>> Shaz Qadeer: Okay. It's my pleasure to welcome Damien Zufferey to MSR today and tomorrow. He's interviewing in the Rice group. Damien did his graduate work in EPFL and at the Institute of Science and Technology in Austria. Currently he's a postdoctoral researcher at MIT. His core area is essentially program verification, but he is remarkably broad in his interests. He has represented EPFL in the ICPC programming competition, and he also has written a paper in the Journal of Theoretical Biology in addition to numerous papers in core verification conferences. And today he is going to tell us about the work he's pursuing in the important area of asynchronous systems. >> Damien Zufferey: Thank you for the introduction, and thank you for coming here. So, yes, I will speak today about work I did in the problem of verification of message-passing systems. Okay. So as Shaz mentioned, I did, okay, my Ph.D. with Tom Henzinger, and now I'm currently a postdoc at [inaudible] in Martin Rinard's group at MIT. And, yes, my research is not only focused on message-passing concurrency that we'll see today, but I also did, for instance, on more core verification like on [inaudible] how to automate separation logic, so reasoning about data structures and memory safety using SMT. So what Shaz mentioned I'll talk about was the question of when do cooperative behaviors occur in systems where known cooperation basically is the best for each individual. And also more to what the system side, where we had a bit of work trying to apply obstruction techniques to large-scale scaling. So the motivation when I started my thesis, I was looking at concurrency in the search-passing system was to look where things are going. And first even on the side of [inaudible] ship, we are going to toward these more and more parallelism within the SIM device than we are also like datacenters where we have more and more reason with these tens of thousands of machines running together. Also I'm sure that everybody in this [inaudible] has some kind of smartphone which itself first contain more -- many processing units, different kinds, but it also mobile is always connected. And more, well, wearables device means we are going to wear more computer on us, also [inaudible] of things that we are going to connect pretty much everything to the Internet. And we are wondering, you know, what are the challenge to do verification and reasoning in that context. So the bird's eye view of verification that you start with some code, some property, and you want to build a system that is able to either tell you, okay, your program is safe and maybe give you a proof of safety or that the program has a bug and give you a contract sample that chose the bug in your program. So the talk will be divided into three part. So the first part maybe I guess many of you have already heard about it, which is the part of the work I did when I was intern this year, so the work on language P about asynchronous event systems, so that's like message-passing currency at the device drivers. Then the second part is mostly work I did during my thesis, projects called -- it's called depth-bounded systems. But the real question is what are the limit of automatic verification when you have systems or you have dynamic process creations. And when you have -- for instance, with this system on your evolving communication topologies. And if time permits, speak about bit of future work. the question of fault tolerance. We are looking at So the first two parts will be asynchronous systems, but at some point there are many interesting problem that need some notion of time. So kind of we cover some notion of time. So the first part here is about this language to program device driver. And here the reasons. So the language is message passing concurrency. So first this already using this abstraction you get rid of a lot of type of error like data races because you don't have shared memory in the language. But it's still challenging to program systems well because you can have many events going [inaudible] with the environment [inaudible] concurrently the same time, so you have many possible schedule in your system and gets to be really hard to debug and test. So here are the contribution is to unifying modeling and programming within the SIM system so that we get not only compilations, so code generation, but you also get verification. And the case they use a USB driver that ships in Windows 8. And this is a collaboration with people within MSR and also within the production team in Microsoft Research in Microsoft. So the motivation of having state machine as a model, that, for instance, if I show you some code that represent what [inaudible] doing, even if it's a short like 20-line snippet, it will take some time to go through it. Now if I show you these fours -- these four state machines, it's fairly easy to figure out what's going on. Start initial state, or this then the door is closed, then someone pressed the open button, so it's -the door is open. When it's open, it closes after some time unless there is an object which [inaudible] which case must remain open. And under the same things, that instead of translating this between and implementing into C, we can turn it into P and exactly pretty much the same machine, but now it's an executable program. So we have the initial state and the four [inaudible] before. And here the difference that we have a little trains of code corresponding for each state. So now this is not only a model but this also actually a program. And in P, not only we have the program but we also have this environment of the program. So, for instance, if you want the user to interpret the system, to press the open door button, or if you want a model of the physical door and the sensor of the doors. And now that you have put everything into the same system, for instance, you can run the model checker and testing. Okay. So now that we have this multiple submission, so how do they interact. So here we have the classical [inaudible] state machine semantic. So each machine come with some mailbox, which is a five [inaudible] buffer. Can receive messages, do some internal computation and send messages to the mailbox. So it's a very simple model. [inaudible] part of the success is that the model is very simple and clean, so it's easy to apply verification on this model. So compared to the first picture that we had earlier, basically within the language, the programming language or the modeling language, we are bringing not only the code but also the property that you want to check the assumptions on the environment. So everything being explicit in the code, which gives you the [inaudible] to do verification and also to compile, to have an executable model. And here one of the key part I think in my opinion of the success of this project is that the language is not really a general-purpose language, real domain-specific language to describe the protocol so that where did the name P come from. So basically directly at the source level inside the driver, we have separation between the control structure of the driver and the data processing part, which mean that we can use appropriate technique for each part. So here we focus on the verification of the controls of the driver. And now that we have isolated the control structures, we can use simple technique, for instance, like an XP [inaudible]. And it can go actually really far because now we -- the language already provide a small [inaudible] model. And it just works. Here we have Randy and Vivek which are in the production team that develop the language and also implement the USB 8 driver into the language. And here in the background we can see the -- it's fairly big state machines. So but if you can imagine tens of thousands of line of code, might actually be much more worse than this. Some statistics. So here -- >>: So one of the nice things with PS, it was able to separate controls from data. >> Damien Zufferey: Yes. >>: So in the context of USB, can you give an example of what is data and what is control? >> Damien Zufferey: Control, for instance, are very [inaudible] this event. For instance, when you plug a device into a machine, it create an event in the system and the system will react to this event. So creating new device state machine. And but only if you want to let data transfer, for instance, you don't need to look at the data, you just [inaudible] message that might tells you what you are doing, for instance, that you need to move some data from point A to point B. But somehow the day are not really [inaudible] DSL. So each -- maybe each state of the DSL [inaudible] entry function. So when you enter a state in the state machine, you execute some part, a snippet of code, which actually performs some action, you're at least calling some -- a routine written in C that will do the data processing part. Yes. >>: To follow up on that question, so you gave an example where the data part is irrelevant but the other parts would be where you have data exactly relevant to what you're saying. >> Damien Zufferey: So here the -- in P you can also -- so this external function that you [inaudible] written in C, you can also give them a model of this function written in P. In the model checker we use this model as part of the verification. So it's some kind of the contract of the [inaudible] that you're calling. And you -- if there is some [inaudible] like that in the contract of this method. >>: But in the USB example, is everything essentially control? >> Damien Zufferey: Most of the property that we check are control related. You want to check, for instance, that when you have this event coming in the system, that the system does not fail because there is no handler for a particular event. So you want to -- we'll allow this type of exception. You want, for instance, also to check that the system eventually handle all the events so that you cannot ignore some event that will sit in the mailbox of our process forever. So it's more like this kind of control property that you need, for instance, for your system not to crash and also to be [inaudible] that you all -- eventually handles all the events. Does that make sense? And so here some statistics, so [inaudible] USB drivers for state machine which [inaudible] two different version of the USB protocol and the device state machine. And here actually the state machine are getting fairly broad, fairly large. But even though of this size we can apply verification and find a huge number of bugs. And the reason is that you started doing verification because the code even runs. So this type of property about the event, checking that the event are appropriately handled can be done even on strings of the state machine. So you don't need the full code to do verification. Yes? >>: What are bugs? >> Damien Zufferey: So here that would be events which are, for instance, not handled which basically -- which lead to runtime errors like, okay, there is a message that you do not expect and might potentially lead to a crush. So, for instance, you need to protect yourself not only for device that follow the specification but also maybe malicious device which are buggy so it sends you messages that are not expected by the protocol. So that was the type of error that you need to protect the system against. >>: Okay. So this is checking [inaudible] by the USB team? >> Damien Zufferey: >>: For the USB model. >> Damien Zufferey: >>: Yes. Yep. Or is it in P, this -- >> Damien Zufferey: Oh, so the P code -- some of the compiler generates something, code on one side [inaudible] checker. And other side it generates some C code which runs as a driver. So from the same model, you have both the verification and the code generation. >>: This clarification may be going back to the same question of what are bugs. What properties are you verifying here? There's correctness, there is progress. I think you alluded to some of this before. >> Damien Zufferey: >>: You know, messages will be processed. >> Damien Zufferey: >>: Yeah. Yeah. But you please talk about -- >> Damien Zufferey: So here -- so actually liveness is trying to [inaudible] property. So for to prove that, for instance, eventually [inaudible] message sort of this kind of [inaudible] property of our infinite trace is trying to [inaudible] to a safety property. For instance, you say there is this kind of big state, which is like domain and loop that we'd receive in and then process them ->>: Your computer -- >> Damien Zufferey: Yep. Then you just say, for instance, I cannot -when I reach -- again, for instance, I started handling one message, and when I recheck in this big loop, I must have processed all these other series of events. So somehow you turn this kind of [inaudible] property is trying to knit into something which is a safety property. Somehow it's easier to check. So here you basically enforce this progress bar, it's somehow bounding the progress, that you must do this progress within this fixed amount of time. So basically it makes the -- it's stronger property but is easier to check. Any other question? Okay. And so what was takeaway message from me? That when you design a programming language, there's basically subspace of tradeoffs, what you want to put [inaudible]. Here, for instance, I took the one possible set of tradeoffs by [inaudible]. But then, for instance, performance, generality, and productivity. So, for instance, [inaudible] performance will get, for instance, something like C. If you want like productivity and generality, you might get something like scripting languages. But the thing which are actually missing [inaudible] P is that you want to add more and more dimension. When you write some code, how easy is it to check that the code that you write is correct. And how here P is giving up a bit on generality because you want language as this core protocol but making much easier to check that the problem is correct because the language [inaudible] semantic, checking the same program but in C [inaudible] semantic of C and we can just make our life simpler by using another language. >>: So is the goal of P that any one of that you create is smart enough to [inaudible]? >> Damien Zufferey: No. So I will get to it because I think -- so [inaudible] is doing a really great job for this domain, but main the trick comes on this slide. I think P is moving some other domain and -- this is my opinion -- basically we need some other verification that can [inaudible]. So maybe first about the P language itself, that the first version, iteration of the language that was the one used for the USB up in Windows 8 now a cleaner version basically again using some [inaudible] Windows Phone but is still for device drivers. But what becomes really interesting now is that there has been some discussion to move out of this world of device driver and basically to move to the question of distributed system and distributed protocols. So there have been some description about adding features on P to implement distributed system protocol and discussion, you know, not in the device driver world anymore but more in the Internet and cloud world. And here, at least my opinion, the language, it's still a good fit, but the verification technology that we use we should start to show some limitation. So, for instance, the language, this unbounded mailbox, it also have a lot of process creation which has two feature basically that gives you an infinite state system which is something that cannot really dealt with by efficient model checker unless what you do is apply some bounding strategies. Yes. >>: On the slide with the table where you're showing how many states have been explored, sorry, does that -- are you doing any state abstraction there or system like constraint, or is that basically saying you've explored the complete state machine that's listed in the left column and that's how big it is? >> Damien Zufferey: No, there is some bounding strategy which is used to deal with the interleavings of the communication to try to steer the search toward what bugs are likely to be. >>: Okay. So this is a sampling model checker. >> Damien Zufferey: Yeah. It's not complete. systematic technical validation. >>: Okay. We call it like Just trying to understand which -- >> Damien Zufferey: And here is actually for the server, there is also some layer of [inaudible] verification to try to check the [inaudible] state machine separately. >>: So you get better coverage of each machine, and when you compose them, you get this ->> Damien Zufferey: >>: Okay. Double guarantee. Yeah. Exactly. Thanks. >> Damien Zufferey: So maybe I can check a few word, that, you know, I said that you can also [inaudible] model to the system, so actually Randy, when he developed the drivers, admitted these [inaudible] rules which all have the assumption on the environment. And there is actually a few -- there tend to be very small rules that, for instance, if I receive a request, I won't receive a new request until I granted the first request. So but is there a lot of this -- there are very small property, but there is like hundreds of them, which are checked, which are used to check the model. Okay. So here