Section: New Results

Case Studies and Practical Applications

Mutual Exclusion Protocols

Participants : Radu Mateescu, Wendelin Serwe.

Mutual exclusion protocols are an essential building block of concurrent systems to ensure proper use of shared resources in the presence of concurrent accesses. Many variants of mutual exclusion protocols exist for shared memory, such as Peterson's or Dekker's well-known protocols. Although the functional correctness of these protocols has been studied extensively, relatively little attention has been paid to their performance aspects.

In 2011, we considered a set of 27 mutual exclusion protocols for up to sixteen processes with a shared memory and coherent local caches. We specified each protocol in Lotos NT , using a set of generic modules to describe shared variables, the cache protocol, and the overall architectures (in total, $13,600$ lines of Lotos NT code). Then, we compositionally added Markov delays modeling the latencies of read/write accesses on shared variables, so as to obtain the Interactive Markov Chain (Imc ) corresponding to each protocol (up to 1.6 billion states and 2.7 billion transitions for the black-white bakery protocol  [73] for four processes).

We verified functional properties using the same set of Mcl  [18] formulas for each protocol (in total, 380 lines of Mcl ). The mutual exclusion property was easy to express as an Mcl  formula, but other properties (livelock and starvation freedom, independent progress, and unbounded overtaking) turned out to be quite involved because they belong to the $\mu$-calculus fragment of alternation depth two; fortunately, we succeeded in expressing them using the infinite looping operator of Mcl , which can be checked in linear time. In particular, it was challenging to express these properties using a parameter $N$ for the number of processes.

Finally, using the performance evaluation tools of Cadp (i.e., Bcg_Steady for small numbers of processes and Cunctator for larger numbers of processes), we computed the steady-state throughputs of critical section accesses by varying several parameters (relative speeds of processes, ratio between the time spent in critical and non-critical sections, etc.).

These experiments enabled us to compare the protocols according to their efficiency (steady-state throughputs) and study also their scalability for an increasing number of processors. We observed that symmetric protocols are more robust when the difference in execution speed between processes is large, which confirms the importance of the symmetry requirement originally formulated by Dijkstra  [56] . The quantitative results corroborated those of functional verification: the presence of (asymmetric) starvation of processes, detected using temporal formulas, was clearly reflected in their steady-state throughputs. Our results also corroborate experimental measures found in the literature  [48] .

The Platform 2012 Architecture

Participant : Wendelin Serwe.

In the context of the Multival contract (see §  7.1 ), STMicroelectronics studied Platform 2012 , a many-core programmable accelerator for ultra-efficient embedded computing in nanometer technology. This flexible and configurable multi-cluster platform fabric targets a range of emerging video, imaging, and next-generation immersive multimodal applications. Configurability options include the number of clusters, the number and type of processing elements (Pe ) per cluster, specialization of the architecture and instruction-set of the Pe s, and finally, support of hardware-accelerated Pe s. The platform is supported by a rich programming environment which embodies a range of platform programming models.

In 2011 we focused on the Dtd (Dynamic Task Dispatcher) hardware block that assigns a set of application tasks on a set of Pe s. It is called dynamic because each task itself might add tasks to the set of those to be dispatched by the Dtd . The Dtd is synthesized from a C++ model, optimized to generate an efficient hardware block. Due to the intrinsic complexity of the Dtd , STMicroelectronics was interested in the co-simulation of this C++ code with a formal model of the Dtd .

In a first step, we generalized the Lotos NT model of the Dtd developed in 2010 to allow the handling of an arbitrary number of Pe s ($1,200$ lines of Lotos NT ). We also modeled as Lotos NT processes the different sets of tasks corresponding to various applications. To express the operations provided by the Dtd , we had to include a call-stack in the model of each Pe , as a means of circumventing the static-control constraints of Cæsar forbidding recursion over parallel composition. STMicroelectronics judged Lotos NT to be essential in modeling the Dtd , because using Lotos instead would have been extremely difficult, requiring complex continuations with numerous parameters. We also wrote twelve scenarios ($1,000$ lines of Lotos NT ) describing applications to be dispatched by the Dtd . For each scenario and for up to six Pe s, we generated the corresponding Lts (up to 100 million states and 500 million transitions).

Then, for each generated Lts , we verified several properties, such as the correctness of assertions inserted in the model (by checking the set of transition labels), the termination of the scenario, or that each task is executed exactly once. We expressed the latter properties using the Mcl language [18] and verified them using the Evaluator  4 model checker. This allowed us to point out a difference between our implementation and the one from the architect, highlighting a high sensibility on the order of terms in an equation, revealing an under-specified mechanism. We also verified the correctness of a complex optimization.

Having gained confidence in the Lotos NT model, we applied the Exec/Cæsar framework to co-simulate the C++ and Lotos NT models of the Dtd , a challenge being the connection of the asynchronous Lotos NT model with the synchronous C++ model, because one step of the C++ model corresponds, in general, to several transitions of the Lotos NT model.

