1 Lecture 09 – Synthesis of Synchronization Eran Yahav.

Slides:

Advertisements

Similar presentations

Operating Systems Semaphores II

Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Abstraction of Source Code (from Bandera lectures and talks)

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Synchronization. How to synchronize processes? – Need to protect access to shared data to avoid problems like race conditions – Typical example: Updating.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)

Silberschatz, Galvin and Gagne ©2007 Operating System Concepts with Java – 7 th Edition, Nov 15, 2006 Chapter 6 (a): Synchronization.

Chapter 6 Process Synchronization Bernard Chen Spring 2007.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.

5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.

Process Synchronization. Module 6: Process Synchronization Background The Critical-Section Problem Peterson’s Solution Synchronization Hardware Semaphores.

CH7 discussion-review Mahmoud Alhabbash. Q1 What is a Race Condition? How could we prevent that? – Race condition is the situation where several processes.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

PARTIAL-COHERENCE ABSTRACTIONS FOR RELAXED MEMORY MODELS Presented by Michael Kuperstein, Technion Joint work with Martin Vechev, IBM Research and Eran.

Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.

Martin Vechev IBM Research Michael Kuperstein Technion Eran Yahav Technion (FMCAD’10, PLDI’11) 1.

Martin Vechev IBM Research Michael Kuperstein Technion Eran Yahav Technion (FMCAD’10, PLDI’11) 1.

Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.

Modeling Software Systems Lecture 2 Book: Chapter 4.

On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.

1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

Monitor  Giving credit where it is due:  The lecture notes are borrowed from Dr. I-Ling Yen at University of Texas at Dallas  I have modified them and.

ARTIST Summer School in Europe 2009 Autrans (near Grenoble), France September 7-11, 2009 Invited Speaker: Eran Yahav IBM T.J. Watson Research Center.

1 Thread Synchronization: Too Much Milk. 2 Implementing Critical Sections in Software Hard The following example will demonstrate the difficulty of providing.

Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.

Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

Major objective of this course is: Design and analysis of modern algorithms Different variants Accuracy Efficiency Comparing efficiencies Motivation thinking.

COMP 111 Threads and concurrency Sept 28, Tufts University Computer Science2 Who is this guy? I am not Prof. Couch Obvious? Sam Guyer New assistant.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto Mutual Exclusion.

Internet Software Development Controlling Threads Paul J Krause.

Inferring Synchronization under Limited Observability Martin Vechev, Eran Yahav, Greta Yorsh IBM T.J. Watson Research Center (work in progress)

PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 7: Process Synchronization Background The Critical-Section Problem Synchronization.

Memory Consistency Models. Outline Review of multi-threaded program execution on uniprocessor Need for memory consistency models Sequential consistency.

Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.

Semantics In Text: Chapter 3.

Pattern-based Synthesis of Synchronization for the C++ Memory Model Yuri Meshman, Noam Rinetzky, Eran Yahav 1.

CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Examples: Simple BIR-Lite Examples Copyright 2004, Matt Dwyer, John Hatcliff,

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Synchronization Emery Berger and Mark Corner University.

1 Previous Lecture Overview  semaphores provide the first high-level synchronization abstraction that is possible to implement efficiently in OS. This.

Presented by: Belgi Amir Seminar in Distributed Algorithms Designing correct concurrent algorithms Spring 2013.

Abstractions for Relaxed Memory Models Andrei Dan, Yuri Meshman, Martin Vechev, Eran Yahav 1.

CS 153 Design of Operating Systems Winter 2016 Lecture 7: Synchronization.

CSCI1600: Embedded and Real Time Software Lecture 17: Concurrent Programming Steven Reiss, Fall 2015.

Agenda  Quick Review  Finish Introduction  Java Threads.

CE Operating Systems Lecture 8 Process Scheduling continued and an introduction to process synchronisation.

Implementing Mutual Exclusion Andy Wang Operating Systems COP 4610 / CGS 5765.

Chapter 6 Synchronization Dr. Yingwu Zhu. The Problem with Concurrent Execution Concurrent processes (& threads) often access shared data and resources.

