42 research outputs found

    Classifying Invariant Structures of Step Traces

    In the study of behaviours of concurrent systems, traces are sets of behaviourally equivalent action sequences. Traces can be represented by causal partial orders. Step traces, on the other hand, are sets of behaviourally equivalent step sequences, each step being a set of simultaneous actions. Step traces can be represented by relational structures comprising non-simultaneity and weak causality. In this paper, we propose a classification of step alphabets as well as the corresponding step traces and relational structures representing them. We also explain how the original trace model fits into the overall framework.

    Síntese de Circuitos Assíncronos com Conflitos: uma Abordagem baseada em Regiões

    PhD in Electronic and Telecommunications Engineering. Asynchronous circuits are currently a research area with a large number of people involved, both in industry and in academia. After a long period of marginal activity, topics such as specification, analysis, synthesis and verification are receiving the attention of the scientific community. An annual average of more than 100 publications over the last decade is proof of that. The usual taxonomy of asynchronous circuits is based on the delay model under which they are assumed to operate correctly. The class of speed-independent asynchronous circuits, which underlies the work presented in this thesis, assumes a gate delay that is finite but has no known upper bound, and an interconnect wire delay that is zero or at least negligible compared to the gate delay. Specification in this class is normally done using two types of graphs: state graphs, a formalism based on the states of the circuit, and signal transition graphs, a class of Petri nets that describe the causality and concurrency relations between the events (signal transitions) in the circuit. Tools for the automatic synthesis of speed-independent asynchronous circuits are available, with Petrify deserving our special mention. Two scenarios are not covered by these tools, since they violate a necessary condition for the existence of a purely digital speed-independent solution. One is characterised by the existence of non-persistences involving internal or output signals, a situation typical of arbiters and synchronisers. A design methodology is presented that allows a solution to be generated using synthesis tools for speed-independent circuits. 
A transformation procedure takes as input a specification containing non-persistences and delivers as output a set of special components, which handle the non-persistences, and a specification suitable for feeding the synthesis tool. A relation is established between non-persistent states and concurrent regions, which act as critical sections of the system. By controlling access to these regions, through the introduction of special, partly analogue hardware components playing the role of arbiters, the conflicts are transferred to the arbiters, leaving the rest of the circuit free of them. In the proposed methodology, the whole transformation takes the form of a simple product of transition systems. This follows from the possibility of representing the various steps of the arbiter insertion procedure as multiplicative factors. The product of transition systems, when viewed up to isomorphism and the graph reachable from the initial state, has the commutative and associative properties, so the order of processing is irrelevant to the final result. The other scenario corresponds to the existence of non-commutativities between input events. The problem is analysed and different approaches to overcoming it are presented. One approach points towards transforming the non-commutativities into non-persistences and then applying the methodology developed for the latter. Another approach suggests controlling the non-commutativities through the insertion of specific arbitration devices. The analysis presented should be deepened in order to define the most appropriate methodology for resolving this kind of conflict. Asynchronous circuits are a subject of research currently with a large number of people involved, both from academia and industry. 
After a long period of marginal activity, topics like specification, analysis, synthesis and verification have deserved the attention of the research community. An average of more than 100 papers per year in the last decade is evidence of that. The common taxonomy of asynchronous circuits is based on the delay model under which they are assumed to properly operate. The class of speed independent asynchronous circuits, which assumes an unbounded gate delay model, that is, gates have a finite delay with no upper bound while wires interconnecting gates are assumed to have negligible delays, underlies the work presented in this thesis. Specifications are usually described using two types of graph models: state graphs, a state-based formalism, and signal transition graphs, a class of Petri nets. Automatic synthesis tools exist, with Petrify deserving our special attention. Two scenarios in specification are not accepted by these tools, because they infringe a speed independent necessary condition. One is characterized by non-persistences involving non-input signals, which are typical in arbiters and synchronizers. A design methodology is presented that allows the use of existing speed independent tools to derive an implementation for such specifications. A transformation procedure takes a specification with non-persistences as input and delivers both a net list of special components managing the non-persistences and a specification suitable to feed the logic synthesis tool. Non-persistences are modeled as exclusion relations among regions, which act like critical sections of the system. By introducing special, partially analog components acting as arbiters, access to these regions is controlled, transferring the conflict points to the arbiters and leaving the remainder of the specification free from conflicts. In the proposed methodology the overall transformation takes the simple form of products of transition systems. 
In the region-based model used, the several steps for the insertion of an arbiter into the specification can be represented as transition system factors. Thus the product form can be achieved. Up to reachability and isomorphism, the product of transition systems holds the commutative and associative properties. The order of processing of different non-persistences is thus irrelevant to the final result. The other scenario corresponds to the existence of non-commutativities between input events. The problem is analyzed and different approaches to solve it are discussed. One approach suggests the transformation of the non-commutativities into non-persistences, allowing for the subsequent application of the methodology developed for non-persistences. Another approach suggests the control of non-commutativities by means of the insertion of specific arbitration entities. Non-commutativities must however be further analyzed in order to define and develop a proper methodology to solve this kind of conflict.

