Clara Benac Earle

Verifying Erlang Code: A Resource Locker Case-Study

In this paper we describe an industrial case-study on the development of formally verified code for Ericssons AXD 301 switch. For the formal verification of Erlang software we have developed a tool to apply model checking to communicating Erlang processes. We make effective use of Erlangs design principles for large software systems to obtain relatively small models of specific Erlang programs. By assuming a correct implementation of the software components and embedding their semantics into our model, we can concentrate on the specific functionality of the components. We constructed a tool to automatically translate the Erlang code to a process algebra with data. Existing tools were used to generate the full state space and to formally verify properties stated in the modal µ-calculus.As long as the specific functionality of the component has a finite state vector, we can generate a finite state space, even if the state space of the real Erlang system is infinite. In this paper we illustrate this by presenting a case-study based on a piece of software in Ericssons AXD 301 switch, which implements a distributed resource locker algorithm. Some of the key properties we proved are mutual exclusion and non-starvation for the program.

Honesty and trust revisited: the advantages of being neutral about other's cognitive models

Open distributed systems pose a challenge to trust modelling due to the dynamic nature of these systems (e.g., electronic auctions) and the unreliability of self-interested agents. The majority of trust models implicitly assume a shared cognitive model for all the agents participating in a society, and thus they treat the discrepancy between information and experience as a source of distrust: if an agent states a given quality of service, and another agent experiences a different quality for that service, such discrepancy is typically assumed to indicate dishonesty, and thus trust is reduced. Herein, we propose a trust model, which does not assume a concrete cognitive model for other agents, but instead uses the discrepancy between the information about other agents and its own experience to better predict the behavior of the others. This neutrality about other agents’ cognitive models allows an agent to obtain utility from lyres or agents having a different model of the world. The experiments performed suggest that this model improves the performance of an agent in dynamic scenarios under certain conditions such as those found in market-like evolving environments.

A unified semantics for future Erlang

The formal semantics of Erlang is a bit too complicated to be easily understandable. Much of this complication stems from the desire to accurately model the current implementations (Erlang/OTP R11-R14), which include features (and optimizations) developed during more than two decades. The result is a two-tier semantics where systems, and in particular messages, behave differently in a local and a distributed setting. With the introduction of multi-core hardware, multiple run-queues and efficient SMP support, the boundary between local and distributed is diffuse and should ultimately be removed. In this paper we develop a new, much cleaner semantics, for such future implementations of Erlang. We hope that this paper can stimulate some much needed debate regarding a number of poorly understood features of current and future implementations of Erlang.

Translating Erlang to /spl mu/CRL

The language Erlang has been developed by Ericsson to implement large switching systems. Erlang is nowadays used by several companies for complex embedded systems. The language /spl mu/CRL is a process algebra with data. Several verification tools are available for /spl mu/CRL and other process algebras, including a tool to create labelled transition systems from /spl mu/CRL specifications. By having a translation from Erlang to /spl mu/CRL we can apply the verification tools for process algebras and labelled transition systems to industrial code. The translation is aware of the major design component in the switching software. This knowledge is used to ensure that the size of the labelled transition system generated by the tools is smaller than with a naive translation.

Development of a verified Erlang program for resource locking

In this paper, we describe a tool to verify Erlang programs and show, by means of an industrial case study, how this tool is used. The tool includes a number of components, including a translation component, a state space generation component and a model checking component. To verify properties of the code, the tool first translates the Erlang code into a process algebraic specification. The outcome of the translation is made more efficient by taking advantage of the fact that software written in Erlang builds upon software design patterns such as client–server behaviours. A labelled transition system is constructed from the specification by use of the μCRL toolset. The resulting labelled transition system is model checked against a set of properties formulated in the μ-calculus using the Caesar/Aldébaran toolset.As a case study we focus on a simplified resource manager modelled on a real implementation in the control software of the AXD 301 ATM switch. Some of the key properties we verified for the program are mutual exclusion and non-starvation. Since the toolset supports only the regular alternation-free μ-calculus, some ingenuity is needed for checking the liveness property “non-starvation”. The case study has been refined step by step to provide more functionality, with each step motivated by a corresponding formal verification using model checking .