Lecture 20: Consistency Models, TM

“Language Mechanism for Synchronization”

Abstraction-Guided Synthesis

Objective of This Course

Over-Approximating Boolean Programs with Unbounded Thread Creation

Background and Motivation

Synthesis of Memory Fences via Refinement Propagation

Implementing Mutual Exclusion

CSE 153 Design of Operating Systems Winter 19

Lecture: Consistency Models, TM

Process/Thread Synchronization (Part 2)

Abstraction-Guided Synthesis of synchronization

Presentation transcript:

1 Lecture 09 – Synthesis of Synchronization Eran Yahav

Previously  Predicate abstraction  Abstraction refinement  at a high level 2

Today  Synthesis of Synchronization 3

Verification Challenge 4 P  S ?

With abstraction  5 P   S ?

Now what? 6 P   S P   ’ S abstraction refinement

Change the abstraction to match the program A Standard Approach: Abstraction Refinement program specification Abstract counter example abstraction Abstraction Refinement  Abstract counter example Verify Valid 7

Alternatively… 8 P’   S program modification P   S

program specification Abstract counter example abstraction Abstraction Refinement Change the program to match the abstraction   Verify Abstraction-Guided Synthesis [VYY-POPL’10] Program Restriction Implement P’ Abstract counter example 9

Alternatively… 10 P   S’ change specification (but to what?) P   S

Focus on Program Modification  Given a program P, specification S, and an abstraction  such that P   S  find a modified program P’ such that P’   S  how do you find such a program?  very hard in general  there is some hope when considering equivalent programs or restricted programs  changing a program to add new legal behaviors is hard  program restriction natural in concurrent programs  reducing permitted schedules 11

Example int x, y, sign; x = ?; if (x<0) { sign = -1; } else { sign = 1; } y = x/sign; 12 Example from “The Trace Partitioning Abstract Domain” Rival&Mauborgne x  [- ,  ], sign   x  [- , -1], sign  [-1, -1] x  [0,  ], sign  [1, 1] x  [- ,  ], sign  [-1, 1] Specification S: no division by zero. Abstract domain  : intervals 0  [-1,1] division by zero seems possible P   S

Now what?  Can use a more refined abstract domain  Disjunctive completion  abstract value = set (disjunction) of intervals 13 int x, y, sign; x = ?; if (x<0) { sign = -1; } else { sign = 1; } y = x/sign; x  {[- ,  ]}, sign   x  {[- , -1]}, sign  {[-1, -1]} x  {[0,  ]}, sign  {[1, 1]} x  {[- , -1],[0,  ]}, sign  {[-1, -1],[1,1]} Specification S: no division by zero. Abstract domain  ’: set of intervals 0  [-1, -1] and 0  [1,1] division by zero impossible P   ’ S

Are we done?  Exponential cost !  Can we do better?  Idea: track relationship between x and sign 14 x < 0  sign = -1 x >= 0  sign = 1  Problem: again, expensive  Which relationships should I track?  Domains such as polyhedra won’t help (convex)

Trace partitioning abstract domain  refine abstraction by adding some control history  won’t get into that  further reading  Rival and Mauborgne. The trace partitioning abstract domain. TOPLAS’07.  Holley and Rosen. Qualified data flow problems. POPL'80 15

We can also change the program 16 int x, y, sign; x = ?; if (x<0) { sign = -1; } else { sign = 1; } y = x/sign; int x, y, sign; x = ?; if (x<0) { sign = -1; y = x/sign; } else { sign = 1; y = x/sign; } PP’

Modified Program 17 int x, y, sign; x = ?; if (x<0) { sign = -1; y = x/sign; } else { sign = 1; y = x/sign; } x  [- ,  ], sign   x  [- , -1], sign  [-1, -1] x  [0,  ], sign  [1, 1] x  [- ,  ], sign  [-1, 1] Specification S: no division by zero. Abstract domain  : intervals 0  [-1, -1] division by zero impossible 0  [1, 1] division by zero impossible

