Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automating Commutativity Analysis at the Design Level Greg Dennis, Robert Seater, Derek Rayside, Daniel Jackson MIT CSAIL

Published byAnissa Bond Modified over 8 years ago

Similar presentations

Presentation on theme: "Automating Commutativity Analysis at the Design Level Greg Dennis, Robert Seater, Derek Rayside, Daniel Jackson MIT CSAIL"— Presentation transcript:

1 Automating Commutativity Analysis at the Design Level Greg Dennis, Robert Seater, Derek Rayside, Daniel Jackson MIT CSAIL gdennis@mit.edu

2 Therac-25 (1985-1987) race conditions when operator typed too quickly lacked hardware interlocks in previous versions X-rays delivered without metal target in place problems eluded testing 6 major overdoses, 2 deaths

3 Panama (2001) déjà vu all over again unexpected data entry 20%-100% more radiation than prescribed 28 overdoses, at least 6 attributable deaths

4 Northeast Proton Therapy Center proton therapy machine at MGH unlike the Therac or Panama extensive hardware interlocks abundant runtime checks thoroughly reviewed and tested

5 TCR 2 NPTC Overview TCR 1TCR 3 room 2 cyclotron Master Control Room (MCR)

6 room 2room 3 Automatic Beam Scheduler (ABS) room 1 room 3 Request Queue allocated pending room 1

7 TCR Operations RequestBeam RequestBeamHighPriority CancelBeamRequest ReleaseBeam Request(1) ReqHigh(3) Request(2) Cancel(1) Release(3) 3 2 1 1 2 13 2 2

8 2 1 3 MCR Operations StepUp StepDown Flush FlushAll StepUp(1)Flush(3) StepDown(1) FlushAll() 2 1 22 1 3 2 1 3

9 Interfering Commands FlushAll()Request(1) 2 1 3 2 3 2 1 FlushAll() 22 ≠

10 Commutativity if not, results can be surprising when commands issued simultaneously.

11 Violations of Commutativity Violation of Diamond Equivalence: Violation of Diamond Connectivity:

12 What We Did Alloy Model Alloy Model OCL Spec of Beam Scheduler OCL Spec of Beam Scheduler Commutativity Properties Commutativity Matrix Alloy Analyzer commutativity properties for each pair of operations

13 OCL Spec context BeamScheduler::cancelBeamRequest(req: BeamRequest) pre: -- BeamRequest is inside the pending request queue self.pendingRequests@pre->exists(r | r == req) post: -- BeamRequest is not inside the pending requests queue not self.pendingRequests->exists(r | r == req) key differences between OCL and Alloy?

14 open util/ordering[OrderID] sig Request { room: Room, priority: Priority } sig Room {} abstract sig Priority {} one sig Service, Normal, High extends Priority {} sig Queue { alloc, pending, requests : set Request, order: requests -> one OrderID }{ requests = alloc + pending } sig OrderID {}

15 Operations pred CancelBeamRequest(q, q': Queue, req: Request) { preCancelBeamRequest(q, req) q'.pending = q.pending - req q'.alloc = q.alloc q'.order = (q.requests – req) <: (q.order) } pred preCancelBeamRequest(q: Queue, req: Request) { req in q.pending } we factored out the precondition of each operation into a separate predicate effect of operation as constraint on pre- and post-state

16 assert A_B_Equiv { all si, sa, sb, sab, sba: Queue { A(si,sa) && B(sa,sab) && B(si,sb) && A(sb,sba) => sab = sba } } assert Cancel_StepUp_Equiv { all si, sa, sb, sab, sba: Queue, rq1, rq2: Request { (Invariants(si) && CancelBeamRequest(si, sa, rq1) && StepUp(sa, sab, rq2) && StepUp(si, sb, rq2) && CancelBeamRequest(sb, sba, rq1)) => equivQueues(sab, sba) } } Commutativity Properties

17 Results RequestReqHighCancelRelease Request xx ReqHigh xx Cancel x Release xxx 3-100 seconds/analysis, Pentium III 600 MHz, 192 MB RAM StepUp xx StepDown xx Flush xxxx FlushAll xxxx TCR Operations MCR Operations

18 Non-commutativity Example Release(2)ReqHigh(1) 1 2 21 Release(2) cannot execute

19 Pure Logic Modeling Could we have modeled commutativity in OCL with built-in state transitions? "Pure Logic Modeling": –explicit states allows us to "rewind" time and ask about different execution traces Similar difficulty analyzing these properties with traditional model checker.

20 Conclusions Practical results from lightweight formal methods Commutativity analysis is useful –when humans manipulate shared data Constraint solver effective for this analysis –didn't stretch limits of tool or modelers Analyzability is important in practice Pure logic modeling is powerful

Download ppt "Automating Commutativity Analysis at the Design Level Greg Dennis, Robert Seater, Derek Rayside, Daniel Jackson MIT CSAIL"

Similar presentations

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 1.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 1.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Verification of DSMLs Using Graph Transformation: A Case Study with Alloy Zekai Demirezen 1, Marjan Mernik 1,2, Jeff Gray 1, Barrett Bryant 1 1 Department.

Verification of DSMLs Using Graph Transformation: A Case Study with Alloy Zekai Demirezen 1, Marjan Mernik 1,2, Jeff Gray 1, Barrett Bryant 1 1 Department.
– Seminar in Software Engineering Cynthia Disenfeld

– Seminar in Software Engineering Cynthia Disenfeld
Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.

Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
10.6.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.
Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela.

Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela.
Train Control Language Teaching Computers Interlocking By: J. Endresen, E. Carlson, T. Moen1, K. J. Alme, Haugen, G. K. Olsen & A. Svendsen Synthesizing.

Train Control Language Teaching Computers Interlocking By: J. Endresen, E. Carlson, T. Moen1, K. J. Alme, Haugen, G. K. Olsen & A. Svendsen Synthesizing.
1 A UML Class Diagram Analyzer Tiago Massoni Rohit Gheyi Paulo Borba Software Productivity Group Informatics Center – UFPE October 2004.

1 A UML Class Diagram Analyzer Tiago Massoni Rohit Gheyi Paulo Borba Software Productivity Group Informatics Center – UFPE October 2004.
Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.

Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.
A Proof of Correctness of a Processor Implementing Tomasulo’s Algorithm without a Reorder Buffer Ravi Hosabettu (Univ. of Utah) Ganesh Gopalakrishnan (Univ.

A Proof of Correctness of a Processor Implementing Tomasulo’s Algorithm without a Reorder Buffer Ravi Hosabettu (Univ. of Utah) Ganesh Gopalakrishnan (Univ.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Using UML and Alloy to Specify and Analyze Access Control Features Eunjee Song, Xi Hua SP05-CS681 Project Proposal.

Using UML and Alloy to Specify and Analyze Access Control Features Eunjee Song, Xi Hua SP05-CS681 Project Proposal.
Course Summary. © Katz, 2007 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.

Course Summary. © Katz, 2007 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.
1 Scenario-based Analysis of UML Design Class Models Lijun Yu October 4th, 2010 Oslo, Norway.

1 Scenario-based Analysis of UML Design Class Models Lijun Yu October 4th, 2010 Oslo, Norway.
Real-Time System Requirements & Design Specs Shaw - Chapters 3 & 4 Homework #2: 3.3.1, 3.4.1, Add Error states to Fig 4.1 Lecture 4/17.

Real-Time System Requirements & Design Specs Shaw - Chapters 3 & 4 Homework #2: 3.3.1, 3.4.1, Add Error states to Fig 4.1 Lecture 4/17.

Similar presentations

Ads by Google