POPL'05: Dynamic Partial-Order ReductionCormac Flanagan1 Dynamic Partial-Order Reduction for Model Checking Software Cormac Flanagan UC Santa Cruz Patrice.

Slides:



Advertisements
Similar presentations
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advertisements

This algorithm is used for dimension reduction. Input: a set of vectors {Xn є }, and dimension d,d
Zing: Exploiting Program Structure for Model Checking Concurrent Software Tony Andrews Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research Yichen.
The Derivative in Graphing and Application
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Applications of Synchronization Coverage A.Bron,E.Farchi, Y.Magid,Y.Nir,S.Ur Tehila Mayzels 1.
THE PREPROCESSOR. Preprocessing is (apparently) done before actual compilation begins. The preprocessor doesnt know (very much) C. Major kinds of preprocessor.
Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,
1) Scope a] Ada scope rules b] C scope rules 2) Parameter passing a] Ada parameter modes b) Parameter passing mechanisms COMP205 IMPERATIVE LANGUAGES 13.
Partial Order Reduction: Main Idea
Model Checking Concurrent Software Shaz Qadeer Microsoft Research.
The complexity of predicting atomicity violations Azadeh Farzan Univ of Toronto P. Madhusudan Univ of Illinois at Urbana Champaign.
Effective Static Deadlock Detection
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Heap Decomposition for Concurrent Shape Analysis R. Manevich T. Lev-Ami M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine MSR Cambridge Dagstuhl.
1 Semantics Driven Dynamic Partial-order Reduction of MPI-based Parallel Programs Robert Palmer Intel Validation Research Labs, Hillsboro, OR (work done.
Scaling Model Checking of Dataraces Using Dynamic Information Ohad Shacham Tel Aviv University IBM Haifa Lab Mooly Sagiv Tel Aviv University Assaf Schuster.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
CS444/CS544 Operating Systems Synchronization 2/16/2006 Prof. Searleman
ADVERSARIAL MEMORY FOR DETECTING DESTRUCTIVE RACES Cormac Flanagan & Stephen Freund UC Santa Cruz Williams College PLDI 2010 Slides by Michelle Goodstein.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
1 Thread Modular Model Checking Cormac Flanagan Systems Research Center HP Labs Joint work with Shaz Qadeer (Microsoft Research)
Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.
1 Distributed Dynamic Partial Order Reduction based Verification of Threaded Software Yu Yang (PhD student; summer intern at CBL) Xiaofang Chen (PhD student;
Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
Partial Order Reduction for Scalable Testing of SystemC TLM Designs Sudipta Kundu, University of California, San Diego Malay Ganai, NEC Laboratories America.
Argonne National Laboratory School of Computing and SCI Institute, University of Utah Practical Model-Checking Method For Verifying Correctness of MPI.
1 Model Checking Multithreaded C Code with SPIN Anna Zaks & Rajeev Joshi SPIN August, Los Angeles, USA.
Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz.
Efficient Software Model Checking of Data Structure Properties Paul T. Darga Chandrasekhar Boyapati The University of Michigan.
Part II: Atomicity for Software Model Checking. Class Account { int balance; static int MIN = 0, MAX = 100; bool synchronized deposit(int n) { int t =
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Cormac Flanagan UC Santa Cruz Velodrome: A Sound and Complete Dynamic Atomicity Checker for Multithreaded Programs Jaeheon Yi UC Santa Cruz Stephen Freund.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
C. FlanaganType Systems for Multithreaded Software1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research.
15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
1 VeriSoft A Tool for the Automatic Analysis of Concurrent Reactive Software Represents By Miller Ofer.
Verifying Atomicity via Data Independence Ohad Shacham Yahoo Labs, Israel Eran Yahav Technion, Israel Guy Gueta Yahoo Labs, Israel Alex Aiken Stanford.
Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford.
Huayang Guo 1,2, Ming Wu 1, Lidong Zhou 1, Gang Hu 1,2, Junfeng Yang 2, Lintao Zhang 1 1 Microsoft Research Asia 2 Columbia University Practical Software.
Pallavi Joshi* Mayur Naik † Koushik Sen* David Gay ‡ *UC Berkeley † Intel Labs Berkeley ‡ Google Inc.
Model construction and verification for dynamic programming languages Radu Iosif
Simultaneously Learning and Filtering Juan F. Mancilla-Caceres CS498EA - Fall 2011 Some slides from Connecting Learning and Logic, Eyal Amir 2006.
SDS Foil no 1 V&V&S Verification, Validation and Synthesis: doing away with defects Verification, Validation and Synthesis: doing away with defects.
Model Checking Java Programs David Park, Ulrich Stern, Jens Skakkebaek, and David L. Dill Stanford University.
1 Model Checking of Robotic Control Systems Presenting: Sebastian Scherer Authors: Sebastian Scherer, Flavio Lerda, and Edmund M. Clarke.
CS265: Dynamic Partial Order Reduction Koushik Sen UC Berkeley.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi State merging, Concolic Execution.
Compositionality Entails Sequentializability Pranav Garg, P. Madhusudan University of Illinois at Urbana-Champaign.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Relaxed Memory Effects and its Verification.
Classification Schemes to Aid in the Analysis of Real-Time Systems Paul Z. Kolano Trusted Systems Laboratories trustedsyslabs.com Richard.
A Calculus of Atomic Actions Tayfun Elmas, Shaz Qadeer and Serdar Tasiran POPL ‘ – Seminar in Distributed Algorithms Cynthia Disenfeld 27/05/2013.
Simplifying Linearizability Proofs Using Reduction and Abstraction Serdar Tasiran Koc University, Istanbul, Turkey Tayfun Elmas, Ali Sezgin, Omer Subasi.
Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.
Complexity Relief Techniques for Model Checking METU, Aug SOFTWARE VERIFICATION WORKSHOP Hüsnü Yenigün Sabanci University Informatics Institute,
24 September 2002© Willem Visser Partial-Order Reductions Reduce the number of interleavings of independent concurrent transitions x := 1 || y :=
Hybrid Type Checking An implementation of λ H David Waern Rickard Nilsson.
SS 2017 Software Verification SMT Solving, Partial Order Methods
Chapter 15, Exploring the Digital Domain
Atomicity in Multithreaded Software
Model Checking for an Executable Subset of UML
Over-Approximating Boolean Programs with Unbounded Thread Creation
Reachability testing for concurrent programs
An explicit state model checker
Producing short counterexamples using “crucial events”
SOFTWARE ENGINEERING INSTITUTE
The Bogor Model Checking Framework
Presentation transcript:

