1

Modeling and Analyzing Distributed Systems Using I/O Automata

Nancy Lynch, MIT

Draper Laboratory, IR&D Mid-Year Meeting

December 11, 2002

2

Project Description

• Develop I/O-automata-based methods and tools for modeling and analyzing distributed systems, with emphasis on systems for military and space applications.

• Methods and tools can be used for:– System documentation/specification– Design validation:

• Simulation • Stating correctness and performance theorems• Proving theorems, manually or with interactive theorem-provers

– Automatic code generation

• Use the methods and tools to describe and analyze Draper’s ACME system.

• Project participants:– MIT: Nancy Lynch, Stephen Garland, Vida Ha, Amittai Axelrod– Draper: Joe Kochocki, Alan Tanzman

3

I/O Automata • Infinite-state, nondeterministic, interacting state machines.• Support modular system description, using parallel composition

and levels of abstraction.• Static description:

– Actions a (input, output, internal)– States s, start states– Transitions (s, a, s')

• Dynamic description:– Execution: s0 a1 s1 a2 s2 …– Trace: Project on external actions.– A implements B: traces(A) traces(B).

• Operations for building automata:– Parallel composition, action hiding.

• Reasoning methods:– Invariant assertions: Property holds in all reachable states.– Simulation relations: Imply one automaton implements another.

4

Reliable FIFO Channel Model

• Signature:– Inputs:

• send(m), m in M

– Outputs:

• receive(m), m in M

• States:– queue, a finite sequence of elements of M, initially empty

• Transitions:– send(m)

• Effect: Add m to end of queue

– receive(m)

• Precondition: m is first on queue

• Effect: remove first element of queue

Channel(M) send(m) receive(m)

5

Example Applications

• Basic distributed algorithms:– Resource allocation, consensus, atomic objects, concurrency

control, group communication,…

• Distributed systems:– Orca distributed shared memory system [Fekete, Kaashoek,

Lynch]

– Transis group communication system [Fekete, Lynch, Shvartsman]

– Ensemble GCS [Hickey, Lynch, van Renesse]

• Algorithms for dynamic networks:– Reconfigurable atomic memory [Lynch, Shvartsman 02]

[Gilbert, Lynch, Shvartsman 02] [Musial, Shvartsman 02]

– Dynamic atomic broadcast [Bar-Joseph, Keidar, Lynch 02]

6

IOA Language + Toolset

• Formally-defined programming/modeling language for describing and analyzing systems modelled as I/O automata.

• Current tools: Simulator, connection to Larch theorem-prover.

• In progress: Invariant detector, connection to Isabelle/HOL theorem-prover, automatic code generator.

• Steve Garland will say more. IO A

7

Additions to I/O Automaton Models

• Timing behavior: TIOA– For describing timeout-based algorithms.

– Local clocks, clock synchronization.

– Timing/performance analysis.

• Hybrid (continuous/discrete) behavior: HIOA– Systems with real world + computer components

– Vehicle control: ground, air, space

– Embedded systems

8

Timed I/O Automata (TIOA)

• Add special time-passage actions, pass(t), to IOA model.

• Example: Reliable FIFO channel that always delivers messages within time d.– send(m)

• Effect: Add (m, now + d) to end of queue

– receive(m)

• Precondition: (m,u) is first on queue (for some u)

• Effect: remove first element of queue

– pass(t)

• Precondition: for all (m,u) in queue, now + t u• Effect: now := now + t

• Can use standard automaton-based reasoning methods:– Invariant: for all (m,u) in queue, now u now + d.

– Inductive proofs.

9

Example Applications

• Distributed algorithms: – Resource allocation, consensus,…

• Timeout-based communication protocols:– TCP, reliable multicast,…

• Performance (latency) analysis:– Group communication systems:

• Using GCS to build TO-Bcast [Fekete, Lynch, Shvartsman]

• Scalable GCS [Khazan, Keidar 01]

– RAMBO reconfiguration atomic memory

• Hybrid (continuous/discrete) systems (toy examples):– RR crossing [Heitmeyer, Lynch, Archer]

– Steam boiler controller

10

Hybrid I/O Automata (HIOA)

• TIOA plus facilities for representing continuous behavior.

• Static description:– States: input, output, internal variables; start states

– Actions: input, output, internal

– Discrete steps (s, a, s')

– Trajectories , mapping time intervals to states

• Dynamic description:– Execution 0 a1 1 a2 2 …

– Trace: Project on external variables, external actions.

– A implements B if traces(A) traces(B).

• Operations: Composition, hiding

• Reasoning methods: Invariants, simulation relations, compositional methods

11

Example Applications

• Ground transportation:– People-mover (Raytheon) [Livadas, Lynch, Weinberg, Delisle].

– California PATH automated highway system: Analysis of platoon maneuvers [Dolginova, Lynch, Lygeros].

• Aircraft control:– TCAS (Lincoln Labs): Models, proofs

[Livadas, Lygeros, Lynch].

– Quanser helicopter system (MIT Aero/Astro). Models, proofs [Mitra, Wang, Feron, Lynch 02].

• Spacecraft:– ACME [Ha, Axelrod, Lynch, Garland, Kochocki, Tanzman 03]

12

TCAS model

Aircraft

Pilot

ChannelConflictresolver

Conflictdetector

Sensor Sensor

Aircraft

Conflictdetector

Conflictresolver

Pilot

Channel

13

Quanser Model Helicopter System[Mitra, Wang, Feron, Lynch 02]

• 3 DoF models manufatured by Quanser

• User Controllers not safe

• Supervisory pitch controller– Sensor inaccuracies

– Actuator delay

– Limited sampling frequency

14

HIOA model of the system

• New language constructs for specifying trajectories

• State models and Activities

• Composition of activities

15

sample

control

command

dequeue

act

0

supervisorplant

sensorsensor usrCtrl

Discrete communication among components

actuator

16Cannot jump from U to outside of R in a single stepSwitch to supervisor : settling phaseRecovery PhaseBack to User mode

Executions in the User and Supervisor modes

17

Future Directions

• Application of HIOA model to verification

– Realistic dynamics, inaccuracies, delays

• Design of safe Supervisory Controller

– For arbitrary user controller

• Language constructs for HIOA

Contributions

• Study systems with more complicated discrete behavior and dynamics.

• Develop a set of ‘useful lemmas’ from control theory to be directly used in invariant proofs

• Partially automate proofs using theorem provers