Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford.

Slides:



Advertisements
Similar presentations
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advertisements

Advanced programming tools at Microsoft
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Shape Analysis for Fine-Grained Concurrency using Thread Quantification Josh Berdine Microsoft Research Joint work with: Tal Lev-Ami, Roman Manevich, Mooly.
Guy Golan-GuetaTel-Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University G. Ramalingam Microsoft Research Mooly Sagiv Tel-Aviv.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Hongjin Liang and Xinyu Feng
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
Interprocedural Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
Testing and Quality Assurance
Paraglide Martin Vechev Eran Yahav Martin Vechev Eran Yahav.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Ch. 1: Software Development (Read) 5 Phases of Software Life Cycle: Problem Analysis and Specification Design Implementation (Coding) Testing, Execution.
COLT: Effective Testing of Concurrent Collection Usage Alex Aiken Nathan Bronson Stanford University Martin Vechev Eran Yahav IBM Research Mooly Sagiv.
Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara
Deriving Linearizable Fine-Grained Concurrent Objects Martin Vechev Eran Yahav IBM T. J. Watson Research Center Martin Vechev Eran Yahav IBM T. J. Watson.
1 Martin Vechev IBM T.J. Watson Research Center Joint work with: Hagit Attiya, Rachid Guerraoui, Danny Hendler, Petr Kuznetsov, Maged Michael.
Modular Shape Analysis for Dynamically Encapsulated Programs Noam Rinetzky Tel Aviv University Arnd Poetzsch-HeffterUniversität Kaiserlauten Ganesan RamalingamMicrosoft.
Synthesis of Interface Specifications for Java Classes Rajeev Alur University of Pennsylvania Joint work with P. Cerny, G. Gupta, P. Madhusudan, W. Nam,
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz.
Testing Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University.
Modular Shape Analysis for Dynamically Encapsulated Programs Noam Rinetzky Tel Aviv University Arnd Poetzsch-HeffterUniversität Kaiserlauten Ganesan RamalingamMicrosoft.
Comparison Under Abstraction for Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom RepsEran Yahav Tel Aviv UniversityUniversity of Wisconsin.
Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Implementation Yaodong Bi. Introduction to Implementation Purposes of Implementation – Plan the system integrations required in each iteration – Distribute.
Thread Quantification for Concurrent Shape Analysis Josh BerdineMSR Cambridge Tal Lev-AmiTel Aviv University Roman ManevichTel Aviv University Mooly Sagiv.
 To explain the importance of software configuration management (CM)  To describe key CM activities namely CM planning, change management, version management.
1 Employing decision procedures for automatic analysis and verification of heap-manipulating programs Greta Yorsh under the supervision of Mooly Sagiv.
Verifying Atomicity via Data Independence Ohad Shacham Yahoo Labs, Israel Eran Yahav Technion, Israel Guy Gueta Yahoo Labs, Israel Alex Aiken Stanford.
Dynamic Analysis of Multithreaded Java Programs Dr. Abhik Roychoudhury National University of Singapore.
The Daikon system for dynamic detection of likely invariants MIT Computer Science and Artificial Intelligence Lab. 16 January 2007 Presented by Chervet.
Chameleon Automatic Selection of Collections Ohad Shacham Martin VechevEran Yahav Tel Aviv University IBM T.J. Watson Research Center Presented by: Yingyi.
Refactoring1 Improving the structure of existing code.
Symbolically Computing Most-Precise Abstract Operations for Shape Analysis Greta Yorsh Thomas Reps Mooly Sagiv Tel Aviv University University of Wisconsin.
1 Test Selection for Result Inspection via Mining Predicate Rules Wujie Zheng
1 Ch. 1: Software Development (Read) 5 Phases of Software Life Cycle: Problem Analysis and Specification Design Implementation (Coding) Testing, Execution.
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
1 CSEP590 – Model Checking and Automated Verification Lecture outline for August 6, 2003.
1 CSCD 326 Data Structures I Software Design. 2 The Software Life Cycle 1. Specification 2. Design 3. Risk Analysis 4. Verification 5. Coding 6. Testing.
Bindings. Typical stages of program execution First, the program is compiled Then everything is loaded into memory Then it is linked to any library routines.
Data Representation Synthesis PLDI’2011, ESOP’12, PLDI’12 Peter Hawkins, Stanford University Alex Aiken, Stanford University Kathleen Fisher, Tufts Martin.
Generating Precise and Concise Procedure Summaries Greta Yorsh Eran Yahav Satish Chandra.
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
Specifying Multithreaded Java semantics for Program Verification Abhik Roychoudhury National University of Singapore (Joint work with Tulika Mitra)
Random Test Generation of Unit Tests: Randoop Experience
Reachability Testing of Concurrent Programs1 Reachability Testing of Concurrent Programs Richard Carver, GMU Yu Lei, UTA.
Testing Overview Software Reliability Techniques Testing Concepts CEN 4010 Class 24 – 11/17.
Static Analysis Introduction Emerson Murphy-Hill.
1 Active Random Testing of Parallel Programs Koushik Sen University of California, Berkeley.
CSE 374 Programming Concepts & Tools Hal Perkins Fall 2015 Lecture 17 – Specifications, error checking & assert.
Healing Data Races On-The-Fly
CSE 374 Programming Concepts & Tools
Specifying Multithreaded Java semantics for Program Verification
Symbolic Implementation of the Best Transformer
Design by Contract Fall 2016 Version.
Over-Approximating Boolean Programs with Unbounded Thread Creation
Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.
Foundations and Definitions
Presentation transcript:

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University Mooly Sagiv Tel Aviv University Martin Vechev ETH Eran Yahav Technion