actually when we have this feature of process creation and a feature that goes [inaudible] the question of evolving communication topology, that if you were present, the communication of the system is a graph, you can also add and remove edges in the graph by sending, for instance, addresses of processes into the messages. And actually those features in the literature, they're called -- known as mobile processes. And that's the domain I've been investigating, looking at what is possible to do in this setting during my Ph.D. And one of the reason might be, for instance, if -- so what we're doing now, for instance, for the verification, using bounding strategies. So for instance you can bound the number of processes. But maybe in some cases it's not realistic to have a bound. Or if the bound is too high, maybe it's [inaudible] practice. So we have been looking at unbounded systems. And, yeah, this question of when you have process creation, this question of frequent configuration of the [inaudible] because a new process coming to the system start interacting with other component and then the address, like the mailbox, the address of that process, might get sent further down into the system and you create new communication link. And also there might be some [inaudible] property. For instance, you want to track information flow, the communication topology is really something that you might want to know. So here it's [inaudible] those infinite state system is really hard to deal with. But we -- you know, it's not because it's hard it goes away. So [inaudible] that is an important, interesting problem, and we've made some good progress, but the talk maybe at some point, if it gets too technical, just interrupt me, ask question, so that we can make it clear as we go. And, yeah, here is that even though it's hard, in the end we have some very interesting results. Okay. Small motivating example. It's a simplified version of MapReduce. Why MapReduce? Because it's a fairly broadly used general type of computation that run in the cloud. So if we cannot handle that kind of example, we cannot really handle anything. And also it's small enough so that you can fit into size. So you start with some set of data that you want to process. You have some master and some workers, and so you dispatch the data to the workers to do the mapping. Some machine may crash, in which ways you need to find some other machine that is able to [inaudible] and send back the data to this other machine. When the computation is done, you just get at the result, some kind of key-value pairs and [inaudible], and then you do the reduce to keep only the best result. But to make it really interesting, we need to consider not only a few number of jobs that you process in parallel but an unbounded number of jobs. Also the [inaudible] datacenter there is no reason that we should bound this to a small number of worker. So it might be actually simpler to consider an unbounded number of workers. And same for the crashes. And here [inaudible] basically the interesting part is that it can take the system, compute all the reachable state of the system, and give you this very compact representation. Here are four graphs that basically subsume all the reachable set of the system and will give you all the information about communication topology. And also the interesting things that maybe I wish -- that was a kind of a bit of a surprise, that we can go from an infinite state system to a very small representation of all the reachable set of state. So then we thought, okay, maybe we can go further. For instance, since this is an [inaudible] variant you can apply again the [inaudible] system and look what it does to this representation. And here, for instance, we get -- if we just go very abstractly, we have now this four state automata which actually simulate -- in term of traces simulate the original system. And we see how to go much further so that when you have a single transition, you can also track how the graph is changed by the transition. And then we can use that as a basis to build further analysis. >>: What is the automata in this picture as many. >> Damien Zufferey: >>: Will come in two slides. Okay. >> Damien Zufferey: So basically this is -- here the graph is really like the state. So in the graph ->>: Which column is the state on the automata? >> Damien Zufferey: Yeah. Here basically we have -- so you can think of here -- so these four graphs are like the [inaudible] for all the reachable state of the system. And in this representation, you can here the -- the third -- like the transition of the system that can bring you from one state to the other. I mean from one set of state to another set of state, which is more incomparable. So the more we tried to learn together all the state that are somewhat similar in some fashion, and some [inaudible] done by one of this graph. And then actually we do it in a way so that basically you can summarize many states into various small representation, and then you can track how those set of state are changed by the transitions. >>: So each problem is representing a set of states by means of a graph? >> Damien Zufferey: Yes. >>: And a transition is a transition of the system let's say is that it from these states that transition is taken, then you will [inaudible] this set of states. >> Damien Zufferey: >>: Okay. Exactly. Yes. >> Damien Zufferey: And we'll see how we can -- just what are those graphs, how to we represent them, and what we can do with them. So first [inaudible] system is that we have labelled graphs, so each node of the system carries some sort of label which [inaudible] type of the process, local information, like local variables, the program counters, some information on multiple variables. And then some other information which are more like relations, stored models, part of the label of the node, but as edges in the graph. So, for instance, if the master is a list of workers, you would just put edges to the different worker machine. And here we see the restriction that we need a finite state of label, so each -- somewhat each individual process need to be finite state. Okay. And now the transition basically works, the automaton come from words of the code and how do we modify those graphs. So here I'd say we have simple example where the master just spawn the one worker and send a message, and the worker just receive that message and process the message and send a reply. So the way we model that is that first we have the master, which is, for instance, line 4. So when we [inaudible] worker, it's a new node in the graph. So basically somewhat new state machine in the graph. And there is a relation between the two, which is this local variable that contains the address, which is the edge in the graph. Sending a message is actually somewhat similar as spanning some of your processes, just I think some new node in the graph. Here the message can carry the submission address and also the address of the sender. And when you receive, for instance, you can extract the address of the sender and store it into some local variable, which mean that when you have this call to reply, now you know where to send the message back. And so when we started the project, we did a lot of [inaudible] pi calculus, and one of the insights of the pi calculus that you can see in [inaudible] that there is no difference between processes and messages. And also what is called -- what is known as mobility, there's just this ability to addresses carried within message so that we send message and receive message, you also modify the edges in the graph. So the -- yeah. >>: For instance, if I compare [inaudible] in P each -- I have a question about the previous slide. >> Damien Zufferey: Yes. >>: So I understood how you add an edge in the graph. edge get removed from the graph? How does an >> Damien Zufferey: For instance, if you -- for instance, you have this -- well, this address here, this edge here represents the address stored into worker. So if you put a new value into that local variable, that will somehow change the edge. So the previous edge will get removed. And also if you move out of the scope of the local variable, the edge get removed. >>: So what I don't understand is how does that graph represent a set of states? To me it seems to represent exactly a single state. >> Damien Zufferey: Because this graph is a single state. Will come later to how you move from this single state to infinite set of states. >>: So the graph is [inaudible]? >> Damien Zufferey: So this example, yes. We'll see now the interesting question