Another Example 18 while(e) { s; } … if (e) { s; while(e) { s; } … PP’

Process 1Process 2Process 3  Shared memory concurrent program  No synchronization: often incorrect (but “efficient”)  Coarse-grained synchronization: easy to reason about, often inefficient  Fine-grained synchronization: hard to reason about, programmer often gets this wrong Challenge: Correct and Efficient Synchronization 19

Process 1Process 2Process 3  Shared memory concurrent program  No synchronization: often incorrect (but “efficient”)  Coarse-grained synchronization: easy to reason about, often inefficient  Fine-grained synchronization: hard to reason about, programmer often gets this wrong Challenge: Correct and Efficient Synchronization 20

Process 1Process 2Process 3  Shared memory concurrent program  No synchronization: often incorrect (but “efficient”)  Coarse-grained synchronization: easy to reason about, often inefficient  Fine-grained synchronization: hard to reason about, programmer often gets this wrong Challenge: Correct and Efficient Synchronization 21

Challenge Process 1Process 2Process 3 How to synchronize processes to achieve correctness and efficiency? 22

 Atomic sections  Conditional critical region (CCR)  Memory barriers (fences)  CAS  Semaphores  Monitors  Locks .... Synchronization Primitives 23

{ ……………… …… …………………. ……………………. ………………………… } P1() Example: Correct and Efficient Synchronization with Atomic Sections { …………………………… ……………………. … } P2() atomic { ………………….. …… ……………………. ……………… …………………… } P3() atomic Safety Specification: S 24

{ ……………… …… …………………. ……………………. ………………………… } P1() { …………………………… ……………………. … } P2() { ………………….. …… ……………………. ……………… …………………… } P3() Safety Specification: S Assist the programmer by automatically inferring correct and efficient synchronization Example: Correct and Efficient Synchronization with Atomic Sections 25

Challenge  Find minimal synchronization that makes the program satisfy the specification  Avoid all bad interleavings while permitting as many good interleavings as possible  Assumption: we can prove that serial executions satisfy the specification  Interested in bad behaviors due to concurrency  Handle infinite-state programs 26

Abstraction-Guided Synthesis of Synchronization  Synthesis of synchronization via abstract interpretation  Compute over-approximation of all possible program executions  Add minimal synchronization to avoid (over-approximation of) bad interleavings  Interplay between abstraction and synchronization  Finer abstraction may enable finer synchronization  Coarse synchronization may enable coarser abstraction 27

program specification Abstract counter example abstraction Abstraction Refinement Change the program to match the abstraction   Verify Abstraction-Guided Synthesis Program Restriction Implement P’ Abstract counter example 28

AGS Algorithm – High Level  = true while(true) { BadTraces = {  |   (  P       ) and   S } if (BadTraces is empty) return implement(P,  ) select   BadTraces if (?) {  = avoid(  ) if (   false)  =    else abort } else {  ’ = refine( ,  ) if (  ’   )  =  ’ else abort } Input: Program P, Specification S, Abstraction  Output: Program P’ satisfying S under  29

Avoid and Implement  Desired output – program satisfying the spec  Implementability guides the choice of constraint language  Examples  Atomic sections [POPL’10]  Conditional critical regions (CCRs) [TACAS’09]  Memory fences (for weak memory models) [FMCAD’10 + abstractions in progress]  … 30

Avoiding an interleaving with atomic sections  Adding atomicity constraints  Atomicity predicate [l1,l2] – no context switch allowed between execution of statements at l1 and l2  avoid(  )  A disjunction of all possible atomicity predicates that would prevent  Thread A A1 A2 Thread B B1 B2  = A 1 B 1 A 2 B 2 avoid(  ) = [A 1,A 2 ]  [B 1,B 2 ] 31

Avoid and abstraction   = avoid(  )  Enforcing  avoids any abstract trace  ’ such that  ’    Potentially avoiding “good traces”  Abstraction may affect our ability to avoid a smaller set of traces 32

