Survey

Modeling and analysis of interactions among services is a crucial issue in Service-Oriented Computing. Composing Web services is a complicated task which requires techniques and tools to verify that the new system will behave correctly. In this paper, we first overview some formal models proposed in the literature to describe services. Second, we give a brief survey of verification techniques that can be used to analyse services and their interaction. Last, we focus on the realizability and conformance of choreographies.Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330

A model of actors and grey failures

Existing models for the analysis of concurrent processes tend to focus on fail-stop failures, where processes are either working or permanently stopped, and their state (working/stopped) is known. In fact, systems are often affected by grey failures: failures that are latent, possibly transient, and may affect the system in subtle ways that later lead to major issues (such as crashes, limited availability, overload). We introduce a model of actor-based systems with grey failures, based on two interlinked layers: an actor model, given as an asynchronous process calculus with discrete time, and a failure model that represents failure patterns to inject in the system. Our failure model captures not only fail-stop node and link failures, but also grey failures (e.g., partial, transient). We give a behavioural equivalence relation based on weak barbed bisimulation to compare systems on the basis of their ability to recover from failures, and on this basis we define some desirable properties of reliable systems. By doing so, we reduce the problem of checking reliability properties of systems to the problem of checking bisimulation

Typing actors using behavioural types

The actor model of computation assists and disciplines the development of concurrent programs by forcing the software engineer to reason about high-level concurrency abstractions. While this leads to a better handling of concurrency-related issues, the model itself does not exclude erratic program behaviours. In this paper we consider the actor model and investigate a type-based static analysis to identify actor systems which may behave erraticly during runtime. We consider the notion of behavioural types and consider issues related to the nature of the actor model including non-determinism, multi-party communication, dynamic actor spawning, non-finite computation and a possibly changing communication topology, which we contrast with existing works.peer-reviewe

Towards a Framework for Developing Mobile Agents for Managing Distributed Information Resources

Distributed information management tools allow users to author, disseminate, discover and manage information within large-scale networked environments, such as the Internet. Agent technology provides the flexibility and scalability necessary to develop such distributed information management applications. We present a layered organisation that is shared by the specific applications that we build. Within this organisation we describe an architecture where mobile agents can move across distributed environments, integrate with local resources and other mobile agents, and communicate their results back to the user

Robust Communications in Erlang

Erlang is a dynamically-typed functional and concurrent programming language lauded by its proponents for its relatively simple syntax, process isolation, and fault tolerance. The functional aspect has rich features like pattern matching and tail-call optimisation, while the concurrent aspect uses isolated processes and asynchronous message passing to share state between system components. The two meet with pattern matching on mailboxes, which allows for a process to pick a message from its mailbox - potentially out of order - based on its structure, value, type, or a mixture thereof. A strongly and dynamically typed language like Erlang can experience many kinds of runtime errors, such as ill-typed operands to arithmetic operators. The interaction between Erlang's type system and process mailboxes can lead to a more subtle runtime error which is harder to detect: orphan messages. As the types of messages are not checked either at compile time or runtime, a process can be sent a message which it will never receive. Essentially, non-trivial type discrepancies in Erlang programs can cause subtle bugs when communication is involved. These problems can be hard to detect and fix, with current solutions such as extensive testing and exhaustive model checking. This thesis reports on work to detect communication-related type discrepancies in Erlang programs. A fragment of the Core Erlang intermediate format is modelled formally so that we can reason about the out-of-order communication in Erlang systems, particularly the dependencies between sent messages when determining whether orphan messages exist. Afterwards, a sub-typing relation based on Erlang's type system is introduced to clearly define the notion of an orphan message, forming the foundation of a system for automatic detection via a mix of static analysis and runtime verification. This culminates in automatic tooling to detect certain cases of communication discrepancies via static analysis, and automatic instrumentation of concurrent programs to detect and recover from more complicated cases at runtime

