
Formal Verification of Web Service Interaction Contracts


  1. 1. Formal Verification of Web Service Interaction Contracts
        • SCC WIP Session 3, Honolulu, HI, USA, July 9, 2008
        • German Shegalov (ex-MPII, Oracle, USA)
        • Gerhard Weikum (MPI Informatik, Germany)
        funded by
  2. 2. E-Business Scenario
        Your server command (process id #20) has been terminated. Re-run your command (severity 13) in /opt/www/your-reliable-eshop.biz/mb_1300_db.mb1
        place your order!
  3. 3. Problem Statement
        • Non-idempotence (Math 1.0)
            • , n > 1
        • Non-idempotence (Web 2.0, ERP, etc.)
            • "Request timeout"  "request failure"
            • "Request send"  "request resend"
            • Anecdotal evidence: “Don't click more than once!”
                • 8 health insurance IDs for a 3-member family
                • Order one, get many ... pay for many
  4. 4. Transaction recovery is idempotent. However, …
        [Sequence diagram over a timeline between Web Client, Web Application Server and Database Server. Labels: Purchase Request, Start Transaction, SQL Request, SQL Response, Commit Transaction, ACK, Order Confirmation, Transaction Restart, Purchase Request Resubmission. Annotation: Non-idempotent execution!]
  5. 5. Real-World n-Tier Application
        [Diagram labels: Expedia Sabre Server Amadeus; Expedia App Server; Sabre App Server; Amadeus App Server; Client; Web Server; DB 1; DB 2; DB 3; DB 4]
  6. 6. IC Framework
        • Components and Guarantees
            • Persistent (Pcom): Persistent, testable state & messages
            • External (Xcom) (e.g., humans): No recovery
            • Transactional (Tcom): Persistence and testability on commit
        • Interaction Contracts
            • Xcom & Pcom = External IC (XIC)
            • Pcom & Pcom = Committed IC (CIC)
            • Tcom & Pcom = Transacted IC (TIC)
        • Failure model: transient failures, e.g., Heisenbugs
        • Exactly-Once Semantics
            • Forget rollbacks: exactly-once execution is guaranteed
  7. 7. Pcom Design
        • Redo Log & Recovery Managers
        • Piecewise determinism + Logging = Full Determinism
        • Unique message id for duplicate elimination
        • Deterministic replay recovers Pcoms
        • Installation Points speed up replay
        [Diagram labels: PCom1, PCom2]
  8. 8. Committed IC Sender
        [Statechart CIC_SNDR_SC. States: STABLE_S, SENDING, INSTALLED_S, RECOVERY, MSG_LOOKUP, PREPARE_PERSISTENCE. Transition labels:]
            • SNDR_MSG_TM and not (STABLE_OK or INSTALLED_OK)/ SEND_MSG
            • SNDR_ND/ SEND_MSG
            • SNDR_TRIGGER [SNDR_LAST_LOGGED=='']/ SNDR_ND
            • MSG_RECOVERED_TM/ SEND_MSG
            • GET_MSG_OK
            • [SNDR_LAST_LOGGED=='INSTALLED']
            • INSTALLED_OK/ SNDR_LAST_LOGGED:='INSTALLED'
            • STABLE_OK
            • SNDR_STABLE_TM and not (INSTALLED_OK or GET_MSG_OK)/ IS_INSTALLED
            • SNDR_CRASH
        * EVENT_OK = EVENT   LINK_OUTAGE
        _TM means TIMEOUT
  9. 9. Committed IC Receiver
        [Statechart CIC_RCVR_SC. States: MSG_RECOVERY, STABLE_R, INSTALLED_R, MSG_RECEIVED, RECOVERY, MSG_PROCESSED. Transition labels, in extracted order:]
            • RCVR_INSTALL_TM/ RCVR_LAST_LOGGED:='INSTALLED'; INSTALLED
            • [RCVR_LAST_LOGGED=='INSTALLED']
            • [RCVR_LAST_LOGGED=='STABLE']
            • SEND_MSG_OK
            • [RCVR_LAST_LOGGED=='STABLE']/ GET_MSG
            • [ICIC]/ RCVR_LAST_LOGGED:='INSTALLED'; INSTALLED
            • MSG_EXEC_TM/ RECEIVED;
            • ( RCVR_STABLE_TM or RCVR_ND [MSG_ORDER_MATTERS] ) [not ICIC and RCVR_LAST_LOGGED=='']/ RCVR_LAST_LOGGED:='STABLE';
            • SEND_MSG_OK [RCVR_LAST_LOGGED=='']
            • not SEND_MSG_OK and GET_MSG_TM/ GET_MSG
            • SEND_MSG or IS_INSTALLED/ STABLE
            • SEND_MSG or IS_INSTALLED/ INSTALLED
            • RCVR_CRASH
        * EVENT_OK = EVENT   LINK_OUTAGE
        _TM means TIMEOUT
  10. 10. CIC Verification
        • Safety: a value is logged at most once
            • For all log values v  { 'stable', 'installed' }
            • AG ( written(log)  log = v  AX AG ¬( written(log)  log = v ) )
        • Liveness: CIC terminates
            • for timeouts < 30 steps
            • F <n: eventually after at most n steps
            • AF <500 AG ¬failures  AF <700 CIC installed
        • Together: exactly once!
  11. 11. IC's & Web Service
        • Web server's reply commits the app servers' reply order
        • AG websrvr_rep:send_msg   i=1,2 ( appsrvr i : rcvr_log='stable'  appsrvr i : rcvr_log='installed' )
        [Activitychart. Labels: USER1_REQ @USER1_SC, XACT_UPDATE <TIC_AC, BROWSER_INPUT <XIC_I_AC, BROWSER_OUTPUT <XIC_O_AC, WEBSRVR_REQ <CIC_AC, WEBSRVR_REP <CIC_AC, APPSRVR1_REQ <CIC_AC, APPSRVR1_REP <CIC_AC, APPSRVR2_REQ <CIC_AC, APPSRVR2_REP <CIC_AC, CUSTOMER, HTML_PROMPT, BUTTON_CLICKED, HTML_REPLY, CLICK_CAPTURED, WEBSRVR_REQ_RCVD, APPSRVR1_REQ_RCVD, APPSRVR2_REQ_RCVD, APPSRVR1_REP_RCVD, APPSRVR2_REP_RCVD, WEBSRVR_REP_RCVD, XACT_COMMITTED]
        LOCAL_FAILURES: BROWSER_CRASH, XACT_{USER, INTERNAL}_ABORT, BROWSER_WEBSRVR_LINK_OUTAGE
        GLOBAL_FAILURES: WEBSERVER_CRASH, APPSERVER{1;2}_CRASH, DBSRVR_CRASH, WEB_APP{1,2}_LINK_OUTAGE, APP1_DB_LINK_OUTAGE
  12. 12. Summary
        • Generic IC framework specification
            • STATEMATE: Statecharts
        • Formal verification at IC and app level
            • STATEMATE: Model Checking
        • IC implementation for PHP & Internet Explorer
            • EOS
        • Rigorous recovery guarantees based on the formally verified models
  13. 13. EOS Demo
        [Diagram labels: USER 1, Frontend Server, Backend Server, B2C_LINK, B2B_LINK]
  14. 14. Thank You!
        • German Shegalov <german.shegalov@acm.org>
        • Gerhard Weikum <weikum@mpi-inf.mpg.de>
        ?
  15. 15. Transaction Recovery
        • At most once semantics
        • Recovery: Redo All, Undo Uncommitted
            • LSN < PageLSN: skip redo
            • LSN > PageLSN: skip undo
        Transfer €100 from 1 to 2:
            BEGIN TRANSACTION
            /* LSN = 1: log undo and redo */
            UPDATE Accounts SET balance = balance - 100 WHERE Number = 1
            /* LSN = 2: log undo and redo */
            UPDATE Accounts SET balance = balance + 100 WHERE Number = 2
            /* LSN = 3: log commit; force to disk (~10^5 slower) */
            COMMIT TRANSACTION
        Accounts (LSN=0)        Accounts (LSN=3)
        Number  Balance         Number  Balance
        1       1000            1       900
        2       2000            2       2100
  16. 16. Statecharts [Harel'87, UML'97]
        Step-wise refinement
        [Diagram labels: INIT, END, S1, S2, S3, E[C]/A, E23/A23, [OK], [!OK]]
  17. 17. 2PC Message Sequence
        [Sequence diagram over a timeline between Coordinator and DB i. Labels, in extracted order: force-log begin, prepare, force-log prepared, commit, force-log commit (twice), force-log end, ack, yes]
  18. 18. PA-2PC Coordinator
  19. 19. PA-PC Cohort
  20. 20. External IC
  21. 21. Committed IC Monitor
        • Statechart = Behavioral View
            • Finite State Automaton (FSA) +
            • Nesting + Orthogonal substates +
            • E[C]/A transitions: on Event while Condition
                • Leave source, enter target, execute Action
                • E.g., A = E' means generate event E'
            • Configuration = set of entered states
            • Execution context = variable valuation
                • Step i: conf i  ctxt i  conf i+1  ctxt i+1
        [Statechart CIC_SC. State labels: SNDR_S, RCVR_S, SENDING, RECEIVING. Transition labels:]
            • (not SNDR_CRASH) [not active(CIC_SNDR_AC)]/ start!(CIC_SNDR_AC)
            • (not RCVR_CRASH) [not active(CIC_RCVR_AC)]/ start!(CIC_RCVR_AC)
  22. 22. Committed IC Activities
        • Activitychart = Functional View
        [Activitychart CIC_AC. Labels: @CIC_SC, FAILURE_PRONE_ENVIRONMENT, RCVR_CRASH, SNDR_CRASH, LINK_OUTAGE, CIC_SNDR_AC, CIC_RCVR_AC, SEND_MSG, STABLE, INSTALLED, @CIC_SNDR_SC, @CIC_RCVR_SC, EXTERNAL_APP_LOGIC, SNDR_TRIGGER, MSG_PROCESSED, GET_MSG, SYSTEM_ADMINISTRATOR, ICIC, TIMEOUTS]
  23. 23. CIC's Informal Design
        • CIC sender (Pcom) obligations
            • Persist state before send
            • Tag message with a MSN
            • Resend on timeout until stable ack
            • Resend on receiver's "get msg"
            • Forget interaction on installed ack
        • CIC receiver (Pcom) obligations
            • Eliminates duplicates using MSNs
            • Persists interaction before stable ack
            • "gets msg" if msg is not in log after failure
            • Ensures autonomous recovery before installed ack
  24. 24. Verification Run-Times
        Property/Specification Type       OBDD size   Verification Time
        IC-level safety
            Integer Timeout               ~10^4       ~5 seconds
            Nondeterministic Timeout      ~10^3       ~1 sec.
        IC-level liveness
            Integer Timeout               ~10^6       ~10 hours
            Nondeterministic Timeout      ~10^5       ~10 hours
        1-user WS safety
            Integer Timeout               ~10^7       Not terminated
            Nondeterministic Timeout      ~10^6       ~10 hours
  25. 25. Experiment Setup
        • eBay-like auction service
        • User settings at frontend (private)
        • Auction items at backend (shared)
        • 5 concurrent end users, synthetic load
        [Diagram: Web Client, Frontend Server (P4 3 GHz, 1 GB), Backend Server (P4 3 GHz, 1 GB). Labels, in extracted order: shared count 1234  1235; private count 2  3; private count 2  3; private count 2  1; private count 2  3; POST (ICIC) action=increment b2b=true; 1235; <html> <p>Privatel Count: 3 <p>Shared Count: 1235 </html>; POST (ICIC) action=increment]
  26. 26. Run-Time Overhead
        [Diagram: Web Client, Frontend Server and Backend Server with the POST (ICIC) action=increment exchange and the private and shared counters]
        Session                            1 step    5 steps   10 steps
        PHP elapsed time [sec]             0.1560    0.7900    1.6100
        EOS-PHP elapsed time [sec]         0.3140    1.6850    3.1000
        Overhead (elapsed time) [%]        101%      113%      93%
        PHP frontend CPU time [sec]        0.0390    0.2708    0.5727
        EOS-PHP frontend CPU time [sec]    0.0815    0.6000    1.1545
        Overhead (frontend CPU) [%]        109%      122%      102%
        PHP backend CPU time [sec]         0.0090    0.0550    0.1200
        EOS-PHP backend CPU time [sec]     0.0130    0.0750    0.1600
        Overhead (backend CPU) [%]         44%       36%       33%
  27. 27. PHP and Zend Engine
        [Diagram: Web Clients served by three Zend Engine instances, each with Session and CURL]
        Script:
            <html>
            <?php
            session_start();
            // Per-session call counter ($_SESSION replaces the removed $HTTP_SESSION_VARS)
            $_SESSION["count"] = ($_SESSION["count"] ?? 0) + 1;
            printf("Script called %d times", $_SESSION["count"]);
            // Call the other server; return the reply as a string instead of echoing it
            $ch = curl_init("http://eos-php.net/b2b.php");
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            $b2b_reply = curl_exec($ch);
            printf("Other server reports: %s ", $b2b_reply);
            curl_close($ch);
            ?>
            </html>
        Output:
            <html>
            Script called 5 times
            Other server reports: Script called 1000 times
            </html>
  28. 28. EOS
        • Exactly-once semantics with
            • Transparent browser recovery
            • Concurrent accesses to shared data
            • Nondeterm. functions: time, curl_exec, rand
            • Any n in n-tier, any fanout
            • Failure masking: no changes to app code, neither to PHP scripts nor to the browser
        • Performance enhancements (side effects)
            • Log structured data access (sequential I/O)
            • LRU buffers for state and log data
            • Latches (Shared/Exclusive)
            • session_start(bool $read_only)
  29. 29. Transacted IC Activities
        • Activitychart = Functional View
        [Activitychart TIC_AC. Labels: @TIC_SC, FAILURE_PRONE_ENVIRONMENT, XACT_CLIENT_CRASH, XACT_SERVER_CRASH, LINK_OUTAGE, XACT_CLIENT_AC, XACT_SERVER_AC, SQL_REQ, SQL_REP, @XACT_CLIENT_SC, @XACT_SERVER_SC, EXTERNAL_APP_LOGIC, XACT_TRIGGER, XACT_COMMITTED, XACT_ABORTED, COMMIT, COMMITTED, USER_ABORT, ABORTED, SYSTEM_ADMINISTRATOR, TIMEOUTS]
  30. 30. Transactional IC Server
  31. 31. Transactional IC Client
  32. 32. Execution Abstraction
        • Kripke structure K = (S, R, L) over P
            • P is a finite set of atomic propositions
            • Software: P is a union of all memory bits
            • S finite set of states
            • R  S  S state transitions
            • L  S  P  { true, false } valuation
            • Non-determinism to determinism: Computation Tree vs. Sequence
        [Diagram labels: p, q  P; p; p; q; p  q]
  33. 33. Computation Tree Logic
        • Basic Syntax
            • Atomic propositions P  CTL(P)
            • If p, q  CTL(P), then so are
                • Propositional logic formulas (  p, p  q, etc. )
                • Path quantifiers Exists, All + modality neXt, Until
                • EX p
                • { E, A } ( p U q )
        • Derived Syntax
                • AX p   ( EX  p )
                • A Finally p  A ( true U p )
                • EF p  E ( true U p )
                • A Globally p   ( E ( true U  p ) )
                • EG p   ( A ( true U  p ) )
  34. 34. Explicit Model Checking
        • For K = (S, R, L) over P, s  S, f  CTL(P)
            • s |= f, f  P  L(s, f) = true
            • s |= f, f =  f1  s  |  f1
            • s |= f, f = f1  f2  s  |= f1 or s  |= f2
            • s |= f, f = EX f  (s, r)  R with r  |= f
            • s |= f, f = E ( f1 U f2 )
                • if s is checked then false else check
                • if s  |= f2  then true
                • if s  |= f1 and  (s, r)  R with r  |= f then true
            • s  |= f, f = A ( f1 U f2 )
                • if s already checked then false else check
                • if s  |= f2  then true
                • if s  |= f1 and  (s, r)  R with r  |= f
  35. 35. TIC Verification
        • At-Most-Once (Safety): AG( server_last_logged = 'committed'  AG(¬any(sql_req)) )
        • At-Least-Once (Liveness): AF <500 (AG ¬(failures))  AF <700 ( AG( client_last_logged = 'committed'  srvr_last_logged = 'committed' ) )
        • Consequence: Exactly Once
  36. 36. TIC Design
        • Tcom
            • Traditional Redo & Undo Log
            • Faithful Reply
                • Persists commit state
                • Persists commit reply message
                • Resends commit reply on a second request
                • No commit reply logged -> aborted
            • Commit request duplicate elimination.
        • Pcom
            • Log-forcing before commit
            • Periodically resends commit request
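
Added example (not from the slides and not the authors' STATEMATE models): a minimal explicit-state CTL checker in the spirit of the Explicit Model Checking slide, applied to the CIC safety property "a value is logged at most once". The property is read here as AG(w -> AX AG not w), where w means "value v is written in this step"; the three-event receiver model and the names `step`, `kripke`, `EVENTS` and `logged_at_most_once` are constructed for illustration, and the `dedup` flag stands in for duplicate elimination by MSN.

```python
LOG_VALUES = ("stable", "installed")
EVENTS = ("send_msg", "install_tm", "crash_or_outage")  # environment choice per step

def step(state, event, dedup):
    """Constructed toy receiver: state = (last_logged, value_written_in_this_step)."""
    log, _ = state
    if event == "send_msg" and (log == "" or not dedup):
        return ("stable", "stable")          # persist interaction, then stable ack
    if event == "install_tm" and log == "stable":
        return ("installed", "installed")    # recovery no longer needs the sender
    return (log, None)                       # duplicate dropped, crash or link outage

def kripke(dedup, init=("", None)):
    """Reachable states S and total transition relation R (state -> successor set)."""
    R, todo = {}, [init]
    while todo:
        s = todo.pop()
        if s not in R:
            R[s] = {step(s, e, dedup) for e in EVENTS}
            todo.extend(R[s])
    return set(R), R

def EX(S, R, X):
    """States with at least one successor in X."""
    return {s for s in S if R[s] & X}

def EU(S, R, A, B):
    """E(A U B) as a least fixpoint: Z = B union (A intersect EX Z)."""
    Z = set(B)
    while True:
        grown = Z | (A & EX(S, R, Z))
        if grown == Z:
            return Z
        Z = grown

def AX(S, R, X):
    return S - EX(S, R, S - X)        # AX p = not EX not p

def AG(S, R, X):
    return S - EU(S, R, S, S - X)     # AG p = not E(true U not p)

def logged_at_most_once(dedup, init=("", None)):
    """Check AG(w -> AX AG not w) at the initial state for every log value v."""
    S, R = kripke(dedup, init)
    for v in LOG_VALUES:
        w = {s for s in S if s[1] == v}                  # "v written in this step"
        holds = AG(S, R, (S - w) | AX(S, R, AG(S, R, S - w)))
        if init not in holds:
            return False
    return True
```

With duplicate elimination the property holds for both log values; without it a resent message re-logs 'stable' and the check fails.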
