
Formal Verification of Transactional Interaction Contract


Slide 1. Formal Verification of a Transactional Interaction Contract
  SOAIS, Honolulu, HI, USA, July 2008
  German Shegalov (ex-MPII, Oracle, USA)
  Gerhard Weikum (MPI Informatik, Germany)
  Funded by: (sponsor logo not captured)

Slide 2. Outline
  - Background & Problem Statement
  - Interaction Contracts Framework
  - Formal Specification of the Transacted IC (TIC)
    - STATEMATE State & Activity Charts
  - Verification of ICs with model checking
    - Computation Tree Logic
    - Model Checking
  - Demo of Exactly-Once (Web) Service
  - Summary
Slide 3. E-Business Scenario
  [Screenshot of a mock e-shop checkout page: a "Review and place your order!" button, overlaid with a database error: "Your server command (process id #20) has been terminated. Re-run your command (severity 13) in /opt/www/your-reliable-eshop.biz/mb_1300_db.mb1"]
Slide 4. Problem Statement
  - Non-idempotence (Math 1.0)
    - (formula not captured), $n > 1$
  - Non-idempotence (Web 2.0, ERP, etc.)
    - "Request timeout" ≠ "request failure"
    - "Request send" ≠ "request resend"
    - Anecdotal evidence: "Don't click more than once!"
      - 8 health insurance IDs for a 3-member family
      - Order one, get many ... pay for many
Slide 5. Transaction Recovery
  - At-most-once semantics
  - Transfer €100 from account 1 to account 2:

      BEGIN TRANSACTION
      /* LSN = 1: log for undo and redo in main-memory buffer */
      UPDATE Accounts SET balance = balance - 100.00 WHERE Number = 1;
      /* LSN = 2: log for undo and redo in main-memory buffer */
      UPDATE Accounts SET balance = balance + 100.00 WHERE Number = 2;
      /* LSN = 3: log commit and force it to disk (5-6 orders of magnitude slower than a buffered write) */
      COMMIT TRANSACTION

  - Accounts before (LSN = 0) and after (LSN = 3):

      Number | Balance before | Balance after
      1      | 1000.00        | 900.00
      2      | 2000.00        | 2100.00

  - Recovery: redo committed, undo uncommitted
    - The LSN test guarantees idempotence
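Worked example, added here and not taken from the slides: a small Python model of the redo/undo recovery that slide 5 describes, with the LSN test that makes it idempotent, next to a naive redo without the test. The log records, the page contents and the crash state (account 1's page was flushed after LSN 1, account 2's page never reached disk) are constructed for the example; the undo phase simply moves the page LSN back instead of writing compensation log records, which is a simplification of what a real recovery manager does.

```python
from dataclasses import dataclass


@dataclass
class Page:
    """A database page on disk. page_lsn is the LSN of the last log record whose
    effect is reflected in the page; it is the basis of the LSN test."""
    balance: float
    page_lsn: int = 0


@dataclass
class LogRec:
    lsn: int
    kind: str            # "update" or "commit"
    page: str = ""
    delta: float = 0.0   # redo applies +delta, undo applies -delta


def recover(disk, log):
    """Restart recovery: redo committed work, undo uncommitted work.
    The LSN test (apply a record only if the page does not already reflect it)
    makes both phases idempotent, so recovery may crash and be re-run safely."""
    committed = any(r.kind == "commit" for r in log)
    updates = [r for r in log if r.kind == "update"]
    if committed:
        for r in updates:                    # redo in log order
            p = disk[r.page]
            if r.lsn > p.page_lsn:           # LSN test: update not yet on the page
                p.balance += r.delta
                p.page_lsn = r.lsn
    else:
        for r in reversed(updates):          # undo in reverse log order
            p = disk[r.page]
            if p.page_lsn >= r.lsn:          # LSN test: update is on the page
                p.balance -= r.delta
                p.page_lsn = r.lsn - 1       # simplification: no compensation log record
    return {name: p.balance for name, p in disk.items()}


def naive_redo(disk, log):
    """The same redo without the LSN test: every committed update is re-applied,
    so a page that was already flushed receives the update a second time."""
    if any(r.kind == "commit" for r in log):
        for r in log:
            if r.kind == "update":
                disk[r.page].balance += r.delta
    return {name: p.balance for name, p in disk.items()}


def crash_scenario(committed=True):
    """Constructed crash state for the slide's transfer of 100 from account 1 to
    account 2: the log survived (it was forced), account 1's page reached disk
    after LSN 1, account 2's page never did."""
    log = [LogRec(1, "update", "acct1", -100.0), LogRec(2, "update", "acct2", 100.0)]
    if committed:
        log.append(LogRec(3, "commit"))
    disk = {"acct1": Page(900.0, page_lsn=1), "acct2": Page(2000.0, page_lsn=0)}
    return disk, log


def demo():
    """Returns (after first recovery, after a repeated recovery,
    naive redo result, uncommitted case after undo)."""
    disk, log = crash_scenario(committed=True)
    first = recover(disk, log)
    second = recover(disk, log)              # recovery itself crashed and re-ran
    disk2, log2 = crash_scenario(committed=True)
    wrong = naive_redo(disk2, log2)
    disk3, log3 = crash_scenario(committed=False)
    undone = recover(disk3, log3)
    return first, second, wrong, undone


if __name__ == "__main__":
    for label, state in zip(("redo", "redo again", "naive redo", "undo"), demo()):
        print(f"{label:>10}: {state}")
```

Running recover() twice on the same disk yields the same balances, which is exactly what a crash during recovery requires; naive_redo() subtracts the 100 from account 1 a second time because it cannot tell that the flushed page already reflects LSN 1.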
Slide 6. Transactions are great. However, ...
  [Sequence diagram: Web Client, Web Application Server and Database Server on a timeline. Purchase Request -> Start Transaction -> SQL Request / SQL Response (twice) -> Commit Transaction -> ACK -> Order Confirmation. After a failure: Transaction Restart and Purchase Request Resubmission -> non-idempotent execution!]

Slide 7. Traditional OLTP: Queued Transactions
  - 2 forced client writes (I/O queues)
  - 1 forced write (client request id)
  - 4 forced writes for 2PC commit
  - 3 extra messages

Slide 8. Real-World n-Tier Application
  [Diagram: Client, Web Server, Expedia App Server, Sabre App Server, Amadeus App Server, Expedia Server, Sabre Server, Amadeus Server, DB 1, DB 2, DB 3, DB 4]
Slide 9. IC Framework
  - Components and guarantees
    - Persistent component (Pcom): persistent, testable state & messages
    - External component (Xcom), e.g., humans: no recovery
    - Transactional component (Tcom): persistence and testability on commit
  - Interaction contracts
    - Xcom & Pcom = External IC (XIC)
    - Pcom & Pcom = Committed IC (CIC)
    - Tcom & Pcom = Transacted IC (TIC)
  - Failure model: transient failures, e.g., Heisenbugs
  - Exactly-once semantics
    - Forget rollbacks: exactly-once execution is guaranteed

Slide 10. Pcom Design
  - Redo log & recovery managers
  - Piecewise determinism + logging = full determinism
  - Unique message id for duplicate elimination
  - Deterministic replay recovers Pcoms
  - Installation points speed up replay
  [Diagram: PCom1 and PCom2 exchanging messages; the message C2 appears three times, i.e., it is resent]

Slide 11. TIC Design
  - Tcom
    - Traditional redo & undo log
    - Faithful reply
      - Persists commit state
      - Persists commit reply message
      - Resends commit reply on a second request
      - No commit reply logged means the transaction aborted
    - Commit request duplicate elimination
  - Pcom
    - Forces log to disk before commit
    - Periodically resends commit request

Slide 12. CIC's Informal Design
  - CIC sender (Pcom) obligations
    - Persist state before send
    - Tag message with a MSN (message sequence number)
    - Resend on timeout until stable ack
    - Resend on receiver's "get msg"
    - Forget interaction on installed ack
  - CIC receiver (Pcom) obligations
    - Eliminate duplicates by MSN
    - Persist interaction before stable ack
    - "Get msg" if the message is not in the log after a failure
    - Ensure autonomous recovery before installed ack
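Worked example, added here and not part of the slides, covering the Pcom design of slide 10 and the CIC obligations of slide 12 in one simulation: a sender that persists before sending, tags with a MSN and resends on timeout, and a receiver that eliminates duplicates by MSN, persists before the stable ack and rebuilds its volatile state by replaying its log after a crash. The message kinds (SEND_MSG, IS_INSTALLED, STABLE, INSTALLED, GET_MSG), the in-memory dicts standing in for forced logs, and the faulty link (it drops the reply to the first SEND_MSG of every message and the first IS_INSTALLED request) are all constructed for the example; treating the receiver's log record as its installation point is an assumption made to keep the example short.

```python
class Link:
    """Constructed faulty channel. For every message the reply to the first SEND_MSG is
    dropped (the receiver executed, the sender only sees a timeout), and the first
    IS_INSTALLED request is dropped (plain request loss). Everything else gets through."""

    def __init__(self):
        self.seen = set()

    def call(self, target, msg):
        kind, msn, _ = msg
        first = (kind, msn) not in self.seen
        self.seen.add((kind, msn))
        if first and kind == "IS_INSTALLED":
            return None                          # request lost: sender times out
        reply = target.receive(msg)
        if first and kind == "SEND_MSG":
            return None                          # reply lost: sender times out anyway
        return reply


class Receiver:
    """CIC receiver (Pcom). `log` stands for the forced, persistent log; `total` is
    volatile application state rebuilt by deterministic replay of the log after a crash."""

    def __init__(self, dedupe=True):
        self.dedupe = dedupe          # False: naive receiver that executes every resend
        self.log = {}                 # persistent: msn -> (payload, "stable" | "installed")
        self.app_calls = 0            # how many times the application logic ran
        self.recover()

    def recover(self):
        self.total = sum(self.log[msn][0] for msn in sorted(self.log))

    def crash(self):
        self.total = None             # volatile state is gone ...
        self.recover()                # ... and comes back by replaying the log

    def receive(self, msg):
        kind, msn, payload = msg
        if kind == "SEND_MSG":
            if self.dedupe and msn in self.log:
                return ("STABLE", msn)                 # duplicate by MSN: re-ack only
            self.total += payload                      # execute the request
            self.app_calls += 1
            self.log[msn] = (payload, "stable")        # persist before the stable ack
            return ("STABLE", msn)
        if kind == "IS_INSTALLED":
            if msn not in self.log:
                return ("GET_MSG", msn)                # not in log after a failure: ask for it
            self.log[msn] = (self.log[msn][0], "installed")  # assumed: installation point taken
            return ("INSTALLED", msn)
        raise ValueError(kind)


class Sender:
    """CIC sender (Pcom): persist before send, tag with a MSN, resend on timeout until
    the stable ack, then ask IS_INSTALLED until the installed ack, then forget."""

    def __init__(self, link, receiver):
        self.link, self.receiver = link, receiver
        self.log = {}                 # persistent: msn -> [payload, "sent" | "stable"]
        self.next_msn = 1             # must be persistent too: a reused MSN defeats dedupe

    def send(self, payload):
        msn, self.next_msn = self.next_msn, self.next_msn + 1
        self.log[msn] = [payload, "sent"]              # persist state before the send
        return msn

    def drive(self, max_rounds=50):
        """Timeout loop: one round is one attempt per outstanding message."""
        for _ in range(max_rounds):
            if not self.log:
                return True
            for msn in list(self.log):
                payload, state = self.log[msn]
                req = ("SEND_MSG", msn, payload) if state == "sent" else ("IS_INSTALLED", msn, None)
                reply = self.link.call(self.receiver, req)
                if reply is None:
                    continue                           # timeout: retry next round
                if reply[0] == "STABLE":
                    self.log[msn][1] = "stable"
                elif reply[0] == "GET_MSG":
                    self.log[msn][1] = "sent"          # receiver lost it: resend the message
                elif reply[0] == "INSTALLED":
                    del self.log[msn]                  # forget the interaction


def simulate(dedupe=True):
    """Five requests over the faulty link, with a receiver crash after every second one.
    Returns (all interactions installed, receiver total, application executions)."""
    rcv = Receiver(dedupe)
    snd = Sender(Link(), rcv)
    for i, amount in enumerate((10, 20, 30, 40, 50), 1):
        snd.send(amount)
        snd.drive()
        if i % 2 == 0:
            rcv.crash()
    return snd.drive(), rcv.total, rcv.app_calls
```

With duplicate elimination every request runs exactly once and the replayed total is 150 despite two crashes and a lost reply per message; the naive receiver (dedupe=False) treats each resend as a new request and executes all five twice. Note that the sender keeps the MSN counter itself persistent: if it were rebuilt from a log whose installed entries have been forgotten, a reused MSN would slip past the receiver's duplicate check.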
Slide 13. Committed IC Activities
  - Activitychart = functional view
  [Activitychart CIC_AC, controlled by statechart @CIC_SC: activities CIC_SNDR_AC (@CIC_SNDR_SC) and CIC_RCVR_AC (@CIC_RCVR_SC), EXTERNAL_APP_LOGIC, SYSTEM_ADMINISTRATOR, TIMEOUTS, and FAILURE_PRONE_ENVIRONMENT generating SNDR_CRASH, RCVR_CRASH and LINK_OUTAGE; flows SEND_MSG, STABLE, INSTALLED, GET_MSG, SNDR_TRIGGER, MSG_PROCESSED, ICIC]

Slide 14. Committed IC Monitor
  - Statechart = behavioral view
    - Finite state automaton (FSA) +
    - Nesting + orthogonal substates +
    - E[C]/A transitions: on Event E while Condition C holds
      - Leave source, enter target, execute Action A
      - E.g., A = E' means generate event E'
    - Configuration = set of entered states
    - Execution context = variable valuation
      - Step $i$: $conf_i \times ctxt_i \to conf_{i+1} \times ctxt_{i+1}$
  [Statechart CIC_SC with orthogonal components SNDR_S and RCVR_S, each with substates SENDING and RECEIVING; transitions (not SNDR_CRASH)[not active(CIC_SNDR_AC)] / start!(CIC_SNDR_AC) and (not RCVR_CRASH)[not active(CIC_RCVR_AC)] / start!(CIC_RCVR_AC)]

Slide 15. Committed IC Sender
  [Statechart CIC_SNDR_SC, shown in several animation steps. States: SENDING, STABLE_S, INSTALLED_S, MSG_LOOKUP, PREPARE_PERSISTENCE, RECOVERY. Transitions:
    SNDR_TRIGGER [SNDR_LAST_LOGGED == ''] / SNDR_ND
    SNDR_ND / SEND_MSG
    SNDR_MSG_TM and not (STABLE_OK or INSTALLED_OK) / SEND_MSG
    STABLE_OK
    SNDR_STABLE_TM and not (INSTALLED_OK or GET_MSG_OK) / IS_INSTALLED
    GET_MSG_OK
    MSG_RECOVERED_TM / SEND_MSG
    INSTALLED_OK / SNDR_LAST_LOGGED := 'INSTALLED'
    [SNDR_LAST_LOGGED == 'INSTALLED']
    SNDR_CRASH (into RECOVERY)
  Legend: EVENT_OK = EVENT and not LINK_OUTAGE; _TM means TIMEOUT]

Slide 16. Committed IC Receiver
  [Statechart CIC_RCVR_SC, shown in several animation steps. States: MSG_RECEIVED, STABLE_R, INSTALLED_R, MSG_PROCESSED, MSG_RECOVERY, RECOVERY. Transitions:
    SEND_MSG_OK [RCVR_LAST_LOGGED == '']
    MSG_EXEC_TM / RECEIVED
    (RCVR_STABLE_TM or RCVR_ND [MSG_ORDER_MATTERS]) [not ICIC and RCVR_LAST_LOGGED == ''] / RCVR_LAST_LOGGED := 'STABLE'; STABLE
    [ICIC] / RCVR_LAST_LOGGED := 'INSTALLED'; INSTALLED
    RCVR_INSTALL_TM / RCVR_LAST_LOGGED := 'INSTALLED'; INSTALLED
    SEND_MSG or IS_INSTALLED / STABLE (while in STABLE_R); SEND_MSG or IS_INSTALLED / INSTALLED (while in INSTALLED_R)
    [RCVR_LAST_LOGGED == 'STABLE'] / GET_MSG
    not SEND_MSG_OK and GET_MSG_TM / GET_MSG
    [RCVR_LAST_LOGGED == 'STABLE'] and [RCVR_LAST_LOGGED == 'INSTALLED'] (recovery branches)
    RCVR_CRASH (into RECOVERY)
  Legend: EVENT_OK = EVENT and not LINK_OUTAGE; _TM means TIMEOUT]
Slide 17. Execution Abstraction
  - Kripke structure $K = (S, R, L)$ over $P$
    - $P$ is a finite set of atomic propositions
    - Software: $P$ is the union of all memory bits
    - $S$: finite set of states
    - $R \subseteq S \times S$: state transitions
    - $L: S \times P \to \{\mathit{true}, \mathit{false}\}$: valuation
    - Non-determinism to determinism: computation tree vs. sequence
  [Figure: $p, q \in P$; a state graph with nodes labelled $p$, $p$, $q$, $p \wedge q$ unfolded into its computation tree]

Slide 18. Computation Tree Logic
  - Basic syntax
    - Atomic propositions: $P \subseteq CTL(P)$
    - If $p, q \in CTL(P)$, then so are
      - propositional logic formulas ($\neg p$, $p \wedge q$, etc.)
      - path quantifiers Exists (E), All (A) + modalities neXt (X), Until (U):
      - $EX\, p$
      - $\{E, A\}(p\, U\, q)$
  - Derived syntax
    - $AX\, p \equiv \neg(EX\, \neg p)$
    - $AF\, p$ (Finally) $\equiv A(\mathit{true}\, U\, p)$
    - $EF\, p \equiv E(\mathit{true}\, U\, p)$
    - $AG\, p$ (Globally) $\equiv \neg(E(\mathit{true}\, U\, \neg p))$
    - $EG\, p \equiv \neg(A(\mathit{true}\, U\, \neg p))$

Slide 19. CIC Verification
  - Safety
    - For all log values $v \in \{\text{'stable'}, \text{'installed'}\}$:
    - $AG\big(\mathit{written}(log) \wedge log = v \rightarrow AX\, AG\, \neg(\mathit{written}(log) \wedge log = v)\big)$
    - i.e., each value is written at most once
  - Liveness for timeouts < 30 steps
    - $F_{<n}$: eventually, after at most $n$ steps
    - $AF_{<500}\, AG\, \neg\mathit{failures} \rightarrow AF_{<700}\, \text{CIC installed}$
Slide 20. ICs & Web Service
  - Web server reply's SNDR_ND = app server replies' RCVR_ND = WEBSRVR_ND, i.e., the web server commits the app server reply order
  - $AG\big(websrvr\_rep{:}send\_msg \rightarrow \bigwedge_{i=1,2}(appsrvr_i{:}rcvr\_log = \text{'stable'} \vee appsrvr_i{:}rcvr\_log = \text{'installed'})\big)$
  [Activitychart of the web service model (USER1_REQ, controlled by @USER1_SC): activities BROWSER_INPUT <XIC_I_AC, BROWSER_OUTPUT <XIC_O_AC, WEBSRVR_REQ <CIC_AC, WEBSRVR_REP <CIC_AC, APPSRVR1_REQ <CIC_AC, APPSRVR1_REP <CIC_AC, APPSRVR2_REQ <CIC_AC, APPSRVR2_REP <CIC_AC, XACT_UPDATE <TIC_AC; events CUSTOMER, BUTTON_CLICKED, CLICK_CAPTURED, HTML_PROMPT, HTML_REPLY, WEBSRVR_REQ_RCVD, APPSRVR1_REQ_RCVD, APPSRVR2_REQ_RCVD, APPSRVR1_REP_RCVD, APPSRVR2_REP_RCVD, WEBSRVR_REP_RCVD, XACT_COMMITTED. LOCAL_FAILURES: BROWSER_CRASH, XACT_{USER, INTERNAL}_ABORT, BROWSER_WEBSRVR_LINK_OUTAGE. GLOBAL_FAILURES: WEBSERVER_CRASH, APPSERVER{1,2}_CRASH, DBSRVR_CRASH, WEB_APP{1,2}_LINK_OUTAGE, APP1_DB_LINK_OUTAGE]
Slide 21. Explicit Model Checking
  - For $K = (S, R, L)$ over $P$, $s \in S$, $f \in CTL(P)$:
    - $s \models f$, $f \in P$ $\iff$ $L(s, f) = \mathit{true}$
    - $s \models f$, $f = \neg f_1$ $\iff$ $s \not\models f_1$
    - $s \models f$, $f = f_1 \vee f_2$ $\iff$ $s \models f_1$ or $s \models f_2$
    - $s \models f$, $f = EX\, f_1$ $\iff$ $\exists (s, r) \in R$ with $r \models f_1$
    - $s \models f$, $f = E(f_1\, U\, f_2)$:
      - if $s$ is already checked then false, else mark $s$ checked and
      - if $s \models f_2$ then true
      - if $s \models f_1$ and $\exists (s, r) \in R$ with $r \models f$ then true
    - $s \models f$, $f = A(f_1\, U\, f_2)$:
      - if $s$ is already checked then false, else mark $s$ checked and
      - if $s \models f_2$ then true
      - if $s \models f_1$ and $\forall (s, r) \in R$: $r \models f$ then true
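Worked example, added here and not from the slides: an explicit-state CTL model checker over a Kripke structure, with the basic operators of slide 21 and the derived ones of slide 18, run against the write-once safety property of slide 19. It uses the standard set-based fixpoint (labelling) computation for E(f1 U f2) and A(f1 U f2) rather than the per-state recursion shown on the slide; both decide the same satisfaction relation. The five-state log abstraction (an "empty" log that is written to 'stable' and then to 'installed', with a flag marking the step in which a write happens) is constructed for the example, as is its buggy variant in which a retry re-writes 'stable'.

```python
class Kripke:
    """Finite Kripke structure K = (S, R, L) over atomic propositions P.
    Every CTL operator below returns the set of states in which the formula holds."""

    def __init__(self, states, trans, labels):
        self.S = frozenset(states)
        self.R = {s: frozenset(trans.get(s, ())) for s in self.S}
        for s in self.S:
            if not self.R[s]:
                raise ValueError(f"{s!r} has no successor: R must be total")
        self.L = {s: frozenset(labels.get(s, ())) for s in self.S}

    def ap(self, p):                       # s |= p  iff  L(s, p) = true
        return frozenset(s for s in self.S if p in self.L[s])

    def neg(self, f):
        return self.S - f

    def conj(self, f1, f2):
        return f1 & f2

    def implies(self, f1, f2):
        return (self.S - f1) | f2

    def EX(self, f):                       # some successor satisfies f
        return frozenset(s for s in self.S if self.R[s] & f)

    def AX(self, f):                       # AX f = not EX not f
        return self.neg(self.EX(self.neg(f)))

    def EU(self, f1, f2):                  # least fixpoint of Z = f2 or (f1 and EX Z)
        Z = f2
        while True:
            nxt = Z | (f1 & self.EX(Z))
            if nxt == Z:
                return Z
            Z = nxt

    def AU(self, f1, f2):                  # least fixpoint of Z = f2 or (f1 and AX Z)
        Z = f2
        while True:
            nxt = Z | (f1 & self.AX(Z))
            if nxt == Z:
                return Z
            Z = nxt

    def EF(self, f):
        return self.EU(self.S, f)

    def AF(self, f):
        return self.AU(self.S, f)

    def AG(self, f):
        return self.neg(self.EF(self.neg(f)))

    def EG(self, f):
        return self.neg(self.AF(self.neg(f)))


def log_model(buggy=False):
    """Constructed five-state abstraction of a CIC log: the log value plus whether a
    write happened in this step. With buggy=True a retry may re-write 'stable'."""
    trans = {"empty": ["w_stable"], "w_stable": ["stable"], "stable": ["w_installed"],
             "w_installed": ["installed"], "installed": ["installed"]}
    if buggy:
        trans["stable"] = ["w_installed", "w_stable"]
    labels = {"w_stable": ["written", "stable"], "stable": ["stable"],
              "w_installed": ["written", "installed"], "installed": ["installed"]}
    return Kripke(trans.keys(), trans, labels)


def write_once(k, v):
    """AG(written and log = v  ->  AX AG not(written and log = v)), as on slide 19."""
    w = k.conj(k.ap("written"), k.ap(v))
    return k.AG(k.implies(w, k.AX(k.AG(k.neg(w)))))


def check_log(buggy=False):
    """Returns (safety holds, liveness holds) in the initial state 'empty'."""
    k = log_model(buggy)
    safety = all("empty" in write_once(k, v) for v in ("stable", "installed"))
    liveness = "empty" in k.AF(k.ap("installed"))
    return safety, liveness
```

In the correct model both the write-once property and AF installed hold from the initial state. In the buggy model the retry loop violates write-once for 'stable' and, because the loop may repeat forever, also breaks AF installed, which is why the slides check the liveness side with bounded timeouts.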
Slide 22. Verification Run-Times

  Property / specification   Timeout model              OBDD size   Verification time
  IC-level safety            Integer timeout            ~10^4       ~5 seconds
  IC-level safety            Nondeterministic timeout   ~10^3       ~1 second
  IC-level liveness          Integer timeout            ~10^6       ~10 hours
  IC-level liveness          Nondeterministic timeout   ~10^5       ~10 hours
  1-user WS safety           Integer timeout            ~10^7       not terminated
  1-user WS safety           Nondeterministic timeout   ~10^6       ~10 hours
Slide 23. Outline
  - Problem Statement and Background
  - Interaction Contracts Framework
    - Formal Specification of the Committed IC
    - Verification of ICs with model checking
    - Verification of Web Service IC Model
  - Implementation: Exactly-Once Web Service (EOS)
    - Overview
    - EOS-PHP
    - Demo
  - Summary
Slide 24. PHP and Zend Engine
  [Diagram: several Web Clients served by Zend Engine instances, each with a Session module and CURL]

      <html>
      <?php
      session_start();
      // per-client invocation counter kept in the session
      // ($_SESSION replaces the deprecated $HTTP_SESSION_VARS used originally)
      $_SESSION["count"] = ($_SESSION["count"] ?? 0) + 1;
      printf("Script called %d times", $_SESSION["count"]);
      // B2B call to the other server; RETURNTRANSFER makes curl_exec return the body
      $ch = curl_init("http://eos-php.net/b2b.php");
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
      $b2b_reply = curl_exec($ch);
      printf("Other server reports: %s", $b2b_reply);
      curl_close($ch);
      ?>
      </html>

  Sample output:

      <html>
      Script called 5 times
      Other server reports: Script called 1000 times
      </html>

Slide 25. EOS
  - Exactly-once semantics with
    - Transparent browser recovery
    - Concurrent accesses to shared data
    - Nondeterministic functions: time, curl_exec, rand
    - Any n in n-tier, any fan-out
    - Failure masking: no changes to application code, neither to PHP scripts nor to the browser
  - Performance enhancements (side effects)
    - Log-structured data access (sequential I/O)
    - LRU buffers for state and log data
    - Latches (shared/exclusive)
    - session_start(bool $read_only)
Slide 26. Experiment Setup
  - eBay-like auction service
  - User settings at frontend (private)
  - Auction items at backend (shared)
  - 5 concurrent end users, synthetic load
  [Diagram: Web Client -> POST (ICIC) action=increment -> Frontend Server (P4 3 GHz, 1 GB; private count 2 -> 3 per user) -> POST (ICIC) action=increment b2b=true -> Backend Server (P4 3 GHz, 1 GB; shared count 1234 -> 1235) -> reply 1235 -> HTML reply "<html> <p>Private Count: 3 <p>Shared Count: 1235 </html>"]

Slide 27. Run-Time Overhead
  [Same setup diagram as on slide 26]

  Session length                     1 step    5 steps   10 steps
  PHP elapsed time [sec]             0.1560    0.7900    1.6100
  EOS-PHP elapsed time [sec]         0.3140    1.6850    3.1000
  Overhead (elapsed time) [%]        101%      113%      93%
  PHP frontend CPU time [sec]        0.0390    0.2708    0.5727
  EOS-PHP frontend CPU time [sec]    0.0815    0.6000    1.1545
  Overhead (frontend CPU) [%]        109%      122%      102%
  PHP backend CPU time [sec]         0.0090    0.0550    0.1200
  EOS-PHP backend CPU time [sec]     0.0130    0.0750    0.1600
  Overhead (backend CPU) [%]         44%       36%       33%
Slide 28. Outline (repeat of slide 23)
Slide 29. Summary
  - Generic IC framework specification
  - Formal verification at IC and application level
    - To do: overcome the non-scalability of model checking
  - Efficient implementation: EOS
    - Rigorous recovery guarantees
      - Based on the formally verified models
    - Many enhancements to PHP
      - LRU buffer management
      - Mostly sequential disk accesses
      - Concurrency control with latches

Slide 30. EOS Demo
  [Diagram: USER 1 -> B2C_LINK -> Frontend Server -> B2B_LINK -> Backend Server]

Slide 31. Thank You! ?
Slide 32. 2PC Message Sequence
  [Sequence diagram between Coordinator and DB_i on a timeline: the coordinator force-logs begin and sends prepare; DB_i force-logs prepared and replies yes; the coordinator force-logs commit and sends commit; DB_i force-logs commit and replies ack; the coordinator force-logs end]

Slide 33. PA-2PC Coordinator (diagram not captured)

Slide 34. PA-2PC Cohort (diagram not captured)

Slide 35. Transactional IC Server (diagram not captured)

Slide 36. Transactional IC Client (diagram not captured)

Slide 37. External IC (diagram not captured)
