An Approach for Minimizing Spurious Errors in Testing ADA Tasking Programs

We propose an approach for detecting deadlocks and race conditions in Ada tasking software. It is based on an extension to Petri net-based techniques, where a concurrent program is modeled as a Petri net and a reachability graph is then derived and analyzed for desired information. In this approach, Predicate-Action subnets representing Ada programming constructs are described, where predicates and actions are attached to transitions. Predicates are those found in decision statements. Actions involve updating the status of the variables that affect the tasking behavior of the program and updating the Read and Write sets of shared variables. The shared variables are those occurring in sections of the program, called concurrency zones, related to the transitions. Modeling of a tasking program is accomplished by using the basic subnets as building blocks in translating only tasking-related statements and connecting them to produce the total Predicate-Action net model augmented with sets of shared variables. An augmented reachability graph is then derived by executing the net model. Deadlocks and race conditions are detected by searching the nodes of this graph. The main advantage offered by this approach is that the Predicate-Action extension of the net leads to pruning infeasible paths in the reachability graph and, thus, reducing the spurious error reports encountered in previous approaches. Also, this approach enables a partial handling of loops in a practical way. Implementation issues are also discussed in the paper

Performance Bounds for Synchronized Queueing Networks

Las redes de Petri estocásticas constituyen un modelo unificado de las diferentes extensiones de redes de colas con sincronizaciones existentes en la literatura, válido para el diseño y análisis de prestaciones de sistemas informáticos distribuidos. En este trabajo se proponen técnicas de cálculo de cotas superiores e inferiores de las prestaciones de redes de Petri estocásticas en estado estacionario. Las cotas obtenidas son calculables en tiempo polinómico en el tamaño del modelo, por medio de la resolución de ciertos problemas de programación lineal definidos a partir de la matriz de incidencia de la red (en este sentido, las técnicas desarrolladas pueden considerarse estructurales). Las cotas calculadas dependen sólamente de los valores medios de las variables aleatorias que describen la temporización del sistema, y son independientes de los momentos de mayor orden. Esta independencia de la forma de las distribuciones de probabilidad asociadas puede considerarse como una útil generalización de otros resultados existentes para distribuciones particulares, puesto que los momentos de orden superior son, habitualmente, desconocidos en la realidad y difíciles de estimar. Finalmente, las técnicas desarrolladas se aplican al análisis de diferentes ejemplos tomados de la literatura sobre sistemas informáticos distribuidos y sistemas de fabricación. ******* Product form queueing networks have long been used for the performance evaluation of computer systems. Their success has been due to their capability of naturally expressing sharing of resources and queueing, that are typical situations of traditional computer systems, as well as to their efficient solution algorithms, of polynomial complexity on the size of the model. Unfortunately, the introduction of synchronization constraints usually destroys the product form solution, so that general concurrent and distributed systems are not easily studied with this class of models. Petri nets have been proved specially adequate to model parallel and distributed systems. Moreover, they have a well-founded theory of analysis that allows to investigate a great number of qualitative properties of the system. In the original definition, Petri nets did not include the notion of time, and tried to model only the logical behaviour of systems by describing the causal relations existing among events. This approach showed its power in the specification and analysis of concurrent systems in a way independent of the concept of time. Nevertheless the introduction of a timing specification is essential if we want to use this class of models for the performance evaluation of distributed systems. One of the main problems in the actual use of timed and stochastic Petri net models for the quantitative evaluation of large systems is the explosion of the computational complexity of the analysis algorithms. In general, exact performance results are obtained from the numerical solution of a continuous time Markov chain, whose dimension is given by the size of the state space of the model. Structural computation of exact performance measures has been possible for some subclasses of nets such as those with state machine topology. These nets, under certain assumptions on the stochastic interpretation are isomorphic to Gordon and Newell's networks, in queueing theory terminology. In the general case, efficient methods for the derivation of performance measures are still needed. Two complementary approaches to the derivation of exact measures for the analysis of distributed systems are the utilization of approximation techniques and the