A Formal Treatment of anA Formal Treatment of anAbstract Channel Abstract Channel ImplementationImplementation

Using Java Sockets and TCPUsing Java Sockets and TCP

Chryssis Georgiou, University of CyprusPeter Musial, VeroModo, Inc.

Alexander Shvartsman, University of ConnecticutElaine Sonderegger, University of Connecticut

2

Motivation• Abstract models and specifications of

distributed systems allow formal reasoning about their safety properties

• Mapping the functionality of abstract specifications to executable code for target distributed platforms is a challenging and error-prone process

• Formal specifications and faithful implementations of asynchronous communication channels are particularly challenging

3

Related Work• Traditional communication channel models

– Fixed, pre-initialized channels

– Examples• Reliable FIFO channel• Lossy reordering channel

• Josh Tauber’s IOA compiler used Java/MPI to implement pre-initialized channels

4

Our Work• First formal specification of an asynchronous

communication channel with:– Explicit initialization

– Dynamic interconnections with graceful comings and goings

• Implementation of the specification using Java’s interface to TCP sockets

• Proof by forward simulation that the implementation preserves the safety properties of the specification

5

Initialization

ReceiverSender

receiverListeningsenderOpenrespReceiverListeningsend

receivesendsend receive

6

Sender Closing

ReceiverSender

senderClose receive

emptying

receivereceive

closed

senderClosing

7

Receiver Closing

ReceiverSender

receiverClose

Bit Bucket

closed

8

Abstract Channel• Input/Output Automata formalism

• Transitions (where m is a message, i & j are nodes)– input send (m, i, j)

– output receive (m, i, j)

– input receiverListening (j)

– input receiverStopListening (j)

– input senderOpen (i, j)

– output respReceiverListening (i, j)

– input senderClose (i, j)

– internal senderClosing (i, j)

– input receiverClose (i, j)

– internal lose (m)

9

Implementation• Distributed Abstract Channel functionality

among nodes

• Developed a Composite Channel with three types of component automata– JVM-TCP Channel

– Sender Mediator

– Receiver Mediator

• Based on Josh Tauber’s IOA compiler for a Java/MPI interface

10

Node i

Node Automaton

SendMediator

ReceiveMediator

TCPSockets

TCPSockets

ApplicationAutomaton

JVM-TCP

Channel

11

Main Result• Theorem: Composite Channel implements

Abstract ChannelThe set of traces of Composite Channel is a subset of the set of traces of Abstract Channel

• Proved using forward simulation– Established a simulation relation mapping the

states of Composite Channel to the states of Abstract Channel

– Showed the mapping holds for the initial states of each automaton and is maintained by every transition of Composite Channel

12

Summary• First formal specification and implementation

of an abstract asynchronous communication channel with explicit support for dynamic creation and teardown of communication links– Provides a building block for modeling dynamic

distributed applications and systems

– Serves as an aid to automated code generation

• Future Work (supported by an NSF grant)– Bi-directional channels

– Multiple concurrent channels between node pairs

13

Thank You