Overview of the OASIS research: proofs of safety properties of distributed Java applications

Post on 30-Dec-2015


DESCRIPTION

Modocop in the OASIS project: Active Objects, Semantics, Internet and Security INRIA in Sophia-Antipolis http://www.inria.fr/oasis. Overview of the OASIS research Proofs of safety properties of distributed Java applications Platform for static analysis and verification of distributed Java. - PowerPoint PPT Presentation

TRANSCRIPT

OASIS

Modocop in the OASIS project: Active Objects, Semantics, Internet and Security

INRIA in Sophia-Antipolis
http://www.inria.fr/oasis

• Overview of the OASIS research
• Proofs of safety properties of distributed Java applications
• Platform for static analysis and verification of distributed Java

Eric Madelaine, 13-02-2002


Oasis at a glance (diagram labels)

• Concurrence / distribution
• Security
• Semantics and proofs
• Static analysis / model checking
• Java/XML environment
• Formal models
• Implementation & optimizations
• Library
• Specifications
• Environments
• Distributed objects


Parallel, Distributed, Concurrent, Mobile programming

(diagram: Sequential / Multithreaded / Distributed; Sun Microsystems logo)

• Transparent distribution, remote object creation
• Method call -> asynchronous communication
• Futures & wait-by-necessity
• Mobility: migration of active objects
• XML descriptors for deployment


C3D: distributed // collaborative (screenshot)


Ongoing Work

• Secure and efficient meta-computing
– Security at application level (application-level VPN)
– Group communication

• Formal definition of the ProActive model
– ASP: object model a la Abadi-Cardelli
– Equivalence proofs between sequential and parallel programs
– Deterministic subset of the model

• Behavioural semantics, and relation with the object model
– Property verification via model-checking


A component generator for domain-specific languages

object-oriented & XML-centric

(logos: Microsoft, W3C)

• Openness: conform to W3C standards (DTD, Schemas)

• Reuse: a homogeneous approach (exportable GUI)

• Integration: component-based architecture

• Adaptability: visitor design patterns & AOP

• Environments for Java (& Javacard), Bytecode.


Modocop in the OASIS project:

• Overview of the OASIS research

• Proofs of safety properties of distributed Java applications

• Platform for static analysis and verification of distributed Java


Proofs of safety properties of concurrent/distributed Java applications

• Context:
– Multi-threaded Java
– JCSP (processes & channels a la CSP)
– ProActive (asynchronous messages, creation and migration of active objects)
– Specific frameworks: AAA, Voyager, Aglets, ...

• Criteria: high-level primitives for distribution/communication, formal semantics, distributed implementation

(selected: ProActive)


ProActive: behavioural semantics

• Active objects = processes, parameterised, with dynamic creation.

• Remote method calls = asynchronous messages, stored in request queues.

• Object behaviour = each active object controls the activation of the requests in its queue.

• Return values = asynchronous messages, wait by necessity.

• Migration is transparent.
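The programming features listed earlier (method call as asynchronous communication, futures, wait-by-necessity) and the behavioural semantics above (one request queue per active object, the body deciding when to serve) are easy to mistake for ordinary threading. The following added example, written for this page and not code from the OASIS project or the ProActive library, models that semantics in Python: a wrapper turns every method call into a queued request served by a single body thread, and the caller gets a future that blocks only when its value is actually read. Names (ActiveObject, Future, Counter) and the FIFO serving policy are assumptions of the example; ProActive lets the body choose other serving policies.

```python
import queue
import threading


class Future:
    """Placeholder returned immediately by an asynchronous call. Reading the
    value blocks only at that point (wait-by-necessity); an exception raised
    by the callee is re-raised in the caller when the value is read."""

    def __init__(self):
        self._done = threading.Event()
        self._value = None
        self._error = None

    def resolve(self, value=None, error=None):
        self._value, self._error = value, error
        self._done.set()

    def is_available(self):
        return self._done.is_set()

    def get(self, timeout=None):
        if not self._done.wait(timeout):
            raise TimeoutError("future not resolved within timeout")
        if self._error is not None:
            raise self._error
        return self._value


class ActiveObject:
    """Wraps a plain object. Each method call becomes a request appended to a
    FIFO request queue; a single body thread serves the queue, so at most one
    request runs inside the target at any time (no races on its fields).
    FIFO serving is an assumption of this toy model."""

    def __init__(self, target):
        self._target = target
        self._requests = queue.Queue()
        self._body = threading.Thread(target=self._serve, daemon=True)
        self._body.start()

    def _serve(self):
        while True:
            name, args, kwargs, fut = self._requests.get()
            if name is None:          # stop sentinel
                return
            try:
                fut.resolve(value=getattr(self._target, name)(*args, **kwargs))
            except Exception as exc:  # delivered to whoever reads the future
                fut.resolve(error=exc)

    def __getattr__(self, name):
        # Only reached for names not defined on ActiveObject itself.
        if name.startswith("_"):
            raise AttributeError(name)

        def call(*args, **kwargs):
            fut = Future()
            self._requests.put((name, args, kwargs, fut))
            return fut                # the caller continues immediately
        return call

    def stop(self):
        self._requests.put((None, None, None, None))
        self._body.join()


class Counter:
    """Constructed target object for the example."""

    def __init__(self):
        self.total = 0

    def add(self, k):
        self.total += k
        return self.total

    def fail(self):
        raise ValueError("rejected")


def demo():
    c = ActiveObject(Counter())
    futures = [c.add(1), c.add(2), c.add(3)]       # three queued requests
    bad = c.fail()
    results = [f.get(timeout=5) for f in futures]  # wait-by-necessity
    try:
        bad.get(timeout=5)
        error = None
    except ValueError as exc:
        error = str(exc)
    c.stop()
    return results, error


if __name__ == "__main__":
    print(demo())
```

The three requests are served in the order they were queued, so the futures resolve to 1, 3 and 6 even though the caller never waited between calls; the failing request does not disturb the body thread, its error surfaces only at the point where the future is read.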


ProActive : finite models

• Pragmatics: model checkers deal with finite representations.
– Hierarchical networks of finite transition systems (all analysis functions ought to be compositional).
– Abstract and approximate finite structures (as in CADP or Bandera).
– Finite representation of request queues.


ProActive : academic example

(work done with Rabea Boulifa)

• Dining Philosophers:
– Rewritten in ProActive, distributed style
– Finite configuration
– Proof of (absence of) deadlock
– Proof of boundedness of request queues
– Proof of liveness
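To make the "finite models" slide and the dining-philosophers proofs concrete, here is an added example, written for this page and not the model or tooling of the OASIS group or of R. Boulifa's work: a finite configuration of philosophers written in active-object style (each fork is an active object with a request queue of take() requests, each philosopher sends take() to its two forks and waits by necessity), explored by explicit-state reachability. It checks two of the three properties listed above, absence of deadlock and boundedness of the request queues; liveness needs a fairness argument and is not checked here. The phase encoding, the FIFO serving policy of the fork body, n = 4, and the naive versus resource-ordered acquisition strategies are assumptions of the example.

```python
from collections import deque


def acquisition_order(n, ordered):
    """Per philosopher: (first fork requested, second fork requested).
    Naive: everyone takes its left fork i first. Ordered: philosopher n-1
    takes its right fork (fork 0) first, so every philosopher requests the
    lower-numbered fork first."""
    order = []
    for i in range(n):
        left, right = i, (i + 1) % n
        if ordered and i == n - 1:
            left, right = right, left
        order.append((left, right))
    return order


def initial_state(n):
    # philosopher: (phase, frozenset of forks held); phases T(hink), R1, R2, E(at)
    # fork: (holder or -1, tuple of queued take() requests, oldest first)
    return (tuple(("T", frozenset()) for _ in range(n)),
            tuple((-1, ()) for _ in range(n)))


def successors(state, order):
    """All global states reachable by one atomic step of one active object."""
    phils, forks = state
    out = []

    def with_phil(ps, i, phase, holds):
        ps = list(ps); ps[i] = (phase, holds); return tuple(ps)

    def with_fork(fs, j, holder, q):
        fs = list(fs); fs[j] = (holder, q); return tuple(fs)

    for i, (phase, holds) in enumerate(phils):
        first, second = order[i]
        if phase == "T":                          # send take(first), keep going
            h, q = forks[first]
            out.append((with_phil(phils, i, "R1", holds),
                        with_fork(forks, first, h, q + (i,))))
        elif phase == "R1" and first in holds:    # first future resolved: take(second)
            h, q = forks[second]
            out.append((with_phil(phils, i, "R2", holds),
                        with_fork(forks, second, h, q + (i,))))
        elif phase == "R2" and second in holds:   # both held: eat
            out.append((with_phil(phils, i, "E", holds), forks))
        elif phase == "E":                        # release both forks
            fs = with_fork(forks, first, -1, forks[first][1])
            fs = with_fork(fs, second, -1, fs[second][1])
            out.append((with_phil(phils, i, "T", frozenset()), fs))

    for j, (holder, q) in enumerate(forks):
        if holder == -1 and q:                    # fork body serves the oldest take()
            i = q[0]
            phase, holds = phils[i]
            out.append((with_phil(phils, i, phase, holds | {j}),
                        with_fork(forks, j, i, q[1:])))
    return out


def explore(n, ordered):
    """Explicit-state reachability over the finite configuration. Reports the
    number of reachable states, the number of deadlocked states (no enabled
    step anywhere) and the longest request queue seen, which for this n is a
    proof that queues are bounded by that length."""
    order = acquisition_order(n, ordered)
    init = initial_state(n)
    seen, frontier = {init}, deque([init])
    deadlocks, max_queue = 0, 0
    while frontier:
        s = frontier.popleft()
        max_queue = max(max_queue, max(len(q) for _, q in s[1]))
        nxt = successors(s, order)
        if not nxt:
            deadlocks += 1
        for t in nxt:
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return {"states": len(seen), "deadlocks": deadlocks, "max_queue": max_queue}


if __name__ == "__main__":
    for ordered in (False, True):
        print("ordered" if ordered else "naive", explore(4, ordered))
```

With the naive strategy the exploration reaches the classic state where every philosopher holds its left fork and has a take() pending in its right neighbour's queue, so no active object can take a step; with resource ordering no such state is reachable. In both variants no fork queue ever exceeds two entries, because each philosopher has at most one outstanding request per fork, which is exactly the kind of queue bound the finite-representation slide needs before a model checker can be applied.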


ProActive: academic example (pictures omitted)


ProActive: a bigger example (work with Tomas Barros)

• Electronic tax services in Chile
– Specification, and reference implementation in ProActive
– Finite instantiation: already too big for brute-force reachability analysis
– Properties (of specification): deadlock analysis, partial specifications (scenarios)
– Properties (of reference implementation): equivalence with the corresponding component in the specification


Modocop in the OASIS project:

• Overview of the OASIS research

• Proofs of safety properties of distributed Java applications

• Platform for static analysis and verification of distributed Java


Platform for verification

• Static analysis, verification and model-checking of Java and ProActive applications (source or bytecode)

• Generic : tools reusable for other OO languages

• Modular : external tools connected through standard formats or APIs, various functions combined for an application

• Practical : source level diagnoses


Platform for verification: schema (diagram omitted)


Conclusion

Work in Modocop :

• Analysis platform for Java and ProActive (with Lande)

• Behavioural semantics (R. Boulifa)

• Connection with external verification tools and model-checker (E. Madelaine + stage DEA)

• Realistic case study