is how do we -- when do you have unbounded [inaudible] you can add as many node as you want in the graph. So how do we have a compact representation of these infinite graphs. So that's what's coming. >>: [inaudible]. >> Damien Zufferey: Yeah. I mean, sure, you could repeat forever and that will just create some new node in the graph so the graph [inaudible]. But if you keep an explicit representation, it will never -- it will blow up and it will go forever. So we need to do something smarter. And it will come. Just bear with me. So the first, for instance, we compare with P [inaudible] difference that, okay, P are these unbounded mailbox. But it's not actually [inaudible] sometime that's very dangerous things to do [inaudible] in this ability. So that we verified two state machine in one FIFO we can just build a Turing machine. So that's something we want to avoid. So to make our life simpler, we just abstract the mailbox by forgetting about the order of the messages. So we still have unbounded mailbox in our model, but we just don't remember the order between the messages. But now the interesting part come is that when we keep on adding processes, we need some kind of [inaudible] processes and message are the same. So if unbounded [inaudible] mailbox which is a chain of messages are bad, unbounded chain of processes are also bad as well. So we need [inaudible]. So we still want to have a restriction that captures a large class of examples. So we started collecting some examples. So we come from the -- it's a simple part of the computation. So we were speaking a lot at that time with the people at TPFL working the Scala laboratory, so we got the example from them. And also in the literature. For instance, pi calculus. So the first application to verification was actually the GSM handover protocol. So we collected example, and then we ask what are those example in common. And so here let's come this discussion, what's called depth boundedness. Is that most of the system the communication topology is some kind of similar to a tree. The restriction that we impose is that in all the reachable set of state you need a bound on the longest acyclic path in the graph. So you can still have cycle in the communication, but they must be bounded cycles. But, for instance, here you can have a process, and you can have an infinite number of nodes [inaudible] infinite bounded number of workers for one master. Donald Roland Meyer was already working before us on the problem, so that's where the name come from, from one of his paper. So here the intuition is some more processes, infinitely many processes in parallel are kind of harmless and easy to deal with, but infinitely many process like chain is something which is much harder. So we want ->>: The graph for one strongly connected component, you would just pick -- to apply that definition, you would pick some basic orientation and that's the definition of the longest, basically that? >> Damien Zufferey: >>: You get all the path in the graph. Because presumably the worker communicates back. >> Damien Zufferey: >>: Yeah. Yeah. So there will always be cycles -- >> Damien Zufferey: Okay. We -- we -- it's just as the paper. So, yeah, you have cycles. Actually we look [inaudible] the acyclic graph. So we just [inaudible] in the undirected graph. So we just [inaudible]. So when you have like back-and-forth edges, it does not change. And now the intuition for the problem is simpler because when you have this problem ->>: So why is it simpler? >> Damien Zufferey: >>: Yes. What's the [inaudible]? >> Damien Zufferey: >>: Is it simpler for depth bounded systems? Okay. That's -- no. >> Damien Zufferey: So the intuition is -- so we are asynchronous system. So the intuition that capturing the asynchronous system, for instance, if you can add more limit to your system if you don't schedule them because you are allowed to because it's that close, then you get the small -- same thing at the smaller system. For instance, if we have a transition, like the master sending a job to the worker, now we just go back, but we make the system much larger. Then the exact same transition can also be taken. So what's the formalization? It's known as [inaudible] transition systems. Which we did in one of the main -- as a workhorse, if you want to prove [inaudible] result of an infinite system, so it mean that you have an ordering between the state of your system. So here, for instance, the ordering is adding more element into the system, and it's ordering a simulation of relation. So for anything that a small state can do, a larger state can also do. And here the ordering is graph embedding. Also just if this graph is smaller because it's a subgraph. And here you prove [inaudible] same property. For instance, [inaudible] the order. So if you start doing state specific [inaudible] and numerating state, what that mean concretely is that at some point in time you will see state which are comparable, so you cannot have like infinite state which are incomparable in this ordering, and that's something that someone [inaudible] much easier. And that's the basic of the algorithm that we use. So maybe there is the reason why [inaudible] is that all the transition that I show you before can be captured at this [inaudible], this very abstract model that, for instance, transition that where the master send the task to the worker, it's like changing the edge in the graph, you know, the worker is a reference to the job it must process. And the way you apply that to end graph is that you look for matching in the graph. And then you just replace the part of match. So basically if you make this graph bigger, this matching will still exist. So basically that's why the ordering is also this simulation relation. Because adding more node in this graph [inaudible] original matching. >>: Is there some ring here to the left-hand side can't have a negative -- I guess can't have a negative pattern? >> Damien Zufferey: Maybe I can show you some example later if you want, but [inaudible] to the system so that you can have not only something that you look for as much but also something that prevents the match. So like as you said, negative pattern. And there is some order. It's called monotonic abstraction. So maybe I should just go with the main part and then later we can just go into the system. And here the [inaudible], okay, there is this framework of [inaudible] systems, the algorithm for the systems. So [inaudible] just implement and try. They're not that -- desirability is not efficiency. So even though now we know that the problem is somewhat simpler, we still don't have any kind of algorithm or analysis that we can apply to the system. And so the original algorithm is basically a backwards search. So you start from zero state and you go backward until you reach the initial state. So if backwards does not work, we try to do it the other way. So we start from initial state, do -- configure the successor, and again and again, and at some point you have all the set of reachable state. And now checking error is just making sure that the error state is disjoint from this set. But the problems that since we can add processes, this set is not finite. So it's infinite. So we need to do something a bit smarter. And here that's where this monotonicity condition becomes interesting. Because when we, for instance, explore the initial state, we know that basically all the [inaudible] smaller than this state, cannot do anything more. So just checking one state basically cover all the state which are smaller than this one. So then basic computing the post, even we compute the post on the finite number of elements, we can cover a lot of state. And the goal of the analysis here is just basically to cover all the state space by just looking at finite number of elements. And here the challenges are first how do we represent those element, because it can be an infinite class, so we need something here to be able to represent this state. And also about the algorithm and the method that we use. So here [inaudible]. Now we have something that compare to the standard algorithm that works much better in practice but a bit not as good in theory, so we are to apply abstraction to make it work again. And also checking error state, now we just [inaudible] ordering if you find something that contains error [inaudible]. >>: But in this case when you apply the abstraction, supposing you find that you're able to reach the error, is it possible that it's -the abstraction was too coarse? >> Damien Zufferey: In this example, I mean, since the abstraction, we