Olaf Owe

An Asynchronous Communication Model for Distributed Concurrent Objects

Distributed systems are often modeled by objects that run concurrently, each with its own processor, and communicate by synchronous remote method calls. This may be satisfactory for tightly coupled systems, but in the distributed setting synchronous external calls lead to much waiting; at best resulting in inefficient use of processor capacity, at worst resulting in deadlock. Furthermore, it is difficult to combine active and passive behavior in concurrent objects. This paper proposes an object-oriented solution to these problems by means of asynchronous method calls and conditional processor release points. Although at the cost of additional internal nondeterminism in the objects, this approach seems attractive in asynchronous or unreliable environments. The concepts are integrated in a small object-oriented language with an operational semantics defined in rewriting logic, and illustrated by examples.

Creol: a type-safe object-oriented model for distributed concurrent systems

Object-oriented distributed computing is becoming increasingly important for critical infrastructure in society. In standard object-oriented models, objects synchronize on method calls. These models may be criticized in the distributed setting for their tight coupling of communication and synchronization; network delays and instabilities may locally result in much waiting and even deadlock. The Creol model targets distributed objects by a looser coupling of method calls and synchronization. Asynchronous method calls and high-level local control structures allow local computation to adapt to network instability. Object variables are typed by interfaces, so communication with remote objects is independent from their implementation. The inheritance and subtyping relations are distinct in Creol. Interfaces form a subtype hierarchy, whereas multiple inheritance is used for code reuse at the class level. This paper presents the Creol syntax, operational semantics, and type system. It is shown that runtime type errors do not occur for well-typed programs.

An asynchronous communication model for distributed concurrent objects

Distributed systems are often modeled by objects that run concurrently, each with its own processor and communicate by synchronous remote method calls. This may be satisfactory for tightly coupled systems, but in the distributed setting synchronous external calls seem less satisfactory; at best resulting in inefficient use of processor capacity, at worst resulting in deadlock. Furthermore, it is difficult to combine active and passive behavior in concurrent objects. This paper proposes a solution to these problems by means of asynchronous method calls and conditional processor release points. Although at the cost of additional internal non-determinism in the objects, this approach seems attractive in asynchronous or unreliable environments. The concepts are integrated in a small object-oriented language with an operational semantics defined in rewriting logic, and illustrated by an example of a peer-to-peer network.

ANNA: a language for annotating Ada programs

ANNA is a proposed language extension of Ada to include facilities for formally specifying the intended behavior of Ada programs (or portions thereof) at all stages of program development. Anna programs are Ada programs extended by formal comments. Formal comments in ANNA consist of virtual Ada text and annotations. Anna provides annotations for all Ada constructs, including declarative annotations (for variables, subtypes, subprograms, and packages), statement annotations, annotations of generic units, exception annotations and visibility annotations. (The current Anna design does not include extensions for annotating Ada multi-tasking constructs.) Anna also includes a small number of new predefined attributes, which may appear only in annotations, e.g. the collection attribute of an access type. Since all Anna extensions appear as Ada comments, Anna programs are also legal Ada programs and acceptable by Ada translators. The semantics of annotations are defined in terms of Ada concepts; in particular, many kinds of annotations are generalizations of the Ada constraint concept. This simplifies the training of Ada programmers to use Anna for formal specification of Ada programs. Anna provides a formal framework within which different theories of formal specification may be applied to Ada. This manual also describes a translation of annotations into Ada text for run-time check of consistency with annotations.

Partial logics reconsidered: A conservative approach

Partial functions play an important role in computer science. In order to reason about partial functions one may extend classical logic to a logic supporting partial functions, a so-called partial logic. Usually such an extension necessitates side-conditions on classical proof rules in order to ensure consistency, and introduces non-classical proof rules in order to maintain completeness. These complications depend on the choice of consequence relation and non-monotonic operators. In computer science applications such complications are undesirable, because they affect (semi-) mechanical reasoning methods, and make manual reasoning difficult for computer scientists who are not logicians.By carefully choosing the consequence relation and non-monotonic operators, a simple calculus for partial functions arises. The resulting logic is “healthy” in the sense that “meaningless” formulas (such as top(emptystack) > 1) cannot be concluded, except from contradictory or false assumptions, and a meaningless assumption provides no information. This requires all axioms to be healthy; and as a consequence the “excluded middle” (a V ¬a) must be weakened (to meaningfulas). All the well-known classical rules preserve healthiness and are therefore sound in the logic, provided substitutions are restricted to meaningful terms. This means that program reasoning methods based on classical logic usually can be adapted to the presented partial logic.

