Specification, Verification, and Synthesis of Concurrency Control Components Tuba Yavuz-Kahveci Tevfik Bultan Department of Computer Science University.

Slides:

Advertisements

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Advertisements

A Technique for Parallel Reachability Analysis of Java Programs Raghuraman R. Sridhar Iyer G. Sajith.

Operating Systems: Monitors 1 Monitors (C.A.R. Hoare) higher level construct than semaphores a package of grouped procedures, variables and data i.e. object.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

– R 7 :: 1 – 0024 Spring 2010 Parallel Programming 0024 Recitation Week 7 Spring Semester 2010.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Chapter 6 Process Synchronization Bernard Chen Spring 2007.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Monitors Chapter 7. The semaphore is a low-level primitive because it is unstructured. If we were to build a large system using semaphores alone, the.

Action Language: A Specification Language for Model Checking Reactive Systems Tevfik Bultan Department of Computer Science University of California, Santa.

Infinite State Model Checking with Presburger Arithmetic Constraints Tevfik Bultan Department of Computer Science University of California, Santa Barbara.

5.6 Semaphores Semaphores –Software construct that can be used to enforce mutual exclusion –Contains a protected variable Can be accessed only via wait.

Tools for Specification, Verification, and Synthesis of Concurrency Control Components Tevfik Bultan Department of Computer Science University of California,

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Enhancing The Fault-Tolerance of Nonmasking Programs Sandeep S. Kulkarni and Ali Ebnenasir Software Engineering and Network Systems Laboratory Computer.

Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara

CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:

Reachability Analysis for Some Models of Infinite-State Transition Systems Oscar H. Ibarra, Tevfik Bultan, and Jianwen Su Department of Computer Science.

Integrating Arithmetic Constraint Based Verification and Shape Analysis Tevfik Bultan Joint work with Tuba Yavuz-Kahveci Department of Computer Science.

1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.

Sanjit A. Seshia and Randal E. Bryant Computer Science Department

Synchronization in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

CS533 Concepts of Operating Systems Class 3 Monitors.

Tools for Automated Verification of Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara

Automated Verification of Concurrent Linked Lists with Counters Tuba Yavuz-Kahveci and Tevfik Bultan Department of Computer Science University of California,

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.

Tools for Specification, Verification, and Synthesis of Reactive Systems Tevfik Bultan Department of Computer Science University of California, Santa Barbara.

02/19/2007CSCI 315 Operating Systems Design1 Process Synchronization Notice: The slides for this lecture have been largely based on those accompanying.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

Maria-Cristina Marinescu Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology A Synthesis Algorithm for Modular Design of.

Verification of Parameterized Hierarchical State Machines Using Action Language Verifier Tuba Yavuz-Kahveci Tevfik Bultan University of Florida, Gainesville.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 3: Modular Verification with Magic, Predicate Abstraction.

CS6133 Software Specification and Verification

Semaphores, Locks and Monitors By Samah Ibrahim And Dena Missak.

2/19/20031 Introduction to SMV. 2/19/20032 Useful Links CMU Model checking homepage SMV windows version

CSC321 Concurrent Programming: §5 Monitors 1 Section 5 Monitors.

Concurrency: Mutual Exclusion and Synchronization Chapter 5.

Concurrency: Mutual Exclusion and Synchronization Chapter 5.

ICS 313: Programming Language Theory Chapter 13: Concurrency.

Automatic Derivation, Integration, and Verification of Synchronization Aspects in Object-Oriented Design Methods Principal Investigators Matt Dwyer John.

1 CSEP590 – Model Checking and Automated Verification Lecture outline for August 6, 2003.

CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Examples: Simple BIR-Lite Examples Copyright 2004, Matt Dwyer, John Hatcliff,

Verification & Validation By: Amir Masoud Gharehbaghi

Constraints Assisted Modeling and Validation Presented in CS294-5 (Spring 2007) Thomas Huining Feng Based on: [1]Constraints Assisted Modeling and Validation.

1 Condition Variables CS 241 Prof. Brighten Godfrey March 16, 2012 University of Illinois.

COSC 3407: Operating Systems Lecture 9: Readers-Writers and Language Support for Synchronization.

/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.

Chapter 6 Synchronization Dr. Yingwu Zhu. The Problem with Concurrent Execution Concurrent processes (& threads) often access shared data and resources.

CS 267: Automated Verification Lecture 17: Infinite State Model Checking, Arithmetic Constraints, Action Language Verifier Instructor: Tevfik Bultan.

Formal methods: Lecture

Arithmetic Constraints and Automata

Monitors Chapter 7.

