Presentation is loading. Please wait.

Presentation is loading. Please wait.

BloomUnit Declarative testing for distributed programs Peter Alvaro UC Berkeley.

Published bySkylar Moulton Modified over 9 years ago

Similar presentations

Presentation on theme: "BloomUnit Declarative testing for distributed programs Peter Alvaro UC Berkeley."— Presentation transcript:

1 BloomUnit Declarative testing for distributed programs Peter Alvaro UC Berkeley

2 Team and Benefactors Peter Alvaro Andy Hutchinson Neil Conway Joseph M. Hellerstein William R. Marczak National Science Foundation Air Force Office of Scientific Research Gifts from Microsoft Research and NTT Communications

3 Distributed Systems and Software To verify or to test?

4 Verification Formally specify program and behavior – e.g., in Promela Systematically test inputs and schedules – e.g., using SPIN High investment, high returns

5 Testing Concrete inputs Concrete assertions over outputs / state No control over asynchrony, scheduling Pay-as-you-go investment, diminishing returns

6 Sweet Spot? Investment similar to unit tests Payoff closer to formal methods

7 Context Disorderly programming Computation as transformation Uniform representation of state: collections < ~ bloom

8 Hypothesis Database foundations can simplify distributed systems programming Successes to date: 1.Compact, declarative protocol implementations [Alvaro et al., NetDB `09, Alvaro et al., Eurosys `10] 2.Static analyses for distributed consistency [Alvaro et al., CIDR `10] 3.Software quality assurance? Yes.

9 The database view of testing 1.Declarative assertions – Correctness specs as queries 2.Constraint-guided input generation – Synthesize inputs from FDs and FKs 3.Exploration of execution nondeterminism – Apply LP-based analyses to reduce state space

10 Testing a protocol with BloomUnit

11 An abstract delivery protocol module DeliveryProtocol state do interface input, :pipe_in, [:dst, :src, :ident] => [:payload] interface output, :pipe_sent, pipe_in.schema interface output, :pipe_out, pipe_in.schema end

12 A delivery protocol sender receiver pipe_in pipe_sent pipe_out

13 A delivery protocol – Best effort sender receiver pipe_in pipe_sent pipe_out

14 A delivery protocol – Reliable sender receiver pipe_in pipe_sent pipe_out

15 A delivery protocol – FIFO sender receiver pipe_in pipe_sent pipe_out 1 1 22

16 Declarative Assertions – Specifications: queries over execution traces Timestamped log of flow at interfaces – Specifications encode invariants Queries capture incorrect behaviors

17 pipe_out_log Declarative Assertions module FIFOSpec bloom do fail <= (pipe_out_log * pipe_out_log).pairs do |p1, p2| if p1.src == p2.src and p1.dst == p2.dst and p1.ident = p2.time ["out-of-order delivery: #{p1.inspect} < #{p2.inspect}"] end create view fail as select 'out-of-order delivery: ' + p1 + ' < ' + p2 from pipe_out_log p1, pipe_out_log p2 where p1.src = p2.src and p1.dst = p2.dst and p1.ident = p2.time

18 Declarative Assertions module FIFOSpec bloom do fail <= (pipe_out_log * pipe_out_log).pairs do |p1, p2| if p1.src == p2.src and p1.dst == p2.dst and p1.ident = p2.time ["out-of-order delivery: #{p1.inspect} < #{p2.inspect}"] end ``delivery order (timestamps) never deviates from sender order (encoded into ident)’’ pipe_out_log

19 Input Generation

20 Idea: User supplies constraints (in FO logic) Search for models of the given formula – Let a SAT solver do the hard work Convert models into concrete inputs – Ensure that the models are interestingly different Implementation: Use the Alloy[Jackson ’06] language & solver

21 Input Generation Exclusion constraints What records cannot appear in an input instance all p1, p2 : pipe_in | (p1.src = p2.src and p1.ident = p2.ident) => p1.payload = p2.payload (ident functionally determines payload)

22 Input Generation Inclusion constraints: What records must appear in an input instance some p1, p2 : pipe_in | p1 != p2 => (p1.src = p2.src and p1.dst = p2.dst) (there are at least two messages between two endpoints)

23 Execution Exploration

24 All distributed executions are nondeterministic Each concrete input => set of executions Message timings / orderings may differ Too large a space to search exhaustively!