From Object-Orientation to Formal Methods

The development of the programming languages Simula I and Simula 67 is briefly described. An attempt is made also to explain the cultural impact of the languages, in particular the object oriented

Verification of concurrent objects with asynchronous method calls

Current object-oriented approaches to distributed programs may be criticized in several respects. First, method calls are generally synchronous, which leads to much waiting in distributed and unstable networks. Second, the common model of thread concurrency makes reasoning about program behavior very challenging. A model based on concurrent objects communicating by means of asynchronous method calls has been proposed to combine object orientation and distribution in a more satisfactory way. This paper introduces a reasoning system for this model, focusing on simplicity and modularity. We believe that a simple and compositional proof system is paramount to allow verification of real programs. The proposed proof rules are derived from the Hoare rules of a standard sequential language by means of a semantic encoding preserving soundness and relative completeness.

A Run-Time Environment for Concurrent Objects With Asynchronous Method Calls

A distributed system may be modeled by objects that run concurrently, each with its own processor, and communicate by remote method calls. However objects may have to wait for response to external calls; which can lead to inefficient use of processor capacity or even to deadlock. This paper addresses this limitation by means of asynchronous method calls and conditional processor release points. Although at the cost of additional internal nondeterminism in the objects, this approach seems attractive in asynchronous or unreliable distributed environments. The concepts are illustrated by the small object-oriented language Creol and its operational semantics, which is defined using rewriting logic as a semantic framework. Thus, Creol specifications may be executed with Maude as a language interpreter, which allows an incremental development of the language constructs and their operational semantics supported by testing in Maude. However, for prototyping of highly nondeterministic systems, Maudes deterministic engine may be a limitation to practical testing. To overcome this problem, a rewrite strategy based on a pseudo-random number generator is proposed, providing Maude with nondeterministic behavior.

Observable behavior of distributed systems : component reasoning for concurrent objects

Abstract Distributed and concurrent object-oriented systems are difficult to analyze due to the complexity of their concurrency, communication, and synchronization mechanisms. Rather than performing analysis at the level of code in, e.g., Java or C++, we consider the analysis of such systems at the level of an abstract, executable modeling language. This language, based on concurrent objects communicating by asynchronous method calls, avoids some difficulties of mainstream object-oriented programming languages related to compositionality and aliasing. To facilitate system analysis, compositional verification systems are needed, which allow components to be analyzed independently of their environment. In this paper, a proof system for partial correctness reasoning is established based on communication histories and class invariants. A particular feature of our approach is that the alphabets of different objects are completely disjoint. Compared to related work, this allows the formulation of a much simpler Hoare-style proof system and reduces reasoning complexity by significantly simplifying formulas in terms of the number of needed quantifiers. The soundness and relative completeness of this proof system are shown using a transformational approach from a sequential language with a non-deterministic assignment operator.

Lazy behavioral subtyping

Abstract Inheritance combined with late binding allows flexible code reuse but complicates formal reasoning significantly, as a method call’s receiver class is not statically known. This is especially true when programs are incrementally developed by extending class hierarchies. This paper develops a novel method to reason about late bound method calls. In contrast to traditional behavioral subtyping, reverification of method specifications is avoided without restricting method overriding to fully behavior-preserving redefinition. The approach ensures that when analyzing the methods of a class, it suffices to consider that class and its superclasses. Thus, the full class hierarchy is not needed, and incremental reasoning is supported. We formalize this approach as a calculus which lazily imposes context-dependent subtyping constraints on method definitions. The calculus ensures that all method specifications required by late bound calls remain satisfied when new classes extend a class hierarchy. The calculus does not depend on a specific program logic, but the examples in the paper use a Hoare style proof system. We show soundness of the analysis method. The paper finally demonstrates how lazy behavioral subtyping can be combined with interface specifications to produce an incremental and modular reasoning system for object-oriented class hierarchies.