Presentation is loading. Please wait.

Presentation is loading. Please wait.

Abstraction-Guided Synthesis

Published byDewi Sudjarwadi Modified over 5 years ago

Similar presentations

Presentation on theme: "Abstraction-Guided Synthesis"— Presentation transcript:

1 Abstraction-Guided Synthesis
Eran Yahav Technion Joint work with Martin Vechev, Greta Yorsh, Michael Kuperstein, Veselyn Raychev

2 Verification with Abstraction
P  S ?

3 Now what? P ’ S Refine the abstraction P  S

4 Alternatively… P ’ S’ Relax the specification (but to what?) P  S

5 Alternatively… P’ ’ S Change the program P  S

6 Focus on Program Modification
Given a program P, specification S, and an abstraction  such that P  S find a modified program P’ such that P’  S how? some hope for equivalent programs or restricted programs Semantic preserving compiler transformations But changing a program to add new legal behaviors is hard program restriction natural in concurrent programs reducing permitted schedules

7 Restriction of Concurrent Programs
Restrict permitted schedules by adding synchronization Synchronization primitives Atomic sections Conditional critical region (CCR) Barriers Memory barriers (fences) Semaphores Monitors Locks ....

8 Example: Correct and Efficient Synchronization with Atomic Sections
Boids simulation Craig Reynolds in 1986 Sequential implementation by Paul Richmond (U. of Sheffield) Global state contains shared array of Boid locations N Boids

9 Boids Simulation Generate initial locations Spawn N Boid Tasks
Shared Memory (Global State) Locations of N Boids Main task Boid task Generate initial locations Spawn N Boid Tasks While (true) { Read locations of all boids Render boids } While (true) { Read locations of other boids Compute new location Update my location } atomic atomic

10 Specification (for now): guarantee conflict-freedom
Boid Task Boid task pid=2 Boid task pid=3 Read locations of other boids Read locations of other boids Update my location Update my location pid=2 Conflict: two threads are enabled to access the same memory location and (at least) one of these accesses is a write Specification (for now): guarantee conflict-freedom

11 Challenge Find minimal synchronization that makes the program satisfy the specification Avoid all bad schedules while permitting as many good schedules as possible Assumption: we can prove that serial executions satisfy the specification Interested in bad behaviors due to concurrency Handle infinite-state programs

12 Abstraction-Guided Synthesis of Synchronization
Synthesis of synchronization via abstract interpretation Compute over-approximation of all possible program executions Add minimal synchronization to avoid (over-approximation of) bad schedules Interplay between abstraction and synchronization Finer abstraction may enable finer synchronization Coarse synchronization may enable coarser abstraction

13 A Standard Approach: Abstraction Refinement
program Valid specification Abstract counter example Verify abstraction Abstract counter example Abstraction Refinement Change the abstraction to match the program

14 Abstraction-Guided Synthesis [VYY-POPL’10]
program P’ Program Restriction Implement specification Abstract counter example Verify Notes: Should say here --- could have many solutions, implement is picking one based on quantitative criterion Constraint captures changes to the program execution --- what is permitted during program execution abstraction Abstract counter example Abstraction Refinement Change the program to match the abstraction

15 AGS Algorithm – High Level
Input: Program P, Specification S, Abstraction  Output: Program P’ satisfying S under   = true while(true) { BadTraces = { |   (P  ) and   S } if (BadTraces is empty) return implement(P,) select   BadTraces if (?) {  = avoid() if (  false)  =    else abort } else { ’ = refine(, ) if (’ )  = ’ }

16 Avoid and Implement Desired output – program satisfying the spec
Implementability guides the choice of constraint language Examples Atomic sections [POPL’10] Conditional critical regions (CCRs) [TACAS’09] Memory fences (for relaxed memory models) [FMCAD’10 + PLDI’11] Barriers

17 Avoiding a schedule with atomic sections
Adding atomicity constraints Atomicity predicate [l1,l2] –statements at l1 and l2 must execute together atomically avoid() A disjunction of all possible atomicity predicates that would prevent  avoid() = { [lbl(i),lbl(j)] | 0  i  ||, j > i + 1. tid(i) = tid(j) s.t. k.i < k < j, tid(i)tid(k) } Ability to eliminate a single trace