This case study enabled us to discover and correct a few bugs in Cadp and led to a publication in an international conference [39] .

The Self-configuration Protocol

Participant : Gwen Salaün.

Cloud computing emerged a few years ago as a major topic in modern programming. It leverages hosting platforms based on virtualization, and promises to deliver resources and applications that are faster and cheaper with a new software licensing and billing model based on the pay-per-use concept.

Distributed applications in the cloud are composed of a set of virtual machines (Vm s) running a set of interconnected software components. However, the task of configuring distributed applications is complex as each Vm includes many parameters either for local configuration (e.g., pool size, authentication data) or remote interconnection (e.g., Ip address and port to access a server). Existing deployment solutions are often specific to certain applications and rarely take into account these configuration parameters, which are usually managed by dedicated scripts that do not work fully automatically.

Together with Xavier Etchevers, Thierry Coupaye (Orange labs), Fabienne Boyer, and Noël de Palma (Inria Grenoble), we worked on the verification of an innovative self-configuration protocol [34] that automates the configuration of distributed applications in the cloud without requiring any centralized server nor a scripting effort. The high degree of parallelism involved in this protocol making its design difficult and error-prone, we decided to specify the protocol using Lotos NT and to verify it with Cadp . So doing, we detected a major bug, which was corrected in the reference Java implementation. The Lotos NT specification also served as a workbench to experiment with several possible communication models, which helped us to avoid an erroneous design.

These results have been published in [44] .

Realizability of Choreographies

Participants : Matthias Güdemann, Gwen Salaün.

The specification and the analysis of interactions among distributed components play an important role in service-oriented computing. In order to facilitate the integration of independently developed components (named peers) that may reside in different organizations, it is necessary to provide a global contract that the peers participating in a service composition should adhere to. Such a contract is called choreography. One important problem in a top-down development process is figuring out whether a choreography specification can be implemented by a set of peers that communicate via message passing. Given a choreography specification, it would be desirable to generate peers automatically by projecting the global choreography specification to each peer ignoring all messages that are not sent or received by that peer. However, generation of peers that precisely implement a choreography specification is not always possible, i.e., there are choreographies that are not implementable by a set of distributed peers. This problem is known as realizability.

In 2011, we considered the following aspects of the realizability problem:

• In collaboration with Gregor Gössler (Inria Grenoble) we studied the realizability of choreographies for peers interacting asynchronously through message buffers. Although this problem is generally undecidable for unbounded buffers, we proposed techniques to check whether peers interacting asynchronously with finite buffers can realize a choreography, and if so, for which buffer sizes. These results have been published in [36] .

• In collaboration with Pascal Poizat (Lri , Orsay), we proposed an approach to check the realizability of choreographies using the interaction model of Bpmn (Business Process Modeling Notation) 2.0. While being a standard for the abstract specification of business workflows and collaboration between services, Bpmn has only been recently extended into Bpmn  2.0 to support choreographies. Our approach is based on a model transformation into Lotos NT and the use of equivalence checking. We implemented a prototype of our approach using the Eclipse Bpmn  2.0 editor and Cadp . These results have been published in [43] .

• In collaboration with Meriem Ouederni (Lina , Nantes), we studied the automatic synthesis of monitors to enforce realizability, using Cadp to check equivalence between the choreography and an automatically obtained distributed implementation.

Other Case Studies

Participants : Hubert Garavel, Frédéric Lang, Radu Mateescu, Gwen Salaün, Wendelin Serwe, Damien Thivolle.

• In the context of the Topcased project (see §  7.2 ), we studied how Cadp can be used to verify avionics protocols. In 2011, we prepared two lectures summarizing our prior results on four avionic protocols, namely a ground/plane communication protocol based on Tftp (Trivial File Transfer Protocol) [14] , the Bite (Built In Test Equipment)/Cms (Central Maintenance Function), the Atc (Air Traffic Control) system, and the Afn (Air Traffic System Facilities Notification).

• Our prior work (2009–2010) with Fabienne Boyer and Olivier Gruber (Université Joseph Fourier Grenoble) on modeling and verification using Lotos NT and Cadp of the Synergy reconfiguration protocol led to a publication in an international conference [31] .

Other teams also used the Cadp toolbox for various case studies. To cite only recent work not already described in previous Vasy activity reports, we can mention:

• behavior analysis of malware by rewriting-based abstraction  [51] ;

• safety verification of fault-tolerant distributed components  [46] ;

• verification of mobile ad hoc networks  [57] ;

• model checking Erlang applications  [59] ;

• model-checking dataflow in service compositions  [63] ;

• verification of a key chain based Ttp transparent Cem protocol  [65] ;

• semantics tuning of Uml/SysMl   [69] ;

• atomicity maintenance in Epcreport of Ale   [70] ;

• cost analysis of semantic composability validation  [71] ;

• rigorous development of prompting dialogs  [75] ;

• scalably verifiable cache coherence  [76] .