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan1 Dynamic Partial-Order Reduction for Model Checking Software Cormac Flanagan UC Santa Cruz Patrice Godefroid Bell Labs

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan2 Software model checking is prone to state explosion Two main causes –input nondeterminism –scheduling nondeterminism Example: –naive model checking: n! interleavings, 2 n states Partial-order reduction –explores subset of the state space, without sacrificing soundness Motivation Thread 1 x1 := 1 stop Thread n xn := 1 stop Thread 2 x2 := 1 stop...

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan3 Independent transitions B and R are independent transitions if 1.they commute: B R = R B 2.neither enables nor disables the other B R R B s Example: x := 3 and y := 1 are independent

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan4 Persistent transitions B is a persistent transition if it is independent with every transition R reachable from S without executing B If B is persistent then it is sound to only explore B Persistent sets - generalization to many threads B s R independent

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan5 Static partial-order reduction Use static analysis to predict locations red accesses after s –if static analysis proves that red thread only accesses y and z –then x := 1 is a persistent transition from s x := 1 s y := 2 z := 3 independent static analysis

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan6 Static partial-order reduction Use static analysis to predict locations red accesses after s Pointers? –coarse analysis information => limited POR => state explosion *p := 1 s *q1 := 2 *q2 := 3 independent static analysis

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan7 Example: static partial-order reduction Global Vars lock m int t1,t2 int x=0 int n=100 char[] a Thread 2 lock(m) t2 := x++ unlock(m) for( ;t2<n; t2+=2) a[t2] := r Thread 1 lock(m) t1 := x++ unlock(m) for( ;t1<n; t1+=2) a[t1] := b Static analysis gives –t1, t2 are thread-local –x is protected by m –but a[t1] and a[t2] may alias Static POR gives O(n 2 ) explored states and transitions –but only two possible terminating states may-alias (according to static analysis) never alias (in practice)

