Deductive Verification of Distributed Groupware Systems

Deductive Verification of Distributed Groupware Systems Abdessamad Imine, Pascal Molli, G´erald Oster and Micha¨el Rusinowitch LORIA, INRIA - Lorraine Campus Scientifique, 54506 Vandœuvre-L`es-Nancy Cedex, France {imine,molli,oster,rusi}@loria.fr

Abstract. Distributed groupware systems consist of a group of users manipulating a shared object (like a text document, a filesystem, etc). Operational Transformation (OT) algorithms are applied for achieving convergence in these systems. However, the design of such algorithms is a difficult and error-prone activity, since building the correct operations for maintaining good convergence properties of the local copies requires examining a large number of situations. In this paper, we present the modelling and deductive verification of OT algorithms with algebraic specifications. We show that many OT algorithms in the literature do not satisfy convergence properties unlike what was stated by their authors.

1

Introduction

Distributed groupware systems consist of two or more users (sites) that simultaneously manipulate objects (i.e. text, image, graphic, etc.) without the need for physical proximity and enables them to synchronously observe each other changes. The shared objects are replicated at the local memory of each participating user. Every operation is executed locally first and then broadcasted for execution at other sites. So, the operations are applied in different orders at different replicas (or copies) of the object. This potentially leads to divergent (or different) replicas – an undesirable situation for distributed groupware systems [16]. Operational Transformation is an approach which has been proposed to overcome the divergence problem, especially for building real-time groupware [4, 15]. This approach consists of an algorithm which transforms, i.e. to adjust parameters, the remote operation according to local concurrent ones in order to achieve convergence. It has been used in several group editors [4, 13, 15, 14, 18], and more recently it is employed in other distributed systems as the generic synchronizer S5 [11]. The advantages of this approach are: (i) it is independent of the replica state and depends only on concurrent operations; (ii) it enables an unconstrained concurrency, i.e. no global order on operations; (iii) it ensures a good responsiveness in real-time interaction context. However, if OT algorithms are not correct then the consistency of shared data is not ensured. Accordingly, it is critical to verify such algorithms to avoid the loss of data when broadcasting operations.

According to [13], the OT algorithm needs to fulfill two convergence conditions C1 and C2 which will be detailed in Section 2. Finding such an OT algorithm and proving that it satisfies C1 and C2 is not an easy task. This proof is often difficult – even impossible – to produce by hand and unmanageably complicated. Our solution. To overcome this problem, it is necessary to encourage OT algorithm developers to write a formal specification, i.e. a description about the replica behaviour, and then verify the correctness of the OT algorithm w.r.t. convergence conditions by using a theorem prover. However, effective use of a theorem prover typically requires expertise that is uncommon among software engineers. So, our work is aimed at designing and implementing techniques underlying the development of OT algorithms which meet the following requirements: (i) Writing formal specifications must be effortless. (ii) High degree of automation in the proof process. The developers should use the theorem prover as a (push-button) probing tool to verify convergence conditions. Using Observational Semantics, we treat a replica object as a black box [6]. We specify interactions between a replica object and a user. Operations which observe the replica states are called attributes, and operations which change the states are called methods. We can only recognize the current state by observing states modified by methods through attributes. So, we consider method sequences followed by an attribute as observation tools. We have implemented our approach as a tool which enables a developer to define all replica operations (methods and attributes) and the OT algorithm. From this description, our tool generates an algebraic specification described in terms of conditional equations. As verification back-end we use SPIKE, a first-order implicit induction prover, which is suitable for reasoning about conditional equations [2, 3]. The main contribution of this paper is to show that a lightweight use of formal verification techniques is feasible (i) to write easily a formal specification of a replica object, and (ii) to have its OT algorithm checked w.r.t. convergence conditions so as to increase confidence in the correctness of the OT algorithm. Moreover, using our theorem-proving approach we have obtained surprising results. Indeed, we have detected bugs in several distributed groupware systems designed by specialists from the domain [7, 8]. Related work. To our best knowledge, there is no other work on formal verification of OT algorithms. In [8], we represented the replica as an abstract data type, but the proof effort became costlier when the data is complex (e.g. an XML tree). Indeed, a property proof involving the data could call for numerous sub-proofs of properties about its logical structure. In [10, 9], we used the situation calculus for hiding the internal state of replica but this formalism turned out to be inappropriate to accurately model the notion of state. In this work, we found that the observational semantics is natural enough to abstract away from the internal replica structure. It describes the behaviour of a replica object as viewed by an external user. Since OT algorithms rely on replica methods, then the process verification becomes effortless.