Over-Approximating Boolean Programs with Unbounded Thread Creation

Semaphore Originally called P() and V() wait (S) { while S <= 0

Monitors Chapter 7.

Monitors Chapter 7.

CSE 451 Section 1/27/2000.

Presentation transcript:

Specification, Verification, and Synthesis of Concurrency Control Components Tuba Yavuz-Kahveci Tevfik Bultan Department of Computer Science University of California, Santa Barbara

Problem Concurrent programming is difficult and error prone –Sequential programming: states of the variables –Concurrent programming: states of the variables & processes When there is concurrency, testing is not enough –State space increases exponentially with the number of processes We would like to guarantee certain properties of a concurrent system

Our Approach Specification of the concurrency component –Using Action Language Automated verification –Using an infinite state model checker Action Language Verifier Automated code synthesis –Using a symbolic representation manipulator Composite Symbolic Library

Tools for Specification, Verification, and Synthesis of Concurrent Systems Action Language Specification of the Concurrency Component Action Language Parser Verifier Composite Symbolic Library Code Generator OmegaLibraryCUDDPackage Verified code

Outline Monitors Specification of Monitors –Action Language Verification –Action Language Verifier Code Synthesis Case Study: Airport Ground Traffic Control –Experiments Related Work Conclusions

Concurrency Control with Monitors A set of variables –Modeling shared resources –Cannot be accessed outside of the monitor A set of procedures –Only one can be active at any time Provided my the monitor semantics Synchronization among concurrent processes –Using condition variables

Monitor Basics What happens if a process needs to wait until a condition becomes true? –Create a condition variable that corresponds to that condition Each condition variable has a wait queue –A process waits for a condition in the wait queue of the corresponding condition variable –When a process updates the shared variables that may cause a condition to become true:  it signals the processes in the wait queue of the corresponding condition variable

Monitors Challenges in monitor programming –Condition variables –Wait and signal operations Why not use a single wait queue? –Inefficient: Every waiting process has to wake up when any of the shared variables are updated Even with a few condition variables coordinating wait and signal operations can be difficult –Avoid deadlock –Avoid inefficiency due to unnecessary signaling

Java Monitors A simplified implementation of Hoare monitors –No separate notion of condition variables Can be simulated by objects –Each object associated with a mutual exclusion lock synchronized(o) {…} Synchronized methods wait(), notify(), notifyAll() –Implementing monitors is complicated To implement a monitor as a Java class –Shared resources must be implemented using private fields –All methods can change state of the fields only in synchronized blocks

Outline Monitors Specification of Monitors –Action Language Verification –Action Language Verifier Code Synthesis Case Study: Airport Ground Traffic Control –Experiments Related Work Conclusions

Action Language A state based language –Actions correspond to state changes States correspond to valuations of variables –Integer (possibly unbounded), boolean and enumerated variables –Parameterized constants Transition relation is defined using actions –Atomic actions: Predicates on current and next state variables –Action composition: synchronous (&) or asynchronous (|) Modular –Modules can have submodules CTL properties –Invariant(p) : p always holds –Eventually(p) : p eventually holds

Readers Writers module main() integer nr; boolean busy; restrict: nr>=0; initial: nr=0 and !busy; module Reader() boolean reading; initial: !reading; rEnter: !reading and !busy and nr’=nr+1 and reading’; rExit: reading and !reading’ and nr’=nr-1; Reader: rEnter | rExit; endmodule module Writer()... endmodule main: Reader() | Reader() | Writer() | Writer(); spec: invariant([busy => nr=0]) endmodule S : Cartesian product of variable domains defines variable domains defines the set of states the set of states I : Predicates defining the initial states the initial states R : Atomic actions of the Reader Reader R : Transition relation of Reader defined as asynchronous composition of its atomic actions R : Transition relation of main defined as asynchronous composition of two Reader and two Writer processes P : Temporal property of main module

What About Arbitrary Number of Processes? Use counting abstraction –Create an integer variable for each local state of a process type –Each variable will count the number of processes in a particular state Local states of the process types have to be finite –Specify only the process behavior that relates to the correctness of the monitor –Shared variables of the monitor can be unbounded Counting abstraction can be automated