18 Avoid with atomicity constraints
1,1 Thread A A1 A2 Thread B B1 B2 A1 B1 2,1 1,2  = A1 B1 A2 B2 A2 B1 A1 B2 avoid() = [A1,A2]  [B1,B2] 2,2 1,3 3,1 A2 B2 A1 B1 3,2 2,3 B2 A2 3,3

19 Avoid and abstraction  = avoid()
Enforcing  avoids any abstract trace ’ such that ’   Potentially avoiding “good traces” as well

20 Example Initially x = z = 0 Every single statement is atomic
1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 } Initially x = z = 0 Every single statement is atomic f(x) is atomic

21 Example: Concrete Values
y1 6 5 x += z; x += z; z++;z++;y1=f(x);y2=x;assert  y1=5,y2=0 4 3 2 z++; x+=z; y1=f(x); z++; x+=z; y2=x;assert  y1=3,y2=3 1 1 2 3 4 y2 Concrete values T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 }

22 Example: Parity Abstraction
2 3 1 4 5 6 y2 y1 6 5 4 3 2 1 1 2 3 4 y2 Concrete values Parity abstraction (even/odd) x += z; x += z; z++;z++;y1=f(x);y2=x;assert  y1=Odd,y2=Even T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 }

23 Example: Avoiding Bad Interleavings
z++  = true while(true) { BadTraces={|(P  ) and   S } if (BadTraces is empty) return implement(P,) select   BadTraces if (?) {  =   avoid() } else {  = refine(, ) } z++ avoid(1) = [z++,z++]  = true  = [z++,z++]

24 Example: Avoiding Bad Interleavings
 = true while(true) { BadTraces={|(P  ) and   S } if (BadTraces is empty) return implement(P,) select   BadTraces if (?) {  =   avoid() } else {  = refine(, ) } x+=z x+=z avoid(2) =[x+=z,x+=z]  = [z++,z++][x+=z,x+=z]  = [z++,z++]

25 Example: Avoiding Bad Interleavings
1: x += z 2: x += z  = true while(true) { BadTraces={|(P  ) and   S } if (BadTraces is empty) return implement(P,) select   BadTraces if (?) {  =   avoid() } else {  = refine(, ) } T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)  = [z++,z++][x+=z,x+=z]

26 Example: Avoiding Bad Interleavings
parity parity parity 2 3 1 4 5 6 y2 y1 1 2 3 4 5 6 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 6 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 5 4 3 2 1 1 2 3 4 But we can also change the abstraction…

27        parity parity parity 2 3 1 4 5 6 1 2 3 4 5 6 6 5 4 3 2 1
2 3 1 4 5 6 y2 y1 1 2 3 4 5 6 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 6 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 5 4 3 2 1 1 2 3 4 (a) (b) (c) interval interval 6 1 2 3 4 5 6 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 5 4 3 2 1 1 2 3 4 (d) (e) octagon octagon 6 1 2 3 4 5 6 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 5 4 3 2 1 1 2 3 4 (f) (g)

28 Multiple Solutions Performance: smallest atomic sections
Interval abstraction for our example produces the atomicity constraint: ([x+=z,x+=z] ∨ [z++,z++]) ∧ ([y1=f(x),y2=x] ∨ [x+=z,x+=z] ∨ [z++,z++]) Minimal satisfying assignments 1 = [z++,z++] 2 = [x+=z,x+=z]

29 AGS Algorithm – More Details
Forward Abstract Interpretation, taking  into account for pruning infeasible interleavings Input: Program P, Specification S, Abstraction  Output: Program P’ satisfying S under   = true while(true) { BadTraces = { |   (P  ) and   S } if (BadTraces is empty) return implement(P,) select   BadTraces if (?) {  = avoid() if (  false)  =    else abort } else { ’ = refine(, ) if (’ )  = ’ } Order of selection matters Choosing between abstraction refinement and program restriction not always possible to refine/avoid may try and backtrack Backward exploration of invalid Interleavings using  to prune infeasible interleavings. Up to this point did not commit to a synchronization mechanism Notes: In general, both “avoid” and “implement” are pluggable procedures Language of constraints may need to be adapted though

30 Implementability Separation between schedule constraints and how they are realized Can realize in program: atomic sections, locks,… Can realize in scheduler: benevolent scheduler T1 1: while(*) { 2: x++ 3: x++ 4: } T2 1: assert (x != 1) No program transformations (e.g., loop unrolling) Memoryless strategy

