Presentation is loading. Please wait.

Presentation is loading. Please wait.

Runtime Safety Analysis of Multithreaded Programs

Published byJonathan de Sequeira Modified over 5 years ago

Similar presentations

Presentation on theme: "Runtime Safety Analysis of Multithreaded Programs"— Presentation transcript:

1 Runtime Safety Analysis of Multithreaded Programs
Koushik Sen University of Illinois at Urbana-Champaign, USA Co-authors Grigore Rosu and Gul Agha

2 Talk Overview Motivation MultiPathExplorer Further Applications
Motivating example Instrumentation based on vector clocks Predict specification violations at runtime System architecture Further Applications Conclusion and Future Work 5/15/2019

3 Increasing Software Reliability
Current solutions Human review of code and testing Most used in practice Usually ad-hoc, intensive human support (Advanced) Static analysis Often scales up False positives and negatives, annotations (Traditional) Formal methods Model checking and theorem proving General, good confidence, do not always scale up 5/15/2019

4 Runtime Verification Merge testing and temporal logic specification
Specify safety properties in proper temporal logic. Monitor safety properties against a run of the program. Examples: JPaX (NASA Ames), Upenn's Java MaC analyzes the observed run. Disadvantage: Lack of coverage. Run Naïve Observer 5/15/2019

5 Our Approach: Smart Observer
Ideas A single execution trace contains more information than appears at first sight Extract other possible runs from a single execution Analyze all these runs intelligently. A technique between model checking and testing. Run Smart Observer 5/15/2019

6 Talk Overview Motivation MultiPathExplorer Further Applications
Motivating example Instrumentation based on vector clocks Predict specification violations at runtime System architecture Further Applications Conclusion and Future Work 5/15/2019

7 MultiPathExplorer – JMPaX (Java)
Based on smart observers Smartness obtained by proper instrumentation: vector clocks Possible global states generated dynamically  form a lattice Analysis is performed on a level-by-level basis in the lattice of global states 5/15/2019

8 Motivating Example “Safe Landing”
Land the air/space craft only after approval from ground and only if, since then, the radio signal has not been lost Three variables: Landing indicating air/space craft is landing Approved indicating landing has been approved Radio indicating radio signal is live Landing  Approved, Radio 5/15/2019

9 Code of a Landing Controller
Two threaded program to control landing int landing = 0, approved = 0, radio = 1; void thread1() { askLandingApproval(); if (approved == 1) { print("Landing approved"); landing=1; print("Landing started") } else { print("Landing not approved") } } void askLandingApproval() { if (radio == 1) { approved = 1 } else { approved = 0} void thread2() { while (true) { checkRadio(); } 5/15/2019

10 Landing Safety Violation
Suppose the plane has received approval for landing and just before it started landing the radio signal went off the plane must abort landing! A simple observer will most likely not detect the bug. JMPaX can construct a possible run in which radio goes off between approval and landing approved = 1 landing = 1 radio = 0 5/15/2019

11 Talk Overview Motivation MultiPathExplorer Further Applications
Motivating example Instrumentation based on vector clocks Predict specification violations at runtime System architecture Further Applications Conclusion and Future Work 5/15/2019

12 Events in Multithreaded Programs
Given n threads p1, p2, ..., pn, A multithreaded execution is a sequence of events e1 e2 … er of type: internal or, read of a shared variable or, write of a shared variable. eij represents the jth event generated by thread pi since the start of its execution. 5/15/2019

13 Causality in Multithreaded Programs
Define the partial order Á on the set of events as follows: eik Á eil if k < l; e Á e' if there is some x 2 S such that e <x e' and at least one of e, e‘ is a write. e Á e'' if e Á e' and e' Á e''. eik Á eil i x i j e e’ 5/15/2019

14 Vector Clocks and Relevant Events
Consider a subset R of relevant events. (typically those writing specification’s variables) R-relevant causality is a relation C µ Á C is a projection of Á on R £ R. We provide a technique based on vector clocks that correctly implements the relevant causality relation. 5/15/2019

