towards automatically checking thousands of failures with
play

Towards Automatically Checking Thousands of Failures with - PowerPoint PPT Presentation

Feb 27, 2023 •845 likes •1.84k views

Towards Automatically Checking Thousands of Failures with Micro-Specifications Haryadi S. Gunawi, Thanh Do , Pallavi Joshi, Joseph M. Hellerstein, Andrea C. Arpaci-Dusseau , Remzi H. Arpaci-Dusseau , Koushik Sen University of

  1. Towards Automatically Checking Thousands of Failures with Micro-Specifications Haryadi S. Gunawi, Thanh Do † , Pallavi Joshi, Joseph M. Hellerstein, Andrea C. Arpaci-Dusseau † , Remzi H. Arpaci-Dusseau † , Koushik Sen University of California, Berkeley † University of Wisconsin, Madison 1

  2. Cloud Era Solve bigger human problems Use cluster of thousands of machines 2 2

  3. Failures in The Cloud 3 3

  4. Failures in The Cloud “The future is a world of failures everywhere ” - Garth Gibson 3 3

  5. Failures in The Cloud “The future is a world of failures everywhere ” - Garth Gibson “Recovery must be a first-class operation” - Raghu Ramakrishnan 3 3

  6. Failures in The Cloud “The future is a world of failures everywhere ” - Garth Gibson “Recovery must be a first-class operation” - Raghu Ramakrishnan “Reliability has to come from the software ” - Je fg rey Dean 3 3

  7. 4 4

  8. 5 5

  9. Why Failure Recovery Hard? • Testing is not advanced enough against complex failures – Diverse, frequent, and multiple failures – FaceBook photo loss • Recovery is under specified – Need to specify failure recovery behaviors – Customized well-grounded protocols • Example: Paxos made live – An engineering perspective [PODC’ 07] 6 6

  10. Our Solutions 7 7

  11. Our Solutions • FTS (“FATE”) – Failure Testing Service – New abstraction for failure exploration – Systematically exercise 40,000 unique combinations of failures 7 7

  12. Our Solutions • FTS (“FATE”) – Failure Testing Service – New abstraction for failure exploration – Systematically exercise 40,000 unique combinations of failures • DTS (“DESTINI”) – Declarative Testing Specification – Enable concise recovery specifications – We have written 74 checks (3 lines / check) 7 7

  13. Our Solutions • FTS (“FATE”) – Failure Testing Service – New abstraction for failure exploration – Systematically exercise 40,000 unique combinations of failures • DTS (“DESTINI”) – Declarative Testing Specification – Enable concise recovery specifications – We have written 74 checks (3 lines / check) • Note: Names have changed since the paper 7 7

  14. Summary of Findings • Applied FATE and DESTINI to three cloud systems: HDFS, ZooKeeper, Cassandra • Found 16 new bugs • Reproduced 74 bugs • Problems found – Inconsistency – Data loss – Rack awareness broken – Unavailability 8 8

  15. Outline  Introduction • FATE • DESTINI • Evaluation • Summary 9 9

  16. 10 10

  17. M C 1 2 3 No failures 10 10

  18. Alloc. Req. M C 1 2 3 No failures 10 10

  19. Setup Alloc. Stage Req. M C 1 2 3 Data Transfer Stage No failures 10 10

  20. M C 1 2 3 No failures 10 10

  21. M C 1 2 3 M C 1 2 3 4 X 1 Setup Stage Recovery: No failures Recreate fresh pipeline 10 10

  22. M C 1 2 3 M C 1 2 3 4 X 1 Setup Stage Recovery: No failures Recreate fresh pipeline M C 1 2 3 X 2 Data transfer Stage Recovery: Continue on surviving nodes 10 10

  23. M C 1 2 3 M C 1 2 3 4 X 1 Setup Stage Recovery: No failures Recreate fresh pipeline M C 1 2 3 M C 1 2 3 X 2 X 3 Data transfer Stage Recovery: Bug in Data Transfer Stage Recovery Continue on surviving nodes 10 10