Structure of the paper. This paper is organized as follows: Section 2 summarizes the basic concepts of OT approach. The ingredients of our formalization for specifying replica object and OT algorithm are given in Section 3. In Section 4, we present how to express convergence conditions in our algebraic framework. Section 5 briefly describes our tool and numerous bugs that we have found in some distributed groupware systems. Finally, we give conclusions and present future work.

2

Operational Transformation Approach

Distributed groupware systems typically maintain shared state of some sort (i.e. text document, XML tree, etc.). Shared states are usually replicated among a group of sites. Updates are performed first at local sites and then propagated to remote sites. When the replicated state is being modified, all the replicas must be modified in a consistent way. In the following, we consider a distributed groupware system as a Group of Sites (GS) where every site has its own replica. Notation [op1 op2 . . . opn ] represents an operation sequence. We denote X • st = st0 when an operation (or an operation sequence) X is executed on a replica state st and produces a replica state st0 . Definition 1. (Convergence Property). The convergence property states that all replicas are identical at all sites after all generated operations have been executed at all sites. Example 1. Consider the following group text editor scenario (see Figure 1): there are two sites working on a shared document represented by a string of characters. Initially, all the copies hold the string “efect”. The document is modified with the operation Ins(p, c) for inserting a character c at position p. Users 1 and 2 generate two concurrent operations: op1 = Ins(2, “f”) and op2 = Ins(6, “s”) respectively. When op1 is received and executed on site 2, it produces the expected string “effects”. But, when op2 is received on site 1, it does not take into account the fact that op1 has been executed before it. Consequently, we obtain a divergence problem between sites 1 and 2. As a solution to divergence problem, we can use an OT algorithm which has been proposed in [4]. It takes two concurrent operations op1 and op2 defined on the same state and returns op01 which is equivalent to op1 but is defined on a state where op2 has been applied. We denote this algorithm by a function T . Example 2. In Figure 2, we illustrate the effect of T on the previous example. When op2 is received on site 1, op2 needs to be transformed according to op1 as follows: T ((Ins(6, “s”), Ins(2, “f”)) = Ins(7, “s”). The insertion position of op2 is incremented because op1 has inserted a character at position 2, which is before the character inserted by op2 . Next, op02 is executed on site 1. In the same way, when op1 is received on site 2, it is transformed as follows: T (Ins(2, “f”), Ins(6, “s”)) = Ins(2, “f”); op1 remains the same because “f” is inserted before “s”.

Fig. 1. Incorrect integration.

Fig. 2. Integration with transformation.

Intuitively we can write the transformation T as follows: T(Ins(p1,c1),Ins(p2,c2)) = if (p1 < p2) return Ins(p1,c1) else return Ins(p1+1,c1) endif; However, using an OT algorithm requires to satisfy two conditions [13]. Given two operations op1 and op2 , let op02 = T (op2 , op1 ) and op01 = T (op1 , op2 ), the conditions are as follows: – Condition C1 : [op1 op02 ] • st = [op2 op01 ] • st, for every state st. – Condition C2 : T (T (op, op1 ), op02 ) = T (T (op, op2 ), op01 ). C1 defines a state identity and ensures that if op1 and op2 are concurrent, the effect of executing op1 before op2 is the same as executing op2 before op1 . This condition is necessary but not sufficient when the number of concurrent operations is greater than two. As for C2 , it ensures that transforming op along equivalent and different operation sequences will give the same result. In [14], the authors have proved that conditions C1 and C2 are sufficient to ensure the convergence property for any number of concurrent operations which can be executed in arbitrary order. Proving the correctness of OT algorithms, w.r.t C1 and C2 is very complex and error prone even on a simple string object. Consequently, to be able to develop the transformational approach and to safely use it in other replicationbased distributed systems with simple or more complex objects, proving conditions on OT algorithms must be assisted by an automatic theorem prover.

