Presentation is loading. Please wait.

Presentation is loading. Please wait.

What’s Decidable for Asynchronous Programs? Rupak Majumdar Max Planck Institute for Software Systems Joint work with Pierre Ganty, Michael Emmi, Fernando.

Published bySonny Kellogg Modified over 8 years ago

Similar presentations

Presentation on theme: "What’s Decidable for Asynchronous Programs? Rupak Majumdar Max Planck Institute for Software Systems Joint work with Pierre Ganty, Michael Emmi, Fernando."— Presentation transcript:

1 What’s Decidable for Asynchronous Programs? Rupak Majumdar Max Planck Institute for Software Systems Joint work with Pierre Ganty, Michael Emmi, Fernando Rosa-Velardo

2 Sequential Imperative Programs Program = Instruction Sequence Input Output Executed sequentially Analysis for Safety and liveness is well-studied: Safety: (Interprocedural) dataflow analysis based on abstract interpretation Liveness: Termination analysis based on well-foundedness

3 Concurrent Programs Why? Latency hiding Where? Operating Systems Web Servers Everywhere… Two Styles: -Multithreaded programs maintain parallel threads of execution -Asynchronous (event- driven) programs co-operatively schedule tasks Requests Program interacts with a Concurrent environment Responses

4 Asynchronous Programs Programming Model: Distributed Systems Web Servers Embedded Systems Mobile platforms Languages and Libraries: LibAsync, LibEvent, … Go, Rust, … Javascript/AJAX Android/iOS Requests Requests buffered and executed asynchronously Responses

5 Asynchronous Program Analysis This Talk: Decidability landscape of safety and (sometimes) liveness for expressive classes of asynchronous programming models [JhalaM07,GantyM.2012,EmmiGantyM.Rosa-Velardo15] Decidability is nontrivial: Not finite state or context free: -potentially unbounded stacks, -potentially unbounded request buffers, events Decidability is useful: basis for static analysis -Often used in correctness critical settings -The style breaks up control flow, making it difficult to reason about code

6 Simple Asynchronous Programs h1(){ if(b == 0){ async h1(); async h2(); return; } h2(){... b = 1;... return; } main(){... async h1();... } global bit b = 0; main ends in dispatch location Calls asynchronously posted functions Async calls stored in task buffer Scheduler picks a pending task and runs it to completion

7 Asynchronous Program Execution h1(){ if(b == 0){ async h1(); async h2(); return; } h2(){... b = 1;... return; } main(){... async h1();... } global bit b = 0; PC Execution starts in main Task buffer empty Pending Calls h1 State: b = 0

8 Asynchronous Program Execution h1(){ if(b == 0){ async h1(); async h2(); return; } h2(){... b = 1;... return; } main(){... async h1();... } global bit b = 0; PC Execution enters dispatch loop Picks pending call and executes it Returns to dispatch loop on return Pending Calls h1 PC h1 h2 State: b = 0

9 Asynchronous Program Execution h1(){ if(b == 0){ async h1(); async h2(); return; } h2(){... b = 1;... return; } main(){... async h1();... } global bit b = 0; PC Pick another pending call Pending Calls h1 PC h2 State: b = 0 h1 h2

10 Asynchronous Program Execution h1(){ if(b == 0){ async h1(); async h2(); return; } h2(){... b = 1;... return; } main(){... async h1();... } global bit b = 0; PC Pick some pending task Pending Calls h2 PC h2 h1 State: b = 0State: b = 1

11 Asynchronous Program Execution h1(){ if(b == 0){ async h1(); async h2(); return; } h2(){... b = 1;... return; } main(){... async h1();... } global bit b = 0; PC Pick some pending task Pending Calls h2 PC h1 State: b = 1

12 Asynchronous Program Execution h1(){ if(b == 0){ async h1(); async h2(); return; } h2(){... b = 1;... return; } main(){... async h1();... } global bit b = 0; PC And the program terminates Pending Calls h2 PC State: b = 1

13 Properties: Safety h1(){ if(b == 0){ async h1(); async h2(); return; } h2(){... b = 1;... return; } main(){... async h1();... } global bit b = 0; Given a Boolean asynchronous program and a control location in a handler Is there an execution which reaches the control location? We do not care about the task buffer - Handlers cannot take decisions based on the contents of the task buffer

14 Properties: Termination h1(){ if(b == 0){ async h1(); async h2(); return; } h2(){... b = 1;... return; } main(){... async h1();... } global bit b = 0; Given a Boolean asynchronous program, Does it terminate? main does not terminate on all runs What if h1 is chosen over h2 forever?

