Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Slides:

Advertisements

Similar presentations

Abstraction of Source Code (from Bandera lectures and talks)

Advertisements

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Adapted from Scott, Chapter 6:: Control Flow Programming Language Pragmatics Michael L. Scott.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

CIS 720 Lecture 2. Concurrency …shared variable declaration…. …shared variable initialization… co P 1 // P 2 // P 3 // P 4 oc Execution of P 1 … P 4 starts.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)

Chapter 6 Process Synchronization Bernard Chen Spring 2007.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

Martin Vechev IBM Research Michael Kuperstein Technion Eran Yahav Technion (FMCAD’10, PLDI’11) 1.

Martin Vechev IBM Research Michael Kuperstein Technion Eran Yahav Technion (FMCAD’10, PLDI’11) 1.

Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

1 Lecture 09 – Synthesis of Synchronization Eran Yahav.

Chapter 2: Algorithm Discovery and Design

Synthesis of Interface Specifications for Java Classes Rajeev Alur University of Pennsylvania Joint work with P. Cerny, G. Gupta, P. Madhusudan, W. Nam,

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.

Chapter 2: Algorithm Discovery and Design

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

Maria-Cristina Marinescu Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology A Synthesis Algorithm for Modular Design of.

Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.

Compositional Verification of Termination-Preserving Refinement of Concurrent Programs Hongjin Liang Univ. of Science and Technology of China (USTC) Joint.

ARTIST Summer School in Europe 2009 Autrans (near Grenoble), France September 7-11, 2009 Invited Speaker: Eran Yahav IBM T.J. Watson Research Center.

1 Thread Synchronization: Too Much Milk. 2 Implementing Critical Sections in Software Hard The following example will demonstrate the difficulty of providing.

Automatic Abstraction Refinement for GSTE Yan Chen, Yujing He, and Fei Xie Portland State University Jin Yang Intel Nov 13, 2007.

By: Pashootan Vaezipoor Path Invariant Simon Fraser University – Spring 09.

Recursion A method is recursive if it makes a call to itself. A method is recursive if it makes a call to itself. For example: For example: public void.

Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.

Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.

Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications 1.

Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

Type Systems CS Definitions Program analysis Discovering facts about programs. Dynamic analysis Program analysis by using program executions.

1 Bisimulations as a Technique for State Space Reductions.

COMP 111 Threads and concurrency Sept 28, Tufts University Computer Science2 Who is this guy? I am not Prof. Couch Obvious? Sam Guyer New assistant.

Inferring Synchronization under Limited Observability Martin Vechev, Eran Yahav, Greta Yorsh IBM T.J. Watson Research Center (work in progress)

PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 7: Process Synchronization Background The Critical-Section Problem Synchronization.

Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.

Semantics In Text: Chapter 3.

Automated Patch Generation Adapted from Tevfik Bultan’s Lecture.

Pattern-based Synthesis of Synchronization for the C++ Memory Model Yuri Meshman, Noam Rinetzky, Eran Yahav 1.

Ch. 13 Ch. 131 jcmt CSE 3302 Programming Languages CSE3302 Programming Languages (notes?) Dr. Carter Tiernan.

CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Examples: Simple BIR-Lite Examples Copyright 2004, Matt Dwyer, John Hatcliff,

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Synchronization Emery Berger and Mark Corner University.

CIS 720 Lecture 5. Techniques to avoid interference Disjoint variables –If the write set of each process is disjoint from the read and write set of other.

CS 153 Design of Operating Systems Winter 2016 Lecture 7: Synchronization.

CHARME’03 Predicate abstraction with Minimum Predicates Sagar Chaki*, Ed Clarke*, Alex Groce*, Ofer Strichman** * Carnegie Mellon University ** Technion.

Semaphores Chapter 6. Semaphores are a simple, but successful and widely used, construct.

Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson

Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson

Problem: design complexity advances in a pace that far exceeds the pace in which verification technology advances. More accurately: (verification complexity)

Maitrayee Mukerji. INPUT MEMORY PROCESS OUTPUT DATA INFO.

Abstraction and Refinement for Large Scale Model Checking

Abstraction-Guided Synthesis

Over-Approximating Boolean Programs with Unbounded Thread Creation

Semaphores Chapter 6.

Synthesis of Memory Fences via Refinement Propagation

Abstraction, Verification & Refinement

Predicate Abstraction

BLAST: A Software Verification Tool for C programs

COP4020 Programming Languages

Abstraction-Guided Synthesis of synchronization

Presentation transcript:

Greta YorshEran YahavMartin Vechev IBM Research

{ ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { …………………………… ……………………. … } T2() atomic { ………………….. …… ……………………. ……………… …………………… } T3() atomic Assist the programmer by automatically inferring correct and efficient synchronization

Challenge: Correct and Efficient Synchronization { ……………… …… …………………. ……………………. ………………………… } T1() { …………………………… ……………………. … } T2() { ………………….. …… ……………………. ……………… …………………… } T3() Assist the programmer by automatically inferring correct and efficient synchronization

Challenge  Find minimal synchronization that makes the program satisfy the specification  Avoid all bad interleaving while permitting as many good interleavings as possible  Handle infinite-state programs

Change the abstraction to match the program A Standard Approach: Abstraction Refinement program specification Abstract counter example abstraction Verify Refine  

synchronized program A Standard Approach: Abstraction Refinement concurrent program safety specification Abstract counter example state abstraction Verify  Restrict Refine   Change the program to match the abstraction

