Presentation is loading. Please wait.

Presentation is loading. Please wait.

Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center."— Presentation transcript:

1 Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center

2 High Level Setting 2 Process 1Process 2Process 3

3 High Level Setting 3 Process 1Process 2Process 3

4 High Level Setting 4 Process 1Process 2Process 3

5 High Level Setting 5 Process 1Process 2Process 3

6 Challenge 6 Process 1Process 2Process 3 How to synchronize processes in order to achieve correctness and good performance ?

7 This Work 7 Assist the programmer by automatically inferring correct and efficient synchronization

8 Semaphores Monitors Conditional critical region (CCR) Fine grained (e.g., CAS) Locks.... Synchronization Primitives 8

9 Conditional Critical Regions Syntax of CCR Synchronization code – guard can observe the program state – guard does not modify program state guard  stmt 9

10 High Level Setting 10 Process 1Process 2Process 3

11 CCR Setting 11 Process 1Process 2Process 3 s1;s2; s5; s7; s6; s3;s4; Specification:  Permissiveness Cost as a language of CCR guards

12 Given a language LG, specification S and program A, program B is maximally permissive, if: – B satisfies S – B is obtained from A by adding guards from LG – Cannot obtain a program C that is correct and more permissive than B from A via LG: 12 Maximal Permissiveness if  B    C  then C does not satisfy S

13 Two Algorithms to infer CCR guards – Greedy – Exhaustive Guarantee maximal permissiveness – Greedy: under some conditions – Exhaustive: always Implementation in SPIN – prototype, examples Contributions

14 This Work Safety, No Stuck States Specification: Language of Guards Cost: Automatic Inference of Guards Process 1Process 2Process 3 s1;s2; s5; s7; s6; s3;s4; Process 1Process 2Process 3 g1  s1;s2; s5; g2  s7; s6; s3;s4; Correct and Maximally Permissive

15 Inference Algorithm Construct transition system of input program and specification Remove a (minimal) set of transitions such that the result satisfies the specification Implement resulting transition system as program by strengthening guards of CCRs in the program 15

16 GREEDY(P : Program) : Program { R = ∅ while (true) { ts = if valid(ts) return implement(P,R) B = cut-transitions(ts) if B = ∅ abort “cannot find valid synchronization” select a transition t ∈ B R = R ∪ equiv(t) } Inference Algorithm 16

17 Example Language: Observability Obs: Variables that can be read by CCR guards LE(Obs): language of boolean combinations of equalities between variables in Obs and constants Example: Obs: {x, y, z} Guard Expression in LE(Obs): (x!=1 || y!=0 || z!=0) 17

18 Example: Full Observability ! (y = 2 && z = 1) No Stuck States Specification: LE( { x, y, z } ) Cost: Automatic Inference of Guards z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3

19 What is in a state s,s,s 0,0,0 X Y Z PC1 PC2 PC3

20 Build Transition System s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 20

21 Select Transitions to Remove s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 21

22 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 22 e,s,e 1,0,1 e,e,e 1,2,1 y=x+1 z=y+1 Build Transition System x!=1 || y!=0 || z!=0  Correct and Maximally Permissive

23 Example: Full Observability ! (y = 2 && z = 1) No Stuck States Specification: LE( { x, y, z } ) Cost: Automatic Inference of Guards z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3 (x!=1 || y!=0 || z!=0)  z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3

24 Example: Limited Observability ! (y = 2 && z = 1) No Stuck States Specification: LE( { x,, z } ) Cost: Automatic Inference of Guards z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3

25 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 25 Build Transition System

26 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 26

27 Select transition to remove s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 27

28 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 28 Select All Equivalent Transitions Implementability

29 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 x=z+1 z=y+1 x=z+1 y=x+1 29 Side-effects e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 y=x+1 z=y+1 x!=1 || z!=0  z=y+1 x!=1 || z!=0  Build Transition System

30 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 x=z+1 z=y+1 x=z+1 y=x+1 30 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 y=x+1 z=y+1 x!=1 || z!=0  z=y+1 x!=1 || z!=0  Select transitions to remove

