Verifying Correct Usage of Atomic Blocks and Typestate Nels E. Beckman Nels E. Beckman, Kevin Bierhoff, and Jonathan Aldrich Carnegie Mellon University.

Slides:

Advertisements

Similar presentations

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,

Advertisements

Advanced programming tools at Microsoft

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.

Identity and Equality Based on material by Michael Ernst, University of Washington.

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Automated Verification with HIP and SLEEK Asankhaya Sharma.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.

Process Synchronization. Module 6: Process Synchronization Background The Critical-Section Problem Peterson’s Solution Synchronization Hardware Semaphores.

Concurrency 101 Shared state. Part 1: General Concepts 2.

Dept. of Computer Science A Runtime Assertion Checker for the Java Modeling Language (JML) Yoonsik Cheon and Gary T. Leavens SERP 2002, June 24-27, 2002.

Designing a thread-safe class  Store all states in public static fields  Verifying thread safety is hard  Modifications to the program hard  Design.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

An overview of JML tools and applications Lilian Burdy Gemplus Yoonsik Cheon, Gary Leavens Iowa Univ. David Cok Kodak Michael Ernst MIT Rustan Leino Microsoft.

Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington.

JML and Class Specifications Class invariant JML definitions Queue example Running JML in Eclipse.

Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.

On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of.

Modular Typestate Checking for Concurrent Java Programs Nels E. Beckman Carnegie Mellon University (Advised by Jonathan Aldrich)

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Synchronization in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.

1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.

Subclasses and Subtypes CMPS Subclasses and Subtypes A class is a subclass if it has been built using inheritance. ▫ It says nothing about the meaning.

Compositional Verification of Termination-Preserving Refinement of Concurrent Programs Hongjin Liang Univ. of Science and Technology of China (USTC) Joint.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

Aquinas Hobor and Cristian Gherghina (National University of Singapore) TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.:

Runtime Refinement Checking of Concurrent Data Structures (the VYRD project) Serdar Tasiran Koç University, Istanbul, Turkey Shaz Qadeer Microsoft Research,

Threading and Concurrency Issues ● Creating Threads ● In Java ● Subclassing Thread ● Implementing Runnable ● Synchronization ● Immutable ● Synchronized.

Computer Science and Engineering College of Engineering The Ohio State University Interfaces The credit for these slides goes to Professor Paul Sivilotti.

Model Programs for Preserving Composite Invariants SAVCBS 2008 Challenge Problem Solution by Steve Shaner, Hridesh Rajan, Gary T. Leavens Iowa State and.

Puzzle 3 1  Write the class Enigma, which extends Object, so that the following program prints false: public class Conundrum { public static void main(String[]

SPL/2010 Safety 1. SPL/2010 system designing for concurrent execution environments ● system: collection of objects and their interactions ● system properties:

Semaphores, Locks and Monitors By Samah Ibrahim And Dena Missak.

Automated Software Engineering with Concurrent Class Machines Radu Grosu SUNY at Stony Brook joint work with Y. Liu, S. Smolka, S.Stoller, J. Yan SUNY.

Rustan Leino RiSE, Microsoft Research, Redmond MIT 5 June 2009 Joint work with: Peter Müller, ETH Zurich Jan Smans, KU Leuven.

A Universe-Type-Based Verification Technique for Mutable Static Fields and Methods Alexander J Summers Sophia Drossopoulou Imperial College London Peter.

Dataflow Analysis for Concurrent Programs using Datarace Detection Ravi Chugh, Jan W. Voung, Ranjit Jhala, Sorin Lerner LBA Reading Group Michelle Goodstein.

Multiprocessor Cache Consistency (or, what does volatile mean?) Andrew Whitaker CSE451.

A Type System for Borrowing Permissions Karl Naden, Rob Bocchino Jonathan Aldrich, Kevin Bierhoff POPL – January 27, 2012 School of Computer Science.

An Introduction to Automated Program Verification with Permission Logics 15 th May 2015, Systems Group, ETH Zurich Uri Juhasz, Ioannis Kassios, Peter Müller,

PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.

Today’s lecture Review of chapter 8 Go over examples.

Spec# John Lefor Program Manager Developer Division, Microsoft.

1 1 Nastaran Shafiei VERIFICATION OF A NON-BLOCKING ARRAY-BASED QUEUE ALGORITHM.

1 Verification of object-oriented programs with invariants Mike Barnett, Robert DeLine, Manuel Fahndrich, K. Rustan M. Leino, Wolfram Schulte ECOOP 2003.

