Automating Commutativity Analysis at the Design Level (slide transcript)
1
Automating Commutativity Analysis at the Design Level
  • Greg Dennis, Robert Seater,
  • Derek Rayside, Daniel Jackson
  • MIT CSAIL
  • gdennis_at_mit.edu

2
Therac-25 (1985-1987)
  • race conditions when operator typed too quickly
  • lacked hardware interlocks in previous versions
  • X-rays delivered without metal target in place
  • problems eluded testing
  • 6 major overdoses, 2 deaths

3
Panama (2001)
  • déjà vu all over again
  • unexpected data entry
  • 20-100% more radiation than prescribed
  • 28 overdoses, at least 6 attributable deaths

4
Northeast Proton Therapy Center
  • proton therapy machine at MGH
  • unlike the Therac or Panama
  • extensive hardware interlocks
  • abundant runtime checks
  • thoroughly reviewed and tested

5
NPTC Overview
Figure: NPTC overview diagram (only the label "cyclotron" survived extraction)
6
Automatic Beam Scheduler (ABS)
Figure: request queue with allocated requests (room 2, room 3) and pending requests (room 3, room 1, room 1)
7
TCR Operations
  • RequestBeam
  • RequestBeamHighPriority
  • CancelBeamRequest
  • ReleaseBeam

Example sequence of TCR commands: Request(2), Request(1), ReqHigh(3), Cancel(1), Release(3)
8
MCR Operations
  • StepUp
  • StepDown
  • Flush
  • FlushAll

Example sequence of MCR commands: StepDown(1), StepUp(1), Flush(3), FlushAll()
9
Interfering Commands
Ordering 1: Request(1), then FlushAll()
Ordering 2: FlushAll(), then Request(1)
? (do both orderings reach the same state?)
10
Commutativity
  • if operations do not commute, results can be surprising when commands
    are issued simultaneously.

11
Violations of Commutativity
Violation of Diamond Connectivity
Violation of Diamond Equivalence
12
What We Did
OCL Spec of Beam Scheduler -> Alloy Model
Alloy Model + Commutativity Properties (one for each pair of operations) -> Alloy Analyzer -> Commutativity Matrix
13
OCL Spec
  context BeamScheduler::cancelBeamRequest(req : BeamRequest)
  pre:
    -- BeamRequest is inside the pending request queue
    self.pendingRequests@pre->exists(r | r = req)
  post:
    -- BeamRequest is not inside the pending requests queue
    not self.pendingRequests->exists(r | r = req)
  • key differences between OCL and Alloy?

14
open util/ordering[OrderID]

sig Request { room: Room, priority: Priority }
sig Room {}
abstract sig Priority {}
one sig Service, Normal, High extends Priority {}
sig Queue {
  alloc, pending, requests: set Request,
  order: requests -> one OrderID
} { requests = alloc + pending }
sig OrderID {}
15
Operations
pred CancelBeamRequest(q, q': Queue, req: Request) {
  preCancelBeamRequest(q, req)
  q'.pending = q.pending - req
  q'.alloc = q.alloc
  q'.order = (q.requests - req) <: q.order
}
pred preCancelBeamRequest(q: Queue, req: Request) {
  req in q.pending
}
The effect of an operation is expressed as a constraint on its pre- and post-state.
We factored out the precondition of each operation into a separate predicate.
16
Commutativity Properties
assert A_B_Equiv {
  all si, sa, sb, sab, sba: Queue |
    A(si, sa) and B(sa, sab) and B(si, sb) and A(sb, sba) => sab = sba
}
assert Cancel_StepUp_Equiv {
  all si, sa, sb, sab, sba: Queue, rq1, rq2: Request |
    (Invariants(si) and CancelBeamRequest(si, sa, rq1) and StepUp(sa, sab, rq2)
     and StepUp(si, sb, rq2) and CancelBeamRequest(sb, sba, rq1))
    => equivQueues(sab, sba)
}
17
Results
Commutativity matrix: rows are the operations, columns the TCR operations (Request, ReqHigh, Cancel, Release); an x marks a pair found not to commute (the column positions of the x marks did not survive extraction)
TCR Operations (rows)
Request   x x
ReqHigh   x x
Cancel    x
Release   x x x
MCR Operations (rows)
StepUp    x x
StepDown  x x
Flush     x x x x
FlushAll  x x x x
3-100 seconds per analysis, Pentium III 600 MHz, 192 MB RAM
18
Non-commutativity Example
Ordering 1: ReqHigh(1), then Release(2)
Ordering 2: Release(2), then ReqHigh(1)
In one of the two orderings the second command cannot execute.
19
Pure Logic Modeling
  • Could we have modeled commutativity in OCL with
    built-in state transitions?
  • "Pure Logic Modeling"
  • explicit states allow us to "rewind" time and
    ask about different execution traces
  • Similar difficulty analyzing these properties
    with a traditional model checker.

20
Conclusions
  • Practical results from lightweight formal methods
  • Commutativity analysis is useful
      • when humans manipulate shared data
  • Constraint solver effective for this analysis
      • didn't stretch limits of tool or modelers
  • Analyzability is important in practice
  • Pure logic modeling is powerful