Presentation is loading. Please wait.

Presentation is loading. Please wait.

Taming Concurrency: A Program Verification Perspective Shaz Qadeer Microsoft Research.

Published byBernadette Gibson Modified over 8 years ago

Similar presentations

Presentation on theme: "Taming Concurrency: A Program Verification Perspective Shaz Qadeer Microsoft Research."— Presentation transcript:

1 Taming Concurrency: A Program Verification Perspective Shaz Qadeer Microsoft Research

2 Reliable concurrent software? Correctness problem –does program behave correctly for all inputs and all interleavings? Bugs due to concurrency are insidious –non-deterministic, timing dependent –data corruption, crashes –difficult to detect, reproduce, eliminate

3 P satisfies S Undecidable problem! Why is verification of concurrent programs more difficult than verification of sequential programs?

4 P satisfies S Assertions: Provide contracts to decompose problem into a collection of decidable problems pre-condition and post-condition for each procedure loop invariant for each loop Abstractions: Provide an abstraction of the program for which verification is decidable Finite-state systems finite automata Infinite-state systems pushdown automata, counter automata, timed automata, Petri nets

5 Interference int t; t := x; t := t + 1; x := t; Correct pre x = 0; post x = 1;

6 Interference int t; t := x; t := t + 1; x := t; Incorrect! pre x = 0; post x = 2; int t; t := x; t := t + 1; x := t; AB

7 Controlling interference int t; acquire(l); t := x; t := t + 1; x := t; release(l); Correct! pre x = 0; post x = 2; int t; acquire(l); t := x; t := t + 1; x := t; release(l); AB

8 Interference makes program verification difficult Annotation explosion with the assertion approach State explosion with the abstraction approach

9 Annotation explosion For sequential programs –assertion for each loop –assertion refers only to variables in scope For concurrent programs –assertion for each control location –assertion may need to refer to private state of other threads

10 State explosion SequentialConcurrent Finite-state systems Pushdown systems P.G (P.G) 3 P = # of program locations G = # of global states PSPACE complete Undecidable n = # of threads

11 Taming interference Atomicity for combating annotation explosion Interference-bounding for combating state explosion

12 Critical_Section l; /*# guarded_by l */ int balance; Bank account /*# atomic */ void deposit (int x) { acquire(l); int r = balance; balance = r + x; release(l); } /*# atomic */ int read( ) { int r; acquire(l); r = balance; release(l); return r; } /*# atomic */ void withdraw(int x) { int r = read(); acquire(l); balance = r – x; release(l); }

13 Atomicity violation in StringBuffer (Flanagan-Q, PLDI 03) public final class StringBuffer { private int count; private char[ ] value;. public synchronized StringBuffer append (StringBuffer sb) { if (sb == null) sb = NULL; int len = sb.length( ); int newcount = count + len; if (newcount > value.length) expandCapacity(newcount); sb.getChars(0, len, value, count); //use of stale len !! count = newcount; return this; } public synchronized int length( ) { return count; } public synchronized void getChars(...) {... } }

14 Inadequate atomicity is a good predictor of undesirable interference! compared to data races Numerous tools for detecting atomicity violations static (Type systems, ESPC, QED) dynamic (Atomizer, AVIO, AtomAid, Velodrome, …) Significant effort cutting across communities architecture and operating systems programming languages and compilers testing and formal methods

15 Definition of atomicity deposit is atomic if for every non-serialized execution, there is a serialized execution with the same behavior         acq(l)r=balbal=r+nrel(l)xyz  Serialized execution of deposit         acq(l)r=balbal=r+nrel(l)xyz         acq(l)r=balbal=r+nrel(l)xyz  Non-serialized executions of deposit

16 S0S0 S1S1 S2S2 S3S3 S4S4 S7S7 S6S6 S5S5 acq(l)r=balbal=r+nrel(l)xyz S0S0 T1T1 T2T2 T3T3 S4S4 S7S7 T6T6 S5S5 r=balbal=r+nrel(l)xyz acq(l) S0S0 T1T1 S2S2 T3T3 S4S4 S7S7 S6S6 S5S5 yr=balbal=r+nrel(l)xacq(l)z S0S0 T1T1 T2T2 T3T3 S4S4 S7S7 S6S6 S5S5 r=balbal=r+nrel(l)xyz S0S0 S1S1 S2S2 T3T3 S4S4 S7S7 S6S6 S5S5 acq(l)r=balbal=r+nrel(l)yz x Reduction (Lipton, CACM 75)

17  B: both right + left commutes –variable access holding lock  A: atomic action, non-commuting –access unprotected variable Four atomicities  L: left commutes –lock release  R: right commutes –lock acquire

