Recovery Oriented Programming by yrs83496

VIEWS: 8 PAGES: 22

									Recovery Oriented
  Programming
Olga Brukman and Shlomi Dolev
     Ben-Gurion University
         Beer-Sheva
            Israel
Towards Correct Software
• Software should respects
  its specifications
    – Safety, Liveness
• Atomic power station
    – Safety: the atomic
      station shouldn't
      explode
    – Liveness: the atomic
                               Atomic power station
      station should produce
      some electricity
2
Recovery Oriented Design
• Software performs substantially in accordance
  with specifications for a period of 90 days...
  (IEEE Computer, October 2006)
• How to cope with such software?!
   – Recovery Oriented Computing [PBB'02]!
• Recovery actions
   – Reboot, wait, reschedule
   – Non-intrusive: avoid rewriting the program
     (possibly new other bugs)
3
Recovery Oriented Programming




• Specifications Composer           • Programmer
  (Project Manager)                  • Best-effort implementation
    – Invariants and predicates      • Using same IO variables as
        • important properties on
                                       specifier
          program IO                • Still: bugs and
    – Recovery actions               unexpected states
4
Recovery Oriented
Programming: Assumptions
• Self-stabilizing processor
• Self-stabilizing OS
• Infrastructure for robust monitoring and
  recovery
    • Processes exist and execute their code




5
Recovery Oriented
Programming: Assumptions
• Not immediately Byzantine
  – eventual Byzantine program



   Long enough to do
   sufficient job
Our Framework
                                                     External
                                                                                   External
                                                     Monitor
                                                                                   Monitor
Subsystems                            event-driven
                                                                    event-driven
                                       monitoring
 hierarchy                                                           monitoring

                                      event-driven
                                                                    event-driven
                                       monitoring
                                                                     monitoring

    Recovery
     tuples    Pre-compiler
                                                                External
                                                                Monitor


     Code                                        event-driven
                                                  monitoring


                                                 event-driven
                                                  monitoring

                                                                              Subsystem
                                                                               External
                                                                               Monitor
                  System is able to
                  recover from any
                       state


7
Generated Code: One Process
                               External
                               Monitor
    Recovery
     tuples
                event-driven
                 monitoring



     Code
                event-driven
                 monitoring
Generated Code: Subsystem
                                   External
                                                                    External
                                   Monitor
     Subsystems                                                     Monitor

      hierarchy   event-driven
                   monitoring                        event-driven
                                                      monitoring


                  event-driven
                   monitoring                        event-driven
     Recovery                                         monitoring


      tuples

                                                External
                                                Monitor


    Code   Code                  event-driven
                                  monitoring



                                 event-driven
                                  monitoring
       Code                                                         Subsystem
                                                                     External
                                                                     Monitor


9
Our Framework: Transforming
Recovery Tuples into Code
                                                External                     External
                                                Monitor                      Monitor
     Subsystems                  event-driven
                                                              event-driven
      hierarchy                   monitoring
                                                               monitoring


                                 event-driven
                                                              event-driven
                                  monitoring
                                                               monitoring
     Recovery
      tuples      Pre-compiler
                                                        External
                                                        Monitor

                                         event-driven
       Code                               monitoring


                                         event-driven
                                          monitoring

                                                                    Subsystem
                                                                     External
                                                                     Monitor




10
Safety Recovery Tuple
     1 process




                                         temp_x=a;
     PRED: x!=7
                                         if temp_x!=7
     RA: this.restart()
                          Pre-compiler       x=temp_x;
                                         else
                                             this.restart();

      ...
      x=a;
      ...




11
Safety Recovery Tuple in the Scope
of Stabilization: External Monitoring
1 process
                                                          if !(ps.x!=7)
                                                             ps.restart();



PRED: x!=7
RA: this.restart();                  temp_x=a;
                      Pre-compiler   if temp_x!=7
                                        x=temp_x;
                                     else
                                        this.restart();
                                         ...
 ...
 x=a;
                          No more
 ...
                            x=...




12
Liveness Recovery Tuple
         1 process
                                                     x=x+2;
                                                     if (x+y==15)
                                                         this.history={};
                                                     ...
 INV: eventually x+y=15
                                                     y=y+5;
 RA: this.restart()
                                                     if (x+y==15)
 HTR: history={}
                          Pre-compiler                    this.history={};



     x=x+2;
     ...
     y=y+5;
     ...
                                                     history=history▪this.state();
                                                     if loop in history
                            History= [ ...                      and CPU(this)
                                 {.., x=1,y=2,..},        ps.restart();
                                 {.., x=3,y=7,..},
                            ...]

13
Generated Monitoring Code for
Subsystem
     sub: p1, p2   History= [ ...
                        distributed snapshot(sub),
                   ...]                                         External monitor
                                                                    for sub
Recovery Tuples
                                                                    External
                                                                    Monitor

                      Pre-compiler                   event-driven
                                                      monitoring
                                                                                          External
                                                                                          Monitor

 Code for p1                                         event-driven
                                                      monitoring           event-driven
                                                                            monitoring



                                                                           event-driven
                                                                            monitoring
 Code for p2




14
Generic Correctness Theorem
• In the program produced by the pre-
  compiler every rsf (restart supporting
  fair)-execution E has a suffix in which
  the program respects its specification
  function
     – A rsf-execution is the execution in which
       system is trusted to behave according to its
       specifications after restart.



15
Generic Correctness Proof
• Assumption: Processes and external
  monitors are scheduled fairly due to
  presence of self-stabilizing software
  platform
• Safety: process either reaches monitoring
  section in its code or its external monitor
  makes scheduled check
     – Subsystem: external monitor makes scheduled
       check



16
Generic Correctness Proof Cont.
• Liveness: the process (subsystem) external
  monitor makes scheduled check of the
  history log
• Corrupted history:
     – If causes (unnecessary) recovery - trimmed
     – New correct records are eventually
       accumulated and reflect the real state of
       system




17
Related Work: Perfect Software
• Formal specification languages
     – ASM [GRS'04], IO Automata [L'96], NURPL [CKB'84]
     – Gradually and manually translated into fully verified
       program
• Model checking
     – Doesn't scale
• Specification embedding programming languages
     – SRC (Software Cost Reduction) language [RLHL'06]
     – Programmer bugs




18
Related Work: Programming
Tools
• Design By Contract
     – Eiffel, iContract for Java
     – Checking invariants on an object state, pre-
       /post-conditions on object methods, recovery
       by predefined recovery action
     – Partial monitoring of liveness, based on
       timeout
     – Monitoring of safety outside of stabilization
       scope
• Exceptions
19
Related Work: Online Recovery
• Recovery blocks (N-programming) [RX94]
• ROC [PBB02], Java MOP[CR'05],
  Kinesthetics eXtreme [KPGV'03], "On
  Modeling and Tolerating Incorrect
  Software" [AT'03]
• Monitoring/correcting layer that alternates
  the failed component behaviour




20
Related Work: Online Recovery
• Assumption of monitoring/correcting layer
  stability
     – ROC [PBB02], Java MOP[CR'05], Kinesthetics
       eXtreme [KPGV'03]
• Intrusive correcting actions
     – Empty program: correcting actions define the
       program
        • "On Modelling and Tolerating Incorrect Software"
          [AT'03]



21
Conclusions
• Recovery Oriented Programming
  paradigm for a programming language
• Full monitoring of safety and liveness
  properties in the scope of stabilization
• Formal correctness proof scheme for
  the resulting code



22

								
To top