  24. M C 1 2 3 M C 1 2 3 4 X 1 Failures at Setup Stage Recovery: No failures DIFFERENT STAGES Recreate fresh pipeline lead to M C 1 2 3 M C 1 2 3 DIFFERENT FAILURE BEHAVIORS Goal: Exercise di fg erent failure recovery path X 2 X 3 Data transfer Stage Recovery: Bug in Data Transfer Stage Recovery Continue on surviving nodes 10 10

  25. FATE • A failure injection framework – target IO points – Systematically exploring failure – Multiple failures • New abstraction of failure scenario – Remember injected failures – Increase failure coverage 11 11

  26. FATE M C 1 2 3 • A failure injection framework – target IO points – Systematically exploring failure – Multiple failures • New abstraction of failure scenario – Remember injected failures – Increase failure coverage 11 11

  27. FATE M C 1 2 3 • A failure injection framework X X – target IO points – Systematically exploring failure – Multiple failures • New abstraction of failure scenario – Remember injected failures – Increase failure coverage 11 11

  28. FATE M C 1 2 3 • A failure injection framework X X X – target IO points X – Systematically exploring failure – Multiple failures • New abstraction of failure scenario – Remember injected failures – Increase failure coverage 11 11

  29. FATE M C 1 2 3 • A failure injection framework X X X – target IO points X – Systematically exploring failure – Multiple failures • New abstraction of failure scenario – Remember injected failures – Increase failure coverage 11 11

  30. FATE M C 1 2 3 • A failure injection framework X X X – target IO points X – Systematically exploring failure X X – Multiple failures • New abstraction of failure scenario – Remember injected failures – Increase failure coverage 11 11

  31. Failure ID 2 3 12 12

  32. Failure ID 2 3 Field Fields Values Static Static Func. Call OutputStream.read() Source File BlockReceiver.java Dynamic Stack Track … Domain Domain Source Node 2 specific specific Destination Node 3 Net. Message Data Packet Failure Type Crash After Hash 12348729 12348729 12 12

  33. How Developers Build Failure ID? • FATE intercepts all I/Os • Use aspectJ to collect information at every I/O point – I/O bu fg ers (e.g file bu fg er, network bu fg er) – Target I/O (e.g. file name, IP address) • Reverse engineer for domain specific information 13 13

  34. Failure ID 2 3 12 14

  35. Failure ID 2 3 Field Fields Values Static Static Func. Call OutputStream.read() Source File BlockReceiver.java Dynamic Stack Track … Domain Domain Source Node 2 specific specific Destination Node 3 Net. Message Data Packet Failure Type Crash After Hash 12348729 12348729 12 14

  36. Failure ID 2 3 Field Fields Values Static Static Func. Call OutputStream.read() Source File BlockReceiver.java Dynamic Stack Track … Domain Domain Source Node 2 specific specific Destination Node 3 Net. Message Data Packet Failure Type Crash After Hash 12348729 12348729 12 14

  37. Exploring Failure Space 14 15

  38. Exploring Failure Space M C 1 2 3 A Exp #1: A 14 15

  39. Exploring Failure Space M C 1 2 3 A Exp #1: A A Exp #2: B B 14 15

  40. Exploring Failure Space M C 1 2 3 A Exp #1: A A Exp #2: B B Exp #3: C A B C 14 15

  41. Exploring Failure Space M C 1 2 3 M C 1 2 3 A A Exp #1: A AB B A Exp #2: B B Exp #3: C A B C 14 15

  42. Exploring Failure Space M C 1 2 3 M C 1 2 3 A A Exp #1: A AB B A A Exp #2: B AC B C B Exp #3: C A B C 14 15

  43. Exploring Failure Space M C 1 2 3 M C 1 2 3 A A Exp #1: A AB B A A Exp #2: B AC B C B A Exp #3: C A BC C B B C 14 15

  44. Outline  Introduction  FATE • DESTINI • Evaluation • Summary 15 16

  45. DESTINI • Enable concise recovery specifications • Check if expected behaviors match with actual behaviors • Important elements: – Expectations – Facts – Failure Events – Check Timing • Interpose network and disk protocols 16 17

