VLSI designers have long used this approach successfully.
Systems of two decades ago are just as fast and reliable as today’s systems, in spite of much faster hardware.
Set of machines cooperating towards a common goal.
Horus:  x-kernel influence
It is hard to move between the two forms of specification.
Abstract Spec: behavioral, global state
Refinement:  design choices (e.g., token or sequencer)
Specification of a reliable totally ordered network.  Formal semantics, yet easy to read and write by programmers.  Easy to see that it provides totally ordered delivery.  It doesn’t say much about how to implement it, leaving freedom to the implementer.
Once you have an implementation, you can prove it correct, as we’ve done for a particular implementation of total order.  We found a subtle bug!
Once you’ve proved a few layers correct, it’s relatively easy to build a correct stack.
The first three techniques are independent of layering.  The last two are beyond the capabilities of compiler optimizations and have involved hand-optimization or significant annotation of code.  This is a difficult and error-prone process.
A protocol layer is a function that takes the current state and an event as input, and produces a new state and zero or more output events.  Those events, in turn, are fed to other layers.
NuPrl is a formal tool that can manipulate formal specifications.  Both the programmer of a protocol layer and a NuPrl expert are needed to do the manipulations.  An example of a CCP is “the sequence number on the incoming message is the one that is expected”.  In other words, the common case is that no messages are lost, re-ordered, or duplicated.  Other examples are:  “the message is a data message”, “the message is not fragmented”, etc.
TT is “type theory”, the input language to NuPrl.  The partial evaluation is done off-line.  The composition is also done by NuPrl, but can be done fully automatically.  A translator translates TT back into ML.
As NuPrl generates code, it will notice that certain header values are constant.  These constants are hashed together, saving space and processing overhead.
After NuPrl generates the bypass code, it needs to be configured into the system.  The CCPs are combined to decide whether a particular message can go through the bypass code or not.  A Transport module is used in Ensemble to marshal messages and to provide network device independence.
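Added example, not Ensemble's own code (Ensemble is written in ML; this is a Python sketch with constructed names such as fifo_layer, ccp_in_order and fifo_bypass): a layer as a pure function over (state, event), the "expected sequence number" CCP, the branch-free bypass that partial evaluation under that CCP leaves behind, and the dispatch that configures the bypass into the message path.  Because both the general layer and the bypass are pure functions, their agreement on every input satisfying the CCP is a checkable property rather than an assumption.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Msg:
    seq: int
    kind: str = "data"        # "data" or a control message kind
    payload: bytes = b""

@dataclass(frozen=True)
class State:
    expected: int = 0         # next sequence number this layer expects
    pending: tuple = ()       # out-of-order messages held back, sorted by seq

def fifo_layer(state, msg):
    """General layer: (state, event) -> (new state, output events).
    Covers every case: control messages, duplicates, gaps and in-order data."""
    if msg.kind != "data":
        return state, [("up", msg)]        # control messages pass straight up
    if msg.seq < state.expected:
        return state, []                   # duplicate: drop it
    if msg.seq > state.expected:           # gap: hold the message, ask for a resend
        held = sorted(set(state.pending) | {msg}, key=lambda m: m.seq)
        return replace(state, pending=tuple(held)), [("retransmit", state.expected)]
    out, nxt, held = [("up", msg)], msg.seq + 1, list(state.pending)
    while held and held[0].seq == nxt:    # deliver any now-contiguous held messages
        out.append(("up", held.pop(0)))
        nxt += 1
    return State(expected=nxt, pending=tuple(held)), out

def ccp_in_order(state, msg):
    """Common case predicate: a data message with the expected seq and nothing held."""
    return msg.kind == "data" and msg.seq == state.expected and not state.pending

def fifo_bypass(state, msg):
    """What partially evaluating fifo_layer under ccp_in_order leaves: no branches."""
    return State(expected=msg.seq + 1), [("up", msg)]

def dispatch(state, msg):
    """Configured entry point: the CCP decides between bypass and the full layer."""
    return fifo_bypass(state, msg) if ccp_in_order(state, msg) else fifo_layer(state, msg)

def run(msgs, layer=dispatch, state=State()):
    """Feed events through a layer; return final state and delivered message seqs."""
    delivered = []
    for msg in msgs:
        state, out = layer(state, msg)
        delivered += [m.seq for kind, m in out if kind == "up"]
    return state, delivered
```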
We measured the performance on three different versions of Ensemble.
Paper contains detailed information.
If you’re interested in building a robust system, and willing to use formal methods, …
Thank you for your attention.