Presentation is loading. Please wait.

Presentation is loading. Please wait.

Thread-Modular Verification Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Thread-Modular Verification Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund."— Presentation transcript:

1 Thread-Modular Verification Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund

2 Calvin project  Check properties of systems code –operating systems kernel, file systems,...  Apply to multithreaded programs –deadlocks, data races,... –manifest in variety of ways –hard to recognize, locate, fix  For all inputs and all interleavings, program behaves “correctly” –no deadlocks, no races, invariants hold

3 Thread-modular verification  Modular –each thread verified separately –leverage techniques for reasoning about sequential programs  Expressive –handles variety of synchronization mechanisms  Low annotation overhead –many fewer annotations than the Owicki-Gries- Lamport method

4 SimpleLock program  Mutex lock  Verify that the assert never fails

5 Owicki-Gries-Lamport method  Sequential correctness  Non-interference X = {pre(X)} X {post(X)} {pre(Y) and pre(X)} Y {pre(X)} Y =

6 Why is Thread 1 correct? Thread 1 view: acq(mx); * * x := x * x; * x := x + 2; * assert x > 1; * rel(mx); 1-abstraction A i  (mx = i  mx’ = i  x’ = x) acq(mx); x := x * x; x := x + 2; assert x > 1; rel(mx); A1;A1; * A1;A1; * A1;A1; * A1;A1; * A1;A1; * A2A2 A2A2 A2A2 A2A2 A2A2 1-abstraction acq(mx); x := x * x; x := x + 2; assert x > 1; rel(mx); A1;A1; A1;A1; A1;A1; A1;A1; A1;A1; A2A2 A2A2 A2A2 A2A2 A2A2

7 Why is Thread 2 correct? Thread 2 view: acq(mx); * x := 0; rel(mx); 2-abstraction A i  (mx = i  mx’ = i  x’ = x) acq(mx); x := 0; rel(mx); A2;A2;A2;A2;A2;A2; A1A1 A1A1 A1A1 **

8 Assume-guarantee reasoning  Environment assumption (A t ) –expectation on every step taken by other threads  Guarantee (G t ) –conjunction of assumptions of other threads  Translate thread t into sequential t-abstraction –assume A t satisfied by steps of other threads –prove G t satisfied by each step of thread t –check using sequential techniques  Parallel program correct, if all sequential t-abstractions are correct –circularity resolved by induction over time

9 Summary of method Thread 1 Thread 2 Thread n 1-abs 2-abs n-abs ESC/Java... yes

10 Thread-modular verification theorem  If each t-abstraction of P is correct, then P is correct.  Generalize to invariant checking –want to show validity of data invariants –if no t-abstraction violates invariant I, then P does not violate invariant I

11 Thread-modular verification in practice  Assumptions parameterized by thread id  Assumptions reflexive and transitive  Scales with complexity of synchronization patterns, not size of program A i  (mx = i  mx’ = i  x’ = x)

12 Frangipani [Thekkath-Mann-Lee]  block is not allocated to inode  block allocated to inode m_inode block = null m_busy busy = false data = 0 inodeblock m_inode block m_busy busy = true data = 52 inodeblock

13 Frangipani  Assumption for thread i:

14 Current status  Theory understood  Built prototype for Java [with Seshia] –applied to Mercator (Heydon-Najork) –verified Mercator’s readers-writer lock class –checked the code of worker threads and checkpointing thread  Thread-modular verification with method calls across abstraction boundaries [with Flanagan and Seshia]

15 Related work  Owicki-Gries axiomatic semantics –replace control predicates with environment assumption  Assume-guarantee decomposition –[Abadi-Lamport 95, Jones 83,...] –designed proof system to leverage automated verification tools like ESC/Java  RCC/Java, Warlock [Sterling], ESC/Java –explicate simple locking strategy –can not easily express other idioms –data invariants

Download ppt "Thread-Modular Verification Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.
Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.

Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.

Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
CS 5204 – Operating Systems 1 Scheduler Activations.

CS 5204 – Operating Systems 1 Scheduler Activations.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.

Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.

/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.

CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
Generalizing Reduction and Abstraction to Simplify Concurrent Programs: The QED Approach Shaz Qadeer Microsoft Research Redmond, WA Serdar Taşıran Serdar.

Generalizing Reduction and Abstraction to Simplify Concurrent Programs: The QED Approach Shaz Qadeer Microsoft Research Redmond, WA Serdar Taşıran Serdar.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
1 Thread Modular Model Checking Cormac Flanagan Systems Research Center HP Labs Joint work with Shaz Qadeer (Microsoft Research)

1 Thread Modular Model Checking Cormac Flanagan Systems Research Center HP Labs Joint work with Shaz Qadeer (Microsoft Research)

Similar presentations

Ads by Google