Proving Correctness of Transformation Functions in RealTime Groupware

Context n n n Building Real-Time Groupware Operational Transformation d. Opt [Ellis 89], GOTO[Sun

Using Real Time Groupware Technology n n n Choose an algorithm Provide transformation functions

Transformation functions n 22=4 transformation functions: n n n T(Ins(), Ins()): -. . T(Ins(),

Correctness of transformation function n n Algorithms ensure Causality, Intention, Convergence if… …Transformation functions

Problems n Proving C 1 and C 2: n n n Time consuming Error

Approach n n n Using an automatic theorem prover (SPIKE [Bouhoula 95]) for C

Site 1 : user 1 Site 2 : user 2 abc Op 1 abc

user 3 user 1 user 2 abc abc Op 1 Ins(2, x) Op 2

Site 1 : user 1 Site 2 : user 2 Site 3 : user

user 3 abc Op 1 user 2 abc Op 2 Ins(2, x, {}) Del(2)

user 3 abc Op 1 user 2 abc Op 2 Ins(2, 2, x) Del(2)

Formalization n Condition C 1: n n Condition C 2: n n Requires to

Formal Specification of Transformation Functions (p 1 < p 2) = true => T(Ins(p

SPIKE Output Elapsed time: 0. 1 s --- Global statistics of the main successful

Counter Example abc Goal: u 6 > 0 = true Op 1 Op 2

Resume n Proving transformation with SPIKE : n n Produce safe transformation functions Provide

Perspectives n n Proving transformation functions for more complex data types: XML, Blocks of

Slides: 23

Download presentation

Proving Correctness of Transformation Functions in Real-Time Groupware Abdessamad Imine, Pascal Molli, Gérald Oster and Michaël Rusinowitch ECOO and CASSIS Project INRIA Lorraine - FRANCE

Context n n n Building Real-Time Groupware Operational Transformation d. Opt [Ellis 89], GOTO[Sun 98], a. Dopted[Ressel 96], SOCT 2, 3, 4[Suleiman 97, Vidot 00]

Using Real Time Groupware Technology n n n Choose an algorithm Provide transformation functions for your own data types: Example: n String: n n Ins(char, position) Del(char, position)

Transformation functions n 22=4 transformation functions: n n n T(Ins(), Ins()): -. . T(Ins(), Del()): -… T(Del(), Ins()): -. . T(Del(), Del()): -… T(Ins(p 1, c 1), Ins(p 2, c 2)): n n If (p 1<p 2) then return Ins(p 1, c 1) Else return Ins(p 1+1, c 1)

Correctness of transformation function n n Algorithms ensure Causality, Intention, Convergence if… …Transformation functions ensure :

Problems n Proving C 1 and C 2: n n n Time consuming Error Prone 123 cases to verify for ins(p, c), del(p) and to verify again for each update ! A serious bottleneck for the transformational approach. .

Approach n n n Using an automatic theorem prover (SPIKE [Bouhoula 95]) for C 1 and C 2 Input : Formal specification of transformation functions Output: OK or KO with counterexamples

ELLIS – [SIGMOD 89]

Site 1 : user 1 Site 2 : user 2 abc Op 1 abc Op 2 Ins(2, x) axbc Del(2) ac Op’ 1 Op’ 2 Del(3) Ins(1, x) axc xac

Ressel – [CSCW 96]

user 3 user 1 user 2 abc abc Op 1 Ins(2, x) Op 2 Del(2) axbc ac Op 3 Ins(3, y) abyc Op’ 3 Op’ 2 Ins(2, y) Del(2) ayc Op’ 1 Op’’ 1 Ins(3, x) Ins(2, x) ayxc axyc

Sun – [TOCHI 98]

Site 1 : user 1 Site 2 : user 2 Site 3 : user 3 abc abc Op 1 Ins(2, y) Op 2 Del(2) aybc ac Op 3 Ins(3, y) abyc Op’ 3 Op’ 2 Ins(2, y) Del(2) ayc Op’ 1 Op’’ 1 Ins(3, y) Ins(2, y) ayyc