Readers-Writers Monitor Specification After Counting Abstraction module main() integer nr; boolean busy; parameterized integer numReader, numWriter; restrict: nr>=0 and numReader>=0 and numWriter>=0; initial: nr=0 and !busy; module Reader() integer readingF, readingT; initial: readingF=numReader and readingT=0; rEnter: readingF>0 and !busy and nr’=nr+1 and readingF’=readingF-1 and readingT’=readingT+1; rExit: readingT>0 and nr’=nr-1 and readingT’=readingT-1 and readingF’=readingF+1; Reader: rEnter | rExit; endmodule... main: Reader() | Writer(); spec: invariant([busy => nr=0]) endmodule Parameterized constants representing the number of readers and number of writers Variables for counting the number of processes in specific local states When local state changes, decrement current local state counter and increment next local state counter Initialize initial local state counter by the relevant parameterized constant. Initialize other local states to 0

Outline Monitors Specification of Monitors –Action Language Verification –Action Language Verifier Code Synthesis Case Study: Airport Ground Traffic Control –Experiments Related Work Conclusions

Action Language Verifier An infinite state symbolic model checker Composite representation –uses a disjunctive representation to combine different symbolic representations Computes fixpoints by manipulating formulas in composite representation –Heuristics to ensure convergence Widening & collapsing Loop closure Approximate reachable states

Composite Symbolic Library: Class Diagram CUDD LibraryOMEGA Library Symbolic +intersect() +union() +complement() +isSatisfiable() +isSubset() +bacwardImage() +forwardImage() CompSym –representation: list of comAtom +intersect() + union() BoolSym –representation: BDD +intersect() +union() IntSym –representation: Polyhedra +intersect() +union() compAtom –atom: *Symbolic

Outline Monitors Specification of Monitors –Action Language Verification –Action Language Verifier Code Synthesis Case Study: Airport Ground Traffic Control –Experiments Related Work Conclusions

Synthesizing the Implementation of the Monitor Automated generation of code from the monitor specification –Generate a Java class –Make shared variables private variables –Use synchronization to restrict access Is the generated code efficient? –Yes! –The condition variables can be synthesized automatically –There is no unnecessary thread notification

Naïve Translation: Redundant Signaling Module main() boolean a,b; boolean a,b; initial: a and b; initial: a and b; module SetA() module SetA() SetA: b and a’=true SetA: b and a’=true and b’=false; and b’=false; endmodule endmodule module SetB() module SetB() SetB: a and a’=false SetB: a and a’=false and b’=true; and b’=true; endmodule endmodule main: setA() | setB() main: setA() | setB() …endmodule public class SetAB { private boolean a.b; private boolean a.b; public setAB() { public setAB() { a = true; a = true; b = true; b = true; } public synchronized SetA() { public synchronized SetA() { while (!b) while (!b) try{ wait();} catch(…){..} a = true; a = true; b = false; b = false; notifyAll(); notifyAll(); } public synchronized SetB() { public synchronized SetB() { while (!a) while (!a) try{wait();} catch(…){…} a = false; a = false; b = true; b = true; notifyAll(); notifyAll(); }} Action Language Specification Implementation in Java

Specific Notification Pattern Module main() boolean a,b; boolean a,b; initial: a and b; initial: a and b; module SetA() module SetA() SetA: b and a’=true SetA: b and a’=true and b’=false; and b’=false; endmodule endmodule module SetB() module SetB() SetB: a and a’=false SetB: a and a’=false and b’=true; and b’=true; endmodule endmodule main: setA() | setB() main: setA() | setB() …endmodule Action Language Specification class SetAB { private boolean a.b; private boolean a.b; private Object condA, condB; private Object condA, condB; … private synchronized boolean Guard_SetA() { private synchronized boolean Guard_SetA() { if (b) { a = true; b = false; return true;} if (b) { a = true; b = false; return true;} else return false; else return false; } public void SetA() { public void SetA() { synchronized(condB) { synchronized(condB) { while (!Guard_SetA()) while (!Guard_SetA()) try{ condB.wait(); } catch(…) {…} try{ condB.wait(); } catch(…) {…} } condA.notifyAll(); condA.notifyAll(); } public void SetB() { public void SetB() { synchronized(condA) { synchronized(condA) { while (!Guard_SetB()) while (!Guard_SetB()) try{ condA.wait(); } catch(…) {..} try{ condA.wait(); } catch(…) {..} } condB.notifyAll(); condB.notifyAll(); }} Implementation in Java

Algorithm for Extracting Synchronization Information for each action A do // Does A check any condition? if d s (A)  true then mark A as guarded create condition variable cond A else mark A as unguarded for each action B s.t. A  B do // Can A change the condition B waits on from false to true? if POST(  d s (B),EXP(A))  d s (B)   then add cond B to notification list of A

