Presentation is loading. Please wait.

Presentation is loading. Please wait.

ZING Systematic State Space Exploration of Concurrent Software

Published byMichael Hunt Modified over 6 years ago

Similar presentations

Presentation on theme: "ZING Systematic State Space Exploration of Concurrent Software"— Presentation transcript:

1 ZING Systematic State Space Exploration of Concurrent Software
Jakob Rehof Microsoft Research Joint work with Tony Andrews (MS) Shaz Qadeer (MSR) Sriram K. Rajamani (MSR)

2 Lecture II: Outline ZING language Demos Procedure Summaries
LTM analysis X86 -> ZING Procedure Summaries Conformance Theory (I)

3 Zing Language Zing = C# - some types – inheritance + concurrency + modeling features Concurrency = shared memory + message-passing Modeling features = nondeterminism + sets + symbolic execution

4 Concurrency static activate void foo() { … } async-call-statement
async invocation-expression

5 Modeling choose-expression choose( type ) choose( primary-expression )
event-statement event(integer-expression, integer-expression, boolean-expression) set-declaration set identifier type

6 Channels channel-declaration: chan identifier type send-statement
send(expression, expression);

7 Synchronization select [select-qualifiers] { join-statements }
select-statement select [select-qualifiers] { join-statements } select-qualifier end first visible join-statement join-list -> embedded-statement timeout -> embedded-statement

8 Synchronization join-list join-pattern join-list && join-pattern
wait(boolean-expression) receive(expression, expression) event(integer-expression, integer-expression, boolean-expression)

9 Lecture II: Outline ZING language Demos Procedure Summaries
LTM analysis X86 -> ZING Procedure Summaries Conformance Theory (I)

10 Indigo Transaction Manager LTM Abstracting the LTM
DTM (20K LOC) Client (main) DRM (dbase) VRM (cache) Volatile RM interface Prepare Rollback Commit CreateTx CloneTx DurableEnlist VolatileEnlist Commit Abort Prepared ForceRollback EnlistmentDone LTM (10K LOC) Prepare Rollback Commit LTM interface to RMs LTM interface to Client Durable RM interface

11 Overview of the bug Transactions tx1 and tx2 must be inserted in the same bucket of the hash table. Transaction tx2 is a bystander that ensures that tx1.next is non-null (a necessary precondition). Transaction tx1 is committed. The commit thread and the timer thread interleave (4 context switches at specific locations) such that tx1.next is set to null by the timer thread and subsequently dereferenced by the commit thread. 256 hash table tx1 tx2

12 Lecture II: Outline ZING language Demos Procedure Summaries
LTM analysis X86 -> ZING Procedure Summaries Conformance Theory (I)

13 Lecture II: Outline ZING language Demos Procedure Summaries
LTM analysis X86 -> ZING Procedure Summaries Conformance Theory (I)

14 Procedure Summaries for Concurrent Programs
Generalized CFL-Reachability Algorithm Qadeer, Rajamani, Rehof: Summarizing Procedures in Concurrent Programs. [POPL 2004] Implemented in ZING Approx. one year sustained effort

15 Summarization for sequential programs
Procedure summarization (Sharir-Pnueli 81, Reps-Horwitz-Sagiv 95) is the key to efficiency int x; void incr_by_2() { x++; } void main() { x = 0; incr_by_2(); } Bebop, ESP, Moped, MC, Prefix, …

16 What is a summary in sequential programs?
Summary of a procedure P = Set of all (pre-state  post-state) pairs obtained by invocations of P int x; void incr_by_2() { x++; } void main() { x = 0; incr_by_2(); x = 1; x  x’ 0  2 1  3

17 Assertion checking for sequential programs
Boolean program with: g = number of global vars m = max. number of local vars in any scope k = size of the CFG of the program Complexity is O( k  2 O(g+m) ), linear in the size of CFG Summarization enables termination in the presence of recursion

18 Assertion checking for concurrent programs
Ramalingam 00: There is no algorithm for assertion checking of concurrent boolean programs, even with only two threads.

19 Our contribution Precise semi-algorithm for verifying properties of concurrent programs based on model checking procedure summarization for efficiency Termination for a large class of concurrent programs with recursion and shared variables Generalization of precise interprocedural dataflow analysis for sequential programs

20 What is a summary in concurrent programs?
Unarticulated so far Naïve extension of summaries for sequential programs do not work Call P Return P

21 Attempt 1 s Advantage: summary computable as in a sequential program
Call P Return P s s’ Advantage: summary computable as in a sequential program Disadvantage: summary not usable for executions with interference from other threads

22 Attempt 2 s Advantage: Captures all executions Call P
Return P s s’ Advantage: Captures all executions Disadvantage: s and s’ must comprise full program state summaries are complicated do not offer much reuse

23 The theory of movers (Lipton 75)
r=foo y T3 x S0 S1 S2 acq x T1 R: right movers lock acquire L: left movers lock release S7 T6 S5 rel z S6 B: both right + left movers variable access holding lock N: non-movers access unprotected variable