31 TEMP Abstractions Synchronization mechanisms
Modular synthesis algorithm

32 AGS with guarded commands
Implementation mechanism: conditional critical region (CCR) Constraint language: Boolean combinations of equalities over variables (x == c) Abstraction: what variables a guard can observe guard  stmt

33 Avoiding a transition using a guard
x=1, y=1, z=0 y=x+1 z=y+1 s2 s3 x=1, y=2, z=0 x=1, y=1, z=2 Add guard to z = y+1 to prevent execution from state s1 Guard for s1 : (x  1  y  1  z  0) Can affect other transitions where z = y+1 is executed

34 Example: full observability
1: x = z + 1 T2 1: y = x + 1 T3 1: z = y + 1 Specification: (y = 2  z = 1) No Stuck States Spec is a global invariant. Abstraction: { x, y, z }

35 Build Transition System
1,1,1 0,0,0 X Y Z PC1 PC2 PC3 legend 1,1,1 0,0,0 y=x+1 z=y+1 x=z+1 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 y=x+1 z=y+1 z=y+1 y=x+1 x=z+1 x=z+1 e,e,1 1,2,0 Say what are the contents of the circles. e,1,e 1,0,1 e,e,1 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 z=y+1 y=x+1 y=x+1 z=y+1 x=z+1 x=z+1 e,e,e1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e3,1,2 e,e,e,2,3,1 e,e,e2,1,1 35

36 Avoid transition 1,1,1 0,0,0 y=x+1 z=y+1 x=z+1 e,1,1 1,0,0 1,e,1 0,1,0
e,e,e1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e3,1,2 e,e,e,2,3,1 e,e,e2,1,1 36

37  Result is valid Correct and Maximally Permissive 1,1,1 0,0,0
x1  y0  z0  y=x+1 z=y+1 x=z+1 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 x1  y0  z0  y=x+1 x1  y0  z0  z=y+1 z=y+1 y=x+1 x=z+1 x=z+1 e,e,1 1,2,0 e,1,e 1,0,1 e,e,1 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 x1  y0  z0  x1  y0  z0  z=y+1 y=x+1 y=x+1 z=y+1 x=z+1 x=z+1 e,e,e1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e3,1,2 e,e,e,2,3,1 e,e,e2,1,1 37

38 Resulting program T1 1: x = z + 1 T2 1: y = x + 1 T3 1: z = y + 1
Specification: Abstraction: (y = 2  z = 1) No Stuck States { x, y, z } Spec is a global invariant. T1 1: x = z + 1 T2 1: y = x + 1 T3 1: (x  1  y  0  z  0) z = y + 1

39 Example: limited observability
1: x = z + 1 T2 1: y = x + 1 T3 1: z = y + 1 Specification: (y = 2  z = 1) No Stuck States Spec is a global invariant. Abstraction: { x, z }

40 Build transition system
1,1,1 0,0,0 X Y Z PC1 PC2 PC3 legend 1,1,1 0,0,0 y=x+1 z=y+1 x=z+1 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 y=x+1 z=y+1 z=y+1 y=x+1 x=z+1 x=z+1 e,e,1 1,2,0 e,1,e 1,0,1 e,e,1 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 z=y+1 y=x+1 y=x+1 z=y+1 x=z+1 x=z+1 e,e,e1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e3,1,2 e,e,e,2,3,1 e,e,e2,1,1 40

41 Avoid bad state 1,1,1 0,0,0 y=x+1 z=y+1 x=z+1 e,1,1 1,0,0 1,e,1 0,1,0
e,e,e1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e3,1,2 e,e,e,2,3,1 e,e,e2,1,1 41

42 Select all equivalent transitions
1,1,1 0,0,0 y=x+1 z=y+1 x=z+1 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 y=x+1 z=y+1 z=y+1 y=x+1 x=z+1 x=z+1 e,e,1 1,2,0 e,1,e 1,0,1 e,e,1 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 z=y+1 y=x+1 y=x+1 z=y+1 x=z+1 x=z+1 e,e,e1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e3,1,2 e,e,e,2,3,1 e,e,e2,1,1 Implementability 42