15 Vector Clock Algorithm
Let Vi be an n-dimensional vector of natural numbers for each thread pi. Let Vxa and Vxw be vectors for each shared variable x. if eik is relevant, i.e., if eik 2 R, then Vi[i] à Vi[i] + 1 if eik is a read of a variable x then Vi à max{Vi,Vxw} Vxa à max{Vxa,Vi} if eik is a write of a variable x then Vxw à Vxa à Vi à max{Vxa,Vi} if eik is relevant then send message h eik, i, Vi i to observer. 5/15/2019

16 Correspondence with Standard Vector Clocks
x(a) x(w) Read i x(a) x(w) Write 5/15/2019

17 Implementing Causality by Vector Clocks
Theorem: If he, i, Vi and he', j, V' i are messages sent by our algorithm, then e C e' iff V[i] · V'[i] If i and j are not given, then e C e' iff V < V‘ 5/15/2019

18 Example with Two Threads
thread T1 { x++; ... y = x + 1; } thread T2 { z = x + 1; ... x++; } (initially x = -1) T1 T2 e1: hx =0,T1, (1,0) i e3: hy =1,T1, (2,0) i e4: hx =1,T2, (1,2) i e2: hz =1,T2, (1,1) i 5/15/2019

19 Relevant Global State The program state after the events ek11,ek22,...,eknn is called a relevant global multithreaded state or simply a state. A state k1 k2 … kn is called consistent if and only if it can be seen in some possible run of the system. 5/15/2019

20 MultiThreaded Run e1e2 … e|R| is a multithreaded run iff it generates a sequence of global states K0 K1 … K|R| such that each Kr is consistent and Kr after event er becomes Kr+1. (consecutive states) 5/15/2019

21 Computation Lattice We say  À ' when there is some run in which  and ' are consecutive states Consistent global states together with the transitive closure of À form a lattice Multithreaded runs are paths in the lattice 5/15/2019

22 Example Revisited thread T1 { x++; ... y = x + 1; } thread T2 {
z = x + 1; ... x++; } 5/15/2019

23 Monitoring Safety Formula
e1 : h x=0,T1, (1,0) i e2 : h z=1,T2, (1,1) i e3 : h y=1,T1, (2,0) i e4 : h x=1,T2, (1,2) i 0,0 x = -1, y = 0, z = 0 2,2 x = 1, y = 1, z = 1 1,2 x = 1, y = 0, z = 1 2,1 x = 0, y = 1, z = 1 2,0 x = 0, y = 1, z = 0 1,1 x = 0, y = 0, z = 1 1,0 x = 0, y = 0, z = 0 (x > 0) ! [(y = 0), (y > z))s 5/15/2019

24 Safety Violation in a Possible Run
e1 : h x=0,T1, (1,0) i e2 : h z=1,T2, (1,1) i e3 : h y=1,T1, (2,0) i e4 : h x=1,T2, (1,2) i 0,0 x = -1, y = 0, z = 0 2,2 x = 1, y = 1, z = 1 1,2 x = 1, y = 0, z = 1 2,1 x = 0, y = 1, z = 1 2,0 x = 0, y = 1, z = 0 1,1 x = 0, y = 0, z = 1 1,0 x = 0, y = 0, z = 0 (x > 0) ! [(y = 0), (y > z))s 5/15/2019

25 Talk Overview Motivation MultiPathExplorer Further Applications
Motivating example Instrumentation based on vector clocks Predict specification violations at runtime System architecture Further Applications Conclusion and Future Work 5/15/2019

26 Safety Against All Runs
Number of possible runs can be exponential Traverse the state lattice level by level Avoids analyzing an exponential number of runs Maintain a queue of events Enqueue an event as soon as it arrives Construct a new level from the set of states in the previous level and the events in the queue Monitor safety formula against all states in a level using dynamic programming and intelligent merging. 5/15/2019