Readers-Writer Example with Specific Notification Pattern public class ReadersWriters{ private int nr; private boolean busy; private Object rEnterCond, wEnterCond; private synchronized boolean Guard_rEnter() { if (!busy) { nr++; return true; } else return false; } public void rEnter() { synchronized(rEnterCond) { while(!Guard_rEnter()) rEnterCond.wait(); } public void rExit() { synchronized(this) { nr--; } synchronized(wEnterCond) { wEnterCond.notify(); } }... } All condition variables and wait and signal operations are generated automatically

Outline Monitors Specification of Monitors –Action Language Verification –Action Language Verifier Code Synthesis Case Study: Airport Ground Traffic Control –Experiments Related Work Conclusions

Airport Ground Traffic Control [Zhong 97] Modeling of airport operations using an object oriented approach A concurrent program simulating the airport ground traffic control –multiple planes –multiple runways and taxiways Can be used by controllers as advisory input Simulate behavior of each airplane with a thread Use a monitor which keeps track of number of airplanes on each runway and each taxiway

A simplified model of Seattle Tacoma International Airport from [Zhong 97]

Airport Ground Traffic Control Monitor Action Language specification –Has 13 integer variables –Has 4 Boolean variables per arriving airplane process to keep the local state of each airplane –Has 2 Boolean variables per departing airplane process to keep the local state of each airplane Automatically generated monitor class –Has 13 integer variables –Has 14 condition variables –Has 34 procedures

Experiments ProcessesConstruction (sec) Verify-P1 (sec) Verify-P2 (sec) Verify-P3 (sec) A,PD A,PD A,PD A,PD PA,2D PA,4D PA,8D PA,16D PA,PD A: Arriving Airplane D: Departing Airplane P: Arbitrary number of processes

Related Work: [Demartini et al., 99], [Corbett et al., 00], [Havelund et al., 00] –Extracting compact models from the implementation Employing techniques such as slicing and abstraction –Automated verification of the model Finite state model checker Explicit state model checking techniques

Related Work: [Mizuno-99] Given a concurrency problem and a global invariant –Provides a course-grain solution or Translates the course-grain solution to a Java program –Using Specific Notification Pattern Creates a separate condition variable c B for each guard B When S may change B to true c B is signaled –Preserving the global invariant Not automated

Related Work [Deng et al., 02] Extends and automates Mizuno’s approach Synthesizes the code from a global invariant: –A logic formula Uses a decision procedure –A pattern specification Bound, Exclusion, Resource, Barrier, Relay, and Group Automatically verifies –synthesized synchronization code + functional application code –Uses a finite state model checker

Conclusions and Future Work We can automatically verify and synthesize nontrivial monitors in Java Our tools can deal with boolean, enumerated and (unbounded) integer variables What about recursive data types? –shape analysis –[SAS’02] Verification of Concurrent Linked Lists

Readers Writers Monitor in Action Language module main() integer nr; boolean busy; restrict: nr>=0; initial: nr=0 and !busy; module Reader() boolean reading; initial: !reading; rEnter: !reading and !busy and nr’=nr+1 and reading’; rExit: reading and !reading’ and nr’=nr-1; Reader: rEnter | rExit; endmodule module Writer() boolean writing; initial: !writing; wEnter: !writing and nr=0 and !busy and busy’ and writing’; wExit: writing and !writing’ and !busy’; Writer: wEnter | wExit; endmodule main: Reader() | Reader() | Writer() | Writer(); spec: invariant([busy => nr=0]) endmodule

Action Language Verifier An infinite state symbolic model checker Uses composite symbolic representation to encode a system defined by (S,I,R) –S: set of states, I: set if initial states, R: transition relation Maps each variable type to a symbolic representation type –Maps boolean and enumerated types to BDD representation –Maps integer type to arithmetic constraint representation Uses a disjunctive representation to combine symbolic representations –Each disjunct is a conjunction of formulas represented by different symbolic representations

Temporal Properties  Fixpoints Invariant(p) pppp Initialstates initial states that violate Invariant(p) Backwardfixpoint Forwardfixpoint Initialstates states that can reach  p i.e., states that violate Invariant(p) reachable states of the system pppp backwardImage of  p of  p reachable states that violate p forward image of initial states

Control Logic An airplane can land using 16R only if no airplane is using 16R at the moment An airplane can takeoff using 16L only if no airplane is using 16L at the moment An airplane taxiing on one of the exits C3-C8 can cross runway 16L only if no airplane is taking off at the moment An airplane can start using 16L for taking off only if none of the crossing exits C3-C8 is occupied at the moment (arriving airplanes have higher priority) Only one airplane can use a taxiway at a time

Synchronization Among Processes condA signal Ready Queue Executing Process Process k wait Waiting Queue Process i Process m Process k Process i Process k