43 Result has stuck states
1,1,1 0,0,0 x1  z0  y=x+1 z=y+1 x=z+1 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 x1  z0  x1  z0  y=x+1 z=y+1 z=y+1 y=x+1 x=z+1 x=z+1 e,e,1 1,2,0 e,1,e 1,0,1 e,e,1 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 x1  z0  z=y+1 y=x+1 y=x+1 z=y+1 x=z+1 x=z+1 e,e,e1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e3,1,2 e,e,e,2,3,1 e,e,e2,1,1 side-effects 43

44 Select transition to remove
1,1,1 0,0,0 x1  z0  y=x+1 z=y+1 x=z+1 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 x1  z0  x1  z0  y=x+1 z=y+1 z=y+1 y=x+1 x=z+1 x=z+1 e,e,1 1,2,0 e,1,e 1,0,1 e,e,1 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 x  1  z  0  z=y+1 y=x+1 y=x+1 z=y+1 x=z+1 x=z+1 e,e,e1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e3,1,2 e,e,e,2,3,1 e,e,e2,1,1 44

45  Result is valid Correct and Maximally Permissive 1,1,1 0,0,0
x  1  z  0  x0  z0  y=x+1 z=y+1 x=z+1 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 x1  z0  x  1  z  0  y=x+1 x  0  z  0 z=y+1 z=y+1 x0  z0  y=x+1 x=z+1 x=z+1 e,e,3 1,2,0 e,2,e 1,0,1 e,e,3 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 x1  z0  x1  z0  x  0  z  0  x0  z0  z=y+1 y=x+1 y=x+1 z=y+1 x=z+1 x=z+1 e,e,e1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e3,1,2 e,e,e,2,3,1 e,e,e2,1,1

46 Resulting program T1 1: x = z + 1 T2 1: y = x + 1 T3 1: z = y + 1
Specification: Abstraction: ! (y = 2 && z = 1) No Stuck States { x, z } Spec is a global invariant. T1 1: (x  0  z  0) x = z + 1 T2 1: y = x + 1 T3 1: (x  1  z  0)  z = y + 1

47         T1 x = z + 1 T2 y = x + 1 T3 (x  1) z = y + 1 T1
(x  0) x = z + 1 T2 y = x + 1 T3 (x  1) z = y + 1 T1 x = z + 1 T2 y = x + 1 T3 z = y + 1 { x,z } T1 x = z + 1 T2 y = x + 1 T3 z = y + 1 T1 x = z + 1 T2 y = x + 1 T3 (x  1  z  0)  z = y + 1 T1 (x  0  z  0) x = z + 1 T2 y = x + 1 T3 (x  1  z  0)  z = y + 1 { x,y,z } T1 x = z + 1 T2 y = x + 1 T3 z = y + 1 T1 x = z + 1 T2 y = x + 1 T3 (x  1  y  0  z  0) z = y + 1

48 AGS with memory fences Avoidable transition more tricky to define
Operational semantics of weak memory models Special abstraction required to deal with potentially unbounded store-buffers Even for finite-state programs Informally “finer abstraction = fewer fences”

49 Synthesis Results Mostly mutual exclusion primitives
Different variations of the abstraction Program FD k=0 FD k=1 PD k=0 PD k=1 PD k=2 Sense0 Pet0 Dek0 Lam0 T/O Fast0 Fast1a Fast1b Fast1c FD can not handle Lam0, Fas0, Fast1c. PD can handle Lam0 and Fast0 partially, and Fast1c fully.

50 Chase-Lev Work-Stealing Queue
1 int take() { long b = bottom – 1; item_t * q = wsq; bottom = b fence(“store-load”); long t = top if (b < t) { bottom = t; return EMPTY; } task = q->ap[b % q->size]; if (b > t) return task if (!CAS(&top, t, t+1)) bottom = t + 1; return task; 1 void push(int task) { long b = bottom; long t = top; item_t * q = wsq; if (b – t >= q->size – 1) { wsq = expand(); q = wsq; } q->ap[b % q->size] = task; fence(“store-store”); bottom = b + 1; 1 int steal() { long t = top; fence(“load-load”); long b = bottom; item_t * q = wsq; if (t >= b) return EMPTY; task = q->ap[t % q->size]; fence(“load-store”); if (!CAS(&top, t, t+1)) return ABORT; return task; } item_t* expand() { int newsize = wsq->size * 2; int* newitems = (int *) malloc(newsize*sizeof(int)); item_t *newq = (item_t *)malloc(sizeof(item_t)); for (long i = top; i < bottom; i++) { newitems[i % newsize] = wsq->ap[i % wsq->size]; } newq->size = newsize; newq->ap = newitems; fence("store-store"); wsq = newq; return newq; Chase-Lev queue Specification: no lost items, no phantom items, memory safety

