Presentation is loading. Please wait.

Presentation is loading. Please wait.

Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

Published byMilton Golden Modified over 8 years ago

Similar presentations

Presentation on theme: "Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center."— Presentation transcript:

1 Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center

2 Practical Synthesis for Concurrent Systems Concurrent Memory Management (PLDI’06, PLDI’07, Vechev’s PhD Thesis’08) Concurrent Data Structures (PLDI’08) Concurrency vs. Observability (TACAS’09)

3 Lets suppose… I want a concurrent set that is: correct efficient portable QUICKLY

4 Now what…

5 The result… Heller et al. (OPODIS’05) Maged (PODC’02) Harris (DISC’01) Vechev & Yahav (PLDI’08)

6 bool add(int key) { Entry *pred,*curr,*entry restart: locate(pred,curr,key) k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr val=CAS(&pred->next,  curr,0 ,  entry,0  ) if (  val) goto restart return true } bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key ≠ key) if (k) return false = curr->next lval=CAS(&curr->next,  r,m ,  r,1  ) if (  lval) goto restart pval=CAS(&pred->next,  curr,0 ,  r,0  ) if (  pval) goto restart return true } New Concurrent Set Algorithm bool contains(int key) { Entry *pred,*curr locate(pred,curr,key) k = (curr->key == key) if (k) return false return true } The Good New algorithm Fine-grained synchronization (CAS) The Good New algorithm Fine-grained synchronization (CAS) The Bad Can you understand what it does? Can you show it is correct? The Bad Can you understand what it does? Can you show it is correct? The Ugly How did you get it? Anything repeatable? Any other similar algorithms? The Ugly How did you get it? Anything repeatable? Any other similar algorithms?

7 bool add(int key){ atomic Entry *pred,*curr,*entry locate(pred,curr,key); k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr pred->next = entry return true } bool remove(int key){ atomic Entry *pred,*curr,*r locate(pred,curr,key) k = (curr->key ≠ key) if (k) return false r = curr->next pred->next = r return true } Sequential Set Algorithm bool contains(int key) { atomic Entry *pred,*curr locate(pred,curr,key) k = (curr->key == key) if (k) return false return true } Understandable Proving correctness easier Understandable Proving correctness easier

8 bool add(int key) { Entry *pred,*curr,*entry restart: locate(pred,curr,key) k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr val=CAS(&pred- >next,  curr,0 ,  entry,0  ) if (  val) goto restart return true } bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key ≠ key) if (k) return false = curr->next lval=CAS(&curr->next,  r,m ,  r,1  ) if (  lval) goto restart pval=CAS(&pred- >next,  curr,0 ,  r,0  ) if (  pval) goto restart return true } Sequential to Highly Concurrent bool add(int key){ atomic Entry *pred,*curr,*entry locate(pred,curr,key); k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr pred->next = entry return true } bool remove(int key){ atomic Entry *pred,*curr,*r locate(pred,curr,key) k = (curr->key ≠ key) if (k) return false r = curr->next pred->next = r return true } ???

9 Concurrent Objects Constructions Today Performance Manual Effort Sequential Naïve STM Fine-grained STM Expert Design This Work Goal

10 Atomicity Reduction: Transformations Removing redundant atomicity Reordering statements Optimistic concurrency Add Observability (synchronization meta-data) s1 s2 s3 s4 s1 s2 s3 s4 If (validate) update else restart read s1 s2 s3 s4 s2 s1 s3 s4 s3 s4 read update s1 s2 s1 If (t > 0) s2 s3 s4

11 A journey from a sequential algorithm to efficient concurrent algorithms Schema Correct Algorithm DCAS Sequential DCAS CAS with LOCKS Priority Queue Stack CAS/DCAS … … Michael (PODC’02) Heller et al. (OPODIS’05) Trieber Stack Existing Algorithm New Algorithm

12 Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center

13 High Level Setting Process 1Process 2Process 3

14 High Level Setting Process 1Process 2Process 3

15 High Level Setting Process 1Process 2Process 3

16 High Level Setting Process 1Process 2Process 3

17 Challenge Process 1Process 2Process 3 How to synchronize processes to achieve correctness and good performance?

18 This Work Assist the programmer by automatically inferring correct and efficient synchronization

19  Semaphores  Monitors  Conditional critical region (CCR)  Fine grained (e.g., CAS)  Locks .... Synchronization Primitives

20 Conditional Critical Regions  Syntax of CCR  Synchronization code  guard can observe the program state  guard does not modify program state guard  stmt

21 High Level Setting Process 1Process 2Process 3

22 CCR Setting Process 1Process 2Process 3 s1;s2; s5; s7; s6; s3;s4; Specification:  Permissibility Cost as a language of CCR guards

23  Given a language LG, specification S and program A, program B is maximally permissive, if:  B satisfies S  B is obtained from A by adding guards from LG  Cannot obtain a program C that is correct and more permissive than B from A via LG Maximal Permissibility if  B    C  then C does not satisfy S

24  Two Algorithms to infer CCR guards  Greedy  Exhaustive  Guarantee maximal permissiveness  Greedy: under some conditions  Exhaustive: always  Implementation in SPIN  prototype, examples Contributions

25 This Work Safety, No Stuck States Specification: Language of Guards Cost: Automatic Inference of Guards Process 1Process 2Process 3 s1;s2; s5; s7; s6; s3;s4; Process 1Process 2Process 3 g1  s1;s2; s5; g2  s7; s6; s3;s4; Correct and Maximally Permissive

26 Inference Algorithm  Build transition system of input program and specification  Remove a (minimal) set of transitions such that the result satisfies the specification  Implement resulting transition system as program by strengthening guards of CCRs in the program

