NEWSLETTER
No. 54, January 2002
Contents
New Books
Modeling and Verification of Parallel Systems Software
Call for Papers
Welcome to the first palindrome year of the millennium! I trust this will mean not that we go backwards and forwards but that we neatly integrate developments--in theory, implementation, and applications--leading to startling new successes. Among the challenging areas of research in automated reasoning is program verification--particularly of parallel programs; Olga Shumsky Matlin has contributed an interesting article on this topic. Also in this issue are announcements for numerous conferences for the year 2002. It promises to be an exciting year, and I hope that you will contribute some of your research results to the AAR Newsletter and to its companion the Journal of Automated Reasoning.
Automated Theorem Proving in Software Engineering
Handbook of Automated Reasoning
For further information, please see the Web page.
Reasoning about parallel programs is surprisingly difficult. Even small parallel programs are difficult to write correctly, and an incorrect parallel program is equally difficult to debug. This characterization has been borne out in experiences with writing the Multi-Purpose Daemon (MPD): despite MPD's small size and apparent simplicity, errors have impeded progress toward correct code. Such a situation led to exploration of program verification techniques.
MPD [1] is a process manager for parallel programs and is itself a parallel program. Its function is to start the processes of a parallel job, manage input and output, deal with faults, provide services to the application, and cause jobs to terminate cleanly. MPD is the sort of process manager needed to run applications that use the standard MPI [3] library for parallelism, although it is not MPI-specific.
Our attempt to use formal verification techniques to ensure correctness of MPD algorithms employs the model checker SPIN [4], which supports design and verification of asynchronous distributed communicating systems. Models of such systems are recorded in a special high-level verification language PROMELA, which can also be used to state some correctness properties of the models. Additional correctness properties are specified by using linear temporal logic (LTL). The verification engine of SPIN is based on on-the-fly reachability analysis with several optimizations and heuristics. The system also includes a simulation environment and a graphical user interface.
The MPD system consists of several types of processes (called daemon, manager, console, and client) that communicate over Unix sockets and pipes. Daemons and managers are connected in a ring. A typical setup of the MPD system is shown in Figure 1.
Figure 1. Daemons with console process, managers, and clients
MPD algorithms execute on daemons and managers. Daemons and managers execute in essentially infinite loop: they receive messages on their connections and perform actions depending on the type of the received message. The actions are relatively simple and typically involve sending another message. Thus, daemons and managers are viewed and modeled in three layers. On the first layer is the main loop that allows to select a message from one of the attached communication connections. The middle layer is the collection of algorithms that are executed in response to each defined message type. The bottom layer is the mechanism that allows messages to travel from one process to another. The real MPD system relies on Unix sockets for communication between the processes, and the operating system provides all the necessary services.
The MPD algorithms that we would like to verify thus reside in the middle layer of the three-tiered model. To proceed with verification, we must model not only the algorithms of interest but also the interprocess communication of the bottom level; that is, we have to create a Promela model of Unix sockets. Success of verification attempts depends on the efficiency of the underlying model, and so creation of an efficient Promela model of sockets was important. Several Promela models of socket handling functions were tried. Finally, we created a reusable general-purpose library of Unix socket functions. The library contains implementations of the socket functions connect, accept, read, write, close, and select. These functions provide the interface between the interprocess communication layer of the three-tiered model and the middle layer where the algorithms reside. A different implementation of the socket library can be used, if desired, without making any changes to the model of the algorithms.
We considered algorithms that reside on different levels of the MPD system. Two related daemon-level algorithms were modeled: an algorithm for simultaneously inserting new members into a ring of daemons and an algorithm for a recovery of the ring after a single nondeterministic daemon failure. Each of the two algorithms was verified against two correctness properties. The first property (state) is a static check that the information contained in the underlying data structures indeed represents a properly connected ring. The second property (trace) is that a special purpose ring traversal algorithm completes after having visited each member of the ring. We also modeled a manager-level algorithm to provide a synchronization service to the client application processes. A correctness property, stating that no client is allowed to proceed past the synchronization point until all clients have reached the synchronization point, was proved for the algorithm with SPIN's aid.
As shown in Table 1, verification succeeded on models of only a small size, especially compared with the real MPD system that can involve hundreds if not thousands of processes. However, since even the most difficult errors can be discovered on models comprising only a few processes, the verification engine of SPIN enables us to verify the algorithms on models that are sufficiently large for our purposes.
Correctness | Maximum | |
Algorithm | Property | Model Size |
Ring insert | state | 4 |
Ring insert | trace | 4 |
Ring recovery | state | 12 |
Ring recovery | trace | 9 |
Synchronization | 14 |
Currently we use SPIN to explore and verify individual MPD algorithms. However, many things take place in parallel in a running MPD system. Daemons enter and leave the ring, as do managers, different client processes request different services from the managers, and several instances of the same algorithm may be executing simultaneously. Correct interaction of these algorithms is also important. We hope to be able to reason formally about MPD models that consist of several related and interdependent algorithms.