51 Some AGS instances … Avoid Implementation Mechanism
Abstraction Space (examples) Reference Context switch Atomic sections Numerical abstractions [POPL’10] Transition Conditional critical regions (CCRs) Observability [TACAS’09] Intra-thread ordering Memory fences Partial-Coherence abstractions for Store buffers [FMCAD’10] [PLDI’11] inter-thread ordering Synch barriers [in progress]

52 Back to Boids With synchronization barriers
Numerical abstractions for tracking array indices Establishing conflict-freedom of array accesses that may happen in parallel Computing forces can be done in parallel Different Boids write to disjoint parts of the array

53 Boids Main Task Generate initial locations Spawn N Boid Tasks
Generate initial locations Spawn N Boid Tasks While (true) { Wait on display-barrier Read locations of all boids Render boids }

54 Boid Task While (true) { Read locations of other boids
Read locations of other boids Wait on message-barrier Compute “forces” Update my location Wait on display-barrier }

55 General Setting Revisited
program P’ Program Restriction Implement specification Abstract counter example S’ Verify Spec Weakening Notes: Should say here --- could have many solutions, implement is picking one based on quantitative criterion Constraint captures changes to the program execution --- what is permitted during program execution abstraction Abstract counter example Abstraction Refinement Change the specification to match the abstraction

56 Summary An algorithm for Abstraction-Guided Synthesis
Synthesize efficient and correct synchronization Handles infinite-state systems based on abstract interpretation Refine the abstraction and/or restrict program behavior Interplay between abstraction and synchronization Quantitative Synthesis Separate characterization of solution from choosing optimal solutions (e.g., smallest atomic sections)

57 Invited Questions What about other synchronization mechanisms?
Why not start from the most constrained program and work downwards (relaxing constraints)? Can’t you solve the problem purely by brute force search of all atomic section placements? Why are you enumerating traces? Can’t you compute your solution via state-based semantics? Why use only a single CEX at a time? Could use information about the whole (abstract) transition system? How is this related to supervisor synthesis?

58 “Don't answer the question you were asked
“Don't answer the question you were asked. Answer the question you wish you were asked.” -- Robert McNamara

59 Verification Challenge
? P  S

60

61 division by zero seems possible
Example int x, y, sign; x = ?; if (x<0) { sign = -1; } else { sign = 1; } y = x/sign; x  [-, ], sign   x  [-, -1], sign  [-1, -1] x  [0, ], sign  [1, 1] 0 [-1,1] division by zero seems possible P  S x  [-, ], sign  [-1, 1] Specification S: no division by zero. Abstract domain : intervals Example from “The Trace Partitioning Abstract Domain” Rival&Mauborgne

62 division by zero impossible
Now what? Can use a more refined abstract domain Disjunctive completion abstract value = set (disjunction) of intervals int x, y, sign; x = ?; if (x<0) { sign = -1; } else { sign = 1; } y = x/sign; x  {[-, ]}, sign   0  [-1, -1] and 0 [1,1] division by zero impossible P ’ S x  {[-, -1]}, sign  {[-1, -1]} x  {[0, ]}, sign  {[1, 1]} x  {[-, -1],[0, ]}, sign  {[-1, -1],[1,1]} Specification S: no division by zero. Abstract domain ’: set of intervals

63 Are we done? Exponential cost ! Can we do better?
Idea: track relationship between x and sign x < 0  sign = -1 x >= 0  sign = 1 Problem: again, expensive Which relationships should I track? Domains such as polyhedra won’t help (convex)

64 Trace partitioning abstract domain
refine abstraction by adding some control history won’t get into that further reading Rival and Mauborgne. The trace partitioning abstract domain. TOPLAS’07. Holley and Rosen. Qualified data flow problems. POPL'80

65 change the program to fit abstraction
int x, y, sign; x = ?; if (x<0) { sign = -1; } else { sign = 1; } y = x/sign; int x, y, sign; x = ?; if (x<0) { sign = -1; y = x/sign; } else { sign = 1; } P P’

