Table Of ContentLecture Notes in Computer Science 5454
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
University of Dortmund, Germany
Madhu Sudan
Massachusetts Institute of Technology, MA, USA
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max-Planck Institute of Computer Science, Saarbruecken, Germany
Michael Butler
Cliff Jones
Alexander Romanovsky
Elena Troubitsyna (Eds.)
Methods, Models
and Tools
for Fault Tolerance
13
Volume Editors
Michael Butler
University of Southampton
School of Electronics and Computer Science
Highfield, Southampton, SO17 1BJ, UK
E-mail:
Preface
The growing complexity of modern software systems increases the difficulty of
ensuring the overall dependability of software-intensive systems. Complexity of
environments, in which systems operate, high dependability requirements that
systems have to meet, as well as the complexity of infrastructures on which they
rely make system design a true engineering challenge.
Mastering system complexity requires design techniques that support clear
thinking and rigorous validation and verification. Formal design methods help
to achieve this. Coping with complexity also requires architectures that are tol-
erant of faults and of unpredictable changes in environment. This issue can be
addressed by fault-tolerant design techniques. Therefore, there is a clear need of
methods enabling rigorous modelling and development of complex fault-tolerant
systems.
This book addresses such acute issues in developing fault-tolerant systems as:
– Verification and refinement of fault-tolerant systems
– Integrated approaches to developing fault-tolerant systems
– Formal foundations for error detection, error recovery, exception and fault
handling
– Abstractions, styles and patterns for rigorous development of fault tolerance
– Fault-tolerant software architectures
– Development and application of tools supporting rigorous design of depend-
able systems
– Integrated platforms for developing dependable systems
– Rigorous approaches to specification and design of fault tolerance in novel
computing systems
The editors of this book were involved in the EU (FP-6) project RODIN (Rig-
orous Open Development Environment for Complex Systems), which brought
together researchers from the fault tolerance and formal methods communi-
1
ties. In 2007 RODIN organized the MeMoT workshop held in conjunction with
the Integrated Formal Methods 2007 Conference at Oxford University. The aim
of this workshop was to bring together researchers who were interested in the
application of rigorous design techniques to the development of fault-tolerant
software-intensive systems.
We proposed to the authors of the best workshop papers to expand their
work and a number of well-established researchers working in the area to write
invited chapters. This book contains the refereed and revised papers that came
1
The proceedings of the Workshop on Methods, Models and Tools for Fault Tolerance
are at http://rodin.cs.ncl.ac.uk/deliverables.htm
VI Preface
in response. Twelve of the papers are reworked from the workshop; three papers
are invited.
The editors would like to thank the reviewers: Elisabeth Ball, Jeremy Bryans,
Joey Coleman, Alan Fekete, Michael Fisher, John Fitzgerald, Michael Harrison,
Alexei Iliasov, Michael Jackson, Linas Laibinis, Qaisar Ahmad Malik, Annabelle
McIver, Larissa Meinicke, Luc Moreau, Luigia Petre, Martha Plaska, Mike Pop-
pleton, Brian Randell, Colin Snook and Divakar Yadav.
We would particularly like to thank Louise Talbot, who has efficiently handled
the collation of this book.
Both in organizing MeMoT 2007 and in publishing this edited book, we are
aiming to build a network of researchers from the wider community to promote
the integration of dependability and formal methods research. We hope that you
will find this volume interesting and encourage you to join the interest group
of the EU FP-7 Deploy project (Industrial Deployment of System Engineering
Methods Providing High Dependability and Productivity) that in particular aims
at establishing closer collaboration between dependability and formal methods
research.