A Calculus of Atomic Actions Tayfun Elmas, Shaz Qadeer and Serdar Tasiran POPL ‘ – Seminar in Distributed Algorithms Cynthia Disenfeld 27/05/2013.

Faithful mapping of model classes to mathematical structures Ádám Darvas ETH Zürich Switzerland Peter Müller Microsoft Research Redmond, WA, USA SAVCBS.

DBC NOTES. Design By Contract l A contract carries mutual obligations and benefits. l The client should only call a routine when the routine’s pre-condition.

VPERM: Variable Permissions for Concurrency Verification Duy-Khanh Le, Wei-Ngan Chin, Yong-Meng Teo ICFEM, Kyoto, Japan, Nov 2012.

A Calculus of Atomic Actions Serdar Tasiran Koc University, Istanbul, Turkey Tayfun ElmasShaz Qadeer Koc University Microsoft Research.

Healing Data Races On-The-Fly

Lecture 8 Thread Safety.

Lecture 8 Thread Safety.

Programming Languages 2nd edition Tucker and Noonan

A Considerate Specification of the Composite Pattern

Presentation transcript:

Verifying Correct Usage of Atomic Blocks and Typestate Nels E. Beckman Nels E. Beckman, Kevin Bierhoff, and Jonathan Aldrich Carnegie Mellon University

Beckman et al. Verifying Concurrent Object Protocols2 Overview: Goals and Approach Goal: Statically & Modularly Verify Concurrent Object Protocols Challenge: Track thread-sharing modularly Approach: Use Access Permissions –Statically describe reference aliases –Track abstract state –Discard if subject to concurrent modification –...except in an Atomic Block

Beckman et al. Verifying Concurrent Object Protocols3 Example: Blocking Queue Thread-shared, blocking queue –One Producer –N Consumers –Defines Protocol –From Apache Axyl-Lucene Program Thanks to Allen Holub! Meant to illustrate –Races on abstract state of an object –State transitions that are not atomic

4 Queue: Protocol - state - initial state - state transition - transition action

Beckman et al. Verifying Concurrent Object Protocols5 Race on Abstract State of Queue final Blocking_queue queue = new Blocking_queue(); (new Thread() public void run() { while( !queue.is_closed() ) System.out.println("Got object: "+queue.dequeue()); // Important shut-down code… }}).start(); for( int i=0;i<5;i++ ) queue.enqueue("Object " + i); queue.close();

Beckman et al. Verifying Concurrent Object Protocols6 Race on Abstract State of Queue final Blocking_queue queue = new Blocking_queue(); (new Thread() public void run() { while( !queue.is_closed() ) System.out.println("Got object: "+queue.dequeue()); // Important shut-down code… }}).start(); for( int i=0;i<5;i++ ) queue.enqueue("Object " + i); queue.close(); Race!

Beckman et al. Verifying Concurrent Object Protocols7 State Transition Not Atomic class Blocking_queue { // Class definition... public void close() { atomic: { elements = null; } //... atomic: { closed = true; } }

Beckman et al. Verifying Concurrent Object Protocols8 State Transition Not Atomic class Blocking_queue { // Class definition... public void close() { atomic: { elements = null; } //... atomic: { closed = true; } } Can be observed in inconsistent state!

Beckman et al. Verifying Concurrent Object Protocols9 Outline Overview Blocking Queue Naive Approach Access Permissions Verification with Access Permissions –Client-Side –Provider-Side Contributions/Related Work Conclusion

Beckman et al. Verifying Concurrent Object Protocols10 Verification without Alias public void run() { while( !queue.is_closed() ) System.out.println(“Got object: ” + queue.dequeue()); // Important shut-down code… }

Beckman et al. Verifying Concurrent Object Protocols11 Verification without Alias public void run() { while( !queue.is_closed() ) System.out.println(“Got object: ” + queue.dequeue()); // Important shut-down code… } queue is not closed!

Beckman et al. Verifying Concurrent Object Protocols12 Verification without Alias public void run() { while( !queue.is_closed() ) System.out.println(“Got object: ” + queue.dequeue()); // Important shut-down code… } But could be thread- shared, so forget it…

Beckman et al. Verifying Concurrent Object Protocols13 Verification without Alias public void run() { while( !queue.is_closed() ) System.out.println(“Got object: ” + queue.dequeue()); // Important shut-down code… } Call fails, precondition not met.