Example T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 } 33

Example: Concrete Values y2 y1 1 Concrete values T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 } x += z; x += z; z++;z++;y1=f(x);y2=x;assert  y1=5,y2=0 z++; x+=z; y1=f(x); z++; x+=z; y2=x;assert  y1=3,y2=3 … 34

Example: Parity Abstraction y2 y1 1 Concrete values T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 } x += z; x += z; z++;z++;y1=f(x);y2=x;assert  y1=Odd,y2=Even y2 y1 1 Parity abstraction (even/odd) 35

Example: Avoiding Bad Interleavings avoid(  1 ) = [z++,z++]  = [z++,z++]  = true while(true) { BadTraces={  |  (  P       ) and   S } if (BadTraces is empty) return implement(P,  ) select   BadTraces if (?) {  =   avoid(  ) } else {  = refine( ,  ) } 36

Example: Avoiding Bad Interleavings avoid(  2 ) =[x+=z,x+=z]  = [z++,z++]  = [z++,z++]  [x+=z,x+=z]  = true while(true) { BadTraces={  |  (  P       ) and   S } if (BadTraces is empty) return implement(P,  ) select   BadTraces if (?) {  =   avoid(  ) } else {  = refine( ,  ) } 37

Example: Avoiding Bad Interleavings T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)  = [z++,z++]  [x+=z,x+=z] 38  = true while(true) { BadTraces={  |  (  P       ) and   S } if (BadTraces is empty) return implement(P,  ) select   BadTraces if (?) {  =   avoid(  ) } else {  = refine( ,  ) }

y2 y1 1 parity  parity x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 Example: Avoiding Bad Interleavings But we can also refine the abstraction… 39

y2 y parity interval octagon     (a)(b) (c) (d)(e) (f)(g) parity interval octagon x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 40

Multiple Solutions  Performance: smallest atomic sections  Interval abstraction for our example produces the atomicity constraint: ([x+=z,x+=z] ∨ [z++,z++]) ∧ ([y1=f(x),y2=x] ∨ [x+=z,x+=z] ∨ [z++,z++])  Minimal satisfying assignments   1 = [z++,z++]   2 = [x+=z,x+=z] 41

Input: Program P, Specification S, Abstraction  Output: Program P’ satisfying S under   = true while(true) { BadTraces = {  |   (  P       ) and   S } if (BadTraces is empty) return implement(P,  ) select   BadTraces if (?) {  = avoid(  ) if (   false)  =    else abort } else {  ’ = refine( ,  ) if (  ’   )  =  ’ else abort } Choosing between abstraction refinement and program restriction - not always possible to refine/avoid - may try and backtrack AGS Algorithm – More Details Forward Abstract Interpretation, taking  into account for pruning infeasible interleavings Backward exploration of invalid Interleavings using  to prune infeasible interleavings. Order of selection matters Up to this point did not commit to a synchronization mechanism 42

T1 0: if (y==0) goto L 1: x++ 2: L: T2 0: y=2 1: x+=1 2: assert x !=y Choosing a trace to avoid pc1,pc2 x,y 0,0 0,1 0,2 2,0 0,0 1,1 0,2 2,1 0,2 2,2 1,2 2,1 1,2 2,2 y=2 if (y==0) x++ x+=1 if (y==0) y=2 x+=1 legend 0,0 E,E 0,1 E,E 2,0 E,E 1,1 E,E 2,1 T,E 2,2 T,E y=2 if (y==0) x++ x+=1 if (y==0) y=2 x+=1 43

Implementability  No program transformations (e.g., loop unrolling)  Memoryless strategy T1 1: while(*) { 2: x++ 3: x++ 4: } T2 1: assert (x != 1)  Separation between schedule constraints and how they are realized  Can realize in program: atomic sections, locks,…  Can realize in scheduler: benevolent scheduler 44

Atomic sections results  If we can show disjoint access we can avoid synchronization  Requires abstractions rich enough to capture access pattern to shared data Parity Intervals ProgramRefine StepsAvoid Steps Double buffering12 Defragmentation18 3D array update223 Array Removal117 Array Init156 45