31 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,3 1,2,0 e,2,e 1,0,1 e,e,3 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 x!=1 || z!=0  x!=0 || z!=0  x!=1 || z!=0  x!=0|| z!=0  31 Build Transition System Correct and Maximally Permissive

32 Example: Limited Observability Automatic Inference of Guards (x!=1 || z!=0)  z=y+1; Process 1 (x!=0 || z!=0)  x=z+1; y=x+1; Process 2 Process 3 z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3 ! (y = 2 && z = 1) No Stuck States Specification: LE( { x,, z } ) Cost:

33 Inference Algorithms Greedy algorithm – Resulting program satisfies the specification – No side-effects guarantees maximal permissiveness – Experience: maximally permissive with side-effects – Polynomial Exhaustive algorithm – Resulting program satisfies the specification – Maximally permissive – Exponential 33

34 Implementation Prototype – Greedy algorithm – Using SPIN Examples – Dining philosophers – Asynchronous counters – Race correction 34

35 Infinite Transition System Preliminary Work – Finite state abstraction – Same algorithm – Conservatively eliminate potentially stuck states – Cannot guarantee maximally permissive Future Work – Refine when state becomes potentially stuck – Specialized abstractions for stuckness – Related to abstractions for termination 35

36 Summary Algorithms for CCR guard inferences – Greedy (polynomial) and Exhaustive (exponential) – Produce maximally permissive programs – Parametric on User-specified Cost – Deals with side effects and implementability 36

37 Related Work Recovery and predication mechanisms – STM, Isolator, Tolerace Synthesis from temporal specification Game theory – Memoryless winning strategy for Buchi games 37

38 Ongoing and Future Work Conditions for maximal permissiveness of greedy Infer other synchronization mechanisms – meta-data, atomic sections, non-blocking Abstraction for stuck states 38

Download ppt "Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center."

Similar presentations

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
1.6 Behavioral Equivalence. 2 Two very important concepts in the study and analysis of programs –Equivalence between programs –Congruence between statements.

1.6 Behavioral Equivalence. 2 Two very important concepts in the study and analysis of programs –Equivalence between programs –Congruence between statements.
Solving Timed Games with Variable Observations: Proof of Concept Peter Bulychev Franck Cassez Alexandre David Kim G. Larsen Jean-François Raskin Pierre-Alain.

Solving Timed Games with Variable Observations: Proof of Concept Peter Bulychev Franck Cassez Alexandre David Kim G. Larsen Jean-François Raskin Pierre-Alain.
1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)

1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)
Timed Automata.

Timed Automata.
Chapter 6 Process Synchronization Bernard Chen Spring 2007.

Chapter 6 Process Synchronization Bernard Chen Spring 2007.
Chapter 6: Process Synchronization

Chapter 6: Process Synchronization
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.
5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.

5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
PARTIAL-COHERENCE ABSTRACTIONS FOR RELAXED MEMORY MODELS Presented by Michael Kuperstein, Technion Joint work with Martin Vechev, IBM Research and Eran.

PARTIAL-COHERENCE ABSTRACTIONS FOR RELAXED MEMORY MODELS Presented by Michael Kuperstein, Technion Joint work with Martin Vechev, IBM Research and Eran.
6.5 Semaphore Can only be accessed via two indivisible (atomic) operations wait (S) { while S

6.5 Semaphore Can only be accessed via two indivisible (atomic) operations wait (S) { while S
Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.

Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.
1 Lecture 09 – Synthesis of Synchronization Eran Yahav.

1 Lecture 09 – Synthesis of Synchronization Eran Yahav.
Enhancing The Fault-Tolerance of Nonmasking Programs Sandeep S. Kulkarni and Ali Ebnenasir Software Engineering and Network Systems Laboratory Computer.

Enhancing The Fault-Tolerance of Nonmasking Programs Sandeep S. Kulkarni and Ali Ebnenasir Software Engineering and Network Systems Laboratory Computer.

Similar presentations

Ads by Google