1.

• • SCC WIP Session 3, Honolulu, HI, USA, July 9, 2008

• • German Shegalov(ex-MPII, Oracle, USA)

• • Gerhard Weikum (MPI Informatik, Germany)

Formal Verification ofWeb ServiceInteraction Contracts funded by

2. E-Business Scenario Your server command (process id #20) has been terminated. Re-run your command (severity 13) in /opt/www/your-reliable-eshop.biz/mb_1300_db.mb1 place your order! 3.

Non- idempotence(Math 1.0)

• , n>1

Non-idempotence (Web 2.0, ERP, etc.)

• "Request timeout""request failure"

• "Request send""request resend"

• Anecdotal evidence: Don't click more than once!

• • 8health insurance id's for a3member family

• • Orderone , getmany... pay formany

Problem Statement 4. Transaction recovery is idempotent. However, Web Client Web ApplicationServer DatabaseServer Timeline Non-idempotent execution ! ACK Purchase Request Order Confirmation Start Transaction SQL Request SQL Response SQL Request SQL Response Commit Transaction ACK Transaction Restart Purchase RequestResubmission 5. Real-Worldn -Tier ApplicationExpediaSabre Server Amadeus ExpediaApp ServerSabre App Server Amadeus App Server Client Web ServerDB 1 DB 2 DB 3 DB 4 6. IC Framework

ComponentsandGuarantees

• Persistent (Pcom): Persistent, testable state & messages

• External (Xcom) (e.g., humans): No recovery

• Transactional (Tcom): Persistance and testability on commit

Interaction Contracts

• Xcom & Pcom = External IC (XIC)

• Pcom & Pcom = Committed IC (CIC)

• Tcom & Pcom = Transacted IC (TIC)

Failure model: transient failures, e.g., Heisenbugs

Exactly-Once Semantics

• Forget rollbacks : exactly-once execution is guaranteed

7. Pcom Design

Redo Log & Recovery Managers

Piecewise determinism+ Logging = Full Determinism

Unique message idfor duplicate elimination

Deterministic replayrecovers Pcom's

Installation Pointsspeed up replay

PCom1 PCom2 C 2 C 2 C 2 8. Committed IC Sender *EVENT_OK = EVENT LINK_OUTAGE STABLE_SSENDINGINSTALLED_SRECOVERYMSG_LOOKUPPREPARE_PERSISTENCESNDR_MSG_TM and not (STABLE_OK orINSTALLED_OK)/ SEND_MSGSNDR_ND/ SEND_MSG SNDR_TRIGGER [SNDR_LAST_LOGGED=='']/ SNDR_ND MSG_RECOVERED_TM/ SEND_MSGGET_MSG_OK[SNDR_LAST_LOGGED=='INSTALLED']INSTALLED_OK/ SNDR_LAST_LOGGED:='INSTALLED' STABLE_OKSNDR_STABLE_TM and not (INSTALLED_OK or GET_MSG_OK)/ IS_INSTALLED CIC_SNDR_SCSTABLE_SSENDINGMSG_LOOKUPSNDR_MSG_TM and INSTALLED_OK)/ SEND_MSGSNDR_ND/ SEND_MSG [SNDR_LAST_LOGGED=='']/ SNDR_ND MSG_RECOVERED_TM/ SEND_MSGGET_MSG_OKINSTALLED_OK/ SNDR_STABLE_TM and not (INSTALLED_OK or GET_MSG_OK)/ IS_INSTALLED SNDR_CRASHTTSTABLE_SSENDINGMSG_LOOKUPSNDR_MSG_TM and INSTALLED_OK)/ SEND_MSGSNDR_ND/ SEND_MSG [SNDR_LAST_LOGGED=='']/ SNDR_ND MSG_RECOVERED_TM/ SEND_MSGGET_MSG_OKINSTALLED_OK/ SNDR_STABLE_TM and not (INSTALLED_OK or GET_MSG_OK)/ IS_INSTALLED CIC_SNDR_SCSTABLE_SSENDINGMSG_LOOKUPINSTALLED_OK/ SNDR_MSG_TM and INSTALLED_OK)/ SEND_MSGSNDR_ND/ SEND_MSG SNDR_LAST_LOGGED SNDR_ND MSG_RECOVERED_TM/ SEND_MSGGET_MSG_OKINSTALLED_OK/ SNDR_STABLE_TM and not (INSTALLED_OK or GET_MSG_OK)/ IS_INSTALLED TTSNDR_LAST_LOGGED:='INSTALLED' _TM means TIMEOUT 9. Committed IC Receiver MSG_RECOVERYSTABLE_RINSTALLED_RMSG_RECEIVEDRECOVERYMSG_PROCESSEDRCVR_INSTALL_TM/ RCVR_LAST_LOGGED:='INSTALLED'; INSTALLED[RCVR_LAST_LOGGED=='INSTALLED'][RCVR_LAST_LOGGED=='STABLE']SEND_MSG_OK[RCVR_LAST_LOGGED=='STABLE']/ GET_MSG [ICIC]/ RCVR_LAST_LOGGED:='INSTALLED'; INSTALLEDMSG_EXEC_TM/RECEIVED;( RCVR_STABLE_TM orRCVR_ND [MSG_ORDER_MATTERS]) [not ICIC and RCVR_LAST_LOGGED=='']/ RCVR_LAST_LOGGED:='STABLE'; SEND_MSG_OK [RCVR_LAST_LOGGED=='']not SEND_MSG_OK and GET_MSG_TM/ GET_MSGRCVR_CRASHTCIC_RCVR_SCMSG_RECEIVEDRECOVERYMSG_PROCESSED[RCVR_LAST_LOGGED=='INSTALLED'][RCVR_LAST_LOGGED=='STABLE']SEND_MSG_OK[RCVR_LAST_LOGGED=='STABLE']/ GET_MSG [ICIC]/ RCVR_LAST_LOGGED:='INSTALLED'; INSTALLEDMSG_EXEC_TM/RECEIVED;[not ICIC and RCVR_LAST_LOGGED=='']/ RCVR_LAST_LOGGED:='STABLE'; SEND_MSG_OK [RCVR_LAST_LOGGED=='']not SEND_MSG_OK and GET_MSG_TM/ GET_MSGRCVR_CRASHTSEND_MSG or IS_INSTALLED/ SEND_MSG or IS_INSTALLED/ INSTALLEDSTABLE_RINSTALLED_RMSG_RECEIVEDRECOVERYMSG_PROCESSED[RCVR_LAST_LOGGED=='INSTALLED'][RCVR_LAST_LOGGED=='STABLE']SEND_MSG_OK[RCVR_LAST_LOGGED=='STABLE']/ GET_MSG [ICIC]/ RCVR_LAST_LOGGED:='INSTALLED'; INSTALLEDMSG_EXEC_TM/RECEIVED;STABLESEND_MSG_OK [RCVR_LAST_LOGGED=='']not SEND_MSG_OK and GET_MSG_TM/ GET_MSGRCVR_CRASHTCIC_RCVR_SCMSG_RECEIVEDRECOVERYMSG_PROCESSED[RCVR_LAST_LOGGED=='INSTALLED'][RCVR_LAST_LOGGED=='STABLE']SEND_MSG_OK[RCVR_LAST_LOGGED=='STABLE']/ GET_MSG [ICIC]/ RCVR_LAST_LOGGED:='INSTALLED'; INSTALLEDMSG_EXEC_TM/RECEIVED;SEND_MSG_OK [RCVR_LAST_LOGGED=='']not SEND_MSG_OK and GET_MSG_TM/ GET_MSGRCVR_CRASHTSEND_MSG or IS_INSTALLED/ STABLE SEND_MSG or IS_INSTALLED/ INSTALLED*EVENT_OK = EVENT LINK_OUTAGE, _TM means TIMEOUT RCVR_LAST_LOGGED:='INSTALLED' 10. CIC Verification

