Model Checking Paxos in Spin

We present a formal model of a distributed consensus algorithm in the executable specification language Promela extended with a new type of guards, called counting guards, needed to implement transitions that depend on majority voting. Our formalization exploits abstractions that follow from reduction theorems applied to the specific case-study. We apply the model checker Spin to automatically validate finite instances of the model and to extract preconditions on the size of quorums used in the election phases of the protocol.Comment: In Proceedings GandALF 2014, arXiv:1408.556

Verification of Sometimes Termination of Lazy-Bounded Declarative Distributed Systems

Declarative Distributed Systems (DDSs) are distributed systems grounded in logic programming. Although DDS model-checking is undecidable in general, we detect decidable cases by tweaking the data-source bounds, the message expressiveness, and the channel type.Comment: Published in the online proceedings of the ESSLLI 2021 Student Sessio

Improvements on handling design errors in communication protocols.

With the rapid development of the Internet and distributed systems, communication protocols play a more and more important role. The correctness of the design of these communication protocols becomes crucial especially when critical applications are concerned. Common logical design errors in communication protocols include deadlock states, unspecified receptions, channel overflow, non-executable transitions, etc. Such design errors can be removed via protocol synthesis, or be detected through reachability analysis. The former may introduce more states and transitions than needed and the latter suffers from state space explosion problem. Here we present an improvement on existing technique to transform a protocol design into a deadlock-free one where the number of introduced new states and transitions can be considerably reduced. We also propose a sound reduction technique on a class of protocol designs to significantly reduce their sizes in order to perform reachability analysis.Dept. of Computer Science. Paper copy at Leddy Library: Theses & Major Papers - Basement, West Bldg. / Call Number: Thesis2005 .D83. Source: Masters Abstracts International, Volume: 44-03, page: 1399. Thesis (M.Sc.)--University of Windsor (Canada), 2005

Static analysis of unbounded structures in object-oriented programs

In this thesis we investigate different techniques and formalisms to address complexity introduced by unbounded structures in object-oriented programs. We give a representation of a weakest precondition calculus for abstract object creation in dynamic logic. Based on this calculus we define symbolic execution including abstract object creation. We investigate the complex behaviour introduced by multi-threading and give a formalism based on the transformation of multi-threaded reentrant call-graphs to thread automata and the application of context free language reachability to decide deadlock freedom of such programs. We give a formalisation of the observable interface behaviour of a concurrent, object-oriented language with futures and promises. The calculus captures the core of the Creol language and allows for a comparison with the concurrency model of thread-based, object-oriented languages like Java or C#. We give a technique to detect deadlock freedom for an Actor-like subset of the Creol language. LEI Universiteit LeidenThe work in this thesis has been carried out at the Christian-Albrechts--Universität zu Kiel, the Centrum Wiskunde & Informatica (CWI), and the Universiteit Leiden. The research was partially funded by the EU-project IST- 33826 Credo: Modeling and analysis of evolutionary structures for distributed services; the EU-project FP7-231620 HATS: Highly Adaptable and Trustworthy Software using Formal Methods; and the German-Norwegian DAAD-NWO exchange project Avabi (Automated validation for behavioral interfaces of asynchronous active objects).Algorithms and the Foundations of Software technolog

Separation of distributed coordination and control for programming reliable robotics

A robot's code needs to sense the environment, control the hardware, and communicate with other robots. Current programming languages do not provide the necessary hardware platform-independent abstractions, and therefore, developing robot applications require detailed knowledge of signal processing, control, path planning, network protocols, and various platform-specific details. Further, porting applications across hardware platforms becomes tedious. With the aim of separating these hardware dependent and independent concerns, we have developed Koord: a domain specific language for distributed robotics. Koord abstracts platform-specific functions for sensing, communication, and low-level control. Koord makes the platform-independent control and coordination code portable and modularly verifiable. It raises the level of abstraction in programming by providing distributed shared memory for coordination and port interfaces for sensing and control. We have developed the formal executable semantics of Koord in the K framework. With this symbolic execution engine, we can identify proof obligations for gaining high assurance from Koord applications. Koord is deployed on CyPhyHouse---a toolchain that aims to provide programming, debugging, and deployment benefits for distributed mobile robotic applications. The modular, platform-independent middleware of CyPhyHouse implements these functionalities using standard algorithms for path planning (RRT), control (MPC), mutual exclusion, etc. A high-fidelity, scalable, multi-threaded simulator for Koord applications is developed to simulate the same application code for dozens of heterogeneous agents. The same compiled code can also be deployed on heterogeneous mobile platforms. This thesis outlines the design, implementation and formalization of the Koord language and the main components of CyPhyHouse that it is deployed on

