
Publication


Featured research published by Philip M. Lewis.


Theoretical Computer Science | 2006

Automatic workflow verification and generation

Shiyong Lu; Arthur J. Bernstein; Philip M. Lewis

Correctness is an important aspect of workflow management systems. However, most of the workflow literature focuses only on the modeling aspects and assumes that a workflow is correct if during the execution it respects the control and data dependency specified by the workflow designer. To address the correctness question properly we propose a new workflow model based on Hoare semantics that allows us to: (1) automatically check if the desired outcome of a workflow can be produced by its actual implementation, (2) automatically synthesize a workflow implementation from the workflow specification and a given task library. In particular we: (1) formalize the semantics of workflows and tasks with pre- and postconditions, (2) for each control construct we provide a set of sound inference rules formalizing its semantics. While most of our workflow constructs are standard, two of them are new: the universal and the existential constructs. We then describe algorithms for automatically checking the correctness of workflows and for automatic workflow generation.


International Conference on Data Engineering | 2000

Semantic conditions for correctness at different isolation levels

Arthur J. Bernstein; Philip M. Lewis; Shiyong Lu

Many transaction processing applications execute at isolation levels lower than serializable in order to increase throughput and reduce response time. The problem is that non-serializable schedules are not guaranteed to be correct for all applications. The semantics of a particular application determines whether that application will run correctly at a lower isolation level, and in practice it appears that many applications do. Unfortunately, we know of an analysis technique that has been developed to test an application for its correctness at a particular level. Apparently decisions of this nature are made on an informal basis. In this paper we describe such a technique in a formal way. We use a new definition of correctness, semantic correctness, which is weaker than serializability, to investigate the correctness of such executions. For each isolation level, we prove a condition under which transactions that execute at that level will be semantically correct. In addition to the ANSI/ISO isolation levels of read uncommitted, read committed, and repeatable read, we also prove a condition for correct execution at the read committed with first-committer-wins (a variation of read committed) and at the snapshot isolation level. We assume that different transactions can be executing at different isolation levels, but that each transaction is executing at least at the read uncommitted level.


Computer Aided Verification | 1996

The Concurrency Factory: A Development Environment for Concurrent Systems

Rance Cleaveland; Philip M. Lewis; Scott A. Smolka; Oleg Sokolsky

The Concurrency Factory supports the specification, simulation, verification, and implementation of real-time concurrent systems such as communication protocols and process control systems. While the system uses process algebra as its underlying design formalism, the primary focus of the project is practical utility: the tools should be usable by engineers who are not familiar with formal models of concurrency, and it should be capable of handling large-scale systems such as those found in the telecommunications industry.


International Conference on Service Oriented Computing | 2004

A model for abstract process specification, verification and composition

Ziyang Duan; Arthur J. Bernstein; Philip M. Lewis; Shiyong Lu

An abstract business process contains a description of the protocol that a business process engages in without revealing the internal computation of the process. This description provides the information necessary to compose the process with other Web services. BPEL supports this by providing distinct dialects for specifying abstract and executable processes. Unfortunately, BPEL does not prevent complex computations from being included in an abstract process. This complicates the protocol description, unnecessarily reveals implementation details, and makes it difficult to analyze correctness. We propose some restrictions on the data manipulation constructs that can be used in an abstract BPEL process. The restrictions permit a full description of a protocol while hiding computation. A restricted abstract process can easily be converted into an abstract BPEL process or expanded into an executable BPEL process. Based on these restrictions we propose a formal model for a business process and use it as the basis of an algorithm for demonstrating the correctness of a protocol described by a restricted abstract process. We then sketch an algorithm for synthesizing a protocol based on a formal specification of its outcome and the tasks available for its construction.


IEEE Transactions on Knowledge and Data Engineering | 2004

Correct execution of transactions at different isolation levels

Shiyong Lu; Arthur J. Bernstein; Philip M. Lewis

Many transaction processing applications execute at isolation levels lower than SERIALIZABLE in order to increase throughput and reduce response time. However, the resulting schedules might not be serializable and, hence, not necessarily correct. The semantics of a particular application determines whether that application will run correctly at a lower level and, in practice, it appears that many applications do. The decision to choose an isolation level at which to run an application and the analysis of the correctness of the resulting execution is usually done informally. We develop a formal technique to analyze and reason about the correctness of the execution of an application at isolation levels other than SERIALIZABLE. We use a new notion of correctness, semantic correctness, a criterion weaker than serializability, to investigate correctness. In particular, for each isolation level, we prove a condition under which the execution of transactions at that level will be semantically correct. In addition to the ANSI/ISO isolation levels of READ UNCOMMITTED, READ COMMITTED, and REPEATABLE READ, we also prove a condition for correct execution at the READ-COMMITTED with first-committer-wins and at SNAPSHOT isolation. We assume that different transactions in the same application can be executing at different levels, but that each transaction is executing at least at READ UNCOMMITTED.


International Conference on Concurrency Theory | 1990

Factorization of Finite State Machines under Observational Equivalence

Huajun Qin; Philip M. Lewis

A usual approach to designing a complex concurrent system is to follow the top-down design methodology: the abstract specification of the system is decomposed into a network of communicating modules such that the behavior of the modules in composition is equivalent to the behavior of the system specification.


International Conference on Web Services | 2004

Semantics based verification and synthesis of BPEL4WS abstract processes

Ziyang Duan; Arthur J. Bernstein; Philip M. Lewis; Shiyong Lu

We introduce a logic model to formally specify the semantics of workflows and their composite tasks described as BPEL4WS abstract processes. Based on the model, we present a set of inference rules to deduce the strongest postcondition and weakest precondition of a workflow and demonstrate that automatic workflow verification is possible due to the restrictions on data manipulation in an abstract process. We then sketch an algorithm that automatically synthesizes a workflow given its specification and a task library.


Information Systems | 1999

Concurrency control for step-decomposed transactions

Arthur J. Bernstein; David Scott Gerstl; Philip M. Lewis

The throughput of a transaction processing system can be improved by decomposing transactions into steps and allowing the steps of concurrent transactions to be interleaved. In some cases all interleavings are assumed to be acceptable; in others certain interleavings are forbidden. In this paper we describe a new concurrency control that guarantees that only acceptable interleavings occur. We describe the implementation of the new control within the CA-Open Ingres™ database management system and experiments that were run to evaluate its effectiveness using the TPC-C™ Benchmark Transactions. The experiments demonstrate up to 80% improvement when lock contention is high, when long running transactions are a part of the transaction suite, and/or when sufficient system resources are present to support the additional concurrency that the new control allows. Finally, we describe a new correctness criterion that is weaker than serializability and yet guarantees that the specifications of all transactions are met. The criterion can be used to determine the acceptable interleavings for a particular application. The specification of these interleavings can serve as input to the new control.


Formal Aspects of Computing | 1991

Factorisation of finite state machines under strong and observational equivalences

Huajun Qin; Philip M. Lewis

The factorisation problem is to construct the specification of a submodule X when the specifications of the system and all submodules but X are given. It is usually described by the equation


Distributed and Parallel Databases | 1996

Transaction decomposition using transaction semantics

Arthur J. Bernstein; Philip M. Lewis

Collaboration


Dive into Philip M. Lewis's collaboration.

Top Co-Authors

Shiyong Lu

Wayne State University

Scott A. Smolka

Vienna University of Technology

Oleg Sokolsky

University of Pennsylvania

Ziyang Duan

Stony Brook University

Huajun Qin

Stony Brook University
