Process Analysis Toolkit• PAT is A SPIN-like self-contained environment for system specification, visualized simulation and automated verification. • PAT is designed for supporting multiple domain specific languages.• PAT embeds complementary model checking algorithms, e.g., reachability analysis by depth/breadth first search, SCC-based LTL verification, on-the-fly refinement checking, etc.• PAT is available at

http://pat.comp.nus.edu.sg

CSP@PAT for Concurrent Systems• The modeling language combines high-level compositional operators from process algebra with program-like codes. • PAT supports a variety of fairness notions for distributed algorithms, process-level weak/strong fairness, event-level weak/local strong/global strong fairness, etc. PAT outperforms SPIN for verification with fairness. • PAT has been applied to many recently develop distributed algorithms (bug found!) and others.

WS@PAT for Web Services• WS@PAT supports specialized intermediate languages for Web Service Choreography and Orchestration, which abstract WS-CDL and WSBPEL. • WS@PAT checks conformance between Choreography and Orchestration using an on-the-fly refinement checking algorithm.• WS@PAT verifies implementability of choreography by syntactic analysis and generates prototype orchestration.

Fairness: Motivating Examples

• Peterson’s algorithm– Bounded by-pass requires weak process-level

weak fairness• Population Protocols– Leader election in complete network graph

(requires weak fairness)– Leader election in network rings (requires strong

global fairness)– Token circulation in rings (requires strong global

fairness)

Process-level Fairness

• Process-level weak fairness (e.g., SPIN)– Each process must make infinite progress if always

possible.

• Process-level strong fairness (e.g., CHESS) – Each process must make infinite progress if

repeated possible.

Weak Action Fairness

• <>[] a is enabled => []<> a is engaged• Weak action fairness vs. process-level weak

fairness

Strong Local Fairness

• []<> a is enabled => []<> a is engaged• Strong local fairness vs weak action fairness

Strong Global Fairness

• If a step is infinitely often enabled, it must be taken infinitely.

• Strong global fairness vs. strong local fairness

Verification under Fairness

• Setting 1: one notion of fairness is applied to the whole system.– Verification under fairness = Loop searching, i.e.,

given a (liveness) property, a counterexample is a fair loop which fails the property.

– Fair loop searching = Fair SCC searching, i.e., an on-the-fly model checking algorithm based Tarjan’s algorithm

Pros and Cons

• Pro: no additional user inputs.• Con:– sometimes overwhelming, e.g., the eventual

leader detector.– Partial order reduction is applicable to only

verification under weak action fairness or weaker.

Verification under Fairness

• Setting 2: individual actions are annotated with fairness constraints.– The same SCC-based verification is used to identify

fair SCCs.• Pros– Different parts of the system may have different

fairness,– Partial order reduction is possible.

• Con: need users to annotate fairness with the relevant actions.

Verification under Fairness

• Setting 3: design a fair scheduler to generate only fair executions

• Pros– Smaller state graph, – Nested depth-first-search is possible,– Infinite state systems may become finite.

• Con: the fair scheduler needs additional data structure to guarantee.

Experiments