Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

Slides:



Advertisements
Similar presentations
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Advertisements

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
1.6 Behavioral Equivalence. 2 Two very important concepts in the study and analysis of programs –Equivalence between programs –Congruence between statements.
Solving Timed Games with Variable Observations: Proof of Concept Peter Bulychev Franck Cassez Alexandre David Kim G. Larsen Jean-François Raskin Pierre-Alain.
1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)
Timed Automata.
Chapter 6 Process Synchronization Bernard Chen Spring 2007.
Chapter 6: Process Synchronization
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.
5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
PARTIAL-COHERENCE ABSTRACTIONS FOR RELAXED MEMORY MODELS Presented by Michael Kuperstein, Technion Joint work with Martin Vechev, IBM Research and Eran.
6.5 Semaphore Can only be accessed via two indivisible (atomic) operations wait (S) { while S
Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.
1 Lecture 09 – Synthesis of Synchronization Eran Yahav.
Enhancing The Fault-Tolerance of Nonmasking Programs Sandeep S. Kulkarni and Ali Ebnenasir Software Engineering and Network Systems Laboratory Computer.
Approaches to Reactive System Synthesis J.-H. Roland Jiang.
Deriving Linearizable Fine-Grained Concurrent Objects Martin Vechev Eran Yahav IBM T. J. Watson Research Center Martin Vechev Eran Yahav IBM T. J. Watson.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.
Synthesis of Interface Specifications for Java Classes Rajeev Alur University of Pennsylvania Joint work with P. Cerny, G. Gupta, P. Madhusudan, W. Nam,
Language Support for Lightweight transactions Tim Harris & Keir Fraser Presented by Narayanan Sundaram 04/28/2008.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Comparison Under Abstraction for Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom RepsEran Yahav Tel Aviv UniversityUniversity of Wisconsin.
6: Process Synchonization II 1 PROCESS SYNCHRONIZATION II THE BOUNDED BUFFER ( PRODUCER / CONSUMER ) PROBLEM: This is the same producer / consumer problem.
Monitor  Giving credit where it is due:  The lecture notes are borrowed from Dr. I-Ling Yen at University of Texas at Dallas  I have modified them and.
1 Thread Synchronization: Too Much Milk. 2 Implementing Critical Sections in Software Hard The following example will demonstrate the difficulty of providing.
Comp 245 Data Structures Software Engineering. What is Software Engineering? Most students obtain the problem and immediately start coding the solution.
Model Checking Lecture 3 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
Concurrency, Mutual Exclusion and Synchronization.
Space Complexity. Reminder: P, NP classes P NP is the class of problems for which: –Guessing phase: A polynomial time algorithm generates a plausible.
Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.
6.3 Peterson’s Solution The two processes share two variables: Int turn; Boolean flag[2] The variable turn indicates whose turn it is to enter the critical.
ABSTRACT The real world is concurrent. Several things may happen at the same time. Computer systems must increasingly contend with concurrent applications.
Internet Software Development Controlling Threads Paul J Krause.
Inferring Synchronization under Limited Observability Martin Vechev, Eran Yahav, Greta Yorsh IBM T.J. Watson Research Center (work in progress)
PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.
Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 7: Process Synchronization Background The Critical-Section Problem Synchronization.
Lecture 8 Page 1 CS 111 Online Other Important Synchronization Primitives Semaphores Mutexes Monitors.
Software Verification 2 Automated Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für.
Constraints Assisted Modeling and Validation Presented in CS294-5 (Spring 2007) Thomas Huining Feng Based on: [1]Constraints Assisted Modeling and Validation.
1 First order theories (Chapter 1, Sections 1.4 – 1.5) From the slides for the book “Decision procedures” by D.Kroening and O.Strichman.
Model Checking Lecture 1. Model checking, narrowly interpreted: Decision procedures for checking if a given Kripke structure is a model for a given formula.
Variants of LTL Query Checking Hana ChocklerArie Gurfinkel Ofer Strichman IBM Research SEI Technion Technion - Israel Institute of Technology.
Presented by: Belgi Amir Seminar in Distributed Algorithms Designing correct concurrent algorithms Spring 2013.
Space Complexity. Reminder: P, NP classes P is the class of problems that can be solved with algorithms that runs in polynomial time NP is the class of.
Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Algorithms and Decision Procedures for Regular Languages Chapter 9.
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
24 September 2002© Willem Visser Program Model Checking Enabling Technology Abstraction void add(Object o) { buffer[head] = o; head = (head+1)%size;
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Model Checking Lecture 2. Model-Checking Problem I |= S System modelSystem property.
SS 2017 Software Verification Bounded Model Checking, Outlook
“Language Mechanism for Synchronization”
Outline Other synchronization primitives
Other Important Synchronization Primitives
Program Synthesis is a Game
Abstraction-Guided Synthesis
Module 7a: Classic Synchronization
Concurrency: Mutual Exclusion and Process Synchronization
Monitor Giving credit where it is due:
Dichotomies in CSP Karl Lieberherr inspired by the paper:
CSE 542: Operating Systems
Abstraction-Guided Synthesis of synchronization
CSE 542: Operating Systems
Presentation transcript:

Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center

High Level Setting 2 Process 1Process 2Process 3

High Level Setting 3 Process 1Process 2Process 3

High Level Setting 4 Process 1Process 2Process 3

High Level Setting 5 Process 1Process 2Process 3

Challenge 6 Process 1Process 2Process 3 How to synchronize processes in order to achieve correctness and good performance ?