15 Fairness h1(){ if(b == 0){ async h1(); async h2(); return; } h2(){... b = 1;... return; } main(){... async h1();... } global bit b = 0; An infinite execution is fair if -For every handler h that is pending -The scheduler eventually picks and runs an instance of h -So: the run choosing h1 over h2 always is not fair -Will focus on fair runs -Captures the intuition that scheduling is fair

16 Fair Termination Given: –A simple asynchronous program with Boolean variables Check: –There is no fair infinite run Two checks: (a)Each called handler terminates (b)There is no infinite fair execution of handlers LTL model checking for pushdown systems [Walukiewicz, BouajjaniEsparzaMaler, Steffen]

17 First Attempt h1(){ if(b == 0){ async h1(); async h2(); return; } h2(){... b = 1;... return; } main(){... async h1();... } global bit b = 0; Reduce to sequential analysis -Add a counter for each handler (tracks number of pending instances) -An async call increments counter -Dispatch loop chooses a non-zero counter, decrements it and runs corresponding handler

18 First Attempt h1(){ if(b == 0){ ch1++; ch2++; return; } h2(){... b = 1;... return; } main(){... ch1++; while(ch1>0||ch2>0){ pick h s.t. ch > 0 ch--; h(); } global bit b = 0; ch1=0,ch2=0; Reduce to sequential analysis -Add a counter for each handler (tracks number of pending instances) -An async call increments counter -Dispatch loop chooses a non-zero counter, decrements it and runs corresponding handler -Sound, but decidability not obvious -In general, analyses undecidable for sequential programs with counters

19 Petri Nets Can convert an asynchronous program into a Petri net in polynomial time s.t. every execution of the async program is equivalent to an execution of the PN In particular: –The asynchronous program is safe iff the Petri net is coverable –The asynchronous program fairly terminates iff the Petri net has no fair infinite runs

20 General Scheme for the PN Posts add a token to the place for the handler Dispatch takes a token from the scheduler and one from the buffer (nondet) Task completion puts token back on scheduler Petri net representation for the CFG of each handler Scheduler Task buffer: One place for each handler … Places for global state

21 Removing the Stack Observation: Just the number of async calls matter, not the order in which they are made Parikh’s Lemma: For every context free language L, there is a regular language L’ such that: –For every w in L, there is a permutation of w in L’ and conversely So: can replace a recursive handler with a non- recursive one while maintaining the summary

22 Polynomial Time Conversion Do not explicitly compute the Parikh image (that FSA can be exponentially bigger) Instead, go from the CFG for a handler to a Petri net: –Places: Terminals + Non-terminals –Transitions: A -> BC takes a token from A and puts a token each in B and C

23 Example: CFG  PN Problem: How do you know the grammar has a full derivation?  There are no tokens in the variable places Theorem [EsparzaKieferLuttenberger, EsparzaGantyKieferLuttenberger] For a CFG with n nonterminals, the 2n- index language has the same Parikh image So give a budget to the PN S A ab

24 Petrification b=0 b!=0 set b:=1 Tokens: –Control flow in each handler –Pending handler calls pending h1 dispatch pending h2 h1(){ if(b == 0){ async h1(); async h2(); return; } h2(){... b = 1;... return; } main(){... async h1();... } global bit b = 0; Code for h1

25 Safety Verification Theorem: Safety verification EXPSPACE- complete Simple async program  Petri net  Coverability Poly time

26 Fair Termination Theorem: Fair termination for simple async programs is decidable and equivalent to PN reachability Program  PN  Yen’s logic to encode fair termination No implementation yet

27 An Aside on Implementation Two approaches to verification: 1.Abstract the program, use generic PN coverability tool bfc, mist, iic [KaiserKroeningWahl,Ganty,KloosM.NiksicPiskac] 2. Directly perform analysis on the program [JhalaM.07], using counter abstractions and expand-enlarge-check [GeeraertsRaskinvanBegin] Some initial progress, but no “stable” source-level tools Also, tools for bug finding [EmmiLalQadeer,MaiyaKanadeM.]

