A Calculus of Atomic Actions Tayfun Elmas, Shaz Qadeer and Serdar Tasiran POPL ‘09 236825 – Seminar in Distributed Algorithms Cynthia Disenfeld 27/05/2013.

Slides:

Advertisements

Similar presentations

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,

Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

The many faces of TM Tim Harris. Granularity Distributed, large-scale atomic actions Composable shared memory data structures Leaf shared memory data.

QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.

Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.

Hongjin Liang and Xinyu Feng

Technology from seed Automatic Equivalence Checking of UF+IA Programs Nuno Lopes and José Monteiro.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

(C) 2001 Daniel Sorin Correctly Implementing Value Prediction in Microprocessors that Support Multithreading or Multiprocessing Milo M.K. Martin, Daniel.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Toward Efficient Support for Multithreaded MPI Communication Pavan Balaji 1, Darius Buntinas 1, David Goodell 1, William Gropp 2, and Rajeev Thakur 1 1.

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Verifying Concurrent Programs with Relaxed Conflict Detection Tayfun Elmas, Ismail Kuru, Serdar Taşıran, Omer Subasi Koç University Istanbul, Turkey.

Generalizing Reduction and Abstraction to Simplify Concurrent Programs: The QED Approach Shaz Qadeer Microsoft Research Redmond, WA Serdar Taşıran Serdar.

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

Verification of Hierarchical Cache Coherence Protocols for Future Processors Student: Xiaofang Chen Advisor: Ganesh Gopalakrishnan.

Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.

C. Flanagan1Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomicity for Reliable Concurrent Software Joint work with Stephen Freund Shaz.

Calvinism A static analysis for multithreaded program verification.

4/17/2017 Section 3.6 Program Correctness ch3.6.

1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.

Thread-Modular Verification Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund.

Comparison Under Abstraction for Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom RepsEran Yahav Tel Aviv UniversityUniversity of Wisconsin.

ECI 2007: Specification and Verification of Object- Oriented Programs Lecture 0.

Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

© 2007 GrammaTech, Inc. All rights reserved GrammaTech, Inc. 317 N Aurora St. Ithaca, NY Tel: Verifying.

C. FlanaganType Systems for Multithreaded Software1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research.

Compositional Verification of Termination-Preserving Refinement of Concurrent Programs Hongjin Liang Univ. of Science and Technology of China (USTC) Joint.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

CSE 755, part3 Axiomatic Semantics Will consider axiomatic semantics (A.S.) of IMP: ::=skip | | | | ; | | Only integer vars; no procedures/fns; vars declared.

Runtime Refinement Checking of Concurrent Data Structures (the VYRD project) Serdar Tasiran Koç University, Istanbul, Turkey Shaz Qadeer Microsoft Research,

Verifying Concurrent Programs with Relaxed Conflict Detection Tayfun Elmas, Ismail Kuru, Serdar Taşıran, Omer Subasi Koç University Istanbul, Turkey.

CS 363 Comparative Programming Languages Semantics.

COMP 111 Threads and concurrency Sept 28, Tufts University Computer Science2 Who is this guy? I am not Prof. Couch Obvious? Sam Guyer New assistant.

Verification of obstruction-free algorithm with contention management Niloufar Shafiei.

11/18/20151 Operating Systems Design (CS 423) Elsa L Gunter 2112 SC, UIUC Based on slides by Roy Campbell, Sam.

1 Lock-Free concurrent algorithm for Linked lists: Verification CSE-COSC6490A : Concurrent Object-Oriented Languages York University - W09 Speaker: Alexandre.

Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.

Concurrent Linked Lists and Linearizability Proofs Companion slides for The Art of Multiprocessor Programming by Maurice Herlihy & Nir Shavit Modified.

Wait-Free Multi-Word Compare- And-Swap using Greedy Helping and Grabbing Håkan Sundell PDPTA 2009.