December 2008 Michael Butler
Cliff Jones
Alexander Romanovsky
Elena Troubitsyna
Table of Contents
Part I: Formal Reasoning about Fault Tolerant
Systems and Protocols
Graphical Modelling for Simulation and Formal Analysis of Wireless
Network Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
A. Fehnker, M. Fruth, and A.K. McIver
Reasoning about System-Degradation and Fault-Recovery with Deontic
Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Pablo F. Castro and T.S.E. Maibaum
Temporal Verification of Fault-Tolerant Protocols . . . . . . . . . . . . . . . . . . . . 44
Michael Fisher, Boris Konev, and Alexei Lisitsa
Design and Verification of Fault-Tolerant Components . . . . . . . . . . . . . . . . 57
Miaomiao Zhang, Zhiming Liu, Charles Morisset, and
Anders P. Ravn
Dynamically Detecting Faults via Integrity Constraints . . . . . . . . . . . . . . . 85
Ian J. Hayes
Part II: Fault Tolerance: Modelling in B
Event-B Patterns for Specifying Fault-Tolerance in Multi-agent
Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Elisabeth Ball and Michael Butler
Formal Reasoning about Fault Tolerance and Parallelism in
Communicating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Linas Laibinis, Elena Troubitsyna, and Sari Leppa¨nen
Formal Development of a Total Order Broadcast for Distributed
Transactions Using Event-B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Divakar Yadav and Michael Butler
Model-Based Testing Using Scenarios and Event-B Refinements . . . . . . . . 177
Qaisar A. Malik, Johan Lilius, and Linas Laibinis
Part III: Fault Tolerance in System Development
Process
Recording Process Documentation in the Presence of Failures . . . . . . . . . . 196
Zheng Chen and Luc Moreau
VIII Table of Contents
DREP: A Requirements Engineering Process for Dependable Reactive
Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Sadaf Mustafiz and J¨org Kienzle
Documenting the Progress of the System Development . . . . . . . . . . . . . . . . 251
Marta Plaska, Marina Wald´en, and Colin Snook
↪
Fault Tolerance Requirements Analysis Using Deviations in the
CORRECT Development Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Andrey Berlizev and Nicolas Guelfi
Part IV: Fault Tolerant Applications
Step-Wise Development of Resilient Ambient Campus Scenarios . . . . . . . 297
Alexei Iliasov, Budi Arief, and Alexander Romanovsky
Using Inherent Service Redundancy and Diversity to Ensure Web
Services Dependability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Anatoliy Gorbenko, Vyacheslav Kharchenko, and
Alexander Romanovsky
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Graphical Modelling for Simulation and Formal
Analysis of Wireless Network Protocols
1 2 3
A. Fehnker , M. Fruth , and A.K. McIver
1 ⋆
National ICT Australia, Sydney, Australia
2 A. Fehnker, M. Fruth, and A.K. McIver
[9,8] incorporating some measure of random faults, however simulation in this
context suffers from a number of well-documented problems [7,3] — most notable
is that accurate channel models validated against physical data do not normally
feature. This leads to unrealistic results of performance analyses, which can vary
widely between different simulators.
An alternative to simulation is formal modelling and analysis, which is nor-
mally ideally suited to investigating complex protocols, and gives access to
profiles of performance which exhaustively range over worst- and best-case be-
haviour. Inclusion of realistic models of wireless communication implies appeal
to analytical formulae to determine the effect on performance of the spatial re-
lationships between nodes, such as the distance and density of near neighbours.
These context-dependent details however are not easily added to textual-style
formal modelling languages, and indeed they militate against a clear and mod-
ular specification style.
In this paper we overcome these difficulties by proposing a simple graphical
style of specification. We exploit the observations that (a) the distance between
and density of nodes in a network is the major factor impacting on the integrity of
wireless communication (together with physical parameters such as transmission
strength); that (b) this unreliability can be abstracted to a probability that
packets are lost; and that (c) the simplest way to express the crucial spatial
relationships is graphically, so that the details of the abstracted probabilities are
suppressed, and computed automatically from the graphical representation.
Besides its simplicity, the graphical style has other benefits in that it allows
designers to visualise various performance indicators such as best- or worst-
case signal strength between pairs of nodes, or the nodes’ individual power con-
sumption. Similarly the critical events occurring in a sample experiment may be
“stepped through” in a typical debugging style. Finally — unlike other graphical
visualisation tools — it acts as a “bridge” between formal analysis and the more
conventional simulation, providing the option to investigate performance using
probabilistic model checking, or to carry out more traditional system-wide sim-
ulation experiments. In both cases realistic models for wireless communication
play a fundamental role.
Our specific contributions are
1. CaVi a graphical user interface specialised for modelling networks compris-
ing wireless nodes. The tool gives immediate access to crucial performance
indicators such as signal strength between pairs of nodes;
2. A translation from a CaVi model to either a formal transition-style model
suitable for model checking in the PRISM model checker [10] or as input
to the recently-developed Castalia simulator [1]. Castalia is novel in that it
incorporates an accurate wireless channel model. The PRISM models are
the first such formal models which take network topology into account. At
present both Castalia and PRISM capture only flooding and gossiping pro-
tocols [5,6].
In Sec. 2 and Sec. 3 we describe the context of wireless applications, and the
challenges that arise in their formal modelling. In Sec. 4 we describe a well-known