A long-term goal of this project is to model and verify MPD algorithms and then translate them into C or another programming language, while preserving the verified properties. Ideally, translation should be automated. In order to allow this to happen, the Promela model must not be overly abstract. We compared the C implementation of the barrier algorithm with its specification in Promela. The comparison suggests that the automated translation is feasible.
The Promela implementation of the the Unix socket library, models of the verified MPD algorithms and a technical report [2] with a more detailed description of the project are available at on the Web site.
1. R. Butler, W. Gropp, and E. Lusk. ``Components and interfaces of a process management system for parallel programs.'' Parallel Computing, 27:1417-1429, 2001.
2. O. S. Matlin, E. Lusk, W. McCune. ``SPINning Parallel Systems Software.'' Preprint ANL/MCS-P921-1201. Argonne National Laboratory, 2001.
3. Message Passing Interface Forum. ``MPI2: A message passing interface standard.'' International Journal of High Performance Computing Applications,12(1-2):1-299, 1998.
4. Spin Home Page. http://netlib.bell-labs.com/netlib/spin.
Workshop on Complexity in Automated Deduction
Definition, design, implementation and application:
Specialization and integration:
Authors are invited to submit an extended abstract of up to 10 pages. Researchers interested in attending the workshop without giving a talk are invited to send a position paper of 1--2 pages. All submissions should be sent to the Program Chairs (strategies02@cs.uiowa.edu) in Postscript before April 22, 2002. Accepted contributions will be included in the workshop proceedings, which will be available at the workshop and on the Web.
Based on the submissions, the Program Chairs will consider the possibility of a postworkshop publication (e.g., a special issue of a journal or a volume in a series of electronic proceedings), where authors may submit full versions of the workshop papers. This may involve another call for papers and refereeing process.
Attendance is by invitation only but late requests for participation will be considered.
For further information, please see the STRATEGIES 2002 Web site and the CADE 2002 Web site.
Information about AiML-2002 can be obtained at the Web site.
A workshop on "Hybrid Logics" will take place at LICS 2002, on July 25, 2002, in Copenhagen, Denmark. Hybrid logic is a branch of modal logic in which it is possible to directly refer to worlds, times, states, or whatever the elements of the (Kripke) model are meant to represent. Although they date back to the late 1960s and have been sporadically investigated ever since, it is only in the 1990s that work on them really got into its stride. The workshop is relevant to a wide range of people, including those interested in description logic, feature logic, applied modal logics, temporal logic, and labeled deduction. Moreover, the workshop is devoted to exploring ideas Prior first introduced 30 years ago: it will be an ideal opportunity to see how his ideas have been developed in the intervening period. Contributions in the form of an extended abstract (up to 10 A4 size pages) should be sent in PostScript format to carlos@science.uva.nl before April 26, 2002. Please note that all workshop contributors are required by the LICS organizers to register for FLoC 2002. Visit the Web site for further information.
There will also be a mini-workshop on QBF.
In conjunction with the symposium, there will be an SAT Solver Competition (BDD packages welcome). SAT solvers and benchmarks are due March 6, 2002. See the symposium home page for further details.
For further information, please see the Web site.
Submissions are invited in two categories: (A) full research paper, and (B) work in progress report. Submissions under category A are due February 22, 2002; they will be fully refereed, and accepted papers will be published as a volume of Springer-Verlag's Lecture Notes in Computer Science series. Submissions under category B are due May 17, 2002; they will not be formally refereed, but their content and relevance will be reviewed. Those submissions accepted will be published in a NASA technical report. Unless otherwise requested, submissions rejected under category A will also be considered for inclusion under category B. Papers should be no more than 16 pages. Details are available from the Web page.
Specific topics for ADG 2002 include the following:
Potential participants of ADG 2002 are invited to submit an extended abstract (3 or more pages) or a full paper by June 3, 2002. Electronic submissions are preferred, and should be sent to the chairman Franz.Winkler@risc.uni-linz.ac.at. Authors of the extended abstracts and full papers accepted for presentation at the workshop will be invited to submit their full or revised papers for publication in the proceedings of ADG 2002 after the workshop. It is expected that the accepted papers will be published as a volume in the LNAI series by Springer-Verlag.
For further details, please see the Web site.
Amy Felty has issued a call for papers for a special issue of the Journal of Aumated Reasoning on proof-carrying code and related approaches that use formal reasoning to enhance safety and reliability of software. Topics of interest include original results and study of tools and methods for proof generation, proof checking, and their integration with code generation/compilation. Manuscripts should be unpublished works and not submitted elsewhere. Revised and enhanced versions of papers published in conference proceedings that have not appeared in archival journals are eligible for submission. All submissions will be reviewed according to the usual standards of scholarship and originality. The deadline for submissions is February 22, 2002.
For further information, please see the Web site.
prepared by Gail W. Pieper January 2002