Automated and Modular Refinement Reasoning for Concurrent Programs Shaz Qadeer.

Program Logic for Concurrency Refinement Verification Xinyu Feng University of Science and Technology of China Joint work with Hongjin Liang (USTC) and.

Compositionality Entails Sequentializability Pranav Garg, P. Madhusudan University of Illinois at Urbana-Champaign.

Understanding ADTs CSE 331 University of Washington.

Verification of Behavioral Consistency in C by Using Symbolic Simulation and Program Slicer Takeshi Matsumoto Thanyapat Sakunkonchak Hiroshi Saito Masahiro.

/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.

Verifying Transactional Programs with Programmer-Defined Conflict Detection Omer Subasi, Serdar Tasiran (Koç University) Tim Harris (Microsoft Research)

Agenda  Quick Review  Finish Introduction  Java Threads.

Simplifying Linearizability Proofs Using Reduction and Abstraction Serdar Tasiran Koc University, Istanbul, Turkey Tayfun Elmas, Ali Sezgin, Omer Subasi.

A Calculus of Atomic Actions Serdar Tasiran Koc University, Istanbul, Turkey Tayfun ElmasShaz Qadeer Koc University Microsoft Research.

11/22/2016IT 3271 A formal system:Axioms and Rules, for inferring valid specification x := m; y := n; while ¬(x=y) do if x>y then x := x-y else y := y-x.

Healing Data Races On-The-Fly

Håkan Sundell Philippas Tsigas

Threads Cannot Be Implemented As a Library

Automating Induction for Solving Horn Clauses

Verification of Concurrent Programs

Threads and Memory Models Hal Perkins Autumn 2011

Atomicity in Multithreaded Software

Over-Approximating Boolean Programs with Unbounded Thread Creation

Threads and Memory Models Hal Perkins Autumn 2009

A Refinement Calculus for Promela

CSE 153 Design of Operating Systems Winter 19

COP4020 Programming Languages

Presentation transcript:

A Calculus of Atomic Actions Tayfun Elmas, Shaz Qadeer and Serdar Tasiran POPL ‘ – Seminar in Distributed Algorithms Cynthia Disenfeld 27/05/2013 *Some slides are based on those of the authors

Goal Statically verifying (partial) correctness of shared-memory multithreaded programs Difficult: understand thread-interaction + shared memory Single-thread programs: pre/post conditions, loop invariants Multithreaded programs: consider the effect of all thread-interleavings (e.g. Owicki-Gries)

Approach (Sound) program transformations ◦ Abstraction ◦ Reduction Invariant strengthening

Outline Motivating examples Approach – Soundness Reduction Abstraction Borrowing assertions Tactics Experience / Conclusions

Motivating examples void inc() { int t; acquire(lock); t := x; t := t+1; x := t; release(lock); } void inc() { int t; [havoc t; x := x+1;] } Lock-based atomic increment

Motivating examples void inc() { int t; while(true){ t := x; if (CAS(x,t,t+1) break; } void inc() { int t; while(*){ t := x; assume x!=t; } t := x; [assume x==t; x := t+1]; } Lock-free atomic increment * Transformation from Flanagan et al.[2005]

Motivating examples void inc() { int t; while(*){ t := x; assume x!=t; } t := x; [assume x==t; x := t+1]; } void inc() { int t; while (*) { havoc t; skip; } havoc t; [assume x==t; x := t+1]; } Lock-free atomic increment

Motivating examples void inc() { int t; while (*) { havoc t; skip; } havoc t; [assume x==t; x := t+1]; } void inc() { int t; havoc t; havoc t; [assume x==t; x := t+1]; } Lock-free atomic increment void inc() { int t; [havoc t; x := x+1]; }

Motivating examples void add(int n){ while (0<n) { inc() n := n-1; } void add(int n){ while (0<n){ [x := x+1] n := n-1; } Client of inc void add(int n){ [assert 0<=n; x := x+n; n := 0]; }