designed it, yes, I can make example that will be too coarse. For all the communication part in the example we look at we did not find any such examples. Yes. >>: How about -- I think I have a question [inaudible] I still don't see how if your communication graph has bounded basically that then your states -- they're simply state spaces [inaudible]. >> Damien Zufferey: is ->>: Well founded. >> Damien Zufferey: >>: So basically it's how you prove that this ordering Well founded. Yeah. >> Damien Zufferey: So -- >>: But what is -- I mean so I just don't understand how even if you have [inaudible] state space [inaudible]. >> Damien Zufferey: So if your cycles basically [inaudible] cycle bounded in length. The fact that first there is no descending chains, so there was from that part, is just because if you remove node in the graph at some point you have DMT graph and you cannot go smaller than that. And now to answer your question which is about why you don't have like this infinitely many incomparable graphs, in the tree that's extremely hard to prove. I mean, there is basically kind of just one paper about proving that. And we use some theorem like extension of [inaudible] tree theorem with orderings. Or also there is very strongly with tree automaton, some constriction of tree automaton that you need. So basically you take your graph, you try to turn it into some kind of tree where you basically closure of a tree, where you allow not only to have edges from children -- parent to children but you can solve the edges to ancestors. And then you can tree automatons more to recognize the sets of state and identify this theorem with ordering and trees and from this [inaudible]. But, I mean, it is true that is very -- let's say it's conflicted proof. >>: Just I guess the question to you is, yeah, the simulation relationship also taken into account that this smaller -- this smaller graph is simulating this bigger one. So what does that mean, that ->> Damien Zufferey: So that you -- >>: -- that these three processes simulate -- or these two processes -- >> Damien Zufferey: transition -- So you -- but if you can prove for every >>: The other way, the larger graph is relating this one. on the right ->>: Oh, right. >>: Yeah. Yeah. >> Damien Zufferey: >>: The thing So -- Yes. >> Damien Zufferey: So that's some -- basically when you look at here, so the semantics applying a transition basically is looking for a match, and unless we have this blocking pattern, which maybe we can get later, if you don't have blocking pattern, then adding more nodes in the graph does not remove the existing match. So that's the intuition behind the monotonicity. >>: But the elevator at the top of this cone is actually the smallest. So in that sense you need to ->> Damien Zufferey: >>: The smallest graph, though. >> Damien Zufferey: >>: No, it's the biggest one. Not necessarily. [inaudible]. Smaller graph than the other elements [inaudible]. >> Damien Zufferey: So here now each -- basically each graph represent a sets of graph, that which will be welcome here, what's -- what is this element at the top and what does it represent. So here -- so we need this -- we have this significant set of graph, so how do we represent. Let's look at the property of those graphs. And, for instance, you know, it's a partial order, so you can add the limit. Maybe at some point you get even incomparable graphs. But we look at very specific set of graphs which are called directed sets. So if you know that you have two elements which are incomparable, you can get one which is bigger than the two. So just add more stuff until you cover the two. And those sets are very well behaved. So we also consider [inaudible] and we felt the [inaudible] people have called that ideals. So now we have some more intuition how to represent [inaudible] sets. We just need to figure out what is the [inaudible] top. So basically here that's what we call nested graphs. So the way you present infinite set of graphs is that you just mark some nodes, maybe some kind of generation of regular expression but [inaudible]. So you mark some set of node, something that you can just go P many time. And also we allow this to be nested. So here, for instance, this represent [inaudible] server and some client. So you have unbounded number of client, and each client can have an unbounded number of requests pending. So that's how you can get both unbounded number of processes and unbounded mailbox. Okay. So here actually I don't know if people know between that stuff. Basically this is really the key difference for this existing model of Petri nets that you cannot do in Petri nets and you can do here. Okay. So now we have everything we need, so we have this analysis. We have the representation of this infinite set, and so we implemented and then tried. And that's, yeah, when [inaudible] interesting surprise that you go from this infinite set of sate and actually you have this very, very small representation of all the reachable set of state. So because of this system and this monotonicity property, they have this somewhat built in some kind of regularity that you can exploit. And this irregularity actually really give you this small representation. Okay. In practice it looks more like this. same -- so I tell you ->>: So if that's somewhat the [inaudible] example. >> Damien Zufferey: Actually, that's -- well, I tell you that now, for instance, if we can track changes in the graph, for instance, when you apply, so here what I show you basically looks the same graph but if we just expend everything and we have all -- when we take a transition, you just have the changes. So here is not something that you can anymore read with a human, but still something that the computer can deal with it. Yes. >>: So this theorem that you said that if you have bounded [inaudible] so that's the theorem that you proved, or is it [inaudible]? >> Damien Zufferey: So what was known -- so we first -- when we started working on that, we find this result. What we didn't know is that Roland Meyer had the same result. But what we had that Roland Meyer did not, add that this -- how to represent these infinite graphs. So Roland Meyer just proved that the ordering of this property, but he did not have the -- basically at that point he was interested only in the theoretical result and did not try to apply it, so he did not add this, how to represent those infinite graphs, which is basically the -now the element that you need if you want to apply analysis and go beyond just this set of the results. >>: [inaudible] theorem a general theorem on both [inaudible] and because you built on top of well-founded orders ->> Damien Zufferey: >>: -- is the [inaudible] you had, but -- >> Damien Zufferey: >>: Yes. Yeah. So basically -- This proof is sort of -- I mean, your proof is for this system. >> Damien Zufferey: Yes. Exactly. I mean, there is a lot of very interesting literature, but you have to go like in ordering theory in lab that you can just leverage and use. So somewhere there is a lot of -- it's like saying that, you know, since there was a [inaudible] interpretation, you can fit everything [inaudible] interpretation. So here there is this [inaudible] framework, which is very powerful, but if you want to use, there is still a lot of work to do. Especially if you want to do have something that kind of -- some notion of efficiency. And here maybe just if we look inside, you see the same graphs, but now transition basically are these mapping in blue that tells you how the graph change over time. So now so it's a good time to pause and consider. I say it might make sense to look at unbounded systems because, for instance, even in the case of the bound being too high, it not make you -- unbounded system do not make your life simpler. And here actually [inaudible] same things happen. So if I did a small scaling test in that simple example, I just bounded the number of inputs that the system processes. And then I show you here the time it takes to compute the set of reachable states. And the number of ideals, so the number of graphs that you need to represent the set of reachable states. And as you would expect when you're bounding your state's explosion, and actually here since we're very generic class of system, this graph is actually bad so it goes very well to some sites, like seven, then you have just two more element and just blows up. On the other hand, when you go to the limit, turn out to be a much simpler problem actually in term of running time. And also what was very interesting was that the part that was kind of new in the [inaudible] the representation of doing things set of state is actually smaller than a representation of finite set of state. pretty cool result. And that was And then we use it to build on further analysis. So I'll tell you that in this graph when you repeat it -- when you [inaudible] on this part of the [inaudible] it just means that you have many elements. Now we can do more. We can just associate a counter value that says not only how -- exactly how not only many but that just count how many element you get. And if you combine the two [inaudible] abstraction. So we apply that to prove termination of systems. Also interesting things, just do software engineering, for instance, there is notion of state machine interfaces. So if there is -- for instance, you have a lock object, there is a sequence of event of method call which is legal, which is locking and unlocking and alternating the two. And that's easily something that you can easily capture your state machine. And here if you apply analysis, we can basically get the generalization of this concept. But when you have like multiple object together, for instance, you have a collection and you have many territories pointing to that collection, so if that collection -- when in territory decide to remove an element of the collection, even though it's [inaudible] territory to invalidate all the territories pointing to SIM collection. So some model call changes [inaudible] that's something that we can capture using this analysis. So we called that dynamic package interfaces. Yes. Oh. And, yeah, we have implemented all that, available the Web. And we have [inaudible] using models different distributed system, mostly coming from actors example. >>: Question, Damien, one previous slide. >> Damien Zufferey: Yes. >>: Are you saying that your modeling the state machine interferes using the same sort of pi calculus to bounded processes? >> Damien Zufferey: >>: Do you think that that is a natural model for this kind of stuff? >> Damien Zufferey: >>: Yes. Pi calculus, no. The graphs, yes. Okay. >> Damien Zufferey: So some here actually we don't really care that much about the graph, rather about the language. Because, for instance, if you have, yeah, exactly that [inaudible] element will be one transition, and then this will say that you -- the order transition of other territories iterating becomes invalid. So somehow you can capture the language of this not only with a single object but the language of the sets of objects using that representation. >>: So the contribution of this paper that you have there, was that a look at a piece of code and extract the model ->> Damien Zufferey: >>: So here -- [inaudible] automatically use it in this abstract language? >> Damien Zufferey: Yeah. So exactly. So here the contribution is not theoretical because it's just the same information we had before [inaudible]. But actually it's more like on the implementation side. Actually here the [inaudible] support that, just take snapshot of the heap. So run the code using basically just calling all the methods, and each time take snapshot of the heap. And then just compare the snapshot of the heap basically to build this graph [inaudible]. So somehow it's a simpler way of being able to build the transition systems not only by looking at [inaudible] in the code but looking at execution of four pieces of code and just by looking at the start and the end result. So basically then it's a way of making analysis. So here this runs on real code, so the previous examples work on models. Here the analysis runs on the [inaudible] code. So it's more like how to implement and make this work. Also one interesting -- so this graph model, mostly the motivation came from [inaudible] of heap graph and that's pointer [inaudible], then actually you can also look at shared memory. So for instance what I told you this strict [inaudible] abstraction, we use it to prove progress of, for instance, log algorithm, like Treiber's stack, Michael/Scott queue. So those are -- so proving progress in this algorithm tend to be very tricky because there is interferences [inaudible] particularly one process can make some action that will make an order process fail and retry. But here we have an analysis since it track like all the interaction between the object, it's still precise enough to prove termination of -- I mean to prove progress for this example. >>: Those examples are not test founded, right? >> Damien Zufferey: So here -- so what we do, because for this we don't prove the functional correctness, that the queue is a queue. So we just prove progress. So we forget about the ordering of the element inside of queue or inside the stack. So that it preserve termination. To prove progress actually is enough. And ->>: [inaudible]. >> Damien Zufferey: >>: So maybe a bit of comparison. I have a -- I have a somewhat philosophical question -- >> Damien Zufferey: >>: Yeah. Yes. -- about this part of a graph. >> Damien Zufferey: Yes. >>: So the kind of techniques that you describe right now, they fall into the class where you try to construct a representation of the set of reachable states in some -- something, you know, that a computer understand and a human being will just not be able to make any sense of it, that's one class of techniques. The other class of techniques is basically [inaudible] where you try to capture the set of reachable states as a [inaudible] that a human being can understand and the -- I mean, for this class of techniques, the problem that has always been is that it works on models and you have to make a lot of simplified [inaudible] and there's a story about how to convert the bad from the models to the implementation that are running the hardware, it's very [inaudible]. So do you have some thoughts based on your experience on how to make this kind of tooling be part of real software engineering given that there will always remain a gap between models and implementations? >> Damien Zufferey: Okay. So -- so here I think to apply it, I think if you look at the approach in the dynamic packaging interface, somewhat tried to mix come kind of runtime and static analysis together. So you can do some running the system basically to get some traces from which you extract some transition in abstract system and then run the static analysis on both transition. So from over here you might need to do work to prove that the transition you extract from the execution actually enough to prove some -- to give you some guarantee. But starting by looking at execution, difference, for instance, that the [inaudible] like the termination analysis runs on models, the DPI really runs on the code. So basically it's a mix of -- it's a dynamic runtime analysis with the static analysis. >>: In the case of the work that you did for the dynamic package interfaces, were you able to -- I mean, if you're using dynamic analysis, then you get [inaudible] only a few traces. >> Damien Zufferey: >>: Yeah. Can you actually conclude about all behaviors in that case? >> Damien Zufferey: So in that case, no, we don't have a completeness theorem. So what we try -- so in practice we had both the models so that we [inaudible] were complete models, and then we had their implementation running on the real code, and we just compared the output. They tend to -- they match really well in practice. But so more basically, yeah, you are limited by the number of traces you explore. So in practice there is a threshold of a few thousand traces that worked pretty well. But, no, at that point you -- when you start mixing runtime and static and dynamic analysis, you don't have any kind of completeness. But we have something that can be applied, so... >>: Is your philosophical question about do you want to find the right way to write invariance about system with dynamic processes, or is the right thing to do to figure out how to abstract systems with dynamic? Is that the philosophical? >>: Yeah. I mean, the thing is that traditionally you can write invariance on real implementation and you can try to push them through. Typically. But you for some reason -- I don't know. >> Damien Zufferey: So here basically -- yeah. I mean, there is the opposite approach that people have taken, these maybe session types. When you first watch what you expect the system to be doing, and then you just make it into a simple -- a language which is simple enough that you can check that the system is actually doing that. So basically you write top-level protocol, and then the protocol using a language that can be projected in components with a protocol, and then you can select what people call BFRL types. But we do the other approach that -- for instance, it's not clear that what's the right language to write those invariants. So instead of writing invariance, say can we just take the system and figure out what the system is doing. So that's the way we do the [inaudible] approach. Because yet [inaudible] yeah. That would be the first part. Comparison is that if you have a good language to write the invariant of the system, then you can use SMT solver, for instance, to push the proof through. But since you pick concurrent [inaudible] that would be like challenge VCC approach. Then if you look -- yes? >>: So Murphy would be under that second bullet? 