Safety: a value is logged at most once

• For alllogvaluesv { 'stable', 'installed' }

• AG(written ( log ) log= v AX AG( written ( log ) log= v ) )

Liveness: CIC terminates

• for timeouts < 30 steps

• F

• • Script called5times

• • Other server reports:Script called 1000 times

28. EOS

• Exactly-once semantics with

• • Transparent browser recovery

• • Concurrent accesses to shared data

• • Nondeterm. functions:time ,curl_exec ,rand

• • Anyninn -tier, any fanout

• • Failure masking:no changes to app codeneither to PHP scripts, nor to the browser

• Performance enhancements (side effects)

• • Log structured data access (sequential I/O)

• • LRU buffers for state and log data

• • Latches (Shared/Exclusive)

• • session_start ( bool $read_only )

29. Transacted IC Activities

• Activitychart = Functional View

TIC_AC @TIC_SC FAILURE_PRONE_ENVIRONMENT XACT_CLIENT_CRASHLINK_OUTAGE XACT_CLIENT_AC XACT_SERVER_AC SQL_REQ SQL_REP @XACT_CLIENT_SC @XACT_SERVER_SC EXTERNAL_APP_LOGIC XACT_TRIGGER XACT_COMMITTED COMMITTED SYSTEM_ADMINISTRATOR TIMEOUTS XACT_ABORTED XACT_SERVER_CRASHCOMMIT USER_ABORT ABORTED 30. Transactional IC Server 31. Transactional IC Client 32. Execution Abstraction

• Kripke structure K =( S , R , L )overP

• • Pis a finite set of atomic propositions

• • Software: P is a union of all memory bits

• • Sfinite set of states

• • R S Sstate transitions

• • L S P { true, false } valuation

• • Non-determinism to determinism Computation Tree vs. Sequence

p ,q P p p q p q 33.

• Basic Syntax

• • Atomic propositions PCTL( P )

• • Ifp, q CTL( P ), then so are

• • • Propositional logic formulas ( p ,pq, etc. )

• • • Path quantifiersE xists,A ll +modalityne X t ,U ntil

• • • EX p

• • • { E, A } ( p U q )

• Derived Syntax

• • • AX p ( EX p)

• • • A F inallyp A( true U p )

• • • EF p E( true U p )

• • • A G loballyp (E( true U p ) )

• • • EG p (A( true U p ) )

Computation Tree Logic 34. Explicit Model Checking

• ForK= ( S ,R ,L ) overP, sS, f CTL ( P )

• • s|=f ,fP L ( s ,f ) =true

• • s|=f , f = f 1 s | f 1

• • s|=f ,f = f 1 f 2 s |=f 1ors |=f 2

• • s|=f ,f = EX f ( s ,r ) Rwithr |=f

• • s|=f ,f = E ( f 1 U f 2 )

• • • ifsis checkedthenfalse else check

• • • ifs |=f 2 thentrue

• • • ifs |=f 1and ( s ,r ) R with r |=fthentrue

• • s |=f ,f = A ( f 1 U f 2 )

• • • ifsalready checked thenfalseelse check

• • • ifs |=f 2 thentrue

• • • if s |=f 1 and ( s ,r ) R with r |=f

35. TIC Verification

• At-Most-Once (Safety): AG( server_last_logged = commited AG(any( sql_req )))

• At-Least-Once (Liveness): AF