Analysis of distributed multi-periodic systems to achieve consistent data matching

Distributed real-time architecture of an embedded system is often described as a set of communicating components. Such a system is data flow (for its description) and time-triggered (for its execution). This work fits in with these problematics and focuses on the control of the time compatibility of a set of interdependent data used by the system components. The architecture of a component-based system forms a graph of communicating components, where more than one path can link two components. These paths may have different timing characteristics but the flows of information which transit on these paths may need to be adequately matched, so that a component uses inputs which all (directly or indirectly) depend on the same production step. In this paper, we define this temporal data-matching property, we show how to analyze the architecture to detect situations that can cause data matching inconsistencies, and we describe an approach to manage data matching that uses queues to delay too fast paths and timestamps to recognize consistent data

Automated Verification of Asynchronous Communicating Systems with TLA+

Verifying the compatibility of communicating peers is a crucial issue in critical distributed systems. Unlike the synchronous world, the asynchronous world covers a wide range of message ordering paradigms (e.g. FIFO or causal) that are instrumental to the compatibility of peer compositions. We propose a framework that takes into account the variety of asynchronous communication models and compatibility properties. The notions of peer, communication model, system and compatibility criteria are formalized in TLA+ to benefit from its verification tools. We present an implemented toolchain that generates TLA+ specifications from the behavioral descriptions of peers and checks compatibility of the composition with respect to given communication models and compatibility criteria

A Data Oriented Approach for Real-Time Systems

International audienceDistributed real-time systems often have to maintain the temporal validity of data. In this paper we present a modelling framework centered on data where a so-called observation relation represents and abstracts the interactions between variables. An observation is a relation between variables, an image and its sources, where the image values depend on past values of the sources. The system architecture is seen as a set of observation relations describing the flow of values between variables. The observation relations are parametrized with timed constraints that limit the time shift between the variables and specify the availability of timely sound values. At this level of abstraction, the designer gives a specification of the system based on timed properties about the timeline of data such as their freshness, latency etc. We proceed to an analysis of the feasibility of such a specification and we formally analyze the correctness of an implementation with respect to a specification. In order to prove the feasibility of an observationbased model, we build a finite state transition system which is bi-similar to the specification. The existence of an infinite execution in this system proves the feasibility of the specification. Possible implementations are described as a set of interacting components which control the flow of values in the system. A finite system is built to prove the correctness of the implementation by model checkin

Maximal Group Membership in Ad Hoc Networks

International audienceThe notion of Group communication has long been introduced as a core service of distributed systems. More recently, this notion appeared with a somewhat different meaning in the field of mobile ad hoc systems. In this context, we study the group membership problem. After specifying the basic safety properties of such groups and a maximality criterion based on cliques, we propose a group membership algorithm. Lastly, with respect to this criterion, we compare our algorithm with two group membership algorithms for ad hoc environments. Moreover, a formal description in TLA+ has been programmed and verified by model-checking for small networks

La composition de services dans le monde asynchrone Formalisation et vérification en TLA+

International audienceLes architectures orientées services (SOA) permettent de répondre à deux défis importants du génie logiciel : la rutilisabilité et la décomposition. Néanmoins elles amènent de nouveaux problème, notamment liés à la répartition des services et la non-centralisation du contrôle. Les services étant indépendants et autonomes, il faut s’assurer que mis ensemble ils sont capables de communiquer et que leurs interactions n’introduisent pas de mauvais fonctionnement global. Dans le monde asynchrone, plus proche de la réalité, cette vérification devient non triviale, et cela d’autant plus qu’il existe de multiples modèles asynchrones, plus ou moins libéraux dans ce qu’ils autorisent. Nous exposons dans ce papier nos travaux en cours autour des modèles asynchrones et de la vérification des compositions de services paramétrées par ces modèles

Proving a Non-Blocking Algorithm for Process Renaming with TLA+

National audienceShared-memory concurrent algorithms are well-known for being difficult to write, ill-adapted to test, and complex to prove. Wait-free concurrent objects are a subclass where a process is never prevented from progressing, whatever the other processes are doing (or not doing). Algorithms in this subclass are often non intuitive and among the most complex to prove. This paper presents the analysis and the proof of a wait-free concurrent algorithm that is used to rename processes. By its adaptive and non-blocking nature, the renaming algorithm resists to test, because of the cost of covering all its states and transitions even with a small input set. Thus, a proof has been conducted in Open image in new window and verified with TLAPS, the Open image in new window Proof System. This algorithm is itself based on the assembly of wait-free concurrent objects, the splitters, that separate processes. With just two shared variables and three assignments, a splitter seems a simple object but it is not linearizable. To avoid explicitly in-lining it and dealing with its internal state, the proof of the renaming algorithm relies on replacing the splitter with a sequential specification that is proved correct with TLAPS and verified complete by model-checking on finite instances

Inference of Channel Priorities for Asynchronous Communication

International audienceIn distributed systems, the order in which the messages are received by the processes is crucial to ensure the expected behavior. This paper presents a communication model which allows for restrictions on the deliveries of a channel depending on the availability of messages in other channels. This corresponds to prioritizing some channels over others. It relies on a framework able to verify if a given system satisfies a user defined LTL (Linear Temporal Logic) property with different priorities. We also propose to automatically infer the channel priorities so that the system does not infringe on this temporal property

Asynchronous Message Orderings Beyond Causality

International audienceIn the asynchronous setting, distributed behavior is traditionally studied through computations, the Happened-Before posets of events generated by the system. An equivalent perspective considers the linear extensions of the generated computations: each linear extension defines a sequence of events, called an execution. Both perspective were leveraged in the study of asynchronous point-to-point message orderings over computations; yet neither allows us to interpret message orderings defined over executions. Can we nevertheless make sense of such an ordering, maybe even use it to understand asynchronicity better? We provide a general answer by defining a topology on the set of executions which captures the fundamental assumptions of asynchronicity. This topology links each message ordering over executions with two sets of computations: its closure, the computations for which at least one linear extension satisfies the predicate; and its interior, the computations for which all linear extensions satisfy it. These sets of computations represent respectively the uncertainty brought by asynchronicity – the computations where the predicate is satisfiable – and the certainty available despite asynchronicity – the computations where the predicate must hold. The paper demonstrates the use of this topological approach by examining closures and interiors of interestingorderings over executions