computation of bounds. Approximate values for the performance parameters are in general more efficiently derived than the exact ones. On the other hand, "exactness" only exists in theory! In other words, numerical algorithms must be applied in practice for the computation of exact values, therefore making errors is inevitable. Performance bounds are useful in the preliminary phases of the design of a system, in which many parameters are not known accurately. Several alternatives for those parameters should be quickly evaluated, and rejected those that are clearly bad. Exact (and even approximate) solutions would be computationally very expensive. Bounds become useful in these instances since they usually require much less computation effort. The computation of upper and lower bounds for the steady-state performance of timed and stochastic Petri nets is considered in this work. In particular, we study the throughput of transitions, defined as the average number of firings per time unit. For this measure we try to compute upper and lower bounds in polynomial time on the size of the net model, by means of proper linear programming problems defined from the incidence matrix of the net (in this sense, we develop structural techniques). These bounds depend only on the mean values and not on the higher moments of the probability distribution functions of the random variables that describe the timing of the system. The independence of the probability distributions can be viewed as a useful generalization of the performance results, since higher moments of the delays are usually unknown for real cases, and difficult to estimate and assess. From a different perspective, the obtained results can be applied to the analysis of queueing networks extended with some synchronization schemes. Monoclass queueing networks can be mapped on stochastic Petri nets. On the other hand, stochastic Petri nets can be interpreted as monoclass queueing networks augmented with synchronization primitives. Concerning the presentation of this manuscript, it should be mentioned that chapter 1 has been written with the object of giving the reader an outline of the stochastic Petri net model: its definition, terminology, basic properties, and related concepts, together with its deep relation with other classic stochastic network models. Chapter 2 is devoted to the presentation of the net subclasses considered in the rest of the work. The classification presented here is quite different from the one which is usual in the framework of Petri nets. The reason lies on the fact that our classification criterion, the computability of visit ratios for transitions, is introduced for the first time in the field of stochastic Petri nets in this work. The significance of that criterion is based on the important role that the visit ratios play in the computation of upper and lower bounds for the performance of the models. Nevertheless, classical important net subclasses are identified here in terms of the computability of their visit ratios from different parameters of the model. Chapter 3 is concerned with the computation of reachable upper and lower bounds for the most restrictive subclass of those presented in chapter 2: marked graphs. The explanation of this fact is easy to understand. The more simple is the model the more accessible will be the techniques an ideas for the development of good results. Chapter 4 provides a generalization for live and bounded free choice nets of the results presented in the previous chapter. Quality of obtained bounds is similar to that for strongly connected marked graphs: throughput lower bounds are reachable for bounded nets while upper bounds are reachable for 1-bounded nets. Chapter 5 considers the extension to other net subclasses, like mono-T-semiflow nets, FRT-nets, totally open deterministic systems of sequential processes, and persistent nets. The results are of diverse colours. For mono-T-semiflow nets and, therefore, for general FRT-nets, it is not possible (so far) to obtain reachable throughput bounds. On the other hand, for bounded ordinary persistent nets, tight throughput upper bounds are derived. Moreover, in the case of totally open deterministic systems of sequential processes the exact steady-state performance measures can be computed in polynomial time on the net size. In chapter 6 bounds for other interesting performance measures are derived from throughput bounds and from classical queueing theory laws. After that, we explore the introduction of more information from the probability distribution functions of service times in order to improve the bounds. In particular, for Coxian service delay of transitions it is possible to improve the throughput upper bounds of previous chapters which held for more general forms of distribution functions. This improvement shows to be specially fruitful for live and bounded free choice nets. Chapter 7 is devoted to case studies. Several examples taken from literature in the fields of distributed computing systems and manufacturing systems are modelled by means of stochastic Petri nets and evaluated using the techniques developed in previous chapters. Finally, some concluding remarks and considerations on possible extensions of the work are presented

