159 research outputs found
Timed Runtime Monitoring for Multiparty Conversations
We propose a dynamic verification framework for protocols in real-time distributed systems. The framework is based on Scribble, a tool-chain for design and verification of choreographies based on multiparty session types, developed with our industrial partners. Drawing from recent work on multiparty session types for real-time interactions, we extend Scribble with clocks, resets, and clock predicates constraining the times in which interactions should occur. We present a timed API for Python to program distributed implementations of Scribble specifications. A dynamic verification framework ensures the safe execution of applications written with our timed API: we have implemented dedicated runtime monitors that check that each interaction occurs at a correct timing with respect to the corresponding Scribble specification. The performance of our implementation and its practicability are analysed via benchmarking
Embedding Session Types in HML
Recent work on the enhancement of multiparty session types with logical annotations enable the effective verification of properties on (1) the structure of the conversations, (2) the sorts of the messages, and (3) the actual values exchanged. In [3] we extend this work to enable the specification and verification of mutual effects of multiple cross-session interactions. Here we give a sound and complete embedding into the Hennessy-Milner logic to justify the expressiveness of the approach in [3] and to provide it with a logical background that will enable us to compare it with similar approaches
Meeting Deadlines Together
This paper studies safety, progress, and non-zeno properties of Communicating Timed Automata (CTAs), which are timed automata (TA) extended with unbounded communication channels, and presents a procedure to build timed global specifications from systems of CTAs. We define safety and progress properties for CTAs by extending the properties studied in communicating finite-state machines to the timed setting. We then study non-zenoness for CTAs; our aim is to prevent scenarios in which the participants have to execute an infinite number of actions in a finite amount of time. We propose sound and decidable conditions for these properties, and demonstrate the practicality of our approach with an implementation and experimental evaluations of our theory
On Resolving Non-determinism in Choreographies
Choreographies specify multiparty interactions via message passing. A realisation of a choreography is a composition of independent processes that behave as specified by the choreography. Existing relations of correctness/completeness between choreographies and realisations are based on models where choices are non-deterministic. Resolving non-deterministic choices into deterministic choices (e.g., conditional statements) is necessary to correctly characterise the relationship between choreographies and their implementations with concrete programming languages. We introduce a notion of realisability for choreographies - called whole-spectrum implementation - where choices are still non-deterministic in choreographies, but are deterministic in their implementations. Our notion of whole spectrum implementation rules out deterministic implementations of roles that, no matter which context they are placed in, will never follow one of the branches of a non-deterministic choice. We give a type discipline for checking whole-spectrum implementations. As a case study, we analyse the POP protocol under the lens of whole-spectrum implementation
A model of actors and grey failures
Existing models for the analysis of concurrent processes tend to focus on
fail-stop failures, where processes are either working or permanently stopped,
and their state (working/stopped) is known. In fact, systems are often affected
by grey failures: failures that are latent, possibly transient, and may affect
the system in subtle ways that later lead to major issues (such as crashes,
limited availability, overload). We introduce a model of actor-based systems
with grey failures, based on two interlinked layers: an actor model, given as
an asynchronous process calculus with discrete time, and a failure model that
represents failure patterns to inject in the system. Our failure model captures
not only fail-stop node and link failures, but also grey failures (e.g.,
partial, transient). We give a behavioural equivalence relation based on weak
barbed bisimulation to compare systems on the basis of their ability to recover
from failures, and on this basis we define some desirable properties of
reliable systems. By doing so, we reduce the problem of checking reliability
properties of systems to the problem of checking bisimulation
Amending Contracts for Choreographies
Distributed interactions can be suitably designed in terms of choreographies.