eJason: An Implementation of Jason in Erlang

In this paper we describe eJason, a prototype implementation of Jason, the well-known agent-oriented programming language, in Erlang, a concurrent functional programming language. The reason for choosing Erlang as the implementation vehicle is the surprising number of similarities between Jason and Erlang, e.g., both have their syntactical roots in logic programming, and share an actor-based process and communication model. Moreover, the Erlang runtime system implements lightweight processes and fast message passing between processes. Thus, by mapping Jason agents and agent-to-agent communication onto Erlang processes and Erlang process-to-process communication, we can create a very high-performing Jason implementation, potentially capable of supporting up to a hundred thousand concurrent actors. In this paper we describe in detail the implementation of Jason in Erlang, and provide early feedback on the performance of the implementation.

Property-based testing: the ProTest project

The ProTest project is an FP7 STREP on property based testing. The purpose of the project is to develop software engineering approaches to improve reliability of service-oriented networks; support fault-finding and diagnosis based on specified properties of the system. And to do so we will build automated tools that will generate and run tests, monitor execution at run-time, and log events for analysis. The Erlang / Open Telecom Platform has been chosen as our initial implementation vehicle due to its robustness and reliability within the telecoms sector. It is noted for its success in the ATM telecoms switches by Ericsson, one of the project partners, as well as for multiple other uses such as in facebook, yahoo etc. In this paper we provide an overview of the project goals, as well as detailing initial progress in developing property based testing techniques and tools for the concurrent functional programming language Erlang.

Verifying fault-tolerant Erlang programs

In this paper we target the verification of fault tolerant aspects of distributed applications written in Erlang. Erlang is unusual in several respects. First, it is one of a few functional languages that is used in industry. Secondly the programming language contains support for concurrency and distribution as well as including constructs for handling fault-tolerance.Erlang programmers, of course, mostly work with ready-made language components. Our approach to verification of fault tolerance is to verify systems built using two central components of most Erlang software, a generic server component with fault tolerance handling, and a supervisor component that restarts failed processes.To verify Erlang programs built using these components we automatically translate them into processes of the μCRL process algebra, generate their state spaces, and use a model checker to determine whether they satisfy correctness properties specified in the μ-calculus.The key observation of this paper is that, due to the usage of these higher-level design patterns (supervisors and generic servers) that structure process communication and fault recovery, the state space generated from a Erlang program, even with failures occurring, is relatively small, and can be generated automatically. Moreover the method is independent from the actual Erlang program studied, and is thus reusable.We demonstrate the approach in a case study where a server, built using the generic server component, implements a locking service for a number of client processes, and show that the server tolerates client failures.

Property-Based Testing of JSON Based Web Services

This article describes a systematic approach to testing behavioural aspects of Web Services that communicate using the JSON data format. As a key component, the Quviq QuickCheck property-based testing tool is used to automatically generate a large number of test cases from an abstract description of the service behaviour in the form of a finite state machine. The same behavioural description is also used to decide whether the execution of a test case is successful or not. To generate random JSON data for populating tests we have developed a new library, jsongen, which given a characterisation of the JSON data as a JSON schema, automatically derives a QuickCheck generator which is capable of generating an infinite number of JSON values that validate against the schema.

Verification of timed erlang programs using mcerlang

There is a large number of works that apply model checking to timed specifications, however, there are far fewer attempts at model checking concurrent programs for which correct timed behaviour is crucial. In this work we explore the formal verification of timed programs written in the Erlang concurrent programming language, in its full complexity, using the McErlang model checker. We have extended the McErlang model checker with a timed semantics, similar to the timed semantics Lamport has developed for TLA and TLC, but with a few notable differences. In the paper we present the resulting semantics, its implementation in McErlang, and evaluate it using a number of examples. Among the examples is a process supervision component for controlling the processes in an Erlang application, which provides fault-tolerance.