Outline Motivating examples Approach – Soundness Reduction Abstraction Borrowing assertions Tactics Experience / Conclusions

QED approach ProgramInvariant Fine-grained concurrency Hard to prove! Invariant = True Coarse-grained concurrency Easy to prove Proof step If the original program may fail the new program may fail

Soundness For all If then exists or

Soundness For each proof step Proof steps: Invariant strengthening Reduction: build more coarse-grained atomic blocks Abstraction: add (possibly failing) behaviors

Outline Motivating examples Approach – Soundness Reduction Abstraction Borrowing assertions Tactics Experience / Conclusions

Reduction inc() { int t; acquire(lock); t := x; t := t+1; x := t; release(lock); } main() { x := 0; inc(); || inc(); assert(x==2); }

Reduction inc() { int t; acquire(lock); R t := x; B t := t+1; B x := t; B release(lock); L } inc() { int t; acquire(lock); t := x; t := t+1; x := t; release(lock); } inc() x := x+1 REDUCE-SEQUENTIAL Right Mover

Reduction main() { x := 0; inc(); || inc(); assert(x==2); } main() { x := 0; B x := x+1; || x := x+1; B assert(x==2); } main() { x := 0; x := x+1; assert(x==2); } INLINE-CALL REDUCE-PARALLEL

Static mover check Check using the current invariant if they access different variables, or are not enabled at the same time Each statement consists of: when can it be applied? how is the state changed?

Outline Motivating examples Approach – Soundness Reduction Abstraction Borrowing assertions Tactics Experience / Conclusions

Abstraction rule Replace with if For all If then exists or

Abstraction void inc() { int t; while(*){ t := x; assume x!=t; } t := x; [assume x==t; x := t+1]; } void inc() { int t; while (*) { havoc t; skip; } havoc t; [assume x==t; x := t+1]; } SIMULATE Then, we can reduce havoc t + skip while (*){…}  havoc t

Abstraction Adding non-determinism ◦ Guards  if(*) ◦ t := x  havoc t ◦ assume …  skip Adding behaviors that may go wrong ◦ x := x+1  if (x==0) fail; x := x+1 ◦ y := y-x  assert (y>x); y := y-x

Outline Motivating examples Approach – Soundness Reduction Abstraction Borrowing assertions Tactics Experience / Conclusions

Example – Sorted linked list Hand-over-hand locking Find, insert, delete Local assertions Class invariant Atomic  easy! But… implementation with fine-grained locking

Insert(5)

Insert(x) p := find(x); //locks p n := p.next; t := new Node(); t.val := x; t.next := n; p.next := t; assert (p, t, n sorted); //they are linked as they should and their values have increasing order UNLOCK(p);

Insert(x) invariant: list is sorted p := find(x); n := p.next; t := new Node(); t.val := x; t.next := n; p.next := t; assert (p, t, n sorted); UNLOCK(p); p.val and p.next are not affected by other threads t.val and t.next are not affected by other threads

Proof p := find(x); n := p.next; t := new Node(); t.val := x; t.next := n; p.next := t; assert (p, t, n sorted); UNLOCK(p); find appropriate p LOCK(p) n := p.next; t := new Node(); R t.val := x; t.next := n; p.next := t; assert (p, t, n sorted); UNLOCK(p); L

Proof find appropriate p LOCK(p) n := p.next; t := new Node(); R t.val := x; t.next := n; p.next := t; assert (p, t, n sorted); UNLOCK(p); L find appropriate p LOCK(p) n := p.next; t := new Node(); t.val := x; t.next := n; p.next := t; assert (p, t, n sorted); UNLOCK(p); how to continue?

Apparent interference p.next := t; n := p.next; Thread AThread B

Apparent interference p.next := t; n := p.next; Thread AThread B But: both p’s are locked!