27 Algorithm Pseudocode for each (e 2 Q) {
if exists s 2 CurrentLevel s.t. isNextState(s,e) then NextLevel à addToSet(NextLevel,createState(s,e)); if isUnnecessary(s) then remove(s,CurrentLevel); if isEmpty(CurrentLevel) then { monitorAll(NextLevel); CurrentLevel à NextLevel; NextLevel à {}; Q à removeUnnecessaryEvents(CurrentLevel,Q); } 5/15/2019

28 Complexity Time complexity is O(w.2m.n) Memory used is O(w.2m’)
w – width of the lattice m – size of the formula n – length of the run Memory used is O(w.2m’) m’ – number of temporal operators in the formula Further optimizations Consider bounded width w of queue Q 5/15/2019

29 Reason for Efficiency s00 s11 s21 s31 s41 s00 s12 s21 s31 s41 s00 s12
5/15/2019

30 Java multithreaded program
JMPaX Architecture Specification Java multithreaded program Translator Instrumentor Bytecode Instrumented code SpecificationImpl JVM LTL monitor Events 5/15/2019

31 Further Applications Security Security policies as safety requirements
Predict safety violations efficiently! communicate(A,B,K)   (sendKey(S,(A,B),K)   requestKey(S,A,B)) 5/15/2019

32 Contributions Introduce vector clock algorithm in multithreaded systems to capture relevant causality. Efficiently Predict safety errors from successful runs. A modular implementation of the above ideas in a analysis tool, JMPaX. for JMPaX prototype. 5/15/2019

33 Future Work Evaluate JMPaX on real, large applications
Develop predictive algorithms for other requirements specification logics Consider a superset of partial order to gain efficiency Find more scalable techniques that can fill the gap between model checking and testing Integrate with NASA Ames’ Java PathExplorer Tool (JPaX). 5/15/2019

Download ppt "Runtime Safety Analysis of Multithreaded Programs"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Modeling and Analyzing Periodic Distributed Computations Anurag Agarwal Vijay Garg Vinit Ogale The University.

Modeling and Analyzing Periodic Distributed Computations Anurag Agarwal Vijay Garg Vinit Ogale The University.
A Survey of Runtime Verification Jonathan Amir 2004.

A Survey of Runtime Verification Jonathan Amir 2004.
Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.

Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.
Runtime Verification Ali Akkaya Boğaziçi University.

Runtime Verification Ali Akkaya Boğaziçi University.
RV: A Runtime Verification Framework for Monitoring, Prediction and Mining Patrick Meredith Grigore Rosu University of Illinois at Urbana-Champaign (UIUC)

RV: A Runtime Verification Framework for Monitoring, Prediction and Mining Patrick Meredith Grigore Rosu University of Illinois at Urbana-Champaign (UIUC)
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.

D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.

/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.

Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.

PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.
Ordering and Consistent Cuts Presented By Biswanath Panda.

Ordering and Consistent Cuts Presented By Biswanath Panda.
Distributed Systems Fall 2009 Logical time, global states, and debugging.

Distributed Systems Fall 2009 Logical time, global states, and debugging.
CPSC 668Set 12: Causality1 CPSC 668 Distributed Algorithms and Systems Fall 2009 Prof. Jennifer Welch.

CPSC 668Set 12: Causality1 CPSC 668 Distributed Algorithms and Systems Fall 2009 Prof. Jennifer Welch.
ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
VESTA: A Statistical Model- checker and Analyzer for Probabilistic Systems Authors: Koushik Sen Mahesh Viswanathan Gul Agha University of Illinois at Urbana-Champaign.

VESTA: A Statistical Model- checker and Analyzer for Probabilistic Systems Authors: Koushik Sen Mahesh Viswanathan Gul Agha University of Illinois at Urbana-Champaign.
Testing and Monitoring at Penn An Integrated Framework for Validating Model-based Embedded Software Li Tan University of Pennsylvania September, 2003.

Testing and Monitoring at Penn An Integrated Framework for Validating Model-based Embedded Software Li Tan University of Pennsylvania September, 2003.

Similar presentations

Ads by Google