27 Inference Algorithm GREEDY(P : Program) : Program { R = ∅ while (true) { ts = if valid(ts) return implement(P,R) B = cut-transitions(ts) if B = ∅ abort “cannot find valid synchronization” select a transition t ∈ B R = R ∪ equiv(t) }

28 Example Language: Observability  Obs: Variables that can be read by CCR guards  LE(Obs): language of boolean combinations of equalities between variables in Obs and constants  Example: Obs: {x, y, z} Guard Expression in LE(Obs): (x!=1 || y!=0 || z!=0)

29 Example: Full Observability ! (y = 2 && z = 1) No Stuck States Specification: LE( { x, y, z } ) Cost: Automatic Inference of Guards z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3

30 Build Transition System s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e,2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 s,s,s 0,0,0 X Y Z PC1 PC2 PC3 legend

31 Select Transitions to Remove s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e,2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1

32 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e,2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 e,s,e 1,0,1 e,e,e 1,2,1 y=x+1 z=y+1 Build Transition System x!=1 || y!=0 || z!=0  Correct and Maximally Permissive

33 Example: Full Observability ! (y = 2 && z = 1) No Stuck States Specification: LE( { x, y, z } ) Cost: Automatic Inference of Guards z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3 (x!=1 || y!=0 || z!=0)  z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3

34 Example: Limited Observability ! (y = 2 && z = 1) No Stuck States Specification: LE( { x,, z } ) Cost: Automatic Inference of Guards z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3

35 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e,2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 Build Transition System

36 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1

37 Select transition to remove s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1

38 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 Select All Equivalent Transitions Implementability

39 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 x=z+1 z=y+1 x=z+1 y=x+1 Side-effects e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 y=x+1 z=y+1 x!=1 || z!=0  z=y+1 x!=1 || z!=0  Build Transition System

40 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 x=z+1 z=y+1 x=z+1 y=x+1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 y=x+1 z=y+1 x!=1 || z!=0  z=y+1 x!=1 || z!=0  Select transitions to remove

41 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,3 1,2,0 e,2,e 1,0,1 e,e,3 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e,2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 x!=1 || z!=0  x!=0 || z!=0  x!=1 || z!=0  x!=0|| z!=0  Build Transition System Correct and Maximally Permissive

42 Example: Limited Observability Automatic Inference of Guards (x!=1 || z!=0)  z=y+1; Process 1 (x!=0 || z!=0)  x=z+1; y=x+1; Process 2 Process 3 z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3 ! (y = 2 && z = 1) No Stuck States Specification: LE( { x,, z } ) Cost:

43 Inference Algorithms  Greedy algorithm  Resulting program satisfies the specification  No side-effects guarantees maximal permissiveness  Experience: maximally permissive with side-effects  Polynomial  Exhaustive algorithm  Resulting program satisfies the specification  Maximally permissive  Exponential 43

44 Implementation  Prototype  Greedy algorithm  Using SPIN  Examples  Dining philosophers  Asynchronous counters  Race correction 44

45 Remarks  Transition system vs. program

46 Infinite Transition System  Preliminary Work  Finite state abstraction  Same algorithm  Conservatively eliminate potentially stuck states  Cannot guarantee maximally permissive  Future Work  Refine when state becomes potentially stuck  Specialized abstractions for stuckness  Related to abstractions for termination 46

47 Summary  Algorithms for CCR guard inferences  Greedy (polynomial) and Exhaustive (exponential)  Produce maximally permissive programs  Parametric on User-specified Cost  Deals with side effects and implementability 47

48 Related Work  Recovery and predication mechanisms  STM, Isolator, Tolerace  Synthesis from temporal specification  Game theory  Memoryless winning strategy for Buchi games 48

49 Ongoing and Future Work  Conditions for maximal permissiveness of greedy  Infer other synchronization mechanisms  meta-data, atomic sections, non-blocking  Abstraction for stuck states 49

50 Invited Questions 1) Why can’t I enumerate all the expressions of the language and call the checker externally? 2) How come the complexity is exponential, we know its double-exp ? 3) You say its NP-hard and then you say its polynomial, how come ? 4) Can you always give strongest guard for a given language and a state?

51 BACKUP

Download ppt "Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
IBM T. J. Watson Research Center Conditions for Strong Synchronization Maged Michael IBM T J Watson Research Center Joint work with: Martin Vechev, Hagit.

IBM T. J. Watson Research Center Conditions for Strong Synchronization Maged Michael IBM T J Watson Research Center Joint work with: Martin Vechev, Hagit.
Operating Systems Part III: Process Management (Process Synchronization)

Operating Systems Part III: Process Management (Process Synchronization)
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.

Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
Abstract Transformers for Thread Correlation Analysis Michal Segalov, TAU Tal Lev-Ami, TAU Roman Manevich, TAU G. Ramalingam, MSR India Mooly Sagiv, TAU.

Abstract Transformers for Thread Correlation Analysis Michal Segalov, TAU Tal Lev-Ami, TAU Roman Manevich, TAU G. Ramalingam, MSR India Mooly Sagiv, TAU.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
Paraglide Martin Vechev Eran Yahav Martin Vechev Eran Yahav.

Paraglide Martin Vechev Eran Yahav Martin Vechev Eran Yahav.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)

1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)
Process Synchronization Continued 7.2 The Critical-Section Problem.

Process Synchronization Continued 7.2 The Critical-Section Problem.
Chapter 6: Process Synchronization

Chapter 6: Process Synchronization
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.
5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.

5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.

Similar presentations

Ads by Google