Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz."— Presentation transcript:

1 Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz

2 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking2 Model Checking of Software Models // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c  Model Checker filesystem model filesystem model Model Construction

3 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking3 Model Checking of Software // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c  Model Checker

4 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking4 Experience with Calvin Software Checker // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c expressed in terms of concrete state  Calvin theorem proving x

5 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking5 Experience with Calvin Software Checker // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c concrete state  Calvin theorem proving abstract state Abstraction Invariant ? x

6 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking6 The Need for Atomicity // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Sequential case: code inspection & testing mostly ok

7 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking7 The Need for Atomicity // filesystem.c atomic void create(..) {... } atomic void unlink(..) {... } // filesystem.c atomic void create(..) {... } atomic void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Sequential case: code inspection & testing ok  Atomicity Checker

8 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking8 Atomicity  Serialized execution of inc() X o Y o acq(L) o t=x o x=t+1 o rel(L) o Z o o atomic void inc() { acq(L); int t = x; x = t+1; rel(L); }

9 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking9 Atomicity  Serialized execution of inc()  Non-serialized executions of inc()  inc() is atomic if, for every non-serialized execution, there is a serialized execution with the same overall behavior X o Y o acq(L) o t=x o x=t+1 o rel(L) o Z o o acq(L) o X o t=x o Y o x=t+1 o Z o rel(L) o o acq(L) o t=x o X o Y o x=t+1 o rel(L) o Z o o

10 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking10 Verifying Atomicity via Reduction [Lipton 75] acq(L) S 1 X S 2 t=x S 3 Y S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0

11 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking11 Verifying Atomicity via Reduction acq(L) S 1 X S 2 t=x S 3 Y S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 acq(L) S 1 X S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0

12 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking12 Verifying Atomicity via Reduction acq(L) S 1 X S 2 t=x S 3 Y S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 acq(L) S 1 X S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 X T 1 acq(L) S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0

13 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking13 Verifying Atomicity via Reduction acq(L) S 1 X S 2 t=x S 3 Y S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 acq(L) S 1 X S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 X T 1 acq(L) S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 X T 1 Y T 2 acq(L) T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0

14 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking14 Verifying Atomicity via Reduction X T 1 Y T 2 acq(L) T 3 t=x S 4 x=t+1 S 5 rel(L) T 6 Z S 7 S0 S0 acq(L) S 1 X S 2 t=x S 3 Y S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 acq(L) S 1 X S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 X T 1 acq(L) S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 X T 1 Y T 2 acq(L) T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0

15 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking15 Applications of Reduction for Atomicity  Type systems for concurrency –extended Java’s type system to verify atomicity –atomicity violations in standard libraries  Dynamic checkers –atomicity widespread in Java programs  Model checking –Bogor

16 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking16 public class StringBuffer { private int count; public synchronized int length() { return count; } public synchronized void getChars(...) {... } atomic public synchronized void append(StringBuffer sb){ int len = sb.length();... sb.getChars(...,len,...);... } Example Violation: java.lang.StringBuffer sb.length() acquires lock on sb, gets length, and releases lock use of stale len may yield StringIndexOutOfBoundsException inside getChars(...) other threads can change sb

17 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking17 Limitations of Reduction r:=1 T 1 assume r=1 T 2 L=0 T 3 S 4 assume r!=1 S 5 S 6 S 7 S0 S0 begin atomic CAS(L,0,r) succeeds end atomic L=0 S 4 r:=1 S 1 S 2 S 3 S0 S0 assume r==1 begin atomic assume r!=1 S 6 S 7 end atomic S 5 CAS(L,0,r) succeeds boolean L; // lock, 0 if not held atomic void acquire() { boolean r := 1; while (r==1) { CAS(L,0,r); }