18 S0S0. S5S5 R* A L*xY... S0S0. S5S5 R* A L* x Y... Sequential composition  Theorem: Sequence (R+B)*;(A+  ); (L+B)* is atomic CCCCCC CCCAAA CCCLLL CARARR CARLBB CARLB; ; A R;A;L ; R;A;L C A ; A R; B ; A; L A R

19 Critical_Section l; /*# guarded_by l */ int balance; Bank account /*# atomic */ void deposit (int x) { acquire(l); int r = balance; balance = r + x; release(l); } /*# atomic */ int read( ) { int r; acquire(l); r = balance; release(l); return r; } /*# atomic */ void withdraw(int x) { int r = read(); acquire(l); balance = r – x; release(l); } RBBLRBBL A RBLBRBLB A ARBLARBL C Incorrect!

20 Critical_Section l; /*# guarded_by l */ int balance; Bank account /*# atomic */ void deposit (int x) { acquire(l); int r = balance; balance = r + x; release(l); } /*# atomic */ int read( ) { int r; acquire(l); r = balance; release(l); return r; } /*# atomic */ void withdraw(int x) { acquire(l); int r = balance; balance = r – x; release(l); } RBBLRBBL A RBLBRBLB A RBBLRBBL A Correct!

21 Taming interference Atomicity for combating annotation explosion Interference-bounding for combating state explosion

22 Interference bounding An approach to the state-explosion problem Explore all executions with a bounded amount of interference –increase the interference bound iteratively Good idea if low interference bound –can be exploited by algorithms –is enough to expose bugs

23 Context-bounded verification [Wu-Q, PLDI 04] [Rehof-Q, TACAS 05]           Context Context switch Interference proportional to number of context switches Explore all executions with few context switches Unbounded computation within each context –Different from bounded model checking

24 Context-bounding today CHESS [Musuvathi-Q, PLDI 07] JMoped [Suwimonteerabuth et al., SPIN 08] SPIN for multithreaded C programs [Zaks- Joshi, SPIN 08] CBA [Lal-Reps, CAV 08] Static Driver Verifier

25 Testing concurrent programs is HARD Bugs hidden in rare thread interleavings Today, concurrency testing = stress testing –Poor coverage of interleavings –Unpredictable coverage results in “Heisenbugs” The mark of reliability of the system still remains its ability to withstand stress

26 CHESS in a nutshell Replace the OS scheduler with a demonic scheduler Systematically explore all scheduling choices Concurrent Program Win32 API Kernel Scheduler Kernel Scheduler Demonic Scheduler Demonic Scheduler

27 CHESS architecture Kernel: Threads, Scheduler, Synchronization Objects Kernel: Threads, Scheduler, Synchronization Objects While(not done) { TestScenario() } While(not done) { TestScenario() } TestScenario() { … } Program CHESS CHESS runs the scenario in a loop Each run takes different interleaving Each run is repeatable Win32 API Intercept synchronization and threading calls To control and introduce nondeterminism Detect Assertion violations Deadlocks Dataraces Livelocks

28 CHESS methodology generalizes CHESS works for –Unmanaged programs (written in C, C++) –Managed programs (written in C#,…) –Singularity applications With appropriate wrappers, can work for Java, Linux applications.NET Program.NET Program.NET CLR CHESS Win32 Program Win32 Program Win32 / OS CHESS Singularity Program Singularity Program Singularity CHESS

29 CHESS: Systematic testing for concurrency Kernel: Threads, Scheduler, Synchronization Objects While(not done){ TestScenario() } TestScenario(){ … } Program CHESS Win32 API CHESS runs the scenario in a loop Each run is a different interleaving Each run is repeatable

30 x = 1; … x = k; State-space explosion x = 1; … x = k; … n threads k steps each Number of executions = O( n nk ) Exponential in both n and k –Typically: n 100 Limits scalability to large programs Goal: Scale CHESS to large programs (large k) Thread 1Thread n

31 x = 1; if (p != 0) { x = p->f; } Preemption-bounding Prioritize executions with small number of preemptions Two kinds of context switches: Preemptions – forced by the scheduler e.g. Time-slice expiration Non-preemptions – a thread voluntarily yields e.g. Blocking on an unavailable lock, thread end x = p->f; } x = 1; if (p != 0) { p = 0; preemption non-preemption Thread 1Thread 2

32 Preemption-bounding in CHESS The scheduler has a budget of c preemptions –Nondeterministically choose the preemption points Resort to non-preemptive scheduling after c preemptions Once all executions explored with c preemptions –Try with c+1 preemptions