25 Execution Exploration A C B Message orderings: N! Loss scenarios: 2 N D σ π Messages: N

26 Execution Exploration CALM Theorem [Hellerstein ‘10, Ameloot ‘11] : Consistency as logical monotonicity – Monotonic logic (e.g. select, project, join) is order-insensitive – Monotonic => race-free

27 Execution Exploration: Monotonic program A C B D σ π Message orderings: 1

28 Execution Exploration: Hybrid program A C B D σ π Messages: K Message orderings: 1

29 Execution Exploration Only explore messages orderings when downstream logic is nonmonotonic Search only ``interesting’’ orderings

30 The system Module under test Inputs

31 Do you need to learn Bloom? Yes. – But you can take advantage of these techniques without adopting the language Requirements: – A high-level query language – Monotonicity analysis capabilities Prove (or assert) that program fragments are order-insensitive

32 Queries?

33 The fold

34 FIFO delivery in bloom module FifoPerSource state do scratch :enqueue_src, [:source, :ident] => [:payload] scratch :dequeue_src, [:source] => [:reqid] scratch :dequeue_resp_src, [:reqid] => [:source, :ident, :payload] table :storage_tab, [:source, :ident] => [:payload] scratch :tops, [:source] => [:ident] end bloom :logic do storage_tab <= enqueue_src tops <= storage_tab.group([:source], min(storage_tab.ident)) end bloom :actions do temp :deq tops.source, storage_tab.ident => tops.ident, tops.source => dequeue_src.source) dequeue_resp_src <+ deq do |s, t, d| [d.reqid, d.source, s.ident, s.payload] end storage_tab <- deq {|s, t, d| s } end module FifoProto state do interface input, :enqueue, [:source, :ident] => [:payload] interface input, :dequeue, [] => [:reqid] interface output, :dequeue_resp, [:reqid] => [:source, :ident, :payload] scratch :chosen_src, [:ident] end

Download ppt "BloomUnit Declarative testing for distributed programs Peter Alvaro UC Berkeley."

Similar presentations

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Disorderly Distributed Programming with Bloom

Disorderly Distributed Programming with Bloom
Edelweiss: Automatic Storage Reclamation for Distributed Programming Neil Conway Peter Alvaro Emily Andrews Joseph M. Hellerstein University of California,

Edelweiss: Automatic Storage Reclamation for Distributed Programming Neil Conway Peter Alvaro Emily Andrews Joseph M. Hellerstein University of California,
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Declarative sensor networks David Chu Computer Science Division EECS Department UC Berkeley DBLunch UC Berkeley 2 March 2007.

Declarative sensor networks David Chu Computer Science Division EECS Department UC Berkeley DBLunch UC Berkeley 2 March 2007.
LIFE CYCLE MODELS FORMAL TRANSFORMATION

LIFE CYCLE MODELS FORMAL TRANSFORMATION
Software Engineering-II Sir zubair sajid. What’s the difference? Verification – Are you building the product right? – Software must conform to its specification.

Software Engineering-II Sir zubair sajid. What’s the difference? Verification – Are you building the product right? – Software must conform to its specification.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Bookshelf.EXE - BX A dynamic version of Bookshelf –Automatic submission of algorithm implementations, data and benchmarks into database Distributed computing.

Bookshelf.EXE - BX A dynamic version of Bookshelf –Automatic submission of algorithm implementations, data and benchmarks into database Distributed computing.
Train Control Language Teaching Computers Interlocking By: J. Endresen, E. Carlson, T. Moen1, K. J. Alme, Haugen, G. K. Olsen & A. Svendsen Synthesizing.

Train Control Language Teaching Computers Interlocking By: J. Endresen, E. Carlson, T. Moen1, K. J. Alme, Haugen, G. K. Olsen & A. Svendsen Synthesizing.
PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.

PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.
CS 582 / CMPE 481 Distributed Systems Fault Tolerance.

CS 582 / CMPE 481 Distributed Systems Fault Tolerance.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Software Engineering, COMP201 Slide 1 Protocol Engineering Protocol Specification using CFSM model Lecture 30.

Software Engineering, COMP201 Slide 1 Protocol Engineering Protocol Specification using CFSM model Lecture 30.
Models of Computation for Embedded System Design Alvise Bonivento.

Models of Computation for Embedded System Design Alvise Bonivento.
©Ian Sommerville 2000Software Engineering, 6/e, Chapter 91 Formal Specification l Techniques for the unambiguous specification of software.

©Ian Sommerville 2000Software Engineering, 6/e, Chapter 91 Formal Specification l Techniques for the unambiguous specification of software.
7th Biennial Ptolemy Miniconference Berkeley, CA February 13, 2007 PTIDES: A Programming Model for Time- Synchronized Distributed Real-time Systems Yang.

7th Biennial Ptolemy Miniconference Berkeley, CA February 13, 2007 PTIDES: A Programming Model for Time- Synchronized Distributed Real-time Systems Yang.
Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL.

Designing Predictable and Robust Systems Tom Henzinger UC Berkeley and EPFL.
November 18, 2004 Embedded System Design Flow Arkadeb Ghosal Alessandro Pinto Daniele Gasperini Alberto Sangiovanni-Vincentelli

November 18, 2004 Embedded System Design Flow Arkadeb Ghosal Alessandro Pinto Daniele Gasperini Alberto Sangiovanni-Vincentelli

Similar presentations

Ads by Google