Beckman et al. Verifying Concurrent Object Protocols14 Verification without Alias Control final Blocking_queue queue = new Blocking_queue(); (...).start(); // queue escapes to thread for( int i=0;i<5;i++ ) queue.enqueue("Object " + i); queue.close();

Beckman et al. Verifying Concurrent Object Protocols15 Verification without Alias Control final Blocking_queue queue = new Blocking_queue(); (...).start(); // queue escapes to thread for( int i=0;i<5;i++ ) queue.enqueue("Object " + i); queue.close(); Queue must be OPEN!

Beckman et al. Verifying Concurrent Object Protocols16 Verification without Alias Control final Blocking_queue queue = new Blocking_queue(); (...).start(); // queue escapes to thread for( int i=0;i<5;i++ ) queue.enqueue("Object " + i); queue.close(); Queue must be OPEN! We must somehow encode: The producer is ‘in control’ of the protocol!

17 Access Permissions* Predicates associated with program references –Provided at method boundaries by annotations –Tracked statically –Answer 2 questions: “Can other program references point to the object to which this reference points?” “Can this reference be used to modify the object to which it points? Can other references?” *Bierhoff and Aldrich, 2007

Beckman et al. Verifying Concurrent Object Protocols18 Access Permissions in Action public static void Object myObj) { // myObj is the sole reference to the object } public static void Object myObj) { // we can modify object through myObj // (other non-modifying references may exist!) } public static void Object myObj) { // we cannot modify object through myObj // (other references may modify this object!) }

Beckman et al. Verifying Concurrent Object Protocols19 Permission Taxonomy Other references can… Not aliasRead- Only Read- Modify This reference can… Read- Modify Read- Only

Beckman et al. Verifying Concurrent Object Protocols20 Splitting Access Permissions Access permissions act as pre/post conditions –Statically checked for consistency Some permission types can be soundly ‘split’ into other permission types => 1 & N => N => N & M –etc.

Queue Method ensures=“CLOSED”) void ensures=“OPEN”) void @FalseIndicates(“OPEN”) boolean Object dequeue()

Queue Method ensures=“CLOSED”) void ensures=“OPEN”) void @FalseIndicates(“OPEN”) boolean Object dequeue()

Queue Method ensures=“CLOSED”) void ensures=“OPEN”) void @FalseIndicates(“OPEN”) boolean Object dequeue()

Queue Method ensures=“CLOSED”) void ensures=“OPEN”) void @FalseIndicates(“OPEN”) boolean Object dequeue()

Beckman et al. Verifying Concurrent Object Protocols25 Client-Side Verification: No Races on Abstract State Use flow analysis, track permissions and state of references through method body At method call sites, use pre/postconditions Discard object state if permission indicates concurrent modification Unless inside atomic block!

Beckman et al. Verifying Concurrent Object Protocols26 final Blocking_queue queue = new Blocking_queue(); (...).start(); for( int i=0;i<5;i++ ) queue.enqueue("Object " + i); queue.close();

Beckman et al. Verifying Concurrent Object Protocols27 final Blocking_queue queue = new Blocking_queue(); (...).start(); for( int i=0;i<5;i++ ) queue.enqueue("Object " + i); in OPEN

Beckman et al. Verifying Concurrent Object Protocols28 final Blocking_queue queue = new Blocking_queue(); (...).start(); for( int i=0;i<5;i++ ) queue.enqueue("Object " + i); in OPEN

Beckman et al. Verifying Concurrent Object Protocols29 final Blocking_queue queue = new Blocking_queue(); (...).start(); for( int i=0;i<5;i++ ) queue.enqueue("Object " + i); queue.close(); Method precondition met

Beckman et al. Verifying Concurrent Object Protocols30 final Blocking_queue queue = new Blocking_queue(); (...).start(); for( int i=0;i<5;i++ ) queue.enqueue("Object " + i); queue.close(); Method precondition met

Beckman et al. Verifying Concurrent Object Protocols31 final Blocking_queue queue = new Blocking_queue(); (...).start(); for( int i=0;i<5;i++ ) queue.enqueue("Object " + i); in CLOSED

Beckman et al. Verifying Concurrent Object public void run() { while( !queue.is_closed() ) System.out.println("Got object: “ + queue.dequeue()); // Important shut-down code… }

Beckman et al. Verifying Concurrent Object public void run() { while( !queue.is_closed() ) System.out.println("Got object: “ + queue.dequeue()); // Important shut-down code… from class invariant...

Beckman et al. Verifying Concurrent Object public void run() { while( !queue.is_closed() ) System.out.println("Got object: “ + queue.dequeue()); // Important shut-down code… in OPEN

Beckman et al. Verifying Concurrent Object public void run() { while( !queue.is_closed() ) System.out.println("Got object: “ + queue.dequeue()); // Important shut-down code… in OPEN

Beckman et al. Verifying Concurrent Object public void run() { while( !queue.is_closed() ) System.out.println("Got object: “ + queue.dequeue()); // Important shut-down code… } ERROR!

