What is the precise role of non-commutativity in Quantum Theory?
Automating Commutativity Analysis at the Design Level
description
Transcript of Automating Commutativity Analysis at the Design Level
Automating Commutativity Analysis at the Design Level
Greg Dennis, Robert Seater,Derek Rayside, Daniel Jackson
Therac-25 (1985-1987)
• race conditions when operator typed too quickly
• lacked hardware interlocks in previous versions
• X-rays delivered without metal target in place
• problems eluded testing
• 6 major overdoses, 2 deaths
Panama (2001)
• déjà vu all over again
• unexpected data entry
• 20%-100% more radiation than prescribed
• 28 overdoses, at least 6 attributable deaths
Northeast Proton Therapy Center
• proton therapy machine at MGH
• unlike the Therac or Panama
• extensive hardware interlocks
• abundant runtime checks
• thoroughly reviewed and tested
TCR 2
NPTC Overview
TCR 1 TCR 3
room 2
cyclotron Master Control Room (MCR)
room 2room 3
Automatic Beam Scheduler (ABS)
room 1
room 3
Request Queue
allocated
pending
room 1
TCR Operations
• RequestBeam• RequestBeamHighPriority• CancelBeamRequest• ReleaseBeam
Request(1) ReqHigh(3)Request(2) Cancel(1) Release(3)
3
2
1
1
2
1 3
2
2
2
1
3
MCR Operations
• StepUp• StepDown• Flush• FlushAll
StepUp(1) Flush(3)StepDown(1) FlushAll()
2
1
22
1
3
2
1
3
Interfering Commands
FlushAll() Request(1)
2
1
3
2
3
2
1
Request(1)
Request(1)
FlushAll()
FlushAll()
2
2
≠
Commutativity
•
• if not, results can be surprising when commands issued simultaneously.
Violations of Commutativity
Violation ofDiamond Equivalence:
Violation ofDiamond Connectivity:
What We Did
AlloyModel
AlloyModel
OCL Spec ofBeam Scheduler
OCL Spec ofBeam Scheduler
Commutativity Properties
Commutativity Properties
CommutativityMatrix
AlloyAnalyzer
commutativity properties for each pair of operations
OCL Spec
context BeamScheduler::cancelBeamRequest(req: BeamRequest) pre: -- BeamRequest is inside the pending request queue self.pendingRequests@pre->exists(r | r == req)
post: -- BeamRequest is not inside the pending requests queue not self.pendingRequests->exists(r | r == req)
key differences between OCL and Alloy?
open util/ordering[OrderID]
sig Request { room: Room, priority: Priority}
sig Room {}
abstract sig Priority {}one sig Service, Normal, High extends Priority {}
sig Queue { alloc, pending, requests : set Request, order: requests -> one OrderID}{ requests = alloc + pending}
sig OrderID {}
Operations
pred CancelBeamRequest(q, q': Queue, req: Request) { preCancelBeamRequest(q, req) q'.pending = q.pending - req q'.alloc = q.alloc q'.order = (q.requests – req) <: (q.order)}
pred preCancelBeamRequest(q: Queue, req: Request) { req in q.pending} we factored out the precondition of each
operation into a separate predicate
effect of operation as constraint on pre- and post-state
assert A_B_Equiv { all si, sa, sb, sab, sba: Queue { A(si,sa) && B(sa,sab) && B(si,sb) && A(sb,sba) => sab = sba } }
assert Cancel_StepUp_Equiv { all si, sa, sb, sab, sba: Queue, rq1, rq2: Request { (Invariants(si) && CancelBeamRequest(si, sa, rq1) && StepUp(sa, sab, rq2) && StepUp(si, sb, rq2) && CancelBeamRequest(sb, sba, rq1)) => equivQueues(sab, sba) }}
Commutativity Properties
Results
Request ReqHigh Cancel Release
Request x x
ReqHigh x x
Cancel x
Release x x x
3-100 seconds/analysis, Pentium III 600 MHz, 192 MB RAM
StepUp x x
StepDown x x
Flush x x x x
FlushAll x x x x
TCR Operations
TC
R O
per
atio
ns
MC
R O
per
atio
ns
Non-commutativity Example
Release(2) ReqHigh(1)
1
2
2
1
ReqHigh(1)
ReqHigh(1)
Release(2)
Release(2)
cannot execute
Pure Logic Modeling
• Could we have modeled commutativity in OCL with built-in state transitions?
• "Pure Logic Modeling":– explicit states allows us to "rewind" time and
ask about different execution traces
• Similar difficulty analyzing these properties with traditional model checker.
Conclusions
• Practical results from lightweight formal methods
• Commutativity analysis is useful– when humans manipulate shared data
• Constraint solver effective for this analysis– didn't stretch limits of tool or modelers
• Analyzability is important in practice
• Pure logic modeling is powerful