01 star abstractions. So Murphy has like >> Damien Zufferey: Yeah. So here -- okay. This is not complete, so I did not really include all the different abstraction that you can build. So more actually if you look at 01 star abstraction, so what happen. So in my case the system that we have behave like a 01 to something, and then we have some [inaudible] technique that go to infinity, so 0 something abstraction, so in many case actually we can subsume that type of abstraction, 01 star abstraction. But we don't have like a fixed [inaudible] but if it's the widening or the acceleration that tells you when you go to infinity. And that depends on the runtime, I mean, how the system -- how is the code. So for some reason it's something more general and complete version of the 01 star abstraction. >>: That wasn't my question, but I thought that you made the point that you could have nestings [inaudible]. >> Damien Zufferey: So the nesting is really something that you need. So, for instance, we compare like two vector addition system with Petri nets, which have been not quite successfully as concurrent program because can't just have this -- place that number of token, just count how many process you have. If you want to have both an unbounded number of process and unbounded neighbors, okay, we -- if you want, I can give you technical [inaudible] basically it does not fit into a single Petri net. Basically because you have counters for the number of process, and then if you want to have had the mailbox, which is not bounded or processed, each time increments the counter by one, you need to introduce a new counter, which is how many messages are there for this process. So here that's where you need the nesting, so that when you have the -somewhat this multiple dimension of unboundedness. It comes particularly when you have this tree-like topology. That, for instance, you have just one step, which is like the Petri net, you have like many processes, but if you want to count -- if you want to go further down some kind of hierarchy, you need something like the bounded systems. So I think that's one of the reason why there's many [inaudible] trying to fit concurrent message-passing system into Petri net, but it's only like fragments which are kind of quite not the same but very close because fundamentally you have a problem, and here I think we address the problem. >>: So does your system do -- would it subsume [inaudible] Dubois '94? >> Damien Zufferey: So here this related to the question of [inaudible]. In this system you have these universal transitions. I mean, that's also something -- so we look at -- so this paper you mention and also some other cache currency protocol. But some time you have some kind of universal transitions. If nobody else has done something, that can take it ->>: [inaudible]. >> Damien Zufferey: Yeah. Here we're kind of blocking -- so we can -okay. Gets a bit complicated. The short answer is that we can have -basically we can add guards. So, for instance, if nobody else has sent a request, you can do some things, which is really universal. So we can have this notion of guarded. This becomes, again, an abstraction. For instance, we apply that, for instance, to prove -- we can prove something like [inaudible] protocol safety so that you really have isolation. Now the graph that it generates tends to be not so nice. So it works well for safety, but we have not tried to apply this for analysis on that, because the abstraction [inaudible] to keep many safety properties that might not be -- that may be too coarse to allow this for the analysis, like termination in progress. But, yeah, so that if you want maybe I can just I think I have. So yeah. You have transitions side and right-hand side [inaudible] we can add some pattern that if you can find this pattern, not be fired. show -- jump to this. on top of the left-hand some guards, which is the transition should So the way of still preserving the monotonicity of the system is just one phase basically which is called unfolding. So you map the left-hand side here, would be here, and then you look at all the possible mappings of the guards. So here mean that would be somewhat that need here would be here. So we just remove that node, and then at that point the guards don't know much anymore and you apply your transition. And it's called monotonic abstraction. And it gives you [inaudible] this global transition over the whole system. But since it's global [inaudible] system, it's not really monotonic again. And the result depend on the examples. >> >>: Okay. [inaudible]. >> Damien Zufferey: >>: Yeah. [inaudible]. >> Damien Zufferey: Yep. So basically the intuition is that somewhat -- so if there was not this node, the transition could fire. And since you may need to keep some monotonicity, so you need to make your transitions still fire when know things. You just remove them. >> Shaz Qadeer: I think we should let Damien finish his talk. >> Damien Zufferey: Okay. Okay. So just maybe quickly a bit of future work. Exactly, I mean, this question, for instance, this monotonicity of the system that we need for this analysis is actually a restriction when you look at other kind of systems. So especially [inaudible] I mean, if you think of application large scale system, you will encounter failure of machines. So we [inaudible]. And if you want still to be able to prove some property, the systems, many of them needs times. So, for instance, that was captured by the FLP impossibility result. So if you don't have time, you cannot solve consensus. So some of the [inaudible] is not really well suited to deal, for instance, if we want to deal with this [inaudible] algorithm. But they are still very interesting because when they are using critical places. The fact that you're willing to afford the cost of replication and redundancy mean that you really probably care that your system is correct. So that's a good target for verification. But the method that we have basically could prove 50 but cannot prove any kind of [inaudible] single systems. And you might also want to prove progress. And still very challenging. So not only as before we had this kind of explosion of the schedule due to the concurrency, but if we had fault, we have one more nondeterministic [inaudible] when due process crashes, when [inaudible] develops. Also we have this parametric number of systems. as before but worse. So basically the same So here actually we think that we should do things differently. That's if you in the time -- instead of trying to add time on top of [inaudible] let's try to go the other way around and start a model where you really have true notion of time, which is synchronous model, prove something in this synchronous model, and then you need some tool then do some [inaudible] proof to say that the result you proved in the synchronous model still [inaudible] in the asynchronous system. And the reason of having these different models, they are really much easier to reason about. And they have encapture -- I mean, they are different nice properties. Let people call communication closed so that basically messages are sent and received within the same round. So if you agree to accept the [inaudible], you can just remove the mailbox and uphold the [inaudible] before because of the mailbox [inaudible] buffer just disappear. And so you have something which is really much easier to reason about. Also, if you have this round model that everybody takes up at the same time, you get rid of the interleaving problem. So here we have something, a much nicer model. And here it becomes much easier to add, for instance, crashes, other type of fault, like [inaudible]. But since the -- now we have this round -- this very strong notion of time, it's still much simpler to reason about. And the reason we started looking at this very strong model of synchronous, that if you look at the literature of [inaudible] algorithm, many