    Interpreted graph models

    A model class called an Interpreted Graph Model (IGM) is defined. This class includes a large number of graph-based models that are used in asynchronous circuit design and other applications of concurrency. The defining characteristic of this model class is an underlying static graph-like structure where behavioural semantics are attached using additional entities, such as tokens or node/arc states. The similarities in notation and expressive power allow a number of operations on these formalisms, such as visualisation, interactive simulation, serialisation, schematic entry and model conversion, to be generalised. A software framework called Workcraft was developed to take advantage of these properties of IGMs. Workcraft provides an environment for rapid prototyping of graph-like models and related tools. It provides a large set of standardised functions that considerably facilitate the task of providing tool support for any IGM. The concept of Interpreted Graph Models is the result of research on methods of application of lower level models, such as Petri nets, as a back-end for simulation and verification of higher level models that are more easily manipulated. The goal is to achieve a high degree of automation of this process. In particular, a method for verification of speed-independence of asynchronous circuits is presented. Using this method, the circuit is specified as a gate netlist and its environment is specified as a Signal Transition Graph. The circuit is then automatically translated into a behaviourally equivalent Petri net model. This model is then composed with the specification of the environment. A number of important properties can be established on this compound model, such as the absence of deadlocks and hazards. If a trace is found that violates the required property, it is automatically interpreted in terms of switching of the gates in the original gate-level circuit specification and may be presented visually to the circuit designer. 
A similar technique is also used for the verification of a model called Static Data Flow Structure (SDFS). This high level model describes the behaviour of an asynchronous data path. SDFS is particularly interesting because it models complex behaviours such as preemption, early evaluation and speculation. Preemption is a technique that allows data objects in a computation pipeline to be destroyed if the result of the computation is no longer needed, reducing the power consumption. Early evaluation allows a circuit to compute the output using a subset of its inputs and preempt the inputs which are not needed. In speculation, all conflicting branches of computation run concurrently without waiting for the selecting condition; once the selecting condition is computed the unneeded branches are preempted. The automated Petri net based verification technique is especially useful in this case because of the complex nature of these features. As a result of this work, a number of cases are presented where the concept of IGMs and the Workcraft tool were instrumental. These include the design of two different types of arbiter circuits, the design and debugging of the SDFS model, synthesis of asynchronous circuits from the Conditional Partial Order Graph model and the modification of the workflow of the Balsa asynchronous circuit synthesis system.

    Translating Asynchronous Games for Distributed Synthesis (Full Version)

    In distributed synthesis, we generate a set of process implementations that, together, accomplish an objective against all possible behaviors of the environment. A lot of recent work has focussed on systems with causal memory, i.e., sets of asynchronous processes that exchange their causal histories upon synchronization. Decidability results for this problem have been stated either in terms of control games, which extend Zielonka's asynchronous automata by partitioning the actions into controllable and uncontrollable, or in terms of Petri games, which extend Petri nets by partitioning the tokens into system and environment players. The precise connection between these two models was so far, however, an open question. In this paper, we provide the first formal connection between control games and Petri games. We establish the equivalence of the two game models based on weak bisimulations between their strategies. For both directions, we show that a game of one type can be translated into an equivalent game of the other type. We provide exponential upper and lower bounds for the translations. Our translations make it possible to transfer and combine decidability results between the two types of games. Exemplarily, we translate decidability in acyclic communication architectures, originally obtained for control games, to Petri games, and decidability in single-process systems, originally obtained for Petri games, to control games

    Methods and tools for the integration of formal verification in domain-specific languages

    Domain-specific modeling languages (DSMLs) are increasingly used in the early phases of the development of complex systems, in particular for critical embedded systems. The objective is to be able to reason about these models very early in the development and, in particular, to carry out verification and validation (V and V) activities. A widely used technique is the verification of behavioural models by exhaustive exploration (model-checking), using a translational semantics to build a formal model from the domain models in order to reuse the powerful tools available for formal models. Defining this translational semantics, expressing the formal properties to be verified and analysing the results require an expertise in formal methods that hinders their adoption and can discourage designers. It is therefore necessary to build, for each DSML, a toolchain that hides the formal aspects from its users. The objective of this thesis is to facilitate the development of such verification chains. Our contribution includes 1) expressing behavioural properties at the domain level, relying on TOCL (Temporal Object Constraint Language), a temporal extension of the OCL language; 2) the automatic transformation of these properties into formal properties by reusing the key elements of the translational semantics; 3) the feedback of verification results thanks to a higher-order transformation and a language describing the correspondence between the domain and the formal domain, and 4) the associated implementation process. Our approach was validated by experimentation on a subset of the SPEM development process modeling language and on the Ladder Diagram programmable logic controller language, as well as by the integration of an intermediate formal language (FIACRE) into the verification toolchain. 
This last point makes it possible to reduce the semantic gap between DSMLs and formal domains. ABSTRACT: Domain specific Modeling Languages (DSMLs) are increasingly used at the early phases in the development of complex systems, in particular, for safety critical systems. The goal is to be able to reason early in the development on these models and, in particular, to fulfill verification and validation activities (V and V). A widely used technique is the exhaustive behavioral model verification using model-checking by providing a translational semantics to build a formal model from DSML conforming models in order to reuse powerful tools available for this formal domain. Defining a translational semantics, expressing formal properties to be assessed and analysing such verification results require such an expertise in formal methods that it restricts their adoption and may discourage the designers. It is thus necessary to build, for each DSML, a toolchain which hides formal aspects from DSML end-users. The goal of this thesis consists in easing the development of such verification toolchains. Our contribution includes 1) expressing behavioral properties at the DSML level by relying on TOCL (Temporal Object Constraint Language), a temporal extension of OCL; 2) an automated transformation of these properties into formal properties while reusing the key elements of the translational semantics; 3) the feedback of verification results thanks to a higher-order transformation and a language which defines mappings between DSML and formal levels; 4) the associated process implementation. Our approach was validated by the experimentation on a subset of the development process modeling language SPEM, and on the Ladder Diagram language used to specify programmable logic controllers (PLCs), and by the integration of a formal intermediate language (FIACRE) in the verification toolchain. This last point allows the semantic gap between DSMLs and formal domains to be reduced.