Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Models for the Verification of Distributed Java Objects Eric Madelaine work with Tomás Barros, Rabéa Boulifa, Christophe Massol OASIS Project, INRIA Sophia Antipolis June 2004

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Goals Analysis and verification software platform for behavioural properties of distributed applications. Long term goal: full language, usable by non-specialists Automatic tools = static analysis, model-checkers, equivalence / preorder checkers. Graphical / Logical Specifications Code analysis Model Automatic tools, diagnostics, etc.

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Plan Distributed objects in ProActive Parameterized hierarchical models Extracting models Compositional verification Components

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 ProActive : distributed activities Active objects communicate by Remote Method Invocation. Each active object: has a request queue (always accepting incoming requests) has a body specifying its behaviour (local state and computation, service of requests, submission of requests) manages the « wait by necessity » of responses (futures)

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 !S_m(args) request served (executed and removed) response received !S_m(args) ProActive : communication method call Current objectRemote object request arriving in the queue !Q_m(args) ?Q_m(args) !R_m(val) ?R_m(val) !Q_m(args) ?Q_m(args) ?R_m(val) response sent back !R_m(val)

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 ProActive : High level semantics Independence wrt. distribution Guarantee and Synchrony of delivery : –RdV mechanism ensures the delivery of requests, and of responses. Determinism / Confluence : –Asynchronous communication and processing do not change the final result of computation. ASP Calculus: D. Caromel, L. Henrio, B. Serpette, “Asynchronous and Deterministic Objects”, POPL’2004

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Methodology: Challenges Specification language : » usable by non-specialists Automatic verification : » construction of models from source code » integrated software Standard, state-of-the-art model checkers : » finite state models, » hierarchical models, compositional construction

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Methodology : Snapshot Informal Requirements Model Checker Source Code Architecture (parameterized) Properties (parameterized) Instantiations (abstractions) Abstract Source Code Data Abstraction Architecture (parameterized) Static Analysis Validate the model Correctness of the implementation (model-checking) Correctness of the implementation (preorder)

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Model (1) : Synchronisation Networks Labelled Transition Systems (LTS) Synchronisation Network (Net) with T= with  v  L T, v=[l t,  1,…,  n ],  i  I i  idle,, l t  A G Synchronisation product : builds a global LTS from a Net of arity n, and n argument LTSs. Arnold 1992 : synchronisation networks Lakas 1996 : Lotos open expressions => Boulifa 2003, Model generation for distributed Java programs, Fidji’03

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Parameterized actions (with typed variables) pA Parameterized LTS (pLTS) with state variables v s, and labels l=(b,  (x), e) Synchronisation Network (Net) with pT = with H n = {(pI i,K i )} i a finite set of holes  v  L T, v=[l t,  1 k1,…,  n kn ],  i ki  pI i  idle, k i  K i, l t  A G Instantiation : for a finite abstract domain D v pLTS x D v  LTS pNet x D v  Net Barros, Boulifa, Madelaine “Parameterized Models for Distributed Java Objects”, Forte 2004, Madrid. (2) Parameterized Networks Finite Network

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Graphical Models

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Large case-study: Electronic Invoices in Chile

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Electronic Invoices in Chile Barros, Madelaine “Formalisation and Verification of the Chilean electronic invoice system”, INRIA report RR-5217, june parameterized automata / 4 levels of hierarchy state explosion: grouping, hiding, reduction by bisimulation : – instantiating 7 parameters yields > millions of states...

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Parameterized Properties True/False + diagnostic Logical parameterized LTS Parameterized temporal logics

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Extracting models by static analysis

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Extended Call Graphs Encodes both the usual control flow usual in MCG (resolution of class analysis and method calls), and the data flow relative to interesting parameters (pieces of bytecode instructions); identifies ProActive objets (activities, remote calls, futures). Complex static analysis : –class analysis –alias analysis –object topology

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Model generation : key points Static topology : finite number of parameterized activities. For each Active Object Class : –parameterized network of LTSs (one for each method) –method calls = synchronisation messages –remote calls : “wait by necessity” using proxy processes –requests queue : the main potential blow-up…! Property : starting from source code with abstracted data (simple types), we have a procedure that builds a finite parameterized model. AjAj QjQj serve PjPj Req use

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Consumer Network

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Buffer Network Buf.Body put Buf.Queue get

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Electronic Invoices in Chile Barros, Madelaine “Formalisation and Verification of the Chilean electronic invoice system”, INRIA report RR-5217, june parameterized automata / 4 levels of hierarchy state explosion: grouping, hiding, reduction by bisimulation

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Distributed Components

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Fractal hierarchical model : composites encapsulate primitives, which encapsulates Java code Component Identity Binding Controller Lifecycle Controller Content Controller Content Controller

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Fractal + ProActive Components for the GRID An activity, a process, … potentially in its own JVM 2. Composite component C 1. Primitive component Java + Legacy 3. Parallel and composite component D Composite: Hierarchical, and Distributed over machines Parallel: Composite + Broadcast (group)

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Components : correct composition Behaviour is an essential part of a component specification. Model of components : – primitive = pLTS – composite = pNet – state-less component = static pNet – controller = transducer Correctness of composition : – implementation preorder ? Content Controller

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Conclusions Parameterized, hierarchical model. Graphical language. Validated with a realistic case-study. Ongoing development : instantiation tool, graphical editor, generation of model from ProActive source code. Incorporation within a verification platform ( ACI-SI Fiacre : INRIA-Oasis, INRIA-Vasy, ENST-Paris, SVF )

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Perspectives Refine the graphical language, extend to other ProActive features, formalize the abstractions. (Direct) parameterized verification. Behavioural specifications of components, correct compositions.

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Algorithm… rules

Eric MadelaineOSMOSE -- WP2 -- Prague June 2004 Call rule If o is remote, we simply generate a send message ! o.Q_m(this, f, args) encoding the method name, its status and its (abstracted) param. with future var. else the message !o. Call_m(args) is sent to the method proccess and according to the return value is void or no the response is awaited or no.