algorithm actually written in that form. Even though they run into the mass -- on top of asynchronous system, the way the algorithm [inaudible] structures, they follow these kind of multiple phases. For instance, [inaudible] you might send process some messages, and then depending on the amount of process you receive, you might do some update. And even think of [inaudible], which is asynchronous algorithm, it has these different phases. First elects the leader, then it try to send a value once you agree to every processes and get the result, and if you get enough result [inaudible]. So [inaudible] run on asynchronous system, it's structures and runs. So that we want to -- something we want to apply to make our life easier, or the verification process, the verification side, so we have started on the direction. And something that we still need to work on is the refinement proof from the round based model down to the asynchronous systems. So there is actually reasons why people have been working on this round-based model is that there are, for instance, what people called predicates layer, which is a generic way of implementing the illusion of runs on top of [inaudible] systems. So we could maybe just implement that. But if you look at those paper, there's some multitheoretical constructions and unlikely to work in practice [inaudible] to get something which applicable, we need to specialize the [inaudible] proof to the algorithms. And, yeah, there is very -- a lot of interesting work in that direction in how to automatically transform an algorithm expressed in these round systems to have something that trends on an actual asynchronous system. Okay. That's all for the future work. And I'm happy to take any more question, make clear any point and [inaudible]. Thank you for attention. [applause]. >> Shaz Qadeer: More questions? >>: CSP a long time ago broke through, did a number of new things. Are any of those theorems and these formalisms that were used [inaudible] are they still relevant today or are they just so taken for granted these days we don't think about it? >> Damien Zufferey: Honestly, the bang and question mark notation from just P state much better than the pica code notation. But I think on the other end, if like in the term of insight of the modeling systems, we read a bit about CSP, but I think pica calls and that kind of formalism, which is somebody [inaudible] systems more relevant. If you give me some more precise question about CSP, I can compare. But roughly I think [inaudible] insight of decoupling processes and accuracies and names is actually very -- I mean, that's really something we use. >>: So everything you described is really to verifying the programs are correct. >> Damien Zufferey: Yeah. >>: And that means you have kind of a pretty long period of time to think about answering that question [inaudible] yes or no. But if you were to take some parts of this analysis and make them dynamic, then maybe -- we were talking about this earlier -- maybe find some way of doing a partial [inaudible] partially computing the same analysis and then making some adjustments to the protocol that's executing, especially if it's delivering messages or something. >> Damien Zufferey: So what -- yeah. >>: Do you think that this would be something you could do? there -- do you have any intuition? Is >> Damien Zufferey: I mean, there is this idea of [inaudible] when you start -- you mix -- so you destroy the current set of your system or some partial set and then use that as initial state of the static analysis. And basically you reduce more like breadth for search so that you explore all the possibility. But not very deep in time, just for like the near feature. Because basically you try to avoid the exponential blowup of data dependent [inaudible] explosion by just looking at the near future. And if you don't find anything but within the -- this near future, you say, okay, just let it run. If you find something bad, you just steer the execution of your program to automatic execution that does not contain this error and then you basically restart by [inaudible] the static analysis using the current time of the systems. You just -- you continually run the static analysis part. But just exploring short-term future, and if you find bug in short-term future, maybe it's not [inaudible] and you can just -- but so I know it has been applied in this [inaudible] because, for instance, my -- I have delay between sending and receiving messages. And if you are like really [inaudible] 20, hundred milliseconds delay following a near future exploration that might be already enough. >>: So you had five seconds for getting the Internet state version of this? >> Damien Zufferey: >>: No, I think it was even simpler. It was -- It was some number of seconds. >> Damien Zufferey: Yeah, it was very short. >>: One second, okay. It was five [inaudible] and one second. So I guess if you -- so you'd be under a second, let's do this kind of analysis is what you expect if you did a bounded version? >> Damien Zufferey: I mean, it really -- but if you do the bounded version mean that there are very few transition to look at. >>: I think it'd be really neat to put this in like a VM or something [inaudible]. >> Damien Zufferey: Yeah. [inaudible] I cannot answer without trying. I mean, I said the bounded -- bounding the horizon is definitely a very interesting -- because especially for [inaudible] you have some small gap of time between when you send a message and when you have to take some action to do replying. That's already maybe ->>: Am I understanding that you want to build this bounded horizon thing from the current state of the [inaudible]? >> Damien Zufferey: Yes. Yeah. >>: But, I mean, in a distributed system, knowing the current state, the state is distributed, right? >> Damien Zufferey: >>: Yeah. Capturing that is very hard. >> Damien Zufferey: So that's -- here you restrict your set of property that you want to really [inaudible] as local to do one process. >>: I see. >> Damien Zufferey: I think there have been some work in that direction by [inaudible]. >>: That's what [inaudible] static [inaudible] that's why you need based on sums I'm sure on what the -- >> Damien Zufferey: >>: Yeah. -- other machines might be at. >> Damien Zufferey: So, for instance, if you know that [inaudible] replicated and every machine run the same code, for instance, that's an assumption that you can use so that you have some idea even of what the other machine are doing because you know they run the same code as you. >>: I see. >> Damien Zufferey: So that assumption that can [inaudible] even though -- so you only see your goal state, but you have some idea of what the other might be doing by the messages that you receive. But, yeah, then you really need to restrain the set of property -- I mean, visually you -- if you find some error which would affect [inaudible] system. But since it's local, might be too late to send a message to the components that you are going to crush. >>: [inaudible] this round base view, did you come across this work by [inaudible] on time triggered architectures? It kind of sounds -- so this is basically build a communication layer that forces rounds and by upfront scheduling when you can communicate. So you can't -- you no longer just have this kind of arbitrary asynchrony. But you commit to hardware that says this guy has this point in time [inaudible] in a message and that's it. >> Damien Zufferey: >>: So yeah. [inaudible] this kind of rounds. >> Damien Zufferey: I don't know exactly at the hardware level. I've seen the version like [inaudible] called visual synchrony [inaudible] this notion of round. So I can't compare to visual synchrony and say [inaudible] we wanted to leave something weaker because they really guarantee that not only this notion of round, which is like total ordering on messages, but also you have like every message get delivered. So I think we can find something [inaudible] which might be weaker. So we can still get -you can still get progress, for instance, without I think all the messages being delivered. And especially for network which is congested, and then you've got messages, maybe you still -- if you have an abstraction layer that forces all the message to be delivered, that might slow you down quite a lot. So [inaudible] want something weaker that -- I don't know exactly I can compare with the hardware, but at least on the software side I think we need something weaker than already what exist in term of view of rounds. >> Shaz Qadeer: [inaudible]. [applause]. >> Damien Zufferey: Thank you.