Suleiman – [Group 97]

user 3 abc Op 1 user 2 abc Op 2 Ins(2, x, {}) Del(2) axbc ac Ins(2, x, {}, {Del(2)}) Op 3 Ins(3, y, {}) abyc Op’ 3 Ins(2, x, {}) Op’ 2 Ins(2, y, {Del(2)}, {}) Del(2) Ins(2, x, {}, {Del(2)}) ayc Op’ 1 Ins(2, x, {}, {Del(2)}) axyc ayc Op’’ 1 Ins(2, x, {}, {Del(2)}) axyc

Imine – [ECSCW 03]

user 3 abc Op 1 user 2 abc Op 2 Ins(2, 2, x) Del(2) axbc ac Ins(2, 2, x) Op 3 Ins(3, 3, y) abyc Op’ 3 Ins(2, 2, x) Op’ 2 Ins(2, 3, y) Del(2) Ins(2, 2, x) ayc Op’ 1 Ins(2, 2, x) axyc ayc Op’’ 1 Ins(2, 2, x) axyc

Formalization n Condition C 1: n n Condition C 2: n n Requires to specify states Only requires to specify transformation functions For theorem prover, C 2 is easier (but longer) to prove than C 1.

Formal Specification of Transformation Functions (p 1 T(Ins(p 1, c 1, pr 1), Ins(p 2, c 2, pr 2)) = Ins(p 1, c 1, pr 1); (p 1 p 2) = true => T(Ins(p 1, c 1, pr 1), Ins(p 2, c 2, pr 2)) = Ins(p 1 + s(0), c 1, pr 1); (p 1 p 2) = false, c 1 = c 2 => T(Ins(p 1, c 1, pr 1), Ins(p 2, c 2, pr 2)) = nop; (p 1 p 2) = false, c 1 <> c 2, (pr 1 > pr 2) = true => T(Ins(p 1, c 1, pr 1), Ins(p 2, c 2, pr 2)) = Ins(p 1 + s(0), c 1, pr 1); (p 1 p 2) = false, c 1 <> c 2, (pr 1 > pr 2) = false => T(Ins(p 1, c 1, pr 1), Ins(p 2, c 2, pr 2)) = Ins(p 1, c 1, pr 1);

SPIKE Output Elapsed time: 0. 1 s --- Global statistics of the main successful operations ---contextual_rewriting : 0 of 0 tries. -- equational_rewriting : 0 of 0 tries. -- conditional_rewriting : 4 of 11 tries. -- partial_case_rewriting : 0 of 0 tries. -- total_case_rewriting : 5 of 5 tries. -- induction : 0 of 0 tries. -- subsumption : 0 of 6 tries. -- tautology : 0 of 24 tries. ------Total clauses: 176 -Max depth : 1 -All sets of conjectures were successfully processed

Counter Example abc Goal: u 6 > 0 = true Op 1 Op 2 and u 6 <= (length (u 5)) = true Ins(2, x) Del(2) and u 3 > 0 = true and u 3 <= (length (u 5)) = true and u 6 = (u 3 + (1)) = false Del(3) Ins(1, x) and u 8 <> u 6 and u 8 > u 6 = false => ; axc xac Instance: car (u 8, (u 5. . (Del (u 3, u 4))). . (T (Ins (u 6, ua 7, u 2), Del (u 3, u 4)))) = car (u 8, (u 5. . (Ins (u 6, ua 7, u 2))). . (T (Del (u 3, u 4), Ins (u 6, ua 7, u 2)))) ;

Resume n Proving transformation with SPIKE : n n Produce safe transformation functions Provide high value feedback with counter examples Formal specification is easy Leverage a serious bottleneck for the transformational approach

Perspectives n n Proving transformation functions for more complex data types: XML, Blocks of Text, File System… Provide an IDE for writing transformation function: n n Input: specification like in this talk Output: formatted counter examples…