3

Formal Specification

We present in this section the theoretical background of our framework. We first briefly review the basics of algebraic specification. Then, we give the ingredients of our formalization for specifying and reasoning on OT algorithms. 3.1

Algebraic Preliminaries

We assume that the reader is familiar with the basic concepts of algebraic specifications [19], term rewriting and equational reasoning [17]. Let S be a set (of sorts). An S-sorted set is a family of sets X = {Xs }s∈S indexed by S. A many-sorted signature Σ is a triplet (S, F, X) where S is a set (of sorts), F is a S ∗ × S-sorted set (of function symbols) and X is a family of S-sorted variables. \(ω, s) denotes the number of occurrences of the sort s in the sequence ω. We assume that we have a partition of F in two subsets: the first one C contains the constructor symbols and the second one D is the set of defined symbols, such that C and D are disjoint. Let T (F, X) be the set of sorted terms. When a term does not contain variables, it is called ground term. The set of all ground terms is T (F ). A substitution η assigns terms of appropriate sorts to variables. If t is a term, then tθ denotes the application of substitution θ to t. If η applies every variable to ground term, then η is a ground substitution. We denote by ≡ the syntactic equivalence between objects. An equation is a formula Vnof the form l = r. A conditional equationVisn a formula of the following form: i=1 ai = bi =⇒ l = r. It will be written i=1 ai = bi =⇒ l → r and called a V conditional rewrite rule when V using an order on terms. The precondition n n of rule i=1 ai = bi =⇒ l → r is i=1 ai = bi . The term l is the left-hand side of the rule. A set of conditional rewrite rules is called a rewrite system. A constructor is free if it is not the root of a left-hand side of a rule. A term is strongly irreducible if none of its non-variable subterms matches a left-hand side of a rule in a rewrite system. An algebraic specification is a pair (Σ, A) where Σ is a many-sorted signature and A is a rewrite Vnsystem (called the Wmaxioms of (Σ, A)). A clause is an expression of the form: i=1 ai = bi =⇒ j=1 a0j = b0j . The clause C is a Horn clause if m 6 1. The clause C is a logical consequence of A if C is valid in any model of A, denoted by A |= C. C is said inductively valid in A (denoted A|=Ind C), if for any ground substitution σ, (for all i, E|= ai σ = bi σ) implies (there exists j, A|= a0j σ = b0j σ). An Observational signature is a many-sorted signature Σ = (S, Sobs , F, X) where Sobs ⊆ S is the set of observable sorts. An Observational specification is a pair (Σ, A) where Σ is an observational signature and A is a set of axioms. 3.2

Replica Specification

The main component in distributed groupware system is the replica. Every replica has a set of operations. The methods are operations which modify the replica state. The attributes are operations which extract informations from this state. In some cases, the replica state can be small, like a text document.In other

cases, it can be large like a database, an XML tree or a filesystem. In this work, we use an observational technique which conceals the internal state of the replica by extracting informations from the method sequence executed on it. We use the sort State for representing the space of replica state. This sort has two constructor functions: (i) the constant constructor S0 (the initial state), and (ii) a constructor Do which given a method and a state gives the resulting state provided that the execution of this method is possible. The sort Meth represents the set of methods. Every method type has its own constructor. These constructors are free since methods are assumed to be distinct. For every method, we should indicate conditions under which it is enabled. For this we use a boolean function P oss defined by a set of conditional equations. We define also an idle method which has null effect on the replica state, i.e. constructor N op. As to attributes, we define them as function symbols which are monadic on the State sort. These attribute functions serve as observers and are inductively expressed upon the State sort. The OT algorithm is defined by the function symbol T which takes two methods as arguments and produces another method. We then formally define a replica specification: Definition 2. (Replica Specification). Given S the set of all sorts, Sbs = {State, Meth} the set of basic sorts and Sis = S \ Sbs the set of individual sorts (data sorts). A replica specification π is an observational specification OSP π = (Σ π , Aπ ) such that: – Σ π is an observational signature where the set of non-observable sorts is a singleton, i.e. S \ Sobs = {State}. F is defined as C ∪ D, such that: (i) C,State = {S0 }, CMeth State,State = {Do} and Cω,s = ∅ if s is State or ω contains an element of Sbs . (ii) DMeth Meth,Meth = {T }, DMeth State,Bool = {P oss} and Dω,s = ∅ if either s is State, ω contains Meth, or \(ω, State) > 1. – Aπ = DP ∪ DA ∪ DT is the set of axioms (written as conditional equations) such that: (i) DP is the set of method precondition axioms (P oss); (ii) DA is the set of axioms for every attribute; (iii) DT contains axioms defining the transformation function T . Example 3. Consider the group text editor designed by Ellis and Gibbs [4] who are the pioneers of the OT approach. The string replica has two methods: Ins(p, c, pr) and Del(p, pr) [4]. In this example, Ins and Del are extended with a new parameter pr. This one represents the priority to solve conflict when transforming two Ins operations and it is based on the site identifier where operations have been generated. The replica string has two attributes: Length for extracting the length of the string and Car for giving the character of the string at given position and state. The replica specification is given in Figure 3. ∗ The set Cω,Meth (ω ∈ Sis ) contains all constructor methods which represents the method types of a replica. All the necessary conditions for executing a method are given by DP (lines 1 − 2). The set Dω State,s contains all replica attributes ∗ where ω ∈ Sis and s ∈ Sis . DA is illustrated in lines 3 − 9. Lines 10 − 25 gives the definition of T . true and f alse are boolean constants.