Ada as a design specification language

The primary thesis objective is research into current approaches to design specification languages, emphasizing Ada. Requirements specification is touched upon. Design specification is explored and related to requirements and implementation. The role of language in design is discussed, as well as objectives of the design specification and features that a specification language should provide in order to meet those objectives. Formal language is contrasted with natural language. Some formal specification languages are described, both Ada related and not Ada related. The secondary objective, the thesis project, is to illustrate a design specification in a formal language, Ada. The purpose of the project is to compare the Ada expression of an example design with the natural language specification for the same system

On the engineering of crucial software

The various aspects of the conventional software development cycle are examined. This cycle was the basis of the augmented approach contained in the original grant proposal. This cycle was found inadequate for crucial software development, and the justification for this opinion is presented. Several possible enhancements to the conventional software cycle are discussed. Software fault tolerance, a possible enhancement of major importance, is discussed separately. Formal verification using mathematical proof is considered. Automatic programming is a radical alternative to the conventional cycle and is discussed. Recommendations for a comprehensive approach are presented, and various experiments which could be conducted in AIRLAB are described

Software Engineering and Petri Nets

This booklet contains the proceedings of the Workshop on Software Engineering and Petri Nets (SEPN), held on June 26, 2000. The workshop was held in conjunction with the 21st International Conference on Application and Theory of Petri Nets (ICATPN-2000), organised by the CPN group of the Department of Computer Science, University of Aarhus, Denmark. The SEPN workshop papers are available in electronic form via the web page:http://www.daimi.au.dk/pn2000/proceeding

Formal semantics for LIPS (Language for Implementing Parallel/distributed Systems)

This thesis presents operational semantics and an abstract machine for a point-to-point asynchronous message passing language called LIPS (Language for Implementing Parallel/ distributed Systems). One of the distinctive features of LIPS is its capability to handle computation and communication independently. Taking advantage of this capability, a two steps strategy has been adopted to define the operational semantics. The two steps are as follows: • A big-step semantics with single-step re-writes is used to relate the expressions and their evaluated results (computational part of LIPS). • The developed big-step semantics has been extended with Structural Operational Semantics (SOS) to describe the asynchronous message passing of LIPS (communication part of LIPS). The communication in LIPS has been implemented using Asynchronous Message Passing System (AMPS). It makes use of very simple data structures and avoids the use of buffers. While operational semantics is used to specify the meaning of programs, abstract machines are used to provide intermediate representation of the language's implementation. LIPS Abstract Machine (LAM) is defined to execute LIPS programs. The correctness of the execution of the LIPS program/expression written using the operational semantics is verified by comparing it with its equivalent code generated using the abstract machine. Specification of Asynchronous Communicating Systems (SACS) is a process algebra developed to specify the communication in LIPS programs. It is an asynchronous variant of Synchronous Calculus of Communicating Systems (SCCS). This research presents the SOS for SACS and looks at the bisimulation equivalence properties for SACS which can be used to verify the behaviour of a specified process. An implementation is said to be complete when it is equivalent to its specifications. SACS has been used for the high level specification of the communication part of LIPS programs and is implemented using AMPS. This research proves that SACS and AMPS are equivalent by defining a weak bisimulation equivalence relation between the SOS of both SACS and AMPS

High integrity hardware-software codesign

Programmable logic devices (PLDs) are increasing in complexity and speed, and are being used as important components in safety-critical systems. Methods for developing high-integrity software for these systems are well-known, but this is not true for programmable logic. We propose a process for developing a system incorporating software and PLDs, suitable for safety critical systems of the highest levels of integrity. This process incorporates the use of Synchronous Receptive Process Theory as a semantic basis for specifying and proving properties of programs executing on PLDs, and extends the use of SPARK Ada from a programming language for safety-critical systems software to cover the interface between software and programmable logic. We have validated this approach through the specification and development of a substantial safety-critical system incorporating both software and programmable logic components, and the development of tools to support this work. This enables us to claim that the methods demonstrated are not only feasible but also scale up to realistic system sizes, allowing development of such safety-critical software-hardware systems to the levels required by current system safety standards