Beckman et al. Verifying Concurrent Object Protocols37 But with public void run() { while( true ) { atomic: { if( !queue.is_closed() ) System.out.println("Got object: “+queue.dequeue()); else return; } // Important shut-down code… }

Beckman et al. Verifying Concurrent Object Protocols38 Implementation-Side Verification: Transitions are Atomic States can be annotated with concrete invariants –Predicates over fields Use packing/unpacking for modular verification –Invariants must be reestablished before method returns object must be within an atomic block

Beckman et al. Verifying Concurrent Object Protocols39 inv=“closed == true * elements == null”),...}) class Blocking_queue { private List elements; private boolean closed; void close() { atomic: { elements = null; } //... atomic: { closed = true; } } //... }

Beckman et al. Verifying Concurrent Object Protocols40 inv=“closed == true * elements == null”),...}) class Blocking_queue { private List elements; private boolean closed; void close() { atomic: { elements = null; } //... atomic: { closed = true; } } //... }

41 inv=“closed == true * elements == null”),...}) class Blocking_queue { private List elements; private boolean closed; void close() { atomic: { elements = null; } //... atomic: { closed = true; } } //... } Unpacks from OPEN state.

42 inv=“closed == true * elements == null”),...}) class Blocking_queue { private List elements; private boolean closed; void close() { atomic: { elements = null; } //... atomic: { closed = true; } } //... } Packs to CLOSED state.

43 inv=“closed == true * elements == null”),...}) class Blocking_queue { private List elements; private boolean closed; void close() { atomic: { elements = null; } //... atomic: { closed = true; } } //... } Error! Atomic block ends while receiver unpacked

Beckman et al. Verifying Concurrent Object Protocols44 Outline Overview Blocking Queue Naive Approach Access Permissions Verification with Access Permissions –Client-Side –Provider-Side Contributions/Related Work Conclusion

Beckman et al. Verifying Concurrent Object Protocols45 Contributions Implementation Formalized as Type System Proven sound in multi-threaded programs –Proof includes explicit threads and sharing –At run-time, object can never be in “wrong state.” –Bierhoff & Aldrich don’t consider threads (OOPSLA ’07) Full/Pure is both useful and surprising...

Beckman et al. Verifying Concurrent Object Protocols46 Maintaining Knowledge Over Thread- Shared Objects With Full: –One object can depend on state of a mutable, thread- shared, un-encapsulated object Works b/c of exclusive nature of Full

47 Maintaining Knowledge Over Thread- Shared Objects With Full: –One object can depend on state of a mutable, thread- shared, un-encapsulated object Works b/c of exclusive nature of Full Thread Pool Queue Consumer Thread Obj. Consumer Thread Obj. Worker Thread Obj.

48 Maintaining Knowledge Over Thread- Shared Objects With Full: –One object can depend on state of a mutable, thread- shared, un-encapsulated object Works b/c of exclusive nature inv=“full(queue) in inv=“full(queue) in CLOSED”) }) class ThreadPool { private Blocking_queue queue;... } Thread Pool Queue Consumer Thread Obj. Consumer Thread Obj. Worker Thread Obj.

49 Maintaining Knowledge Over Thread- Shared Objects With Full: –One object can depend on state of a mutable, thread- shared, un-encapsulated object Not possible in existing approaches –Concurrent Sep Logic: unique, immutable, ‘critical-protected’ –Jacobs et al., Rodriguez et inv=“full(queue) in inv=“full(queue) in CLOSED”) }) class ThreadPool { private Blocking_queue queue;... }

Beckman et al. Verifying Concurrent Object Protocols50 Related Work Other Differences: –Abstract Mutable Object State Other approaches powerful, but low level –Atomic Blocks Discussed in Paper –OO Verification Jacobs et al. (Spec#) Rodriguez et al. (JML) Vaziri et al. –Concurrency Logics Owicki/Gries & Conccurrent Sep. Logic Rely/Guarantee Fractional Permissions –Data Race Detectors

Beckman et al. Verifying Concurrent Object Protocols51 Conclusion Static, Modular Verification of Object Protocols in Concurrent Programs –Access Permissions for alias control –Atomic blocks for mutual exclusion –Proven Sound (See Paper, TR) Download the tool, source, more examples – –(Also provides Dimensions and Fractions)