Sorts: State, Meth, bool, nat, char Constructors S0 : → State Do : Meth × State → State Ins : nat × char × nat → Meth Del : nat × nat → Meth N op : → Meth Defined P oss : Length : Car : T :

Operations Meth × State → bool State → nat nat × State → char Meth × Meth → Meth

Variables x, p1, p2, pr1, pr2 : nat; st : State; m : Meth; c1, c2 : char; Axioms 1. P oss(Ins(p1, c1, pr1), st) = (p1 ≤ Length(st)); 2. P oss(Del(p1, pr1), st) = (p1 < Length(st)); 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25.

Length(Do(Ins(p1, c1, pr1), st)) = Length(st) + 1; Length(Do(Del(p1, pr1), st)) = Length(st) − 1; x = p1 ⇒ Car(x, Do(Ins(p1, c1, pr1), st)) = c1; (x > p1) = true ⇒ Car(x, Do(Ins(p1, c1, pr1), st)) = Car(x − 1, st); (x < p1) = true ⇒ Car(x, Do(Ins(p1, c1, pr1), st)) = Car(x, st); (x ≥ p1) = true ⇒ Car(x, Do(Del(p1), st)) = Car(x + 1, st); (x < p1)) = true ⇒ Car(x, Do(Del(p1), st)) = Car(x, st); T (N op, m) = N op; T (m, N op) = m; (p1 < p2) = true ⇒ T (Ins(p1, c1, pr1), Ins(p2, c2, pr2)) = Ins(p1, c1, pr1); (p1 > p2) = true ⇒ T (Ins(p1, c1, pr1), Ins(p2, c2, pr2)) = Ins(p1 + 1, c1, pr1); p1 = p2 ∧ c1 = c2 ⇒ T (Ins(p1, c1, pr1), Ins(p2, c2, pr2)) = N op; p1 = p2 ∧ c1 6= c2 ∧ (pr1 > pr2) = true ⇒ T (Ins(p1, c1, pr1), Ins(p2, c2, pr2)) = Ins(p1 + 1, c1, pr1); p1 = p2 ∧ c1 6= c2 ∧ (pr1 < pr2) = true ⇒ T (Ins(p1, c1, pr1), Ins(p2, c2, pr2)) = Ins(p1, c1, pr1); (p1 < p2) = true ⇒ T (Ins(p1, c1, pr1), Del(p2, pr2)) = Ins(p1, c1, pr1); (p1 ≥ p2) = true ⇒ T (Ins(p1, c1, pr1), Ins(p2, c2, pr2)) = Ins(p1 − 1, c1, pr1); (p1 < p2) = true ⇒ T (Del(p1, pr1), Del(p2, pr2)) = Del(p1, pr1); (p1 > p2) = true ⇒ T (Del(p1, pr1), Del(p2, pr2)) = Del(p1 − 1, pr1); p1 = p2 ⇒ T (Del(p1, pr1), Del(p2, pr2)) = N op; (p1 < p2) = true ⇒ T (Del(p1, pr1), Ins(p2, c2, pr2)) = Del(p1, pr1); (p1 ≥ p2) = true ⇒ T (Del(p1, pr1), Ins(p2, c2, pr2)) = Del(p1 + 1, pr1); Fig. 3. Replica specification for text editor.