Our Approach  Synthesis of synchronization via abstract interpretation  Compute over-approximation of all possible program executions  Add minimal atomics to avoid (over-approximation of) bad interleavings  Interplay between abstraction and synchronization  Finer abstraction may enable finer synchronization  Coarse synchronization may enable coarser abstraction

AGS Algorithm – High Level  = true while(true) { Traces = {  |   (  P       ) and   S } if (Traces is empty) return implement(P,  ) select   Traces if (?) {  ’ = avoid(  ) if (  ’ is false) abort else  =    ’ } else {  ’ = refine( ,  ) if (  =  ‘) abort else  =  ‘ } Input: Program P, Specification S, Abstraction  Output: Program P’ satisfying S under 

Avoiding an interleaving  By adding atomicity constraints  Atomicity predicate [l1,l2] – no context switch allowed between execution of statements at l1 and l2  avoid(  )  A disjunction of all possible atomicity predicates that would prevent   Example   = A 1 B 1 A 2 B 2  avoid(  ) = [A 1,A 2 ]  [B 1,B 2 ]  (abuse of notation)

Example T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 }

Example: Parity Abstraction y2 y1 1 Concrete values y2 y1 1 Parity abstraction (even/odd)

Example: Avoiding Bad Interleavings avoid(  1 ) = [z++,z++]  = [z++,z++]  = true while(true) { Traces={  |  (  P       ) and   S } if (Traces is empty) return implement(P,  ) select   Traces if (?) {  =   avoid(  ) } else {  = refine( ,  ) }

Example: Avoiding Bad Interleavings avoid(  2 ) =[x+=z,x+=z]  = [z++,z++]  = [z++,z++]  [x+=z,x+=z]  = true while(true) { Traces={  |  (  P       ) and   S } if (Traces is empty) return implement(P,  ) select   Traces if (?) {  =   avoid(  ) } else {  = refine( ,  ) }

Example: Avoiding Bad Interleavings T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)  = [z++,z++]  [x+=z,x+=z]  = true while(true) { Traces={  |  (  P       ) and   S } if (Traces is empty) return implement(P,  ) select   Traces if (?) {  =   avoid(  ) } else {  = refine( ,  ) }

y2 y1 1 parity  parity x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 Example: Avoiding Bad Interleavings But we can also refine the abstraction…

y2 y parity interval octagon     (a)(b) (c) (d)(e) (f)(g) parity interval octagon x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3

Quantitative Synthesis  Performance: smallest atomic sections  Interval abstraction for our example produces the atomicity constraint: ([x+=z,x+=z] ∨ [z++,z++]) ∧ ([y1=f(x),y2=x] ∨ [x+=z,x+=z] ∨ [z++,z++])  Minimal satisfying assignments   1 = [z++,z++]   2 = [x+=z,x+=z]

Choosing between abstraction refinement and program restriction - not always possible to refine/avoid - may try and backtrack AGS Algorithm – More Details Input: Program P, Specification S, Abstraction  Output: Program P’ satisfying S under  Forward Abstract Interpretation, taking  into account for pruning infeasible interleavings  = true while(true) { Traces = {  |   (  P       ) and   S } if (Traces is empty) return implement(P,  ) select   Traces if (?) {  =   avoid(  ) } else {  = refine( ,  ) } Backward exploration of invalid Interleavings using  to prune infeasible interleavings. Order of selection matters Up to this point did not commit to a synchronization mechanism

Implementability  No program transformations (e.g., loop unrolling)  Memoryless strategy T1 1: while(*) { 2: x++ 3: x++ 4: } T2 1: assert (x != 1)  Separation between schedule constraints and how they are realized  Can realize in program: atomic sections, locks,…  Can realize in scheduler: benevolent scheduler

0,0 0,1 0,2 2,0 0,0 1,1 0,2 2,1 0,2 2,2 1,2 2,1 1,2 3,2 2,2 y=2 if (y==0) x++ x+=1 if (y==0) y=2 x+=1 T1 0: if (y==0) goto L 1: x++ 2: L: T2 0: y=2 1: x+=1 2: assert x !=y Choosing a trace to avoid

Examples Intuition  If we can show disjoint access we can avoid synchronization  Requires abstractions rich enough to capture access pattern to shared data Parity Intervals

Example: “Double Buffering” fill() { L1:if (i < N) { L2:Im[Fill][i] = read(); L3: i += 1; L4: goto L1; } L5: Fill ˆ= 1; L6: Render ˆ= 1; L7: i = 0; L8: goto L1; } render() { L1:if (j < N) { L2: write(Im[Render][j]); L3: j += 1; L4: goto L1; } L5: j = 0; L6: goto 1; } int Fill = 1; int Render = 0; int i = j = 0; main() { fill() || render(); } Render Fill

Examples ProgramRefine StepsAvoid Steps Double buffering12 Defragmentation18 3D array update223 Array Removal117 Array Init156

Summary  An algorithm for Abstraction-Guided Synthesis  Synthesize efficient and correct synchronization  Handles infinite-state systems based on abstract interpretation  Refine the abstraction and/or restrict program behavior  Interplay between abstraction and synchronization  Quantitative Synthesis  Separate characterization of solution from choosing optimal solutions (e.g., smallest atomic sections)