Multiparty session types for dynamic verification of distributed systems

In large-scale distributed systems, each application is realised through interactions among distributed components. To guarantee safe communication (no deadlocks and communication mismatches) we need programming languages and tools that structure, manage, and policy-check these interactions. Multiparty session types (MPST), a typing discipline for structured interactions between communicating processes, offers a promising approach. To date, however, session types applications have been limited to static verification, which is not always feasible and is often restrictive in terms of programming API and specifying policies. This thesis investigates the design and implementation of a runtime verification framework, ensuring conformance between programs and specifications. Specifications are written in Scribble, a protocol description language formally founded on MPST. The central idea of the approach is a dynamic monitor, which takes a form of a communicating finite state machine, automatically generated from Scribble specifications, and a communication runtime stipulating a message format. We extend and apply Scribble-based runtime verification in manifold ways. First, we implement a Python library, facilitated with session primitives and verification runtime. We integrate the library in a large cyber-infrastructure project for oceanography. Second, we examine multiple communication patterns, which reveal and motivate two novel extensions, asynchronous interrupts for verification of exception handling behaviours, and time constraints for enforcement of realtime protocols. Third, we apply the verification framework to actor programming by augmenting an actor library in Python with protocol annotations. For both implementations, measurements show Scribble-based dynamic checking delivers minimal overhead and allows expressive specifications. Finally, we explore a static analysis of Scribble specifications as to efficiently compute a safe global state from which a monitored system of interacting processes can be recovered after a failure. We provide an implementation of a verification framework for recovery in Erlang. Benchmarks show our recovery strategy outperforms a built-in static recovery strategy, in Erlang, on a number of use cases.Open Acces

Meta-level engineering for debugging asynchronous applications in JavaScript

Treball fet a la Vrije Universiteit Brussel (VUB), Faculty of Computer ScienceThis thesis presents a reflective model that we call MIAJ-Meta-level Infrastructure for Asynchronous JavaScript Applications. It is designed for giving support in debugging asynchronous JavaScript programs, and overcoming the challenges of debugging applications based on communicating event-loops

Special Delivery: Programming with Mailbox Types (Extended Version)

The asynchronous and unidirectional communication model supported by mailboxes is a key reason for the success of actor languages like Erlang and Elixir for implementing reliable and scalable distributed systems. While many actors may send messages to some actor, only the actor may (selectively) receive from its mailbox. Although actors eliminate many of the issues stemming from shared memory concurrency, they remain vulnerable to communication errors such as protocol violations and deadlocks. Mailbox types are a novel behavioural type system for mailboxes first introduced for a process calculus by de'Liguoro and Padovani in 2018, which capture the contents of a mailbox as a commutative regular expression. Due to aliasing and nested evaluation contexts, moving from a process calculus to a programming language is challenging. This paper presents Pat, the first programming language design incorporating mailbox types, and describes an algorithmic type system. We make essential use of quasi-linear typing to tame some of the complexity introduced by aliasing. Our algorithmic type system is necessarily co-contextual, achieved through a novel use of backwards bidirectional typing, and we prove it sound and complete with respect to our declarative type system. We implement a prototype type checker, and use it to demonstrate the expressiveness of Pat on a factory automation case study and a series of examples from the Savina actor benchmark suite.Comment: Extended version of paper accepted to ICFP'2

From CRSM to a Tasking Design

This paper introduces elements to facilitate crossing of the gap between analysis and design in the case of real-time applications relying on multitasking operating system. The chosen specification method is based on the use of Shaw’s CRSM (Communicating Real-Time States Machines) and our purpose is to put the basis of a method for an easier translation of a CRSM-based modelling of a system into a real-time multitasking execution model. In order to do this, we present guidelines for translating the basic constructs of a CRSM model (communicating machines, channels, transitions) into programs involving the usual objects and primitives found in off-the shelf real-time multitasking operating systems (tasks or threads, message passing, event signalling ...). The guidelines are illustrated with the classical specification example of the Martian Lander. The aim is to overcome the gap between a specification made with the CRSM and a multitasking execution model: this will then enable good possibilities for verification. The specification can be executed and the design can be verified for correctness (liveliness, safety). Eventually, a comparison between the behaviour of the specified model and that of the target program can be made