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan8 Dynamic partial-order reduction Static POR relies on static analysis –to yield approximate information about run-time behavior –pointers => coarse information => limited POR => state explosion Dynamic POR –while model checker explores the programs state space, it sees exactly which threads access which locations –use to simulaneously reduce the state space while model-checking We present a solution for –safety properties (deadlocks, assertion violations, etc.) –acyclic state spaces

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan9 Dynamic partial-order reduction Execute initial arbitrary execution trace to completion Examine transitions performed by each thread –identify and explore other interleavings that may behave differently –dynamic alias analysis is easy *(0x2FC3) := 3 independent s coarse static analysis precise dynamic analysis *(0x1DA7) := 7 s backtrack set { } exit()

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan10 backtrack set { } Dynamic partial-order reduction Execute initial arbitrary execution trace to completion Examine transitions performed by each thread –identify and explore other interleavings that may behave differently –dynamic alias analysis is trivial *(0x2FC3) := 3 dependent s precise dynamic analysis s backtrack set { red } *(0x2FC3) := 7

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan11 Dynamic partial-order reduction example Initial trace unlock(m) t1 := x++ lock(m) a[0]:=b a[2]:=b unlock(m) t2 := x++ lock(m) a[1]:=r a[3]:=r Thread 2 lock(m) t2 := x++ unlock(m) for( ;t2<n; t2+=2) a[t2] := r Thread 1 lock(m) t1 := x++ unlock(m) for( ;t1<n; t1+=2) a[t1] := b

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan12 Dynamic partial-order reduction example Initial trace unlock(m) t1 := x++ lock(m) a[0]:=b a[2]:=b unlock(m) t2 := x++ lock(m) a[1]:=r a[3]:=r not co- enabled t1 := x++ happens-before red gets here Happens-before relation transitive closure of dependency relation represent using clock vectors backtrack on red before lock(m) no (dynamic) conflicts on a[] => good POR DPOR Algorithm For each transition R of red thread, add a backtracking point for red before last transition B such that 1.B is dependent with R 2.B does not happen-before R 3.B is co-enabled with R

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan13 t2 := x++ happens-before blue gets here Dynamic partial-order reduction example lock(m) unlock(m) t2 := x++ a[0]:=r a[2]:=r unlock(m) t1 := x++ lock(m) a[1]:=b a[3]:=b not co- enabled Initial trace unlock(m) t1 := x++ lock(m) a[0]:=b unlock(m) t2 := x++ lock(m) a[1]:=r a[2]:=b a[3]:=r not co- enabled t1 := x++ happens-before red gets here no (dynamic) conflicts on a[] => good POR backtracked on blue before lock(m). Already done! backtrack on red before lock(m)

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan14 Dynamic partial-order reduction algorithm Dynamic POR algorithm for –safety properties (deadlocks, assertion violations, etc.) –acyclic state spaces Dynamically computes a persistent set in each explored state –compatible and complementary with sleep sets Complexity: O(m 2.r) –m = number of threads –r = size of reduced state space –some assumptions on dependence relation

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan15 Evaluation Two (small) benchmarks –Indexer benchmark threads insert messages into shared hash table static analysis cannot predict absence of hash table collisions –all hash table operations are dependent –Filesystem benchmark synchronization idiom from Frangipani threads allocate shared disk blocks to inodes Ten model checking configurations –no POR vs. static POR vs. dynamic POR (stateless) –sleep sets vs. no sleep sets –stateful search vs. stateless search

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan16 Indexer Benchmark

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan17 Filesystem Benchmark

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan18 Summary Dynamic partial-order reduction –tackles state explosion due to scheduling nondeterminism –no approximate/expensive/complicated static analysis –supports pointer-rich data structures –supports dynamic creation of threads/object/channels etc –compatible and complementary with sleep sets Future work –stateful DPOR, handling cycles –liveness properties and full temporal logic –incorporate into industrial-strength model checker for multithreaded software (POSIX threads, Java, C# ?)

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan19 Dynamic Partial-Order Reduction for Model Checking Software Cormac Flanagan UC Santa Cruz Patrice Godefroid Bell Labs

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.