This Work 7 Assist the programmer by automatically inferring correct and efficient synchronization

Semaphores Monitors Conditional critical region (CCR) Fine grained (e.g., CAS) Locks.... Synchronization Primitives 8

Conditional Critical Regions Syntax of CCR Synchronization code – guard can observe the program state – guard does not modify program state guard  stmt 9

High Level Setting 10 Process 1Process 2Process 3

CCR Setting 11 Process 1Process 2Process 3 s1;s2; s5; s7; s6; s3;s4; Specification:  Permissiveness Cost as a language of CCR guards

Given a language LG, specification S and program A, program B is maximally permissive, if: – B satisfies S – B is obtained from A by adding guards from LG – Cannot obtain a program C that is correct and more permissive than B from A via LG: 12 Maximal Permissiveness if  B    C  then C does not satisfy S

Two Algorithms to infer CCR guards – Greedy – Exhaustive Guarantee maximal permissiveness – Greedy: under some conditions – Exhaustive: always Implementation in SPIN – prototype, examples Contributions

This Work Safety, No Stuck States Specification: Language of Guards Cost: Automatic Inference of Guards Process 1Process 2Process 3 s1;s2; s5; s7; s6; s3;s4; Process 1Process 2Process 3 g1  s1;s2; s5; g2  s7; s6; s3;s4; Correct and Maximally Permissive

Inference Algorithm Construct transition system of input program and specification Remove a (minimal) set of transitions such that the result satisfies the specification Implement resulting transition system as program by strengthening guards of CCRs in the program 15

GREEDY(P : Program) : Program { R = ∅ while (true) { ts = if valid(ts) return implement(P,R) B = cut-transitions(ts) if B = ∅ abort “cannot find valid synchronization” select a transition t ∈ B R = R ∪ equiv(t) } Inference Algorithm 16

Example Language: Observability Obs: Variables that can be read by CCR guards LE(Obs): language of boolean combinations of equalities between variables in Obs and constants Example: Obs: {x, y, z} Guard Expression in LE(Obs): (x!=1 || y!=0 || z!=0) 17

Example: Full Observability ! (y = 2 && z = 1) No Stuck States Specification: LE( { x, y, z } ) Cost: Automatic Inference of Guards z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3

What is in a state s,s,s 0,0,0 X Y Z PC1 PC2 PC3

Build Transition System s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 20

Select Transitions to Remove s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 21

s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 22 e,s,e 1,0,1 e,e,e 1,2,1 y=x+1 z=y+1 Build Transition System x!=1 || y!=0 || z!=0  Correct and Maximally Permissive

Example: Full Observability ! (y = 2 && z = 1) No Stuck States Specification: LE( { x, y, z } ) Cost: Automatic Inference of Guards z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3 (x!=1 || y!=0 || z!=0)  z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3

Example: Limited Observability ! (y = 2 && z = 1) No Stuck States Specification: LE( { x,, z } ) Cost: Automatic Inference of Guards z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3

s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 25 Build Transition System

s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 26

Select transition to remove s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 27

s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 28 Select All Equivalent Transitions Implementability

s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 x=z+1 z=y+1 x=z+1 y=x+1 29 Side-effects e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 y=x+1 z=y+1 x!=1 || z!=0  z=y+1 x!=1 || z!=0  Build Transition System

s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 x=z+1 z=y+1 x=z+1 y=x+1 30 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 y=x+1 z=y+1 x!=1 || z!=0  z=y+1 x!=1 || z!=0  Select transitions to remove

s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,3 1,2,0 e,2,e 1,0,1 e,e,3 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 x!=1 || z!=0  x!=0 || z!=0  x!=1 || z!=0  x!=0|| z!=0  31 Build Transition System Correct and Maximally Permissive

Example: Limited Observability Automatic Inference of Guards (x!=1 || z!=0)  z=y+1; Process 1 (x!=0 || z!=0)  x=z+1; y=x+1; Process 2 Process 3 z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3 ! (y = 2 && z = 1) No Stuck States Specification: LE( { x,, z } ) Cost:

Inference Algorithms Greedy algorithm – Resulting program satisfies the specification – No side-effects guarantees maximal permissiveness – Experience: maximally permissive with side-effects – Polynomial Exhaustive algorithm – Resulting program satisfies the specification – Maximally permissive – Exponential 33

Implementation Prototype – Greedy algorithm – Using SPIN Examples – Dining philosophers – Asynchronous counters – Race correction 34

Infinite Transition System Preliminary Work – Finite state abstraction – Same algorithm – Conservatively eliminate potentially stuck states – Cannot guarantee maximally permissive Future Work – Refine when state becomes potentially stuck – Specialized abstractions for stuckness – Related to abstractions for termination 35

Summary Algorithms for CCR guard inferences – Greedy (polynomial) and Exhaustive (exponential) – Produce maximally permissive programs – Parametric on User-specified Cost – Deals with side effects and implementability 36

Related Work Recovery and predication mechanisms – STM, Isolator, Tolerace Synthesis from temporal specification Game theory – Memoryless winning strategy for Buchi games 37

Ongoing and Future Work Conditions for maximal permissiveness of greedy Infer other synchronization mechanisms – meta-data, atomic sections, non-blocking Abstraction for stuck states 38