24 Transaction Lipton: any sequence (R+B)*; (N+) ; (L+B)* is a transaction S0 . S5 R* N L* x Y animation for ; and * Other threads need not be scheduled in the middle of a transaction  Transactions may be summarized

25 If a procedure body is a single transaction,
summarize as in a sequential program bool available[N]; mutex m; int getResource() { int i = 0; L0: acquire(m); L1: while (i < N) { L2: if (available[i]) { L3: available[i] = false; L4: release(m); L5: return i; } L6: i++; L7: release(m); L8: return i; Choose N = 2 Summaries:  m, (a[0],a[1])    i’, m’, (a[0]’,a[1]’)   0, (0, 0)    2, 0, (0,0)   0, (0, 1)    1, 0, (0,0)   0, (1, 0)    0, 0, (0,0)   0, (1, 1)    0, 0, (0,1)  Point out that these are summaries of uninterrupted executions of getResource by a thread. That is why there is no summary edge beginning with m = 1. Also, pc and i are strictly not needed. Perhaps I can simplify the summaries for this example.

26 Transactional procedures
In the Atomizer benchmarks (Flanagan-Freund 04), a majority of procedures are transactional

27 What if a procedure body comprises multiple transactions?
bool available[N]; mutex m[N]; int getResource() { int i = 0; L0: while (i < N) { L1: acquire(m[i]); L2: if (available[i]) { L3: available[i] = false; L4: release(m[i]); L5: return i; } else { L6: release(m[i]); } L7: i++; L8: return i; Choose N = 2 Summaries:  pc,i,(m[0],m[1]),(a[0],a[1])    pc’,i’,(m[0]’,m[1]’),(a[0]’,a[1]’)   L0, 0, (0,*), (0,*)    L1, 1, (0,*), (0,*)   L0, 0, (0,*), (1,*)    L5, 0, (0,*), (0,*)   L1, 1, (*,0), (*,0)    L8, 2, (*,0), (*,0)   L1, 1, (*,0), (*,1)    L5, 1, (*,0), (*,0)  The first set of summaries are for the first iteration of the loop. The first in this set corresponds to unsuccessful iteration and the last corresponds to successful one. The second set of summaries are for the second iteration of the loop.

28 starts in caller and ends in callee?
What if a transaction starts in caller and ends in callee? starts in callee and ends in caller? void foo() { acquire(m); x++; bar(); x--; release(m); } void bar() { int x; mutex m; 1 2

29 starts in caller and ends in callee?
What if a transaction starts in caller and ends in callee? starts in callee and ends in caller? int x; mutex m; void foo() { acquire(m); x++; bar(); x--; release(m); } void bar() { release(m); acquire(m); } 1 2 Solution: Split the summary into pieces Annotate each piece to indicate whether transaction continues past it

30 Two-level model checking
Top level performs state exploration Bottom level performs summarization Top level uses summaries to explore reduced set of interleavings Maintains a stack for each thread Pushes a stack frame if annotated summary edge ends in a call Pops a stack frame if annotated summary edge ends in a return

31 Termination Theorem: If all recursive functions are transactional, then our algorithm terminates. The algorithm reports an error iff there is an error in the program.

32 Concurrency + recursion
int g = 0; mutex m; void foo(int r) { L0: if (r == 0) { L1: foo(r); } else { L2: acquire(m); L3: g++; L4: release(m); } L5: return; Summaries for foo:  pc,r,m,g    pc’,r’,m’,g’   L0,1,0,0    L5,1,0,1   L0,1,0,1    L5,1,0,2  void main() { int q = choose({0,1}); M0: foo(q); M1: acquire(m) M2: assert(g >= 1); M3: release(m); M4: return; } Prog = main() || main()

33 Summary (!) Transactions enable summarization
Identify transactions using the theory of movers Transaction boundaries may not coincide with procedure boundaries Two level model checking algorithm Top level maintains a stacks for each thread Bottom level maintains summaries

34 Sequential programs For a sequential program, the whole execution is a transaction Algorithm behaves exactly like classic interprocedural dataflow analysis

Download ppt "ZING Systematic State Space Exploration of Concurrent Software"

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.

Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
Zing: A Systematic State Explorer for Concurrent Software Tony Andrews Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Zing: A Systematic State Explorer for Concurrent Software Tony Andrews Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Zing: Exploiting Program Structure for Model Checking Concurrent Software Tony Andrews Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research Yichen.

Zing: Exploiting Program Structure for Model Checking Concurrent Software Tony Andrews Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research Yichen.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Model Checking Concurrent Software Shaz Qadeer Microsoft Research.

Model Checking Concurrent Software Shaz Qadeer Microsoft Research.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Programming Languages and Paradigms

Programming Languages and Paradigms
Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.

Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
ZING Systematic State Space Exploration of Concurrent Software Jakob Rehof Microsoft Research

ZING Systematic State Space Exploration of Concurrent Software Jakob Rehof Microsoft Research
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
Model Checking Lecture 5. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 5. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Atomicity: A powerful concept for analyzing concurrent software Shaz Qadeer Microsoft Research.

Atomicity: A powerful concept for analyzing concurrent software Shaz Qadeer Microsoft Research.

Similar presentations

Ads by Google