33 x = 1; … x = 1; … x = k; Property 1: Polynomial bound Terminating program with fixed inputs and deterministic threads –n threads, k steps each, c preemptions Number of executions <= nk C c. (n+c)! = O( (n 2 k) c. n! ) Exponential in n and c, but not in k x = 1; … x = k; x = 1; … x = k; … x = k; Choose c preemption points Permute n+c atomic blocks Thread 1Thread 2

34 Property 2: Simple error traces Finds smallest number of preemptions to the error Number of preemptions better metric of error complexity than execution length

35 Property 3: Coverage metric If search terminates with preemption- bound of c, then any remaining error must require at least c+1 preemptions Intuitive estimate for –The complexity of the bugs remaining in the program –The chance of their occurrence in practice

36 Property 4: Many bugs with 2 preemptions ProgramLines of code Bugs Work Stealing Q4K4 CDS6K1 CCR9K3 ConcRT16K4 Dryad18K7 APE19K4 STM20K2 TPL24K9 PLINQ24K1 Singularity175K2 37 (total) Acknowledgement: testers from PCP team

37 Coverage vs. Preemption-bound

38 CHESS status Being used by testers in many Microsoft product groups Demo and session at Professional Developer Conference 2008 CHESS for Win32 –http://research.microsoft.com/projects/chess CHESS for.NET –Coming soon

39 So far … Interference makes program verification difficult Taming interference –atomicity –interference-bounding

40 Whither next? Concurrent programs as a composition of modules implementing atomic actions Inteference-bounding for general concurrent systems Symbolic context-bounded verification

41 Structuring concurrent programs In addition to atomicity, we need –behavioral abstraction analogous to pre/post- conditions for sequential code fragments –intuitive and simple contract language A calculus of atomic actions (Elmas- Tasiran-Q, POPL 08) –QED verifier

42 Interference-bounding for general concurrent systems Task = unit-of-work Shared-memory systems –Task (usually) corresponds to a thread Message-passing systems –Task corresponds to a sequence of messages Need linguistic support for the task abstraction in software models and implementations

43 Context-bounded reachability is NP-complete UnboundedContext-bounded Finite-state systems Pushdown systems PSPACE complete NP-complete UndecidableNP-complete P = # of program locations G = # of global states n = # of threads c = # of context switches

44 Symbolic context-bounded verification The transition relations of tasks are usually encoded symbolically –reachability analysis is PSPACE-complete even for a single task Scalable tools for single symbolic task –Bebop, Moped, Getafix Can we extend these techniques to deal with multiple tasks? –Lal and Reps (TACAS 2008, CAV 2008) –Suwimonteerabuth et al. (SPIN 2008)

45 Questions?

Download ppt "Taming Concurrency: A Program Verification Perspective Shaz Qadeer Microsoft Research."

Similar presentations

CHESS : Systematic Testing of Concurrent Programs

CHESS : Systematic Testing of Concurrent Programs
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.

QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.
The complexity of predicting atomicity violations Azadeh Farzan Univ of Toronto P. Madhusudan Univ of Illinois at Urbana Champaign.

The complexity of predicting atomicity violations Azadeh Farzan Univ of Toronto P. Madhusudan Univ of Illinois at Urbana Champaign.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.

Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Algorithmic Verification of Concurrent Programs Shaz Qadeer Microsoft Research.

Algorithmic Verification of Concurrent Programs Shaz Qadeer Microsoft Research.
Reducing Context-bounded Concurrent Reachability to Sequential Reachability Gennaro Parlato University of Illinois at Urbana-Champaign Salvatore La Torre.

Reducing Context-bounded Concurrent Reachability to Sequential Reachability Gennaro Parlato University of Illinois at Urbana-Champaign Salvatore La Torre.
CHESS: Systematic Concurrency Testing Tom Ball, Sebastian Burckhardt, Madan Musuvathi, Shaz Qadeer Microsoft Research

CHESS: Systematic Concurrency Testing Tom Ball, Sebastian Burckhardt, Madan Musuvathi, Shaz Qadeer Microsoft Research
Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.

Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.
CHESS: A Systematic Testing Tool for Concurrent Software CSCI6900 George.

CHESS: A Systematic Testing Tool for Concurrent Software CSCI6900 George.
Tom Ball, Sebastian Burckhardt, Madan Musuvathi, Shaz Qadeer Microsoft Research.

Tom Ball, Sebastian Burckhardt, Madan Musuvathi, Shaz Qadeer Microsoft Research.

Similar presentations

Ads by Google