We use an observational semantics which is based on weakening the satisfaction relation [3, 1, 6, 5]. Informally speaking, the replica objects which cannot be distinguished by experiments are considered as observationally equal. When using algebraic specifications, such experiments can be formally defined by contexts of observable sorts and operators over the signature of the specification. Definition 3. (Context). Let π be a replica specification and Tπ (F, X) its term algebra. 1. A Σπ -context of sort State is a non-ground term c ∈ Tπ (F, X) with a distinguished linear variable zState of sort State. This variable is called the context variable of c. To indicate the context variable occurring in c, we often write c[zState ]. 2. A Σπ -context c is called an observable Σπ -context if the sort of c is in Sis , and a State Σπ -context if the sort of c is State. 3. A State Σπ -context can be regarded as a sequence of methods. An observable Σπ -context is the sequence formed by an attribute and a State Σπ -context. 4. A Σπ -context c is appropriate for a term t ∈ Tπ (F, X) iff the sort of t matches that of zState . c[t] defines the replacement of zState by t in c[zState ]. 5. ObsCtΣπ denotes the set of all observable Σπ -contexts. Example 4. Consider the replica specification in Figure 3. There are infinitely many observable Σπ -contexts: Length(zState ), Car(x, zState ), Car(x, Do(Ins(p, c, pr), zState )), . . ., Length(Don (Del(p), zState ). Our notion of observational validity is based on the idea that two replica objects in given algebra are observationally equal if they cannot be distinguished by computation with observable results. Definition 4. (Observational Validity). Two terms t1 and t2 are observational equal if for all c ∈ ObsCtΣπ Aπ |= c[t1 ] = c[t2 ]. We denote it by Aπ |=obs t1 = t2 or simply t1 =obs t2 . The observational validity induces a congruence on T (F ) [3]. Vn Definition 5. (State Property). Let P ≡ i=1 ai = bi =⇒ t1 = t2 . We say that P is a state property (or observational valid) and we denote it by Aπ |=obs P if: for all ground substitutions σ, (∀ i ∈ [1..n] ai σ =obs bi σ) implies t1 σ =obs t2 σ. Our purpose is to propose a technique allowing to prove and disprove (or refute) state properties. Note that our state properties are Horn clauses and therefore in the scope of observational properties mentionned in [3]. In this work, the authors introduced the concept of critical contexts. They allow to prove observational theorems by reasoning on the ground irreducible observable contexts rather than on the whole set of observable contexts. In the following, we denote by R a conditional rewrite system which is obtained by orienting axioms of Aπ .

Definition Vn 6. (Inconsistent State Property). We say that the state property P ≡ i=1 ai = bi =⇒ t1 = t2 is provably inconsistent iff there exists a substitution σ and a critical context c such that: (i) ∀ i ∈ [1..n], ai σ = bi σ is an inductive theorem w.r.t. R. (ii) c[t1 = t2 ] is strongly irreducible by R. Provably inconsistent state properties are not observationally valid. The computation of critical contexts requires that axioms are sufficiently complete [19]. Moreover, the refutation of any theorem imposes that R is ground convergent. For more details on how to compute critical context and refute observational theorems can be found in [3]. We denote the inference system of [3] Proof(E), which takes as argument a set of conjectures to be proved and returns a set of lemmas remaining to be proved in order to show E is observationally valid. If Proof(E) returns an empty set then E is observationally valid.