  46. Writing specifications 17 18

  47. Writing specifications “Violation if expectation is di fg erent from actual facts” 17 18

  48. Writing specifications “Violation if expectation is di fg erent from actual facts” 17 18

  49. Writing specifications “Violation if expectation is di fg erent from actual facts” violationTable():- expectationTable(), NOT-IN actualTable() 17 18

  50. Writing specifications “Violation if expectation is di fg erent from actual facts” violationTable():- expectationTable(), NOT-IN actualTable() 17 18

  51. Writing specifications “Violation if expectation is di fg erent from actual facts” violationTable():- expectationTable(), NOT-IN actualTable() DataLog syntax: 17 18

  52. Writing specifications “Violation if expectation is di fg erent from actual facts” violationTable():- expectationTable(), NOT-IN actualTable() DataLog syntax: :- derivation 17 18

  53. Writing specifications “Violation if expectation is di fg erent from actual facts” violationTable():- expectationTable(), NOT-IN actualTable() DataLog syntax: :- derivation , AND 17 18

  54. Correct recovery Incorrect Recovery M C 1 2 3 M C 1 2 3 X X 18 19

  55. Correct recovery Incorrect Recovery M C 1 2 3 M C 1 2 3 X X incorrectNodes (B, N) :- expectedNodes (B, N), NOT-IN actualNodes (B, N); 18 19

  56. Correct recovery Incorrect Recovery M C 1 2 3 M C 1 2 3 X X Expected Nodes Expected Nodes (Block, Node) ock, Node) B Node 1 B Node 2 incorrectNodes (B, N) :- expectedNodes (B, N), NOT-IN actualNodes (B, N); 18 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator

Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator

Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator shall establish procedures for analyzing accidents and failures, including the selection of samples of the failed facility or equipment for

948 views • 55 slides
Model Checking in the Propositional -Calculus Ka I Violet Pun INF 9140 - Specification and

Model Checking in the Propositional -Calculus Ka I Violet Pun INF 9140 - Specification and

Model Checking in the Propositional -Calculus Ka I Violet Pun INF 9140 - Specification and Verification of Parallel Systems 13 th May, 2011 Overview Model Checking is a useful means to automatically ascertain the specification of a system

347 views • 24 slides
Protection and Restoration Introduction Fact: Networks fail. Types of failures: Path

Protection and Restoration Introduction Fact: Networks fail. Types of failures: Path

SYSC 5801 Protection and Restoration Introduction Fact: Networks fail. Types of failures: Path failures Link failures Node failures Results: packet losses, waste of resources, and higher delay. What IGP does in the event

721 views • 35 slides
Framework for Application Security Testing September 11th, 2018 Create thousands of security

Framework for Application Security Testing September 11th, 2018 Create thousands of security

Framework for Application Security Testing September 11th, 2018 Create thousands of security tests from existing functional tests automatically Wallarm FAST enables secure CI / CD Wallarm FAST has many cool features to help

476 views • 14 slides
REDECHECK: AN AUTOMATIC LAYOUT FAILURE CHECKING TOOL FOR RESPONSIVELY DESIGNED WEB PAGES ISSTA

REDECHECK: AN AUTOMATIC LAYOUT FAILURE CHECKING TOOL FOR RESPONSIVELY DESIGNED WEB PAGES ISSTA

THOMAS WALSH 1 , PHIL MCMINN 1 , GREGORY KAPFHAMMER 2 1 UNIVERSITY OF SHEFFIELD, 2 ALLEGHENY COLLEGE REDECHECK: AN AUTOMATIC LAYOUT FAILURE CHECKING TOOL FOR RESPONSIVELY DESIGNED WEB PAGES ISSTA 2017 THE PROBLEM: RESPONSIVE LAYOUT FAILURES

