
    Model Checking Paxos in Spin

    We present a formal model of a distributed consensus algorithm in the executable specification language Promela, extended with a new type of guards, called counting guards, needed to implement transitions that depend on majority voting. Our formalization exploits abstractions that follow from reduction theorems applied to the specific case study. We apply the model checker Spin to automatically validate finite instances of the model and to extract preconditions on the size of quorums used in the election phases of the protocol. Comment: In Proceedings GandALF 2014, arXiv:1408.556

    The 2011 International Planning Competition

    After a three-year gap, the 2011 edition of the IPC involved a total of 55 planners, some of them versions of the same planner, distributed among four tracks: the sequential satisficing track (27 planners submitted out of 38 registered), the sequential multicore track (8 planners submitted out of 12 registered), the sequential optimal track (12 planners submitted out of 24 registered) and the temporal satisficing track (8 planners submitted out of 14 registered). Three more tracks were open to participation: temporal optimal, preferences satisficing and preferences optimal. Unfortunately the number of submitted planners did not allow these tracks to be included in the final competition. A total of 55 people participated, grouped in 31 teams. Participants came from Australia, Canada, China, France, Germany, India, Israel, Italy, Spain, the UK and the USA. For the sequential tracks 14 domains, with 20 problems each, were selected, while the temporal one had 12 domains, also with 20 problems each. Both new and past domains were included. As in previous competitions, domains and problems were unknown to participants and all the experimentation was carried out by the organizers. To run the competition a cluster of eleven 64-bit computers (Intel XEON 2.93 GHz quad-core processor) running Linux was set up. Up to 1800 seconds, 6 GB of RAM and 750 GB of hard disk were available for each planner to solve a problem. This resulted in 7540 computing hours (about 315 days), plus a high number of hours devoted to preliminary experimentation with new domains, reruns and bug fixing. The detailed results of the competition, the software used for automating most tasks, the source code of all the participating planners and the description of domains and problems can be found at the competition's web page: http://www.plg.inf.uc3m.es/ipc2011-deterministic This booklet summarizes the participants in the Deterministic Track of the International Planning Competition (IPC) 2011. Papers describing all the participating planners are included.

    Time and Cost Optimization of Cyber-Physical Systems by Distributed Reachability Analysis


    Design and evaluation of safety-critical applications based on inter-vehicle communication

    Inter-vehicle communication has a potential to improve road traffic safety and efficiency. Technical feasibility of communication between vehicles has been extensively studied, but due to the scarcity of application-level research, communication's impact on the road traffic is still unclear. This thesis addresses this uncertainty by designing and evaluating two fail-safe applications, namely, Rear-End Collision Avoidance and Virtual Traffic Lights.

    A comparison of two different model checking techniques

    Thesis (MSc)--University of Stellenbosch, 2003. ENGLISH ABSTRACT: Model checking is a computer-aided verification technique that is used to automatically verify properties of the formal description of a system. This technique has been applied successfully to detect subtle errors in reactive systems. Such errors are extremely difficult to detect using traditional testing techniques. The conventional method of applying model checking is to construct a model manually, either before or after the implementation of a system. Constructing such a model requires time, skill and experience. An alternative method is to derive a model from an implementation automatically. In this thesis two techniques of applying model checking to reactive systems are compared, both of which have problems as well as advantages. Two specific strategies are compared in the area of protocol development: 1. Structuring a protocol as a transition system, modelling the system, and then deriving an implementation from the model. 2. Automatically translating implementation code to a verifiable model. Structuring a reactive system as a transition system makes it possible to verify the control flow of the system at implementation level, as opposed to verifying the control flow at an abstract level. The result is a closer correspondence between implementation and specification (model). At the same time testing, which is restricted to small, independent code fragments that manipulate data, is simplified significantly. The construction of a model often takes too long; therefore, verification results may no longer be applicable when they become available. To address this problem, the technique of automated model extraction was suggested. This technique aims to reduce the time required to construct a model by minimising manual input during model construction. A transition system is a low-level formalism and direct execution through interpretation is feasible. However, the overhead of interpretation is the major disadvantage of this technique. Automated model extraction has disadvantages too. For example, differences between the implementation and specification languages (such as constructs present in the implementation language that cannot be expressed in the modelling language) make the development of an automated model extraction tool extremely difficult. In conclusion, the two techniques are compared against a set of software development considerations. Since a specific technique is not always preferable, guidelines are proposed to help select the best approach in different circumstances.