4

Proving Convergence Properties

Before stating the properties that a replica object has to satisfy for ensuring convergence, we give some notations. Let m1 , m2 , . . . , mn and st be terms of sorts Meth and State respectively. We define (the empty sequence is denoted by []): 1. [](st) = st and [m1 m2 . . . mn ](st) = Do(mn , . . . , Do(m2 , Do(m1 , st)) . . .) is the application of the method sequence m1 , m2 , . . . , mn on the state st. 2. Legal([], st) = true and Legal([m1 m2 . . . mn ], st) = P oss(m1 , st) ∧ P oss(m2 , [m1 ](st)) ∧ . . . ∧P oss(mn , [m1 m2 . . . mn−1 ](st)). 3. T ∗ (m, []) = m and T ∗ (m, [m1 m2 . . . mn ]) = T ∗ (T (m, m1 ), [m2 . . . mn ]). T ∗ (m, seq) denotes the operation resulting from transforming m along the sequence seq. Definition 7. (Sequence Equivalence). Given two method sequences seq1 and seq2 . We say that seq1 and seq2 are equivalent iff seq1 (st) =obs seq2 (st) for every state st. In the following, we present how to express the satisfaction of conditions C1 and C2 as properties to be checked in our algebraic framework. Let OSP π = (Σ π , Aπ ) and Mπ be a replica specification and the method set respectively, corresponding to a replica object π. 4.1

Condition C1

As mentionned before, we use an observational approach for comparing two replica states. Accordingly, we define the condition C1 by the following state property (the variable st is universally quantified): Φ1 (m1 , m2 ) ≡ (Legal([m1 T (m2 , m1 )], st) = true ∧ Legal([m2 T (m1 , m2 )], st) = true) (1) =⇒ [m1 T (m2 , m1 )](st) =obs [m2 T (m1 , m2 )](st)

Input : A replica specification π. Output : S a set of CP 1-scenarios. S ← ∅; foreach method M1 in Mπ foreach method M2 in Mπ E ← {Φ1 (M1 , M2 )}; E ← Proof(E); if E 6= ∅ then S ← S ∪ {(M1 , M2 , E)}; endfor endfor

Fig. 4. Checking Algorithm of Convergence Property CP 1.

The first convergence property is formulated as a conjecture to be proved from the replica specification. It means: for all methods m1 and m2 and for every state st, such that m1 and m2 are enabled on st, then the states [m1 T (m2 , m1 )](st) and [m2 T (m1 , m2 )](st) are observationally equal. This conjecture is defined as follows: Conjecture 1 (Convergence Property CP 1). A replica object π satisfies the condition C1 iff Φ1 (m1 , m2 ) is a state property for all m1 and m2 . According to Definition 7, the convergence property CP 1 means that the sequences [m1 T (m2 , m1 )] and [m2 T (m1 , m2 )] are equivalent. Definition 8. (CP1-scenario). A CP 1-scenario is a triple (M1 ,M2 ,E) where M1 and M2 are two methods and E is the set of conjectures obtained by the function Proof({Φ1 (M1 , M2 }). In Figure 4, we present an algorithm allowing us to verify the convergence property CP 1 by detecting all CP 1-scenarios which violate this property. The CP 1-scenarios simply consist of methods and conditions over argument methods which may lead to potential divergence situations. Example 5. Consider the group editor of Example 3. When applying our algorithm to replica specification of Figure 3, we have detected that convergence property CP 1 is violated by giving the CP 1-scenario depicted in Figure 5. From this scenario, we can extract the following informations: (i) the methods (Ins(u1, u2, u3) and Del(u4, u5)) that cause divergence problem; (ii) the observation (the attribute Car) that distinguishes the resulting states, and; (iii) the conditions over method arguments (Preconditions) which lead to divergence situation. The counter-example is simple (as illustrated in Figure 6; for clarity we have omitted priority parameter): (i) user1 inserts x in position 2 (op1 ) while user2 concurrently deletes the character at the same position (op2 ). (ii) When op2 is received by site 1, op2 must be transformed according to op1 . So T (Del(2), Ins(2, x)) is called and Del(3) is returned. (iii) In the same way, op1 is received

on site 2 and must be transformed according to op2 . T (Ins(2, x), Del(2)) is called and returns Ins(3, x). Condition C1 is violated. Accordingly, the final results on both sites are different. Scenario 1: ----------op1 : Ins(u1,u2,u3) op2 : Del(u4,u5) S1 [op1;T(op2,op1)]: [Ins(u1,u2,u3);Del(u1+1,u5)] S2 [op2;T(op1,op2)]: [Del(u1,u5);Ins(u1-1,u2,u3)] Instance: Car(u1,S1) = Car(u1,S2) Preconditions: (u1