AGS with guarded commands  Implementation mechanism: conditional critical region (CCR)  Constraint language: Boolean combinations of equalities over variables (x == c)  Abstraction: what variables a guard can observe guard  stmt 46

Avoiding a transition using a guard  Add guard to z = y+1 to prevent execution from state s 1  Guard for s 1 : (x  1  y  1  z  0)  Can affect other transitions where z = y+1 is executed x=1, y=1, z=0 y=x+1 z=y+1 x=1, y=1, z=2 x=1, y=2, z=0 s1s1 s2s2 s3s3 47

Example: full observability  (y = 2  z = 1) No Stuck States Specification: { x, y, z } Abstraction: T1 1: x = z + 1 T2 1: y = x + 1 T3 1: z = y

Build Transition System 1,1,1 0,0,0 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 e,e,1 1,2,0 e,1,e 1,0,1 e,e,1 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e,2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 1,1,1 0,0,0 X Y Z PC1 PC2 PC3 legend 49

Avoid transition 1,1,1 0,0,0 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 e,e,1 1,2,0 e,1,e 1,0,1 e,e,1 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e,2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 50

1,1,1 0,0,0 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 e,e,1 1,2,0 e,e,1 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e,2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 e,1,e 1,0,1 e,e,e 1,2,1 y=x+1 x  1  y  0  z  0  Correct and Maximally Permissive Result is valid 51 x  1  y  0  z  0  z=y+1

Resulting program  (y = 2  z = 1) No Stuck States Specification: { x, y, z } Abstraction: T1 1: x = z + 1 T2 1: y = x + 1 T3 1: z = y + 1 T1 1: x = z + 1 T2 1: y = x + 1 T3 1: (x  1  y  0  z  0)  z = y

 (y = 2  z = 1) No Stuck States Specification: { x, z } Abstraction: Example: limited observability T1 1: x = z + 1 T2 1: y = x + 1 T3 1: z = y

1,1,1 0,0,0 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 e,e,1 1,2,0 e,1,e 1,0,1 e,e,1 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e,2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 Build transition system 1,1,1 0,0,0 X Y Z PC1 PC2 PC3 legend 54

Avoid bad state 1,1,1 0,0,0 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 e,e,1 1,2,0 e,1,e 1,0,1 e,e,1 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 55

1,1,1 0,0,0 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 e,e,1 1,2,0 e,1,e 1,0,1 e,e,1 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 Implementability Select all equivalent transitions 56

1,1,1 0,0,0 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 x=z+1 z=y+1 x=z+1 y=x+1 side-effects e,e,1 1,2,0 e,1,e 1,0,1 e,e,1 1,1,0 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 y=x+1 z=y+1 x  1  z  0  z=y+1 x  1  z  0  Result has stuck states 57

1,1,1 0,0,0 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 x=z+1 z=y+1 x=z+1 y=x+1 e,e,1 1,2,0 e,1,e 1,0,1 e,e,1 1,1,0 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 y=x+1 z=y+1 x  1  z  0  z=y+1 x  1  z  0  Select transition to remove 58

1,1,1 0,0,0 e,1,1 1,0,0 1,e,1 0,1,0 1,1,e 0,0,1 e,e,3 1,2,0 e,2,e 1,0,1 e,e,3 1,1,0 1,e,e 0,1,2 e,1,e 2,0,1 1,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e,2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 x  1  z  0  x  0  z  0  x  1  z  0  x  0 z  0x  0 z  0 Result is valid Correct and Maximally Permissive 59

Resulting program ! (y = 2 && z = 1) No Stuck States Specification: { x, z } Abstraction: T1 1: x = z + 1 T2 1: y = x + 1 T3 1: z = y + 1 T1 1: (x  0  z  0)  x = z + 1 T2 1: y = x + 1 T3 1: (x  1  z  0)  z = y

