Model Checking Paxos in Spin
We present a formal model of a distributed consensus algorithm in the
executable specification language Promela extended with a new type of guards,
called counting guards, needed to implement transitions that depend on majority
voting. Our formalization exploits abstractions that follow from reduction
theorems applied to the specific case-study. We apply the model checker Spin to
automatically validate finite instances of the model and to extract
preconditions on the size of quorums used in the election phases of the
protocol.
Comment: In Proceedings GandALF 2014, arXiv:1408.556
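The quorum-size precondition the abstract refers to can be seen on a toy instance. What follows is an added example, not the paper's Promela model: a small explicit-state checker in Python for single-decree Paxos. It assumes n acceptors, m proposers that own the distinct ballots 1..m, and a lossless network with arbitrary delay and reordering (modelled by letting any acceptor process a proposer's outstanding prepare or accept at any time). The test len(promises) >= q stands in for the paper's counting guard, and min_safe_quorum searches for the smallest q under which agreement holds.

```python
"""Explicit-state check of single-decree Paxos agreement for a given quorum size.

Added example, not the paper's Promela model.  Assumptions: n acceptors,
m proposers that own the distinct ballots 1..m, and a lossless network that
may reorder or delay messages arbitrarily (modelled by letting any acceptor
process a proposer's outstanding prepare/accept at any time).  The check
len(promises) >= q plays the role of the paper's counting guard.
"""
from collections import deque


def initial_state(n, m):
    # acceptor = (promised_ballot, accepted_ballot, accepted_value)
    acceptors = tuple((0, 0, None) for _ in range(n))
    # proposer = (phase, promises, value); promises holds the replies
    # (acceptor_index, accepted_ballot, accepted_value) to its prepare
    proposers = tuple((0, frozenset(), None) for _ in range(m))
    return acceptors, proposers


def _set(seq, i, item):
    return seq[:i] + (item,) + seq[i + 1:]


def successors(state, q):
    """Yield every state reachable in one protocol step."""
    acceptors, proposers = state
    for p, (phase, promises, value) in enumerate(proposers):
        b = p + 1  # proposer p owns ballot p+1, so ballots never collide
        if phase == 0:  # proposer broadcasts prepare(b)
            yield acceptors, _set(proposers, p, (1, promises, None))
        elif phase == 1:
            # an acceptor answers prepare(b) only if b beats its promise
            for a, (promised, ab, av) in enumerate(acceptors):
                if b > promised:
                    yield (_set(acceptors, a, (b, ab, av)),
                           _set(proposers, p, (1, promises | {(a, ab, av)}, None)))
            # counting guard: a quorum of promises lets p enter phase 2
            if len(promises) >= q:
                hi = max(promises, key=lambda r: r[1])
                v = hi[2] if hi[1] > 0 else "v%d" % b  # Paxos value rule
                yield acceptors, _set(proposers, p, (2, promises, v))
        else:  # phase 2: an acceptor processes accept(b, value)
            for a, (promised, ab, av) in enumerate(acceptors):
                if b >= promised and (ab, av) != (b, value):
                    yield _set(acceptors, a, (b, b, value)), proposers


def chosen(state, q):
    """Values accepted at one and the same ballot by at least q acceptors."""
    acceptors, _ = state
    return {av for (_, ab, av) in acceptors if ab > 0 and
            sum(1 for (_, b2, v2) in acceptors if (b2, v2) == (ab, av)) >= q}


def check_agreement(n, m, q):
    """Breadth-first search; return a state where two values are chosen,
    or None if agreement holds for this quorum size."""
    start = initial_state(n, m)
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        if len(chosen(s, q)) > 1:
            return s
        for t in successors(s, q):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return None


def min_safe_quorum(n, m):
    """Smallest quorum size for which agreement holds: the precondition on q."""
    for q in range(1, n + 1):
        if check_agreement(n, m, q) is None:
            return q
    return None


if __name__ == "__main__":
    bad = check_agreement(3, 2, 1)
    print("n=3, q=1 violates agreement, chosen:", chosen(bad, 1))
    print("n=3: smallest safe quorum is", min_safe_quorum(3, 2))
```

With three acceptors the search finds the classic bad interleaving for q=1 (two disjoint "quorums" choose different values) and reports no violation from q=2 upward, i.e. once any two quorums must share an acceptor. The state space is enumerated explicitly, so n and m must stay small; the abstractions the paper derives from reduction theorems are what make larger instances tractable.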
The 2011 International Planning Competition
After a three-year gap, the 2011 edition of the IPC involved a total of 55 planners,
some of them versions of the same planner, distributed among four tracks: the sequential
satisficing track (27 planners submitted out of 38 registered), the sequential multicore
track (8 planners submitted out of 12 registered), the sequential optimal track (12
planners submitted out of 24 registered) and the temporal satisficing track (8 planners
submitted out of 14 registered). Three more tracks were open to participation: temporal
optimal, preferences satisficing and preferences optimal. Unfortunately the number of submitted planners did not allow these tracks to be finally included in the competition.
A total of 55 people took part, grouped in 31 teams. Participants came
from Australia, Canada, China, France, Germany, India, Israel, Italy, Spain, UK and
USA.
For the sequential tracks 14 domains, with 20 problems each, were selected, while
the temporal one had 12 domains, also with 20 problems each. Both new and past
domains were included. As in previous competitions, domains and problems were
unknown for participants and all the experimentation was carried out by the organizers.
To run the competition a cluster of eleven 64-bit computers (Intel Xeon 2.93 GHz
quad-core processors) running Linux was set up. Up to 1800 seconds, 6 GB of RAM and 750 GB of hard disk were available for each planner to solve a problem. This resulted in 7540 computing hours (about 315 days), plus a high number of hours devoted to preliminary experimentation with new domains, reruns and bug fixing.
The detailed results of the competition, the software used for automating most
tasks, the source code of all the participating planners and the description of domains and problems can be found at the competition’s web page:
http://www.plg.inf.uc3m.es/ipc2011-deterministic
This booklet summarizes the participants in the Deterministic Track of the International
Planning Competition (IPC) 2011. Papers describing all the participating planners
are included.
Design and evaluation of safety-critical applications based on inter-vehicle communication
Inter-vehicle communication has the potential to improve road traffic safety and efficiency. The technical feasibility of communication between vehicles has been extensively studied, but due to the scarcity of application-level research, communication's impact on road traffic is still unclear. This thesis addresses this uncertainty by designing and evaluating two fail-safe applications, namely Rear-End Collision Avoidance and Virtual Traffic Lights.
A comparison of two different model checking techniques
Thesis (MSc), University of Stellenbosch, 2003.
ENGLISH ABSTRACT: Model checking is a computer-aided verification technique that is used to verify properties
about the formal description of a system automatically. This technique has been applied
successfully to detect subtle errors in reactive systems. Such errors are extremely difficult to
detect by using traditional testing techniques. The conventional method of applying model
checking is to construct a model manually either before or after the implementation of a
system. Constructing such a model requires time, skill and experience. An alternative method
is to derive a model from an implementation automatically.
In this thesis two techniques of applying model checking to reactive systems are compared,
both of which have problems as well as advantages. Two specific strategies are compared in
the area of protocol development:
1. Structuring a protocol as a transition system, modelling the system, and then deriving
an implementation from the model.
2. Automatically translating implementation code to a verifiable model.
Structuring a reactive system as a transition system makes it possible to verify the control flow
of the system at implementation level, as opposed to verifying the control flow at an abstract
level. The result is a closer correspondence between implementation and specification (model).
At the same time testing, which is restricted to small, independent code fragments that
manipulate data, is simplified significantly.
The construction of a model often takes too long; therefore, verification results may no longer
be applicable when they become available. To address this problem, the technique of automated
model extraction was suggested. This technique aims to reduce the time required to
construct a model by minimising manual input during model construction.
A transition system is a low-level formalism and direct execution through interpretation is feasible. However, the overhead of interpretation is the major disadvantage of this technique.
With automated model extraction there are disadvantages too. For example, differences
between the implementation and specification languages, such as constructs present in the
implementation language that cannot be expressed in the modelling language, make the
development of an automated model extraction tool extremely difficult.
In conclusion, the two techniques are compared against a set of software development considerations.
Since a specific technique is not always preferable, guidelines are proposed to help
select the best approach in different circumstances.
AFRIKAANSE OPSOMMING (Afrikaans summary, translated): Model checking is a computer-based verification technique that is used to verify properties
of a formal specification of a system. The technique has been applied successfully
to find subtle errors in reactive systems. Such errors are extremely hard to find
when traditional testing techniques are used. Traditionally, model checking is applied
by building a model before or after the implementation of a system. Building a model
takes time, skill and experience. An alternative method is to derive a model automatically
from an implementation.
In this thesis two techniques for applying model checking are compared, each of which
has advantages as well as disadvantages. Two strategies are compared in the area of protocol
development:
1. Structuring a protocol as a transition system, modelling it and then deriving an implementation
from the model.
2. Automatically deriving a verifiable model from an implementation.
Structuring a reactive system as a transition system makes it possible to verify the control flow
at implementation level, as opposed to verifying the control flow at an abstract level.
The result is a closer correspondence between the implementation and the specification.
At the same time testing, which is restricted to small, independent code segments that
manipulate data, is simplified significantly.
Building a model sometimes takes too long; consequently, by the time the verification results
become available, they may no longer apply to the current version of an implementation.
To address this problem, a technique for deriving models automatically from implementations
has been proposed. Its aim is to reduce the time it takes to build a model by keeping manual
input to a minimum. A transition system is a low-level formalism and direct execution through interpretation is feasible.
The overhead of the interpreter is, however, the biggest disadvantage of the technique. There are
also disadvantages to consider for the technique of deriving models automatically from implementations.
For example, differences between the implementation language and the specification language, such as
constructs used in the implementation language that cannot be represented in the modelling
language, make the development of a model extractor extremely difficult.
Finally, the two techniques are compared against a set of software development considerations.
Since a specific technique cannot always be preferred, guidelines are proposed
to help choose the best technique in different circumstances.
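The first strategy above, in which the control flow that runs is the control flow that gets verified, can be made concrete in a few lines. The following is an added example and not the thesis's code: a toy challenge-response login protocol (constructed for illustration, including the lockout threshold) written as an explicit transition table. The same table is interpreted to execute the protocol and exhaustively explored to check two control-flow properties, and a deliberately wrong variant shows the check catching an authentication bypass that no amount of testing of the data-handling fragments would reveal.

```python
"""Strategy 1 from the thesis, as an added example (not the thesis's code):
a protocol expressed as an explicit transition system that is both executed
by interpretation and verified by exhaustively exploring the same table, so
the control flow that is checked is the control flow that runs.  The
challenge-response login protocol and the lockout threshold are constructed
for illustration."""
from collections import deque

MAX_BAD = 3  # assumed lockout threshold

# Control-flow part of the protocol: (state, event) -> next state.
TABLE = {
    ("IDLE", "HELLO"): "CHALLENGED",
    ("CHALLENGED", "RESPONSE_OK"): "AUTHED",
    ("CHALLENGED", "RESPONSE_BAD"): "IDLE",
    ("CHALLENGED", "TIMEOUT"): "IDLE",
    ("AUTHED", "LOGOUT"): "IDLE",
}

# Deliberately wrong variant: a response is honoured without a challenge.
BUGGY = {**TABLE, ("IDLE", "RESPONSE_OK"): "AUTHED"}


def step(table, config, event):
    """One transition.  config = (control_state, bad_attempts)."""
    state, bad = config
    if state == "LOCKED":                      # lockout is meant to be final
        return config
    if (state, event) == ("CHALLENGED", "RESPONSE_BAD"):
        bad += 1
        if bad >= MAX_BAD:
            return ("LOCKED", bad)
    return (table.get((state, event), state), bad)   # unlisted events are ignored


def run(table, events, config=("IDLE", 0)):
    """Interpret the transition system over one concrete event trace."""
    for e in events:
        config = step(table, config, e)
    return config


def check(table):
    """Explore every reachable config of the same table and report
    control-flow violations; an empty list means both properties hold."""
    events = sorted({e for _, e in table})
    start, violations = ("IDLE", 0), []
    seen, todo = {start}, deque([start])
    while todo:
        cfg = todo.popleft()
        for e in events:
            nxt = step(table, cfg, e)
            # P1: AUTHED is entered only from CHALLENGED on RESPONSE_OK
            if nxt[0] == "AUTHED" and cfg[0] != "AUTHED" \
                    and (cfg[0], e) != ("CHALLENGED", "RESPONSE_OK"):
                violations.append("auth bypass: %s --%s--> %s" % (cfg, e, nxt))
            # P2: once LOCKED, no event leaves LOCKED
            if cfg[0] == "LOCKED" and nxt[0] != "LOCKED":
                violations.append("lockout escaped: %s --%s--> %s" % (cfg, e, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return violations


if __name__ == "__main__":
    print(run(TABLE, ["HELLO", "RESPONSE_BAD"] * MAX_BAD))   # ('LOCKED', 3)
    print(check(TABLE))    # []
    print(check(BUGGY))    # three auth-bypass transitions
```

The interpreter (run) and the checker (check) consume the same TABLE, which is the point of the strategy: the only code left to test conventionally is whatever computes the events (here, comparing a response against a challenge), and that is a small data-manipulating fragment. The interpretation overhead the thesis mentions is visible too: every event goes through a dictionary lookup rather than compiled control flow.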
How To Touch a Running System
The increasing importance of distributed and decentralized software architectures entails more and more attention for adaptive software. Obtaining adaptiveness, however, is a difficult task as the software design needs to foresee and cope with a variety of situations. Using reconfiguration of components facilitates this task, as the adaptivity is conducted on an architecture level instead of directly in the code. This results in a separation of concerns; the appropriate reconfiguration can be devised on a coarse level, while the implementation of the components can remain largely unaware of reconfiguration scenarios.
We study reconfiguration in component frameworks based on formal theory. We first discuss programming with components, exemplified with the development of the cmc model checker. This highly efficient model checker is made of C++ components and serves as an example for component-based software development practice in general, and also provides insights into the principles of adaptivity. However, the component model focuses on high performance and is not geared towards using the structuring principle of components for controlled reconfiguration. We thus complement this highly optimized model by a message passing-based component model which takes reconfigurability to be its central principle.
Supporting reconfiguration in a framework means relieving the programmer of as many of its peculiarities as possible. We utilize the formal description of the component model to provide an algorithm for reconfiguration that retains as much flexibility as possible, while avoiding most problems that arise due to concurrency. This algorithm is embedded in a general four-stage adaptivity model inspired by physical control loops. The reconfiguration is devised to work with stateful components, retaining their data and unprocessed messages. Reconfiguration plans, which are provided with a formal semantics, form the input of the reconfiguration algorithm. We show that the algorithm achieves perceived atomicity of the reconfiguration process for an important class of plans, i.e., the whole process of reconfiguration is perceived as one atomic step, while minimizing the blocking of components. We illustrate the applicability of our approach to reconfiguration with several examples such as fault tolerance and automated resource control.
Cooperative Communications in Wireless Local Area Networks: MAC Protocol Design and Multi-layer Solutions
This dissertation addresses cooperative communications and proposes multi-layer solutions for wireless local area networks, focusing on cooperative MAC design. The cooperative MAC design starts from CSMA/CA based wireless networks. Three key issues of cooperation at the MAC layer are dealt with: when to cooperate (opportunistic cooperation), whom to cooperate with (relay selection), and how to protect cooperative transmissions (message procedure design). In addition, a cooperative MAC protocol that addresses these three issues is proposed. The relay selection scheme is further optimized in a clustered network to solve the problem of high collision probability in a dense network. The performance of the proposed schemes is evaluated in terms of throughput, packet delivery rate and energy efficiency. Furthermore, the proposed protocol is verified through formal model checking using SPIN. Moreover, a cooperative code allocation scheme is proposed targeting a clustered network where multiple relay nodes can transmit simultaneously. The cooperative communication design is then extended to the routing layer through cross-layer routing metrics. Another part of the work aims at enabling concurrent transmissions using cooperative carrier sensing to improve the performance in a WLAN with multiple access points sharing the same channel.
Formal Methods for Autonomous Systems
Formal methods refer to rigorous, mathematical approaches to system
development and have played a key role in establishing the correctness of
safety-critical systems. The main building blocks of formal methods are models
and specifications, which are analogous to behaviors and requirements in system
design and give us the means to verify and synthesize system behaviors with
formal guarantees.
This monograph provides a survey of the current state of the art on
applications of formal methods in the autonomous systems domain. We consider
correct-by-construction synthesis under various formulations, including closed
systems, reactive, and probabilistic settings. Beyond synthesizing systems in
known environments, we address the concept of uncertainty and bound the
behavior of systems that employ learning using formal methods. Further, we
examine the synthesis of systems with monitoring, a mitigation technique for
ensuring that once a system deviates from expected behavior, it knows a way of
returning to normalcy. We also show how to overcome some limitations of formal
methods themselves with learning. We conclude with future directions for formal
methods in reinforcement learning, uncertainty, privacy, explainability of
formal methods, and regulation and certification.
Model checking techniques for runtime testing and QoS analysis
Software and hardware systems are ever more present in our lives, in a multitude of application fields and at every scale. Analysing these systems is a hard but necessary task to guarantee that they meet their requirements. These requirements can be of several kinds, such as avoiding erroneous behaviour or delivering satisfactory performance.
Many techniques and tools have been designed to attack this problem. In general, different techniques are applied depending on the kind of system, the development phase or the kind of analysis. Model checking is one of these analysis techniques. A model checker analyses the state space of a system to check whether the system satisfies a given property. However, as the complexity of the system under analysis grows, its state space grows rapidly, up to a point where analysing it is no longer feasible.
In this thesis we propose an integrated solution based on model checking for analysing systems whose behaviour can be observed in the form of execution traces. We have called this solution OptySim. Our solution gives uniform access to external systems, allowing different kinds of analysis to be performed on different kinds of systems in a more homogeneous way.
OptySim works with a set of execution traces, which represent a subset of the system's complete state space. To obtain these traces the system is executed repeatedly, possibly varying system parameters according to the user's instructions, generating one trace per execution. The content of the traces depends on each system, and can also vary depending on the needs of the analysis. For this, one of the projections that have been defined can be applied; they transform complete traces into abstract traces that carry less information, but enough for the purposes of the analysis.
The analysis is guided by one or more objectives set by the user, such as assertions or temporal logic (LTL) formulas, which give the analysis the meaning the user intends. Objectives can express both desirable properties of the system, for example a performance goal, and properties that must not occur, for example an error condition.
OptySim has been applied to several case studies in several areas and with different purposes, to demonstrate its usefulness. First it was integrated with the ns-2 network simulator, for reliability and performance analysis, parameter optimisation, and model validation and tuning. For the second group of case studies it was integrated with a Java virtual machine to analyse programs written in that programming language. In this case, all the case studies focus on program debugging.
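The pipeline the abstract describes (repeated runs under varying parameters, one trace per run, projection to an abstract trace, objectives evaluated over the result) is small enough to show end to end. The following is an added example and not OptySim's code: the system under test is a constructed stop-and-wait sender that retransmits on loss, its traces are lists of event dicts, and the objectives are finite-trace versions of the usual temporal operators. The sweep over max_retries plays the role of the parameter optimisation mentioned for the ns-2 case studies.

```python
"""Trace-based analysis in the style the thesis describes, as an added example
(not OptySim's code).  The system under test, its parameters and the traces
are all constructed here: a stop-and-wait sender that retransmits on loss.
Each run yields a full trace, a projection keeps only the fields the analysis
needs, and finite-trace temporal objectives are evaluated over the projected
trace for every point of a parameter sweep."""


def simulate(loss_pattern, max_retries):
    """Constructed stand-in for an external system.  loss_pattern[i] says
    whether the i-th transmission is lost.  Returns the full execution trace."""
    trace = []
    for attempt in range(max_retries + 1):
        lost = attempt < len(loss_pattern) and loss_pattern[attempt]
        trace.append({"t": attempt, "event": "send", "attempt": attempt,
                      "lost": lost, "payload": "x" * 64})
        if not lost:
            trace.append({"t": attempt, "event": "ack", "attempt": attempt})
            return trace
    trace.append({"t": max_retries + 1, "event": "error",
                  "reason": "retries exhausted"})
    return trace


def project(trace, keys):
    """Abstract trace: keep only the named fields of every event."""
    return [{k: e[k] for k in keys if k in e} for e in trace]


# Finite-trace temporal operators (LTL-style objectives over a single trace).
def always(pred, trace):
    return all(pred(e) for e in trace)


def eventually(pred, trace):
    return any(pred(e) for e in trace)


def until(p, q, trace):
    """p holds at every position before the first one where q holds,
    and such a position exists."""
    for e in trace:
        if q(e):
            return True
        if not p(e):
            return False
    return False


OBJECTIVES = {
    # desirable property: the packet is eventually acknowledged
    "delivered": lambda tr: eventually(lambda e: e["event"] == "ack", tr),
    # an error condition that must never occur
    "no_error": lambda tr: always(lambda e: e["event"] != "error", tr),
    # keep sending until acked, using at most 3 transmissions
    "bounded": lambda tr: until(lambda e: e["event"] == "send" and e["attempt"] < 3,
                                lambda e: e["event"] == "ack", tr),
}


def sweep(loss_pattern, retry_values):
    """Run the system once per parameter value and evaluate every objective
    on the projected trace.  Returns {max_retries: {objective: bool}}."""
    results = {}
    for r in retry_values:
        abstract = project(simulate(loss_pattern, r), ("event", "attempt"))
        results[r] = {name: obj(abstract) for name, obj in OBJECTIVES.items()}
    return results


def min_retries_for(loss_pattern, objective, limit=10):
    """Parameter optimisation: smallest max_retries meeting the objective,
    or None if no value up to the limit does."""
    for r, res in sweep(loss_pattern, range(limit + 1)).items():
        if res[objective]:
            return r
    return None


if __name__ == "__main__":
    for r, res in sweep((True, True, False), range(4)).items():
        print("max_retries=%d" % r, res)
    print("smallest max_retries that delivers:",
          min_retries_for((True, True, False), "delivered"))
```

Projection is what keeps the objectives decoupled from the system: the lambdas only see "event" and "attempt", so the same objectives would work on traces from any source that can be projected onto those two fields. The finite-trace reading of the operators matters for the "bounded" objective, which is false both when the sender gives up (no ack ever appears) and when it exceeds three transmissions before succeeding.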