28 A Related Result Theorem: [BozzelliGanty] Backward iteration terminates in doubly exponential many iterations on PN [M.Wang14] EEC terminates in at most doubly exponential many iterations - With space efficient implementations of reachability, EEC is in EXPSPACE

29 “Real” Asynchronous Programs Cancel tasks Dynamically create task buffers Associate events with tasks, wait and synchronize on events Dynamically create events

30 Real Asynchronous Programming Programmers create events dynamically Tasks wait in task buffers and are activated by events One or more threads execute tasks from buffers (often, threads are associated with a buffer)

31 Example p1(){ b = 1; sync e } p2(){ assert (b==1); } main(){ e = new event async p1 {} buf; async p2 {e} buf; } global bit b = 0; event e;

32 Canceling tasks cancel h remove all pending occurrences of h Safety remains decidable  Go to PN + reset Liveness is undecidable

33 Dynamic Buffers buf = new buffer … post handler buffer Safety remains decidable: - hierarchical PN: “Buffer” tokens carry their own multiset of pending handlers - depth bounded pi-calculus [Meyer] - direct wqo construction

34 Events Problem: Tasks can pend on several events, and they are released by the first event that occurs –There can be unbounded chains created by tasks waiting on event sets –Do not see how to encode in depth bounded pi-calculus

35 Petri Data Nets Tokens carry data from dense linearly ordered domain -Places, transitions as for PN -Transition of arity n has a precondition sequence of length n and a postcondition sequence of length n: - how many tokens of the ith identity are consumed, how many are produced

36 Example a x<y<z x b z c

37 Modeling Pending Events I Tokens carry one identity, but tasks can wait on multiple events Attempt 1: Guess which token will fire the task at task creation Does not work – what if event 1 always happens before event 2? –Add spurious behaviors

38 Modeling Pending Events II Use the linear ordering! Guess the order in which events will fire at event creation time At task creation time, select the minimal event it pends on Plus some bookkeeping to ensure ordering of events is maintained Details are complicated 

39 Safety Verification Theorem: [EmmiGantyM.Rosa-Velardo] Safety verification decidable (but Ackermann hard) Async program  Petri data net  Coverability Poly time [LazicNewcombOuaknineRoscoeWorrell]

40 Summary Asynchronous programs are a common programming idiom –High performance –Complicated code –Good static analysis tools can help We now have the theoretical foundations –Decidable safety, decidable liveness under abstraction –But still some ways from scalable tools –In particular, tools that work on source code

41 Questions? http://www.mpi-sws.org/~rupak/

Download ppt "What’s Decidable for Asynchronous Programs? Rupak Majumdar Max Planck Institute for Software Systems Joint work with Pierre Ganty, Michael Emmi, Fernando."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
CS 345: Chapter 9 Algorithmic Universality and Its Robustness

CS 345: Chapter 9 Algorithmic Universality and Its Robustness
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Static Provenance Verification for Message Passing Programs Rupak Majumdar Roland MeyerZilong Wang MPI-SWSTU KaiserslauternMPI-SWS.

Static Provenance Verification for Message Passing Programs Rupak Majumdar Roland MeyerZilong Wang MPI-SWSTU KaiserslauternMPI-SWS.
Models of Concurrency Manna, Pnueli.

Models of Concurrency Manna, Pnueli.
Knowledge Based Synthesis of Control for Distributed Systems Doron Peled.

Knowledge Based Synthesis of Control for Distributed Systems Doron Peled.
A university for the world real R © 2009, www.yawlfoundation.org Chapter 3 Advanced Synchronization Moe Wynn Wil van der Aalst Arthur ter Hofstede.

A university for the world real R © 2009, Chapter 3 Advanced Synchronization Moe Wynn Wil van der Aalst Arthur ter Hofstede.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Silberschatz, Galvin and Gagne ©2007 Operating System Concepts with Java – 7 th Edition, Nov 15, 2006 Chapter 6 (a): Synchronization.

Silberschatz, Galvin and Gagne ©2007 Operating System Concepts with Java – 7 th Edition, Nov 15, 2006 Chapter 6 (a): Synchronization.
Timed Automata.

Timed Automata.
Chapter 6 Process Synchronization Bernard Chen Spring 2007.

Chapter 6 Process Synchronization Bernard Chen Spring 2007.
Chapter 6: Process Synchronization

Chapter 6: Process Synchronization
Keeping a Crowd Safe On the Complexity of Parameterized Verification Javier Esparza Technical University of Munich.

Keeping a Crowd Safe On the Complexity of Parameterized Verification Javier Esparza Technical University of Munich.
From Monotonic Transition Systems to Monotonic Games Parosh Aziz Abdulla Uppsala University.

From Monotonic Transition Systems to Monotonic Games Parosh Aziz Abdulla Uppsala University.
Race Conditions. Isolated & Non-Isolated Processes Isolated: Do not share state with other processes –The output of process is unaffected by run of other.

Race Conditions. Isolated & Non-Isolated Processes Isolated: Do not share state with other processes –The output of process is unaffected by run of other.
Synthesis of Embedded Software Using Free-Choice Petri Nets.

Synthesis of Embedded Software Using Free-Choice Petri Nets.

Similar presentations

Ads by Google