T1 x = z + 1 T2 y = x + 1 T3 z = y + 1  T1 x = z + 1 T2 y = x + 1 T3 (x  1  z  0)  z = y + 1  T1 (x  0  z  0)  x = z + 1 T2 y = x + 1 T3 (x  1  z  0)  z = y + 1 T1 x = z + 1 T2 y = x + 1 T3 z = y + 1 T1 x = z + 1 T2 y = x + 1 T3 (x  1  y  0  z  0)  z = y + 1 { x } { x,z } { x,y,z } T1 x = z + 1 T2 y = x + 1 T3 z = y + 1  T1 x = z + 1 T2 y = x + 1 T3 (x  1)  z = y + 1  T1 (x  0)  x = z + 1 T2 y = x + 1 T3 (x  1)  z = y + 1  61

AGS with memory fences  Avoidable transition more tricky to define  Operational semantics of weak memory models  Special abstraction required to deal with potentially unbounded store-buffers  Even for finite-state programs  Informally “finer abstraction = fewer fences” 62

Synthesis Results 63  Mostly mutual exclusion primitives  Different variations of the abstraction ProgramFD k=0FD k=1PD k=0PD k=1PD k=2 Sense0   Pet0  Dek0  Lam0T/O  Fast0T/O  Fast1a   Fast1b    Fast1cT/O  

Chase-Lev Work-Stealing Queue 1 int take() { 2 long b = bottom – 1; 3 item_t * q = wsq; 4 bottom = b 5 fence(“store-load”); 6 long t = top 7 if (b < t) { 8 bottom = t; 9 return EMPTY; 10 } 11 task = q->ap[b % q->size]; 12 if (b > t) 13 return task 14 if (!CAS(&top, t, t+1)) 15 return EMPTY; 16 bottom = t + 1; 17 return task; 18 } 1 void push(int task) { 2 long b = bottom; 3 long t = top; 4 item_t * q = wsq; 5 if (b – t >= q->size – 1) { 6 wsq = expand(); 7 q = wsq; 8 } 9 q->ap[b % q->size] = task; 10 fence(“store-store”); 11 bottom = b + 1; 12} 1 int steal() { 2 long t = top; 3 fence(“load-load”); 4 long b = bottom; 5 fence(“load-load”); 6 item_t * q = wsq; 7 if (t >= b) 8 return EMPTY; 9 task = q->ap[t % q->size]; 10 fence(“load-store”); 11 if (!CAS(&top, t, t+1)) 12 return ABORT; 13 return task; 14} Specification: no lost items, no phantom items, memory safety 1item_t* expand() { 2int newsize = wsq->size * 2; 3int* newitems = (int *) malloc(newsize*sizeof(int)); 4item_t *newq = (item_t *)malloc(sizeof(item_t)); 5for (long i = top; i < bottom; i++) { 6 newitems[i % newsize] = wsq->ap[i % wsq->size]; 7} 8newq->size = newsize; 9newq->ap = newitems; 10fence("store-store"); 11wsq = newq; 12return newq; }

Results

Performance

Some AGS instances AvoidImplementation Mechanism Abstraction Space (examples) Reference Context switchAtomic sectionsNumerical abstractions[POPL’10] TransitionConditional critical regions (CCRs) Observability[TACAS’09] ReorderingMemory fencesPartial-Coherence abstractions for Store buffers [FMCAD’10] [PLDI’11] … 67

program specification Abstract counter example abstraction Abstraction Refinement Change the specification to match the abstraction   Verify General Setting Revisited Program Restriction Implement P’ Abstract counter example S’ Spec Weakening  68

Summary  Modifying the program to fit an abstraction  examples inspired by the trace partitioning domain  (trace partitioning domain can capture these effects, and more, without changing the program)  An algorithm for Abstraction-Guided Synthesis  Synthesize efficient and correct synchronization  Handles infinite-state systems based on abstract interpretation  Refine the abstraction and/or restrict program behavior  Interplay between abstraction and synchronization  Separate characterization of solution from choosing optimal solutions (e.g., smallest atomic sections) 69