Michel Charpentier

Towards a Compositional Approach to the Design and Verification of Distributed Systems

We are investigating a component-based approach for formal design of distributed systems. In this paper, we introduce the framework we use for specification, composition and communication and we apply it to an example that highlights the different aspects of a compositional design, including top-down and bottom-up phases, proofs of composition, refinement proofs, proofs of program texts, and component reuse.

An Experiment in Program Composition and Proof

This paper explores a compositional approach to program specification, development and proof. We apply a theory of composition to a problem in distributed computing with the goal of understanding the strengths and weaknesses of this compositional approach. First, we describe the theory briefly. Then we give a specification of a desired system. Next, we propose a design of the desired system as a composition of components and prove its correctness. Finally, we show how the proof can be reused for a slightly different compositional structure by using the concept of observation.

Examples of Program Composition Illustrating the Use of Universal Properties

This paper uses a theory of composition based on existential and universal properties. Universal properties are useful to describe components interactions through shared variables. However, some universal properties do not appear directly in components specifications and they must be constructed to prove the composed system. Coming up with such universal properties often requires creativity. The paper shows through two examples how this construction can be achieved. The principle used is first presented with a toy example and then applied to a more substantial problem.

Theorems about Composition

Compositional designs require component specifications that can be composed: Designers have to be able to deduce system properties from components specifications. On the other hand, components specifications should be abstract enough to allow component reuse and to hide substantial parts of correctness proofs in components verifications. Part of the problem is that too abstract specifications do not contain enough information to be composed. Therefore, the right balance between abstraction and composability must be found. This paper explores the systematic construction of abstract specifications that can be composed through specific forms of composition called existential and universal.

Composing invariants

We explore the question of the composition of invariance specifications in a context of concurrent and reactive systems. Depending on how compositionality is stated and how invariants are defined, invariance specifications may or may not be compositional. This article first examines two classic forms of invariants and their compositional properties. After pointing out what we see as deficiencies of these two kinds of invariants, two new forms are defined and shown to have useful compositional properties that the more classic forms do not enjoy. The last form, in particular, is shown to be well suited to situations where none of the other three is adapted.

Self-Similar Algorithms for Dynamic Distributed Systems

This paper proposes a methodology for designing a class of algorithms for computing functions in dynamic distributed systems in which communication channels and processes may cease functioning temporarily or permanently. Communication and computing may be interrupted by an adversary or by environmental factors such as noise and power loss. The set of processes may be partitioned into subsets that cannot communicate with each other; algorithms in which all such subsets behave in a similar fashion, regardless of size and identities of processes, are called self-similar algorithms. Algorithms adapt to changing conditions, speeding up or slowing down depending on the resources available. The paper presents necessary and sufficient conditions for the application of a self-similar strategy. Self-similar algorithms are developed for several problems by applying the methodology.

Reasoning about Composition Using Property Transformers and Their Conjugates

Compositional design is concerned with both constructing systems by composing components and with deconstructing systems into proposed sets of components. In bottom-up design, engineers prove system properties given properties of components and a compositional structure. In top-down design, they propose properties of components and a compositional structure given system properties. In this paper we show how the theory of predicate transformers, which has been used so successfully in sequential programming, can be applied to compositional design of systems. The rules of composition we study are more general than the rules employed in sequential programming, and the systems we study are not limited to programs. We exploit theorems about weakest and strongest solutions to equations to obtain a collection of useful predicate transformers, and then we exploit the theory of conjugate transformers to obtain more useful transformers. We show how these transformers are useful for both bottom-up and top-down design.

Abstracting Communication to Reason about Distributed Algorithms

In distributed systems, message passing is a low level representation of communication resulting in intricate designs and proofs. This paper presents a new abstraction to express communication: the observation. This notion provides a more concise expression of programs and properties, and consequently is an effective help in understanding and reasoning about distributed algorithms. Observations are formalized in the Unity framework.

THE OBSERVATION: AN ABSTRACT COMMUNICATION MECHANISM

In this paper, we introduce an observation relation as an abstraction of point-to-point communication in distributed architectures. After showing how its semantics and syntax can be embedded within the UNITY approach, we state general observation properties. Finally, we consider the description and the validation of a distributed mutual exclusion algorithm. The relevant aspect of such a validation is the exclusive use of refinements and observations properties for the proof of these refinements.

Tailoring UNITY to Distributed Program Design

As a general framework, UNITY does not offer any specific facility for the design of distributed systems. For such systems, distribution aspects must be represented at a low level, resulting into intricated models and proofs. To provide a more abstract view of distributed systems, we propose two extensions to UNITY. The first one is an observation relation which is integrated in UNITY semantics to provide an abstract communication mechanism. The second one is a mapping operator which accounts for the true parallelism of distributed systems. The paper illustrates, through different examples, how these extensions can be used to help the design of distributed systems in UNITY.