Such abstractions can be thought of as global descriptions of the coordination
of several distributed parties. Global assertions define contracts for
choreographies by annotating multiparty session types with logical formulae to
validate the content of the exchanged messages. The introduction of such
constraints is a critical design issue as it may be hard to specify contracts
that allow each party to be able to progress without violating the contract. In
this paper, we propose three methods that automatically correct inconsistent
global assertions. The methods are compared by discussing their applicability
and the relationships between the amended global assertions and the original
(inconsistent) ones.Comment: In Proceedings ICE 2011, arXiv:1108.014
Structure and Behaviour of Virtual Organisation Breeding Environments
This paper provides an outline of a formal approach that we are developing
for modelling Virtual Organisations (VOs) and their Breeding Environments
(VBEs). We propose different levels of representation for the functional
structures and processes that VBEs and VOs involve, which are independent of
the specificities of the infrastructures (organisational and technical) that
support the functioning of VBEs. This allows us to reason about properties of
tasks performed within VBEs and services provided through VOs without
committing to the way in which they are implemented
Travel Planning Ability in Right Brain-Damaged Patients: Two Case Reports
Planning ability is fundamental for goal-directed spatial navigation. Preliminary findings
from patients and healthy individuals suggest that travel planning (TP)—namely,
navigational planning—can be considered a distinct process from visuospatial planning
(VP) ability. To shed light on this distinction, two right brain-damaged patients without
hemineglect were compared with a control group on two tasks aimed at testing VP
(i.e., Tower of London-16, ToL-16) and TP (i.e., Minefield Task, MFT). The former requires
planning the moves to reach the right configuration of three colored beads on three
pegs, whereas the latter was opportunely developed to assess TP in the navigational
environment when obstacles are present. Specifically, the MFT requires participants to
plan a route on a large carpet avoiding some hidden obstacles previously observed.
Patient 1 showed lesions encompassing the temporoparietal region and the insula; she
performed poorer than the control group on the ToL-16 but showed no deficit on the
MFT. Conversely, Patient 2 showed lesions mainly located in the occipitoparietal network
of spatial navigation; she performed worse than the control group on the MFT but not on
the ToL-16. In both cases performances satisfied the criteria for a classical dissociation,
meeting criteria for a double dissociation. These results support the idea that TP is a
distinct ability and that it is dissociated from VP skills
The Reversible Temporal Process Language
Reversible debuggers help programmers to quickly find the causes of misbehaviours in concurrent programs. These debuggers can be founded on the well-studied theory of causal-consistent reversibility, which allows one to undo any action provided that its consequences are undone beforehand. Till now, causal-consistent reversibility never considered time, a key aspect in real world applications. Here, we study the interplay between reversibility and time in concurrent systems via a process algebra. The Temporal Process Language (TPL) by Hennessy and Regan is a well-understood extension of CCS with discrete-time and a timeout operator. We define revTPL, a reversible extension of TPL, and we show that it satisfies the properties expected from a causal-consistent reversible calculus. We show that, alternatively, revTPL can be interpreted as an extension of reversible CCS with time
A Theory of Composing Protocols
In programming, protocols are everywhere. Protocols describe the pattern of interaction (or communication) between software systems, for example, between a user-space program and the kernel or between a local application and an online service. Ensuring conformance to protocols avoids a significant class of software errors. Subsequently, there has been a lot of work on verifying code against formal protocol specifications. The pervading approaches focus on distributed settings involving parallel composition of processes within a single monolithic protocol description. However we observe that, at the level of a single thread/process, modern software must often implement a number of clearly delineated protocols at the same time which become dependent on each other, e.g., a banking API and one or more authentication protocols. Rather than plugging together modular protocol-following components, the code must re-integrate multiple protocols into a single component.
We address this concern of combining protocols via a novel notion of ‘interleaving’ composition for protocols described via a process algebra. User-specified, domain-specific constraints can be inserted into the individual protocols to serve as ‘contact points’ to guide this composition procedure, which outputs a single combined protocol that can be programmed against. Our approach allows an engineer to then program against a number of protocols that have been composed (re-integrated), reflecting the true nature of applications that must handle multiple protocols at once.
We prove various desirable properties of the composition, including behaviour preservation: that the composed protocol implements the behaviour of both component protocols. We demonstrate our approach in the practical setting of Erlang, with a tool implementing protocol composition that both generates Erlang code from a protocol and generates a protocol from Erlang code. This tool shows that, for a range of sample protocols (including real-world examples), a modest set of constraints can be inserted to produce a small number of candidate compositions to choose from.
As we increasingly build software interacting with many programs and subsystems, this new perspective gives a foundation for improving software quality via protocol conformance in a multi-protocol setting
- …