146 views • 3 slides
3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification Technology

3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification Technology

Fachgebiet RechnerSysteme Technische Universitt Verification Technology Darmstadt 3. Satisfiability Checking Computer Systems Lab 1 3. Satisfiability Checking 3 3. Satisfiability Checking 3.1 SAT-Checking Procedures Verification

278 views • 11 slides
Failures and Consensus Failures and Consensus Coordination Coordination If the solution to

Failures and Consensus Failures and Consensus Coordination Coordination If the solution to

Failures and Consensus Failures and Consensus Coordination Coordination If the solution to availability and scalability is to decentralize and replicate functions and data, how do we coordinate the nodes? data consistency update

712 views • 36 slides
Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree Logic Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge

402 views • 25 slides
Checking & Spot-Checking the Correctness of Priority Queues Matthew Chu & Sampath Kannan

Checking & Spot-Checking the Correctness of Priority Queues Matthew Chu & Sampath Kannan

Checking & Spot-Checking the Correctness of Priority Queues Matthew Chu & Sampath Kannan (UPenn) Andrew McGregor (UCSD) Memory Checking Memory Checking Your resources: A lot of cheap unreliable memory and a little expensive reliable

1.11k views • 70 slides
Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking Checking Checking for Timed Automata Timed Automata Coll C l C ll b llabora orators: t ors: Peter Bulychev, Alexandre David Axel Legay, Marius

725 views • 59 slides
Software Failures Perdita Stevens perdita@inf.ed.ac.uk

Software Failures Perdita Stevens perdita@inf.ed.ac.uk

Software Failures Perdita Stevens perdita@inf.ed.ac.uk http://www.inf.ed.ac.uk/teaching/courses/sapm/ Original slides: Dr James A. Bednar & Dr David Robertson, changes by Dr Massimo Felici, Mr Conrad Hughes, me SAPM Spring 2010: Failures

771 views • 27 slides
s rsrt Market failures Tyler Moore

s rsrt Market failures Tyler Moore

s rsrt Market failures Tyler Moore When markets fail Market failures occur when the free-market outcome is inefficient Monopolies/oligopolies Public goods Information

301 views • 15 slides
MySQL High Availability Solutions Alex Poritskiy Percona The Five 9s of Availability

MySQL High Availability Solutions Alex Poritskiy Percona The Five 9s of Availability

MySQL High Availability Solutions Alex Poritskiy Percona The Five 9s of Availability Clustering & disasters Geographical Redundancy power failures network failures Clustering Technologies hardware failures software failures

593 views • 47 slides
CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms for ( U ) Counter Examples and witnesses Symbolic Model Checking (Thursday) Binary Decision Trees

740 views • 40 slides
Availability models Dr. Jnos Tapolcai tapolcai@tmit.bme.hu http://opti.tmit.bme.hu/~tapolcai/

Availability models Dr. Jnos Tapolcai tapolcai@tmit.bme.hu http://opti.tmit.bme.hu/~tapolcai/

Availability models Dr. Jnos Tapolcai tapolcai@tmit.bme.hu http://opti.tmit.bme.hu/~tapolcai/ / 1 Failure sources HW failures Network element failures Type failures Manufacturing or design failures Turns out at the testing

553 views • 31 slides
Political Market Failures and Corruption November 2008 () Political Market Failures and

Political Market Failures and Corruption November 2008 () Political Market Failures and

Political Market Failures and Corruption November 2008 () Political Market Failures and Corruption November 2008 1 / 9 When Does Political Competition Lead to Optimal Provision of Public Goods? Political economy models predict that policy in

103 views • 9 slides
A micro-perspective on variation and universals Jeroen van Craenenbroeck 1 Marjo van Koppen 2 1

A micro-perspective on variation and universals Jeroen van Craenenbroeck 1 Marjo van Koppen 2 1

A micro-perspective on variation and universals Jeroen van Craenenbroeck 1 Marjo van Koppen 2 1 CRISSP/KU Leuven, jeroen.vancraenenbroeck@kuleuven.be 2 UiL-OTS/Utrecht University, j.m.vankoppen@uu.nl . . . . . . . . . . . . . . . .

