Mathai Joseph

Transformation of Programs for Fault-tolerance

In this paper we describe how a program constructed for afault-free system can be transformed into afault-tolerant program for execution on a system which is susceptible to failures. A program is described by a set of atomic actions which perform transformations from states to states. We assume that a fault environment is represented by a programF. Interference by the fault environmentF on the execution of a programP can then be described as afault-transformation ℱ which transformsP into a program ℱ(P). This is proved to be equivalent to the programP□PF, wherePF is derived fromP andF, and □ defines the union of the sets of actions ofP andFP. A recovery transformation ℛ transformsP into a program ℛ(P) =P□R by adding a set ofrecovery actions R, called arecovery program. If the system isfailstop and faults do not affect recovery actions, we have ℱ(ℛ(P))=ℱ(P)□R=P□PF□R We illustrate this approach to fault-tolerant programming by considering the problem of designing a protocol that guarantees reliable communication from a sender to a receiver in spite of faults in the communication channel between them.

P-A logic: a compositional proof system for distributed programs

SummaryThis paper describes a compositional proof system called P-A logic for establishing weak total correctness and weak divergence correctness of CSP-like distributed programs with synchronous and asynchronous communication. Each process in a network is specified using logical assertions in terms of a presuppositionPre and an affirmationAff as a triple {Pre}S{Aff}. For purely sequential programs, these triples reduce to the familiar Hoare triples. In distributed programs, P-A triples allow the behaviour of a process to be specified in the context of assumptions about its communications with the other processes in the network. Safety properties of process communications, and progress properties such as finiteness and freedom from divergence can be proved. An extension of P-A logic allowing proof of deadlock freedom is outlined. Finally, proof rules for deriving some liveness properties of a program from its P-A logic specification are discussed; these properties have the form “Q untilR”, whereQ, R are assertions over communication traces. Other liveness properties may be derived from these properties using the rules of temporal logic.

What's 'real' about real-time systems?

A real-time system is a concurrent computing system whose computations and actions must satisfy time constraints. Guaranteeing that such a system will meet its constraints can be viewed either in terms of an extended model of program correctness or as a problem of scheduling, e.g. establishing a feasible schedule. However, a crucial distinction between real-time and other concurrent programs is not merely that of time, but that the former must often execute on systems with limited resources. The authors give a short account of a limited resource semantics of program execution. The model can serve both as the basis for a formal specification system for real-time programs and to characterize real-time scheduling problems.<<ETX>>

A Compositional Framework for Fault-Tolerance by Specification Transformation

The incorporation of a recovery algorithm into a program can be viewed as a program transformation, converting the basic program into a fault-tolerant version. We present a framework in which such program transformations are accompanied by a corresponding formula transformation which obtains properties of the fault-tolerant versions of the programs from properties of the basic programs. Compositionality is achieved when every property of the fault-tolerant version can be obtained from a transformed property of the basic program. A verification method for proving the correctness of formula transformations is presented. This makes it possible to prove just once that a formula transformation corresponds to a program transformation, removing the need to prove separately the correctness of each transformed program. Keywords: Parallel Algorithms, Distributed Algorithms, Fault-Tolerance, Specification, Verification.

Verification of schedulability for real-time programs

Assume that a real-time programPT consisting of a number of parallel processes is executed on a system having a setPr of processors which are shared between the processes by a real-time schedulerST. Assume that PT must meet some timing deadlines. We show that such an implementation ofPT can be represented as a transformationL(PT) and that the deadlines ofPT will be met if they are satisfied by the timing properties of the transformed program. The condition for feasibility of a real-time program executed under a scheduler is formalized and rules are provided for verification. The schedulerST can be specifiedgenerically and applied to different programs, making it unnecessary to introduce low-level operations such as scheduling primitives into the programming language. Thus real-time program specification and Schedulability can be considered in the same framework and the timing properties of a program can be determined at the specification level. By separating the specification of the scheduler from that of the program, the feasibility of an implementation can be proved by considering a scheduling policy rather than its implementation details.

Dynamic Scheduling in the Presence of Faults: Specification and Verification

A distributed real-time program is usually executed on a limited set of hardware resources and is required to satisfy timing constraints, despite anticipated hardware failures. Static analysis of the timing properties of such programs is often infeasible. This paper shows how to formally reason about these programs when scheduling decisions are made on-line and take into account deadlines, load and hardware failures. We use Timed CCS as a process description language, define a language to describe anticipated faults and apply a version of 5-calculus to specify and verify timing properties. This allows the property of schedulability to be the outcome of an equation-solving problem. And unlike conventional reasoning, the logis is fault-monotonic: if correctness is proved for a number of faults, correctness for any subset of these faults is guaranteed.

ISL: An Interval Logic for the Specification of Real-time Programs

ISL is a linear-time temporal logic for specifying properties of programs in execution intervals which are sequences of states. The end points of intervals are specified using instances of state predicates (or assertions) or time values. Abstract intervals, delimited by formulae over states in a computation, are used as the first step in constructing a timed specification. This is then transformed to incorporate timing, first by logical formulae and then using concrete time domains. Refinements are introduced to define time domains and timing properties and include refinement to programming constructs. We outline a way to specify resource limitations along with the functional and timing properties of programs. The specification method is illustrated with some examples.

Problems, Promises and Performance: Some Questions for Real-time System Specification

This paper considers how different views of real-time program specification and verification arise from different assumptions about the representation of time external to the program, the representation of time in the program and the verification of the timing properties on an implementation. Three different views are compared: real-time programming without time, the synchrony hypothesis and asynchronous real-time programs. Questions about the representation of time are then related to different models of time and their roles at different levels of analysis. The relationship between the development of a program from a specification and its timing characteristics in an implementation is discussed and it is suggested that the formal verification of timing properties can be extended towards the implementation. The need for fault-tolerance in a real-time system is then considered and ways examined of incorporating a formal proof of fault-tolerance along with proof of its timing properties.

A Compositional Approach for Fault-Tolerance Using Specification Transformation

The incorporation of a recovery algorithm into a program can be viewed as a program transformation, converting the basic program into a fault-tolerant version. We present a framework in which such program transformations are accompanied by a corresponding formula transformation which obtains properties of the fault-tolerant versions of the programs from properties of the basic programs. Compositionality is achieved when every property of the fault-tolerant version can be obtained from a transformed property of the basic program.

Formalizing Real-Time Scheduling as Program Refinement

This paper shows how the feasibility of scheduling a realtime program consisting of a number of parallel processes (tasks) can be proved as a step in the refinement of the program from its specification. Verification of this step of refinement makes formal use of methods and results from real-time scheduling theory.