    How To Touch a Running System

    The increasing importance of distributed and decentralized software architectures entails more and more attention for adaptive software. Obtaining adaptiveness, however, is a difficult task, as the software design needs to foresee and cope with a variety of situations. Using reconfiguration of components facilitates this task, as the adaptivity is conducted at the architecture level instead of directly in the code. This results in a separation of concerns: the appropriate reconfiguration can be devised on a coarse level, while the implementation of the components can remain largely unaware of reconfiguration scenarios. We study reconfiguration in component frameworks based on formal theory. We first discuss programming with components, exemplified with the development of the cmc model checker. This highly efficient model checker is made of C++ components and serves as an example of component-based software development practice in general, and also provides insights into the principles of adaptivity. However, the component model focuses on high performance and is not geared towards using the structuring principle of components for controlled reconfiguration. We thus complement this highly optimized model with a message-passing-based component model which takes reconfigurability as its central principle. Supporting reconfiguration in a framework is about relieving the programmer of caring about the peculiarities as much as possible. We utilize the formal description of the component model to provide an algorithm for reconfiguration that retains as much flexibility as possible, while avoiding most problems that arise due to concurrency. This algorithm is embedded in a general four-stage adaptivity model inspired by physical control loops. The reconfiguration is devised to work with stateful components, retaining their data and unprocessed messages. Reconfiguration plans, which are provided with a formal semantics, form the input of the reconfiguration algorithm. We show that the algorithm achieves perceived atomicity of the reconfiguration process for an important class of plans, i.e., the whole process of reconfiguration is perceived as one atomic step, while minimizing the blocking of components. We illustrate the applicability of our approach to reconfiguration with several examples such as fault tolerance and automated resource control.

    Cooperative Communications in Wireless Local Area Networks: MAC Protocol Design and Multi-layer Solutions

    This dissertation addresses cooperative communications and proposes multi-layer solutions for wireless local area networks, focusing on cooperative MAC design. The cooperative MAC design starts from CSMA/CA-based wireless networks. Three key issues of cooperation at the MAC layer are dealt with: when to cooperate (opportunistic cooperation), whom to cooperate with (relay selection), and how to protect cooperative transmissions (message procedure design). In addition, a cooperative MAC protocol that addresses these three issues is proposed. The relay selection scheme is further optimized in a clustered network to solve the problem of high collision probability in a dense network. The performance of the proposed schemes is evaluated in terms of throughput, packet delivery rate and energy efficiency. Furthermore, the proposed protocol is verified through formal model checking using SPIN. Moreover, a cooperative code allocation scheme is proposed targeting a clustered network where multiple relay nodes can transmit simultaneously. The cooperative communication design is then extended to the routing layer through cross-layer routing metrics. Another part of the work aims at enabling concurrent transmissions using cooperative carrier sensing to improve the performance in a WLAN with multiple access points sharing the same channel.

    Formal Methods for Autonomous Systems

    Formal methods refer to rigorous, mathematical approaches to system development and have played a key role in establishing the correctness of safety-critical systems. The main building blocks of formal methods are models and specifications, which are analogous to behaviors and requirements in system design and give us the means to verify and synthesize system behaviors with formal guarantees. This monograph provides a survey of the current state of the art on applications of formal methods in the autonomous systems domain. We consider correct-by-construction synthesis under various formulations, including closed systems, reactive, and probabilistic settings. Beyond synthesizing systems in known environments, we address the concept of uncertainty and bound the behavior of systems that employ learning using formal methods. Further, we examine the synthesis of systems with monitoring, a mitigation technique for ensuring that once a system deviates from expected behavior, it knows a way of returning to normalcy. We also show how to overcome some limitations of formal methods themselves with learning. We conclude with future directions for formal methods in reinforcement learning, uncertainty, privacy, explainability of formal methods, and regulation and certification.

    Model checking techniques for runtime testing and QoS analysis

    Software and hardware systems are increasingly present in our lives, in a multitude of application fields and at every scale. Analysing these systems is a hard but necessary task to guarantee that they meet their requirements. These requirements can be of various kinds, such as avoiding erroneous behaviour or offering satisfactory performance. Many techniques and tools have been designed to attack this problem. In general, different techniques are applied depending on the type of system, the development phase or the type of analysis. Model checking is one of these analysis techniques. A model checker analyses the state space of a system to check whether the system satisfies a given property. However, as the complexity of the system under analysis grows, its state space grows rapidly, until it reaches a point where analysing it is no longer feasible. In this thesis we propose an integrated solution based on model checking for analysing systems whose behaviour can be observed in the form of execution traces. We have called this solution OptySim. Our solution provides access to external systems in a uniform way, allowing different kinds of analysis to be performed on different kinds of systems in a more homogeneous manner. OptySim works with a set of execution traces, which represent a subset of the system's complete state space. To obtain these traces the system is executed repeatedly, possibly varying system parameters according to the user's instructions, generating one trace per execution. The content of the traces depends on each system, and can also vary according to the needs of the analysis. To this end, one of the projections that have been defined can be applied; these transform complete traces into abstract traces with a smaller amount of information that is nevertheless sufficient for the purposes of the analysis. The analysis is guided by one or more objectives set by the user, such as assertions or temporal logic (LTL) formulas, which give the analysis the meaning intended by the user. The objectives can express both desirable properties of the system, for example a performance goal, and properties that must not occur, for example an error condition. OptySim has been applied to several case studies in various areas and with different purposes, to demonstrate its usefulness. First, it was integrated with the ns-2 network simulator, for reliability and performance analysis, parameter optimisation, and model validation and tuning. For the second group of case studies, it was integrated with a Java virtual machine to analyse programs written in that programming language. In this case, all the case studies focus on program debugging.