798 views • 45 slides
A Scalable Architecture for Ordered Parallelism Mark Jeffrey , Suvinay Subramanian, Cong Yan,

A Scalable Architecture for Ordered Parallelism Mark Jeffrey , Suvinay Subramanian, Cong Yan,

A Scalable Architecture for Ordered Parallelism Mark Jeffrey , Suvinay Subramanian, Cong Yan, Joel Emer, Daniel Sanchez MICRO 2015 Multicores Target Easy Parallelism 2 Multicores Target Easy Parallelism 2 Regular : known tasks and data

1.22k views • 110 slides
Microservices at Netflix Scale First Principles, Tradeoffs, Lessons Learned Ruslan Meshenberg

Microservices at Netflix Scale First Principles, Tradeoffs, Lessons Learned Ruslan Meshenberg

Microservices at Netflix Scale First Principles, Tradeoffs, Lessons Learned Ruslan Meshenberg @rusmeshenberg Microservices: all benefits, no costs? Netflix is the worlds leading Internet television network with over 81 million members in

1.01k views • 62 slides
PHI: ARCHITECTURAL SUPPORT FOR SYNCHRONIZATION- AND BANDWIDTH-EFFICIENT COMMUTATIVE SCATTER

PHI: ARCHITECTURAL SUPPORT FOR SYNCHRONIZATION- AND BANDWIDTH-EFFICIENT COMMUTATIVE SCATTER

PHI: ARCHITECTURAL SUPPORT FOR SYNCHRONIZATION- AND BANDWIDTH-EFFICIENT COMMUTATIVE SCATTER UPDATES Anurag Mukkara , Nathan Beckmann, Daniel Sanchez MICRO 2019 Scatter updates are common but inefficient 2 Scatter updates are common but

1.55k views • 152 slides
The Micro-Price Sasha Stoikov Cornell University Jim Gatheral @ NYU Introduction General

The Micro-Price Sasha Stoikov Cornell University Jim Gatheral @ NYU Introduction General

Introduction General Framework Toy models Discrete Markov model Data Analysis Conclusion The Micro-Price Sasha Stoikov Cornell University Jim Gatheral @ NYU Introduction General Framework Toy models Discrete Markov model Data Analysis

639 views • 30 slides
Micro Simulations in ORA Tom Magelinski tmagelin@andrew.cmu.edu School of Computer Science,

Micro Simulations in ORA Tom Magelinski tmagelin@andrew.cmu.edu School of Computer Science,

<Your Name> Micro Simulations in ORA Tom Magelinski tmagelin@andrew.cmu.edu School of Computer Science, Carnegie Mellon Summer Institute 2020 Center for Computational Analysis of Social and Organizational Systems

395 views • 28 slides
Supporting Data Interlinking in Semantic Libraries with Microtask Crowdsourcing Cristina Sarasua

Supporting Data Interlinking in Semantic Libraries with Microtask Crowdsourcing Cristina Sarasua

Supporting Data Interlinking in Semantic Libraries with Microtask Crowdsourcing Cristina Sarasua SWIB 2014, Bonn Institute for Web Science and Technologies University of Koblenz-Landau, Germany Cristina Sarasua Supporting Data

585 views • 33 slides
Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical

Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical

Micro-Architectural Attacks on Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical Systems Cyber Physical Systems (CPS) Cyber (Computer) + Physical (Plant) Real-time Control physical

310 views • 29 slides

More recommend