Process Analysis Toolkit
• PAT is a SPIN-like self-contained environment for system specification, visualized simulation and automated verification.
• PAT is designed to support multiple domain-specific languages.
• PAT embeds complementary model checking algorithms, e.g., reachability analysis by depth-first/breadth-first search, SCC-based LTL verification, on-the-fly refinement checking, etc.
• PAT is available at http://pat.comp.nus.edu.sg
CSP@PAT for Concurrent Systems
• The modeling language combines high-level compositional operators from process algebra with program-like code.
• PAT supports a variety of fairness notions for distributed algorithms: process-level weak/strong fairness, event-level weak/local strong/global strong fairness, etc. PAT outperforms SPIN for verification under fairness.
• PAT has been applied to many recently developed distributed algorithms (bugs found!) and others.
WS@PAT for Web Services
• WS@PAT supports specialized intermediate languages for Web Service Choreography and Orchestration, which abstract WS-CDL and WSBPEL.
• WS@PAT checks conformance between Choreography and Orchestration using an on-the-fly refinement checking algorithm.
• WS@PAT verifies implementability of a choreography by syntactic analysis and generates a prototype orchestration.
Fairness: Motivating Examples
• Peterson's algorithm
– Bounded bypass requires process-level weak fairness
• Population protocols
– Leader election in a complete network graph (requires weak fairness)
– Leader election in network rings (requires strong global fairness)
– Token circulation in rings (requires strong global fairness)
Process-level Fairness
• Process-level weak fairness (e.g., SPIN)
– Each process must make infinite progress if it is always possible.
• Process-level strong fairness (e.g., CHESS)
– Each process must make infinite progress if it is repeatedly possible.
Weak Action Fairness
• <>[] a is enabled => []<> a is engaged (an action that is eventually always enabled must be engaged infinitely often)
• Weak action fairness vs. process-level weak fairness
Strong Local Fairness
• []<> a is enabled => []<> a is engaged (an action that is enabled infinitely often must be engaged infinitely often)
• Strong local fairness vs. weak action fairness
Strong Global Fairness
• If a step (a particular transition, not just an action label) is infinitely often enabled, it must be taken infinitely often.
• Strong global fairness vs. strong local fairness
Verification under Fairness
• Setting 1: one notion of fairness is applied to the whole system.
– Verification under fairness = loop searching, i.e., given a (liveness) property, a counterexample is a fair loop which fails the property.
– Fair loop searching = fair SCC searching, i.e., an on-the-fly model checking algorithm based on Tarjan's algorithm.
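The fair-SCC search of Setting 1, and the three action-level fairness notions defined on the preceding slides, as an added worked example (my own illustration, not PAT's code). It is restricted to properties of the form []<> a ("action a is engaged infinitely often"), so no Büchi product is needed: a counterexample is a reachable fair loop that never takes an a-step, found as a fair SCC of the graph with the a-transitions removed, while enabledness is read from the full graph. The three toy transition systems at the bottom are constructed for this example and are not the slides' case studies; they are chosen so that each fairness notion rules out one more spurious counterexample than the previous one.

```python
"""Fair-loop (fair-SCC) search on a small labelled transition system (LTS).

Added illustration, not PAT's own code. Property checked: []<> a, "action a
is engaged infinitely often". Counterexample = reachable fair loop with no
a-step, i.e. a fair SCC of the graph minus a-transitions; enabledness is
always taken from the full graph. The LTSs at the bottom are constructed toys.
"""
from collections import defaultdict

NONE, WEAK, STRONG_LOCAL, STRONG_GLOBAL = "none", "weak", "strong_local", "strong_global"


def tarjan_sccs(nodes, step):
    """Tarjan's algorithm over `nodes` using successor function `step`.
    Returns only SCCs that can host an infinite loop (size > 1 or a self-loop)."""
    index, low, on_stack, stack, sccs, clock = {}, {}, set(), [], [], [0]

    def connect(v):
        index[v] = low[v] = clock[0]; clock[0] += 1
        stack.append(v); on_stack.add(v)
        for w in step(v):
            if w not in index:
                connect(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                     # v is the root of an SCC
            comp = set()
            while True:
                w = stack.pop(); on_stack.discard(w); comp.add(w)
                if w == v:
                    break
            if len(comp) > 1 or v in step(v):
                sccs.append(frozenset(comp))

    for v in nodes:
        if v not in index:
            connect(v)
    return sccs


class LTS:
    """States are strings; transitions are (src, action, dst) triples."""
    def __init__(self, init, transitions):
        self.init, self.out = init, defaultdict(list)
        for s, a, t in transitions:
            self.out[s].append((a, t))

    def enabled(self, s):
        return {a for a, _ in self.out[s]}

    def reachable(self):
        seen, todo = {self.init}, [self.init]
        while todo:
            for _, t in self.out[todo.pop()]:
                if t not in seen:
                    seen.add(t); todo.append(t)
        return seen


def fair_loop_exists(lts, avoid, fairness):
    """Is there a reachable loop that never engages `avoid` and is fair?"""
    def search(nodes):
        step = lambda s: [t for a, t in lts.out[s] if a != avoid and t in nodes]
        for scc in tarjan_sccs(nodes, step):
            # actions the loop through this SCC takes (never `avoid`)
            engaged = {a for s in scc for a, t in lts.out[s] if a != avoid and t in scc}
            if fairness == NONE:
                return True
            if fairness == WEAK:
                # <>[] enabled => []<> engaged: actions enabled at every state of
                # the SCC must be engaged; otherwise no sub-loop can be fair either
                if set.intersection(*(lts.enabled(s) for s in scc)) <= engaged:
                    return True
            elif fairness == STRONG_LOCAL:
                # []<> enabled => []<> engaged: prune states at which some action
                # is enabled but never engaged in the SCC, then search the rest
                bad = {s for s in scc if not lts.enabled(s) <= engaged}
                if not bad or search(scc - bad):
                    return True
            elif fairness == STRONG_GLOBAL:
                # every step enabled in the loop must be taken: the SCC must be
                # terminal (no step leaves it) and contain no `avoid` step at all
                if all(a != avoid and t in scc for s in scc for a, t in lts.out[s]):
                    return True
        return False
    return search(lts.reachable())


def holds(lts, action, fairness):
    """True iff []<> action holds under `fairness` (no fair loop avoids it)."""
    return not fair_loop_exists(lts, action, fairness)


# Constructed toys: p is a busy step of one process, q the step whose
# recurrence we want to prove; they differ only in when q is enabled.
ALWAYS = LTS("s0", [("s0", "p", "s0"), ("s0", "q", "s1"),         # q enabled everywhere
                    ("s1", "p", "s1"), ("s1", "q", "s0")])
SOMETIMES = LTS("s0", [("s0", "p", "s1"), ("s1", "p", "s0"),      # q enabled only in s0
                       ("s0", "q", "s2"), ("s2", "p", "s2"), ("s2", "q", "s0")])
CHOICE = LTS("s0", [("s0", "p", "s1"), ("s1", "p", "s0"),         # one p-step leads
                    ("s0", "p", "s2"), ("s2", "q", "s0")])        # towards q, one away

if __name__ == "__main__":
    for name, lts in [("ALWAYS", ALWAYS), ("SOMETIMES", SOMETIMES), ("CHOICE", CHOICE)]:
        print(name, {f: holds(lts, "q", f) for f in (NONE, WEAK, STRONG_LOCAL, STRONG_GLOBAL)})
```

Without fairness every system has the trivial counterexample "p forever". ALWAYS needs only weak action fairness (q is enabled at every state of the p-loop); SOMETIMES needs strong local fairness (q is enabled at s0 only, so the loop s0-p-s1-p-s0 is weakly fair but not strongly fair, and pruning s0 leaves no loop); CHOICE needs strong global fairness, because the loop s0-p-s1 engages every action label that is ever enabled, yet never takes the specific step s0-p-s2, which is why ring protocols on the motivating-examples slide need the global notion.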
Pros and Cons
• Pro: no additional user input.
• Cons:
– Sometimes overwhelming, e.g., the eventual leader detector.
– Partial order reduction is applicable only to verification under weak action fairness or weaker notions.
Verification under Fairness
• Setting 2: individual actions are annotated with fairness constraints.
– The same SCC-based verification is used to identify fair SCCs.
• Pros
– Different parts of the system may have different fairness.
– Partial order reduction is possible.
• Con: users need to annotate the relevant actions with fairness.
Verification under Fairness
• Setting 3: design a fair scheduler that generates only fair executions.
• Pros
– Smaller state graph.
– Nested depth-first search is possible.
– Infinite-state systems may become finite.
• Con: the fair scheduler needs additional data structures to guarantee fairness.