Automating Commutativity Analysis at the Design Level

Greg Dennis, Robert Seater,Derek Rayside, Daniel Jackson

MIT CSAILgdennis@mit.edu

Therac-25 (1985-1987)

• race conditions when operator typed too quickly

• lacked hardware interlocks in previous versions

• X-rays delivered without metal target in place

• problems eluded testing

• 6 major overdoses, 2 deaths

Panama (2001)

• déjà vu all over again

• unexpected data entry

• 20%-100% more radiation than prescribed

• 28 overdoses, at least 6 attributable deaths

Northeast Proton Therapy Center

• proton therapy machine at MGH

• unlike the Therac or Panama

• extensive hardware interlocks

• abundant runtime checks

• thoroughly reviewed and tested

TCR 2

NPTC Overview

TCR 1 TCR 3

room 2

cyclotron Master Control Room (MCR)

room 2room 3

Automatic Beam Scheduler (ABS)

room 1

room 3

Request Queue

allocated

pending

room 1

TCR Operations

• RequestBeam• RequestBeamHighPriority• CancelBeamRequest• ReleaseBeam

Request(1) ReqHigh(3)Request(2) Cancel(1) Release(3)

3

2

1

1

2

1 3

2

2

2

1

3

MCR Operations

• StepUp• StepDown• Flush• FlushAll

StepUp(1) Flush(3)StepDown(1) FlushAll()

2

1

22

1

3

2

1

3

Interfering Commands

FlushAll() Request(1)

2

1

3

2

3

2

1

Request(1)

Request(1)

FlushAll()

FlushAll()

2

2

≠

Commutativity

•

• if not, results can be surprising when commands issued simultaneously.

Violations of Commutativity

Violation ofDiamond Equivalence:

Violation ofDiamond Connectivity:

What We Did

AlloyModel

AlloyModel

OCL Spec ofBeam Scheduler

OCL Spec ofBeam Scheduler

Commutativity Properties

Commutativity Properties

CommutativityMatrix

AlloyAnalyzer

commutativity properties for each pair of operations

OCL Spec

context BeamScheduler::cancelBeamRequest(req: BeamRequest) pre: -- BeamRequest is inside the pending request queue self.pendingRequests@pre->exists(r | r == req)

post: -- BeamRequest is not inside the pending requests queue not self.pendingRequests->exists(r | r == req)

key differences between OCL and Alloy?

open util/ordering[OrderID]

sig Request { room: Room, priority: Priority}

sig Room {}

abstract sig Priority {}one sig Service, Normal, High extends Priority {}

sig Queue { alloc, pending, requests : set Request, order: requests -> one OrderID}{ requests = alloc + pending}

sig OrderID {}

Operations

pred CancelBeamRequest(q, q': Queue, req: Request) { preCancelBeamRequest(q, req) q'.pending = q.pending - req q'.alloc = q.alloc q'.order = (q.requests – req) <: (q.order)}

pred preCancelBeamRequest(q: Queue, req: Request) { req in q.pending} we factored out the precondition of each

operation into a separate predicate

effect of operation as constraint on pre- and post-state

assert A_B_Equiv { all si, sa, sb, sab, sba: Queue { A(si,sa) && B(sa,sab) && B(si,sb) && A(sb,sba) => sab = sba } }

assert Cancel_StepUp_Equiv { all si, sa, sb, sab, sba: Queue, rq1, rq2: Request { (Invariants(si) && CancelBeamRequest(si, sa, rq1) && StepUp(sa, sab, rq2) && StepUp(si, sb, rq2) && CancelBeamRequest(sb, sba, rq1)) => equivQueues(sab, sba) }}

Commutativity Properties

Results

Request ReqHigh Cancel Release

Request x x

ReqHigh x x

Cancel x

Release x x x

3-100 seconds/analysis, Pentium III 600 MHz, 192 MB RAM

StepUp x x

StepDown x x

Flush x x x x

FlushAll x x x x

TCR Operations

TC

R O

per

atio

ns

MC

R O

per

atio

ns

Non-commutativity Example

Release(2) ReqHigh(1)

1

2

2

1

ReqHigh(1)

ReqHigh(1)

Release(2)

Release(2)

cannot execute

Pure Logic Modeling

• Could we have modeled commutativity in OCL with built-in state transitions?

• "Pure Logic Modeling":– explicit states allows us to "rewind" time and

ask about different execution traces

• Similar difficulty analyzing these properties with traditional model checker.

Conclusions

• Practical results from lightweight formal methods

• Commutativity analysis is useful– when humans manipulate shared data

• Constraint solver effective for this analysis– didn't stretch limits of tool or modelers

• Analyzability is important in practice

• Pure logic modeling is powerful