Presentation is loading. Please wait.

Presentation is loading. Please wait.

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford.

Published byJulius Dennis Modified over 8 years ago

Similar presentations

Presentation on theme: "Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford."— Presentation transcript:

1 Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University Mooly Sagiv Tel Aviv University Martin Vechev ETH Eran Yahav Technion

2 Specifying and Verifying Software Composition Efficient libraries are widely available Composing software in a way which guarantee correctness: –Specification –Verification –Synthesis –Performance

3 Concurrent Data Structures Writing highly concurrent data structures is complicated Modern programming languages provide efficient concurrent collections with atomic operations. … … … … … … … …

4 attr = new HashMap(); … Attribute removeAttribute(String name){ Attribute val = null; synchronized(attr) { found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } attr = new ConcurrentHashMap(); … Attribute removeAttribute(String name){ Attribute val = null; /* synchronized(attr) { */ found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } /* } */ return val; } TOMCAT Motivating Example TOMCAT 5.*TOMCAT 6.* Invariant: removeAttribute(name) returns the removed value or null if it does not exist

5 removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; o attr.put(“A”, o); attr.remove(“A”);  Invariant: removeAttribute(name) returns the removed value or null if it does not exist

6 Challenge Testing and Verifying the atomicity of composed operations … … … … … … … …

7 Challenges in Testing Specifying software correctness Bugs occur in rarely executed traces –Especially true in concurrent systems Scalability of dynamic checking –large traces Hard to find programs to test

8 Challenges in Verification Specifying software correctness Many sources of unboundedness –Data Integers Stack Heap … –Interleavings Scalability of static checking –Large programs Hard to find programs to verify

9 Testing atomicity of composed operations OOPSLA’11

10 Challenge 1: Long traces Assume that composed operations are written inside encapsulated methods Modular testing –Unit testing in all contexts –Composed operations need to be correct in all contexts May lead to false warnings

11 False Warning if (m.contains(k)) return m.get(k); else return k; False warning in clients without remove Sometimes indicate “future bugs” m.remove(k);

12 Challenge 2: Specification Check that composed operations are Linearizable [Herlihy & Wing, TOPLAS’90] –Returns the same result as some sequential run

13 Linearizability removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; attr.put(“A”, o); attr.remove(“A”); removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { return val; removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { return val; attr.put(“A”, o); attr.remove(“A”); attr.put(“A”, o); attr.remove(“A”); removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; o o null o o o attr.remove(“A”);

14 But Linearizability errors only occur in rarely executed paths removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; attr.put(“A”, o); attr.remove(“A”);

15 Linearizability errors only occur in rarely executed paths Only consider “atomic” executions of base collection operations [TACAS’10, Ball et. al.] Employ commutativity/influence of base collection operations –Operations on different key commute –Partial order reduction using the collection interface

16 Influence table OperationConditionPotential Action get(k)get(k) == nullput(k,*) get(k)get(k) != nullremove(k) containsKey(k)get(k) == nullput(k,*) containsKey(k)get(k) != nullremove(k) get(k) == nullput(k,*) remove(k)get(k) != nullremove(k)

17 removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; attr.put(“A”, o); attr.remove(“A”); Influence trace

18 COLT Tester program CO extractor candidate COs Timeout instrument linearizability checking CO key/value driver Non-Lin Execution library spec influence driver

19 removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } attr.put(“A”, o); attr.remove(“A”); o o null

20 attr.put(“A”, o); attr.remove(“A”); removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { return val; removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { return val; attr.put(“A”, o); attr.remove(“A”); attr.put(“A”, o); attr.remove(“A”); removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; o o null o o o removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; attr.put(“A”, o); attr.remove(“A”);

21 Evaluation Use Google code search and Koders to search for collection operations methods with at least two operations Used simple static analysis to extract composed operations –29% needed manual modification Check Linearizability of all public domain composed operations Extracted 112 composed operations from 55 applications –Apache Tomcat, Cassandra, MyFaces – Trinidad, … Each run took less than a second Without influence timeout always occur

22 112 Unknown

23 59 Non Linearizable 53 Unknown

24 42 Non Linearizable 17 Open Non Linearizable

25 42 Non Linearizable 31 Linearizable 22 Globals

26 31 Linearizable 81 Non-Linearizable

27 Results Reported the bugs with fixes Even bugs in open environment As a result of the paper the Java library is being changed “A preliminary version is in the pre-java8 "jsr166e" package as ConcurrentHashMapV8. We can't release the actual version yet because it relies on Java8 lambda (closure) syntax support. See links from http://gee.cs.oswego.edu/dl/concurrency-interest/index.html including: http://gee.cs.oswego.edu/dl/jsr166/dist/jsr166edocs/jsr166e/Co ncurrentHashMapV8.html Good luck continuing to find errors and misuses that can help us create better concurrency components!” http://gee.cs.oswego.edu/dl/concurrency-interest/index.html http://gee.cs.oswego.edu/dl/jsr166/dist/jsr166edocs/jsr166e/Co ncurrentHashMapV8.html

28 Verifying atomicity of composed operations

29 Motivation Unbounded number of potential composed operations –There exists no “thick” interface Automatically prove Linearizability for composed operations beyond the ones provided –Already supports the existing interface –No higher order functions Zero false alarms –beyond modularity

30 Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } Easy detection

31 Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } Data independent [Wolper, POPL’86] Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; }

32 Verifying data independent operations using Linearization points in the code Data independentVerified using single input Influence CO adds one value Map elements are bounded Single Mutation

33 Verifying data independent operations Small model reduction Decidable when the local state is bounded Explore all possible executions using: –One input key and finite number of values –Influenced based environment uses single value Employ SPIN

34

35

36 program Composed Operation extractor candidate COs CO Library spec Data Independent verifier SCM/FCM Input keys/values Lin Linearizability verifier generator Non-Lin CO SPIN Promela Input keys/values Linearizability tester generator CO Execution Java No SCM key/value driver Influence driver Unknown Non-Lin Influence driver

37 31 Linearizable 81 Non-Linearizable

38 Summary Writing concurrent data structures is hard Employing atomic library operations is error prone Modular linearizability checking Leverage influence Leverage data independence Sweet spot –Identify important bugs together with a traces showing and explaining the violations –Hard to find –Prove the linearizability of several composed operations –Simple and efficient technique

Download ppt "Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Shape Analysis for Fine-Grained Concurrency using Thread Quantification Josh Berdine Microsoft Research Joint work with: Tal Lev-Ami, Roman Manevich, Mooly.

Shape Analysis for Fine-Grained Concurrency using Thread Quantification Josh Berdine Microsoft Research Joint work with: Tal Lev-Ami, Roman Manevich, Mooly.
Guy Golan-GuetaTel-Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University G. Ramalingam Microsoft Research Mooly Sagiv Tel-Aviv.

Guy Golan-GuetaTel-Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University G. Ramalingam Microsoft Research Mooly Sagiv Tel-Aviv.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Hongjin Liang and Xinyu Feng

Hongjin Liang and Xinyu Feng
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.

1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
Interprocedural Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12.

Interprocedural Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.

Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
Testing and Quality Assurance

Testing and Quality Assurance
Paraglide Martin Vechev Eran Yahav Martin Vechev Eran Yahav.

Paraglide Martin Vechev Eran Yahav Martin Vechev Eran Yahav.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)

1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Similar presentations

Ads by Google