Specifying and Verifying Software Composition Efficient libraries are widely available Composing software in a way which guarantee correctness: –Specification –Verification –Synthesis –Performance

Concurrent Data Structures Writing highly concurrent data structures is complicated Modern programming languages provide efficient concurrent collections with atomic operations. … … … … … … … …

attr = new HashMap(); … Attribute removeAttribute(String name){ Attribute val = null; synchronized(attr) { found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } attr = new ConcurrentHashMap(); … Attribute removeAttribute(String name){ Attribute val = null; /* synchronized(attr) { */ found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } /* } */ return val; } TOMCAT Motivating Example TOMCAT 5.*TOMCAT 6.* Invariant: removeAttribute(name) returns the removed value or null if it does not exist

removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; o attr.put(“A”, o); attr.remove(“A”);  Invariant: removeAttribute(name) returns the removed value or null if it does not exist

Challenge Testing and Verifying the atomicity of composed operations … … … … … … … …

Challenges in Testing Specifying software correctness Bugs occur in rarely executed traces –Especially true in concurrent systems Scalability of dynamic checking –large traces Hard to find programs to test

Challenges in Verification Specifying software correctness Many sources of unboundedness –Data Integers Stack Heap … –Interleavings Scalability of static checking –Large programs Hard to find programs to verify

Testing atomicity of composed operations OOPSLA’11

Challenge 1: Long traces Assume that composed operations are written inside encapsulated methods Modular testing –Unit testing in all contexts –Composed operations need to be correct in all contexts May lead to false warnings

False Warning if (m.contains(k)) return m.get(k); else return k; False warning in clients without remove Sometimes indicate “future bugs” m.remove(k);

Challenge 2: Specification Check that composed operations are Linearizable [Herlihy & Wing, TOPLAS’90] –Returns the same result as some sequential run

Linearizability removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; attr.put(“A”, o); attr.remove(“A”); removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { return val; removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { return val; attr.put(“A”, o); attr.remove(“A”); attr.put(“A”, o); attr.remove(“A”); removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; o o null o o o attr.remove(“A”);

But Linearizability errors only occur in rarely executed paths removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; attr.put(“A”, o); attr.remove(“A”);

Linearizability errors only occur in rarely executed paths Only consider “atomic” executions of base collection operations [TACAS’10, Ball et. al.] Employ commutativity/influence of base collection operations –Operations on different key commute –Partial order reduction using the collection interface

Influence table OperationConditionPotential Action get(k)get(k) == nullput(k,*) get(k)get(k) != nullremove(k) containsKey(k)get(k) == nullput(k,*) containsKey(k)get(k) != nullremove(k) get(k) == nullput(k,*) remove(k)get(k) != nullremove(k)

removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; attr.put(“A”, o); attr.remove(“A”); Influence trace

COLT Tester program CO extractor candidate COs Timeout instrument linearizability checking CO key/value driver Non-Lin Execution library spec influence driver

removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } attr.put(“A”, o); attr.remove(“A”); o o null

attr.put(“A”, o); attr.remove(“A”); removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { return val; removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { return val; attr.put(“A”, o); attr.remove(“A”); attr.put(“A”, o); attr.remove(“A”); removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; o o null o o o removeAttribute(“A”) { Attribute val = null; found = attr.containsKey(“A”) ; if (found) { val = attr.get(“A”); attr.remove(“A”); } return val; attr.put(“A”, o); attr.remove(“A”);

Evaluation Use Google code search and Koders to search for collection operations methods with at least two operations Used simple static analysis to extract composed operations –29% needed manual modification Check Linearizability of all public domain composed operations Extracted 112 composed operations from 55 applications –Apache Tomcat, Cassandra, MyFaces – Trinidad, … Each run took less than a second Without influence timeout always occur

112 Unknown

59 Non Linearizable 53 Unknown

42 Non Linearizable 17 Open Non Linearizable

42 Non Linearizable 31 Linearizable 22 Globals

31 Linearizable 81 Non-Linearizable

Results Reported the bugs with fixes Even bugs in open environment As a result of the paper the Java library is being changed “A preliminary version is in the pre-java8 "jsr166e" package as ConcurrentHashMapV8. We can't release the actual version yet because it relies on Java8 lambda (closure) syntax support. See links from including: ncurrentHashMapV8.html Good luck continuing to find errors and misuses that can help us create better concurrency components!” ncurrentHashMapV8.html

Verifying atomicity of composed operations

Motivation Unbounded number of potential composed operations –There exists no “thick” interface Automatically prove Linearizability for composed operations beyond the ones provided –Already supports the existing interface –No higher order functions Zero false alarms –beyond modularity

Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } Easy detection

Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } Data independent [Wolper, POPL’86] Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; }

Verifying data independent operations using Linearization points in the code Data independentVerified using single input Influence CO adds one value Map elements are bounded Single Mutation

Verifying data independent operations Small model reduction Decidable when the local state is bounded Explore all possible executions using: –One input key and finite number of values –Influenced based environment uses single value Employ SPIN

program Composed Operation extractor candidate COs CO Library spec Data Independent verifier SCM/FCM Input keys/values Lin Linearizability verifier generator Non-Lin CO SPIN Promela Input keys/values Linearizability tester generator CO Execution Java No SCM key/value driver Influence driver Unknown Non-Lin Influence driver

31 Linearizable 81 Non-Linearizable

Summary Writing concurrent data structures is hard Employing atomic library operations is error prone Modular linearizability checking Leverage influence Leverage data independence Sweet spot –Identify important bugs together with a traces showing and explaining the violations –Hard to find –Prove the linearizability of several composed operations –Simple and efficient technique

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.