Ruling out interference - 1 assert owner[p]==A p.next := t; assert owner[p]==A p.next := t; assert owner[p]==B n := p.next; assert owner[p]==B n := p.next; Thread AThread B

Ruling out interference - 2 assert !inList[t] t.next := n; assert !inList[t] t.next := n; assert inList[p] n := p.next; assert inList[p] n := p.next; Thread AThread B

Reduction after abstraction find appropriate p LOCK(p) assert inList[p]&&owner[p]==tid n := p.next; t := new Node(); t.val := x; assert !inList[t] t.next := n; assert inList[p]&&owner[p]==tid p.next := t; assert (p, t, n sorted); assert owner[p]==tid UNLOCK(p); find appropriate p LOCK(p) assert inList[p]&&owner[p]==tid n := p.next; t := new Node(); t.val := x; assert !inList[t] t.next := n; assert inList[p]&&owner[p]==tid p.next := t; assert (p, t, n sorted); assert owner[p]==tid UNLOCK(p);

Borrowed assertions find appropriate p LOCK(p) assert inList[p]&&owner[p]==tid n := p.next; t := new Node(); t.val := x; assert !inList[t] t.next := n; assert inList[p]&&owner[p]==tid p.next := t; assert (p, t, n sorted); assert owner[p]==tid UNLOCK(p); find appropriate p LOCK(p) assert inList[p]&&owner[p]==tid n := p.next; t := new Node(); t.val := x; assert !inList[t] t.next := n; assert inList[p]&&owner[p]==tid p.next := t; assert (p, t, n sorted); assert owner[p]==tid UNLOCK(p);

Completing the proof find appropriate p LOCK(p) n := p.next; t := new Node(); t.val := x; t.next := n; p.next := t; assert (p, t, n sorted); UNLOCK(p); Invariant : List is sorted

Outline Motivating examples Approach – Soundness Reduction Abstraction Borrowing assertions Tactics Experience / Conclusions

Tactics High-level strategies  multiple rule proofs ◦ abstract from a read, write ◦ add invariants ◦ synchronization mechanisms

inc() { int t; acquire(lock); t := x; t := t+1; x := t; release(lock); } Example acquire(lock) { assume lock==false; lock := true; } release(lock) { lock := false; } mutex P, x 1, …, x n mutex (lock==true), x

Tactic - mutex inc() { int t; acquire(lock); a=tid; t := x; t := t+1; x := t; release(lock); a=0; } AUX-ANNOTATE Invariant: lock==true iff a !=0

Tactic - mutex inc() { int t; acquire(lock); a=tid; t := x; t := t+1; x := t; release(lock); a=0; } SIMULATE inc() { int t; acquire(lock); a=tid; assert a==tid;t := x; t := t+1; assert a==tid;x := t; assert a==tid; release(lock); a=0; }

Tactic - mutex inc() { int t; acquire(lock); a=tid; R assert a==tid;t := x; B t := t+1; B assert a==tid;x := t; B assert a==tid; release(lock); a=0; L }

Tactic - mutex REDUCE & RELAX inc() { int t; acquire(lock); a=tid; assert a==tid; t := x; t := t+1; assert a==tid; x := t; assert a==tid; release(lock); a=0; }

Outline Motivating examples Approach – Soundness Reduction Abstraction Borrowing assertions Tactics Experience / Conclusions

Experience Implementation ◦ Boogie + parallel composition ◦ Verification conditions for validity of each step: Z3 SMT Solver Benchmarks  without complicated global invariants Fine-grained locking ◦ Multiset ◦ Hand-over-hand locking Non-blocking algorithms

Future work More tactics More synchronization mechanisms C / Spec# Larger verification problems

Conclusions A formal and sound proof calculus for atomicity was presented Abstraction helps applying reduction and the other way around Assertions can be added and checked only later The program is simplified by obtaining coarser atomic actions Tactics can be defined to represent different synchronization mechanisms