Automating Commutativity Analysis at the Design Level

1. Automating Commutativity Analysis at the Design Level Greg Dennis, Robert Seater, Derek Rayside, Daniel Jackson MIT CSAIL gdennis@mit.edu

2. Therac-25 (1985-1987) • race conditions when operator typed too quickly • lacked hardware interlocks in previous versions • X-rays delivered without metal target in place • problems eluded testing • 6 major overdoses, 2 deaths

3. Panama (2001) • déjà vu all over again • unexpected data entry • 20%-100% more radiation than prescribed • 28 overdoses, at least 6 attributable deaths

4. Northeast Proton Therapy Center • proton therapy machine at MGH • unlike the Therac or Panama • extensive hardware interlocks • abundant runtime checks • thoroughly reviewed and tested

5. room 2 Master Control Room (MCR) TCR 1 TCR 2 TCR 3 NPTC Overview cyclotron

6. Automatic Beam Scheduler (ABS) Request Queue allocated room 2 room 3 pending room 3 room 1 room 1

7. 1 1 3 3 2 2 1 2 2 TCR Operations • RequestBeam • RequestBeamHighPriority • CancelBeamRequest • ReleaseBeam Request(2) Request(1) ReqHigh(3) Cancel(1) Release(3)

8. 2 2 2 2 2 3 1 3 1 1 3 1 MCR Operations • StepUp • StepDown • Flush • FlushAll StepDown(1) StepUp(1) Flush(3) FlushAll()

9. 2 Request(1) FlushAll() 3 2 2 3 1 2 2 1 Interfering Commands FlushAll() Request(1) Request(1) FlushAll() ≠

10. Commutativity • if not, results can be surprising when commands issued simultaneously.

11. Violations of Commutativity Violation of Diamond Connectivity: Violation of Diamond Equivalence:

12. What We Did OCL Spec of Beam Scheduler Alloy Model Commutativity Properties Alloy Analyzer commutativity properties for each pair of operations Commutativity Matrix

13. OCL Spec context BeamScheduler::cancelBeamRequest(req: BeamRequest) pre: -- BeamRequest is inside the pending request queue self.pendingRequests@pre->exists(r | r == req) post: -- BeamRequest is not inside the pending requests queue not self.pendingRequests->exists(r | r == req) key differences between OCL and Alloy?

14. open util/ordering[OrderID] sig Request { room: Room, priority: Priority } sig Room {} abstract sig Priority {} one sig Service, Normal, High extends Priority {} sig Queue { alloc, pending, requests : set Request, order: requests -> one OrderID }{ requests = alloc + pending } sig OrderID {}

15. Operations pred CancelBeamRequest(q, q': Queue, req: Request) { preCancelBeamRequest(q, req) q'.pending = q.pending - req q'.alloc = q.alloc q'.order = (q.requests – req) <: (q.order) } pred preCancelBeamRequest(q: Queue, req: Request) { req in q.pending } effect of operation as constraint on pre- and post-state we factored out the precondition of each operation into a separate predicate

16. Commutativity Properties assert A_B_Equiv { all si, sa, sb, sab, sba: Queue { A(si,sa) && B(sa,sab) && B(si,sb) && A(sb,sba) => sab = sba } } assert Cancel_StepUp_Equiv { all si, sa, sb, sab, sba: Queue, rq1, rq2: Request { (Invariants(si) && CancelBeamRequest(si, sa, rq1) && StepUp(sa, sab, rq2) && StepUp(si, sb, rq2) && CancelBeamRequest(sb, sba, rq1)) => equivQueues(sab, sba) } }

17. Results TCR Operations TCR Operations MCR Operations 3-100 seconds/analysis, Pentium III 600 MHz, 192 MB RAM

18. ReqHigh(1) 2 Release(2) 1 2 1 Non-commutativity Example Release(2) ReqHigh(1) ReqHigh(1) Release(2) cannot execute

19. Pure Logic Modeling • Could we have modeled commutativity in OCL with built-in state transitions? • "Pure Logic Modeling": • explicit states allows us to "rewind" time and ask about different execution traces • Similar difficulty analyzing these properties with traditional model checker.

20. Conclusions • Practical results from lightweight formal methods • Commutativity analysis is useful • when humans manipulate shared data • Constraint solver effective for this analysis • didn't stretch limits of tool or modelers • Analyzability is important in practice • Pure logic modeling is powerful