66 Modified Program int x, y, sign; x = ?; if (x<0) { sign = -1; y = x/sign; } else { sign = 1; } x  [-, ], sign   0  [-1, -1] division by zero impossible x  [-, -1], sign  [-1, -1] x  [0, ], sign  [1, 1] 0  [1, 1] division by zero impossible x  [-, ], sign  [-1, 1] Specification S: no division by zero. Abstract domain : intervals

67 Another Example while(e) { s; } … if (e) { s; while(e) { } P P’

68 Atomic sections results
If we can show disjoint access we can avoid synchronization Requires abstractions rich enough to capture access pattern to shared data Parity Intervals Program Refine Steps Avoid Steps Double buffering 1 2 Defragmentation 8 3D array update 23 Array Removal 17 Array Init 56

69 Choosing a trace to avoid
0,0 0,0 0,1 0,2 2,0 0,0 1,1 0,2 2,1 0,2 2,2 1,2 2,1 1,2 2,2 2,2 y=2 if (y==0) x++ x+=1 0,0 E,E 0,1 E,E 2,0 E,E 1,1 E,E 2,1 T,E 2,2 T,E y=2 if (y==0) x++ x+=1 Goal: show that the order in which you pick traces matters T1 0: if (y==0) goto L 1: x++ 2: L: T2 0: y=2 1: x+=1 2: assert x !=y legend pc1,pc2 x,y

70 Boids Main Task } atomic Generate initial locations …
Spawn N Boid Tasks While (true) { atomic Read locations of all boids Render boids }

71

72 Boid Task While (true) { Read locations of other boids
atomic Read locations of other boids Compute “forces” Update my location }

73 Lock-step Boids Generate initial locations While (true) {
parallel-for b in 1..N { Read locations of other boids Compute new location Update my location } Read locations of all boids Render boids

Download ppt "Abstraction-Guided Synthesis"

Similar presentations

Operating Systems Semaphores II

Operating Systems Semaphores II
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
Synchronization. How to synchronize processes? – Need to protect access to shared data to avoid problems like race conditions – Typical example: Updating.

Synchronization. How to synchronize processes? – Need to protect access to shared data to avoid problems like race conditions – Typical example: Updating.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)

1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)
Silberschatz, Galvin and Gagne ©2007 Operating System Concepts with Java – 7 th Edition, Nov 15, 2006 Chapter 6 (a): Synchronization.

Silberschatz, Galvin and Gagne ©2007 Operating System Concepts with Java – 7 th Edition, Nov 15, 2006 Chapter 6 (a): Synchronization.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.
5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.

5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.
Concurrent Programming James Adkison 02/28/2008. What is concurrency? “happens-before relation – A happens before B if A and B belong to the same process.

Concurrent Programming James Adkison 02/28/2008. What is concurrency? “happens-before relation – A happens before B if A and B belong to the same process.
CH7 discussion-review Mahmoud Alhabbash. Q1 What is a Race Condition? How could we prevent that? – Race condition is the situation where several processes.

CH7 discussion-review Mahmoud Alhabbash. Q1 What is a Race Condition? How could we prevent that? – Race condition is the situation where several processes.
PARTIAL-COHERENCE ABSTRACTIONS FOR RELAXED MEMORY MODELS Presented by Michael Kuperstein, Technion Joint work with Martin Vechev, IBM Research and Eran.

PARTIAL-COHERENCE ABSTRACTIONS FOR RELAXED MEMORY MODELS Presented by Michael Kuperstein, Technion Joint work with Martin Vechev, IBM Research and Eran.
Martin Vechev IBM Research Michael Kuperstein Technion Eran Yahav Technion (FMCAD’10, PLDI’11) 1.

Martin Vechev IBM Research Michael Kuperstein Technion Eran Yahav Technion (FMCAD’10, PLDI’11) 1.
Martin Vechev IBM Research Michael Kuperstein Technion Eran Yahav Technion (FMCAD’10, PLDI’11) 1.

Martin Vechev IBM Research Michael Kuperstein Technion Eran Yahav Technion (FMCAD’10, PLDI’11) 1.
Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.
1 Lecture 09 – Synthesis of Synchronization Eran Yahav.

1 Lecture 09 – Synthesis of Synchronization Eran Yahav.
Modeling Software Systems Lecture 2 Book: Chapter 4.

Modeling Software Systems Lecture 2 Book: Chapter 4.

Similar presentations

Ads by Google