A Colored Petri Net-Based Approach for Automated Deadlock Detection in Parallel Programs

A static analysis approach is proposed for automated detection of deadlocks in a common class of parallel programs, referred to as Single Code Multiple Data (SCMD) programs. It is based on colored Petri net (CP-net) modeling and reachability analysis, where colors correspond to parallel processes. An SCMD program is first translated into a CP-net and a reachability tree is then derived and analyzed for deadlock information. CP-subnets representing basic programming language constructs are described. These subnets are employed as building blocks by an algorithm that translates synchronization-related statements of a process in an SCMD program and connects the resulting subnets. The connection technique makes use of the characteristics of SCMD programs to produce a unified and folded CP-net model. These characteristics are also used to introduce a notion, referred to as poset-covering, that leads to a reduced reachability tree for the Cp-net. The usual algorithm for generating and analyzing reachability trees of CP-nets is modified by including poset-covering and excluding notions that are irrelevant to our application. The compactness of the CP-net model and the reachability tree makes the proposed approach appealing for practical implementation

Parameterized verification and repair of concurrent systems

In this thesis, we present novel approaches for model checking, repair and synthesis of systems that may be parameterized in their number of components. The parameterized model checking problem (PMCP) is in general undecidable, and therefore the focus is on restricted classes of parameterized concurrent systems where the problem is decidable. Under certain conditions, the problem is decidable for guarded protocols, and for systems that communicate via a token, a pairwise, or a broadcast synchronization. In this thesis we improve existing results for guarded protocols and we show that the PMCP of guarded protocols and token passing systems is decidable for specifications that add a quantitative aspect to LTL, called Prompt-LTL. Furthermore, we present, to our knowledge, the first parameterized repair algorithm. The parameterized repair problem is to find a refinement of a process implementation p such that the concurrent system with an arbitrary number of instances of p is correct. We show how this algorithm can be used on classes of systems that can be represented as well structured transition systems (WSTS). Additionally we present two safety synthesis algorithms that utilize a lazy approach. Given a faulty system, the algorithms first symbolically model check the system, then the obtained error traces are analyzed to synthesize a candidate that has no such traces. Experimental results show that our algorithm solves a number of benchmarks that are intractable for existing tools. Furthermore, we introduce our tool AIGEN for generating random Boolean functions and transition systems in a symbolic representation.In dieser Arbeit stellen wir neuartige Ans atze für das Model-Checking, die Reparatur und die Synthese von Systemen vor, die in ihrer Anzahl von Komponenten parametrisiert sein können. Das Problem des parametrisierten Model-Checking (PMCP) ist im Allgemeinen unentscheidbar, und daher liegt der Fokus auf eingeschränkten Klassen parametrisierter synchroner Systeme, bei denen das Problem entscheidbar ist. Unter bestimmten Bedingungen ist das Problem für Guarded Protocols und für Systeme, die über ein Token, eine Pairwise oder eine Broadcast-Synchronisation kommunizieren, entscheidbar. In dieser Arbeit verbessern wir bestehende Ergebnisse für Guarded Protocols und zeigen die Entscheidbarkeit des PMCP für Guarded Protocols und Token-Passing Systeme mit Spezifikationen in der temporalen Logik Prompt-LTL, die LTL einen quantitativen Aspekt hinzufügt. Darüber hinaus präsentieren wir unseres Wissens den ersten parametrisierten Reparaturalgorithmus. Das parametrisierte Reparaturproblem besteht darin, eine Verfeinerung einer Prozessimplementierung p zu finden, so dass das synchrone Systeme mit einer beliebigen Anzahl von Instanzen von p korrekt ist. Wir zeigen, wie dieser Algorithmus auf Klassen von Systemen angewendet werden kann, die als Well Structured Transition Systems (WSTS) dargestellt werden können. Außerdem präsentieren wir zwei Safety-Synthesis Algorithmen, die einen "lazy" Ansatz verwenden. Bei einem fehlerhaften System überprüfen die Algorithmen das System symbolisch, dann werden die erhaltenen "Gegenbeispiel" analysiert, um einen Kandidaten zu synthetisieren der keine solchen Fehlerpfade hat. Versuchsergebnisse zeigen, dass unser Algorithmus eine Reihe von Benchmarks löst, die für bestehende Tools nicht lösbar sind. Darüber hinaus stellen wir unser Tool AIGEN zur Erzeugung zufälliger Boolescher Funktionen und Transitionssysteme in einer symbolischen Darstellung vor