18 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking18 Limitations of Reduction boolean L; // lock, 0 if not held atomic void acquire() { boolean r := 1; while (r==1) { CAS(L,0,r); } r:=1 T 1 assume r=1 T 2 L=0 T 3 CAS(L,0,r) succeeds T 4 assume r!=1 T 5 T 6 S 9 S0 S0 begin atomic end atomic L=0 r:=1 S 1 S 2 S 3 CAS(L,0,r) fails S 4 S0 S0 assume r==1 begin atomic S 5 assume r==1 S 6 assume r!=1 S 8 S 9 end atomic CAS(L,0,r) succeeds S 7 9 instructions 7 instructions

19 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking19 Commit-Atomic  Run normal and serial executions of program concurrently, on separate stores  Normal execution runs as normal –threads execute atomic blocks –each atomic block has commit point  Serial execution –runs on separate shadow store –when normal execution commits an atomic block, serial execution runs entire atomic block serially  Check two executions yield same behavior

20 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking20 Commit-Atomic commit atomic block... Normal execution Serial execution compare states

21 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking21 Preliminary Evaluation  Some small benchmarks –Bluetooth device driver atomicity violation due to error –Busy-waiting lock acquire acquire1: 1 line of code in critical section acquire100: 100 lines of code in critical section  Hand translated to PROMELA code –Two versions, with and without commit-atomic

22 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking22 Performance: Bluetooth device driver

23 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking23 Performance: acquire1 and acquire100

24 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking24 Related Work  Reduction –[Lipton 75, Lamport-Schneider 89,...] –type systems [Flanagan-Qadeer 03] –model checking [Stoller-Cohen 03, Flanagan-Qadeer 03, Hatcliff et al 04] –dynamic checking [Flanagan-Freund 04] –procedure summaries [Qadeer et al 04]  Atomicity a canonical concept –Strict serializability in databases –Linearizability for concurrent objects –Languages: Monitors, Argus [Liskov et al 87], Avalon [Eppinger et al 91]  View consistency –[Artho-Biere-Havelund 03, von Praun-Gross 03]

25 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking25 Summary  Atomicity –concise, semantically deep partial specification  Reduction –lightweight technique for verifying atomicity  Commit-Atomicity –more general technique  Future work –combine reduction and commit-atomic –generalizing atomicity temporal logics for determinism?

26 Cormac FlanaganVerifying Commit-Atomicity Using Model Checking26 Future Work: Logics for Determinism?  Software checking: exploits redundancy –between program and types –between program and specification –between different traces of the same program  Do we need temporal logics for determinism? –that is, a logic where we could specify that some traces behave like other traces –express many properties like “atomic”

27 Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz

Download ppt "Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz."

Similar presentations

Operating Systems Semaphores II

Operating Systems Semaphores II
Types for Atomicity Authors: Cormac Flanagan, UC Santa Cruz Stephen Freund, Marina Lifshin, Williams College Shaz Qadeer, Microsoft Research Presentation.

Types for Atomicity Authors: Cormac Flanagan, UC Santa Cruz Stephen Freund, Marina Lifshin, Williams College Shaz Qadeer, Microsoft Research Presentation.
Guy Golan-GuetaTel-Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University G. Ramalingam Microsoft Research Mooly Sagiv Tel-Aviv.

Guy Golan-GuetaTel-Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University G. Ramalingam Microsoft Research Mooly Sagiv Tel-Aviv.
Hongjin Liang and Xinyu Feng

Hongjin Liang and Xinyu Feng
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Ch 7 B.

Ch 7 B.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.

Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.
/ PSWLAB Concurrent Bug Patterns and How to Test Them by Eitan Farchi, Yarden Nir, Shmuel Ur published in the proceedings of IPDPS’03 (PADTAD2003)

/ PSWLAB Concurrent Bug Patterns and How to Test Them by Eitan Farchi, Yarden Nir, Shmuel Ur published in the proceedings of IPDPS’03 (PADTAD2003)
1 Beyond Reduction.... 2 Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } if (m == 0) { m = 1; return true; } else.

1 Beyond Reduction Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } if (m == 0) { m = 1; return true; } else.
Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)

Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)
Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.

Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.
Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)

Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.

Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.

C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.

/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.

CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Similar presentations

Ads by Google