Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac."— Presentation transcript:

1 Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac Flanagan, Stephen Freund, Sanjit Seshia

2 Multithreaded software  Examples: operating systems, databases, web servers, Java libraries  Verification problem –for all inputs and interleavings, program satisfies specification  Verifying multithreaded programs is difficult –large and complex

3 Modular verification of multithreaded programs  thread: verify each thread separately using specifications of other threads  procedure: in each thread, verify each procedure separately using specifications of called procedures

4 Method  Reduce verification of multithreaded programs to verification of sequential programs  Analysis of sequential programs well-studied –dataflow analysis –abstract interpretation –theorem proving with verification conditions

5 Action  predicate on unprimed and primed variables –(x’ = y+1  y’ = y)  x := y+1 –(p  x’ = x)  p y –true   skip

6 Atomic operation  actions p and q  p  q : all transitions allowed by p must also be allowed by q  (x’ = y+1  y’ = y)  x’  y’ succeeds  (x’ = y+1  y’ = y)  x’ = y’ fails  skip  p  assert p  p abbreviates p  true

7 Outline  modular verification –without procedure calls –with procedure calls  verification of Mercator

8 Simple multithreaded program Thread1 acq; x := x+1; assert x > 0; rel; Thread2 acq; x := 0; rel; m = i, if held by thread i 0, if unheld Init: x = 0

9 Simple multithreaded program Thread1 ( m=0  m’=1) m ; x := x+1; assert x > 0; ( m’=0) m ; Thread2 ( m=0  m’=2) m ; x := 0; ( m’=0) m ; Init: x = 0

10 Owicki-Gries-Lamport method Thread1 L1: m=0  x  0 (m=0  m’=1) m ; L2: m=1  x  0 x := x+1; L3: m=1  x  1 assert x > 0; L4: m=1  x  1 (m’=0) m ; L5: m=0  x  0 Thread2 M1: m=0  x  0 (m=0  m’=2) m ; M2: m=2  x  0 x := 0; M3: m=2  x  0 (m’=0) m ; M4: m=0  x  0  Sequential correctness  Non-interference

11 Why is Thread 1 correct? Thread 1 view ( m=0  m’=1) m ; ** x := x+1; * assert x > 0; * ( m’=0) m ; 1-abstraction A 1  ; ( m=0  m’=1) m  A 2 ; A 1  ; x := x+1  A 2 ; A 1  ; assert x > 0  A 2 ; A 1  ; ( m’=0) m  A 2 ;  (m’=0  x’  0)  (m = i  m’ = i)  (m = i  x’ = x) Ai Ai  Jones 83

12 Why is Thread 1 correct? Thread 1 view ( m=0  m’=1) m ; ** x := x+1; * assert x > 0; * ( m’=0) m ; 1-abstraction A 1 reflexive- transitive ! Can replace A 1  by A 1 !  A 1 ; (m=0  m’=1) m  A 2 ; A 1 ; x := x+1  A 2 ; A 1 ; assert x > 0  A 2 ; A 1 ; (m’=0) m  A 2 ;  (m’=0  x’  0)  (m = i  m’ = i)  (m = i  x’ = x) Ai Ai  Jones 83

13 Sequential checker Summary of method Thread 1 Thread 2 Thread n 1-abs 2-abs n-abs Sequential checker Sequential checker... yes

14 Assume-guarantee decomposition  Misra-Chandy 81 –processes communicating over channels  Jones 83 –parallel shared-memory programs  Abadi-Lamport 85 –temporal logic  Alur-Henzinger 96, McMillan 97 –Mealy machines (hardware) ...

15 Outline  modular verification –without procedure calls –with procedure calls  verification of Mercator

16 Simple multithreaded program Thread1 acq( ); x := x+1; assert x > 0; rel( ); Thread2 acq( ); x := 0; rel( ); Init: x = 0

17 Mutex implementation is not atomic ! acq( ) { t := i; while (t  0) ACS(m,0,t) ; } ACS(m,v,t)  if (m=v) then m,t := t,m rel( ) { m := 0; } What is the specification of acq( ) and rel( )?

18 Modular verification of sequential programs  verify each procedure separately using specifications of called procedures requires x > 0 modifies x ensures x’ = x+1 inc( ) { x := x+1; }. assert x > 0; (x’ = x+1) ;. assume x > 0; x_pre := x; y_pre := y; x := x+1; assert x = x_pre+1; assert y = y_pre;

19 Pre/post-conditions not enough ! Thread1 acq( ); x := x+1; assert x > 0; rel( ); acq( ) { t := 1; while (t  0) ACS(m,0,t) ; } modifies x, m ensures m=1  x  0 abstraction boundary A 1 ; t := 1  A 2 ; while (t  0) { A 1 ; ACS(m,0,t)  A 2 ; } A 1 ; assert m=1  x  0 ;  (m’=0  x’  0)  (m = i  m’ = i)  (m = i  x’ = x) Ai Ai 

20 Specification of acq() for Thread i Impl: acq( ) { t := i; while (t  0) ACS(m,0,t) ; } Spec: skip * ; ( m=0  m’=i) m skip ( m=0  m’=i) m m0m0 m=0 Often, witness can be guessed automatically ! Need witness to synchronize spec actions with impl actions !

21 Verification of acq() for Thread 1 true ; t := 1  skip; true ; while (t  0) { true ; ACS(m,0,t)  } Spec: skip * ; ( m=0  m’=1) m  m  0  skip  m=0  (m=0  m’=1) m ; In general, assumption could involve variables in scope.

22 Specification of rel() for Thread i Impl: rel( ) { m := 0; } Spec: ( m’=0) m

23 Generalization of pre/post-conditions requires p modifies U ensures q f( ) {... } assert p ; true U  ; assume q f( ) {... }

24 Why is Thread 1 correct? Thread1 skip * ; ( m=0  m’=1) m ; x := x+1; assert x > 0; ( m’=0) m ; Thread1 acq( ); x := x+1; assert x > 0; rel( ); A 1 ; { skip  A 2 ; A 1 ; }  ; (m=0  m’=1) m  A 2 ; A 1 ; x := x+1  A 2 ; A 1 ; assert x > 0  A 2 ; A 1 ; (m’=0) m  A 2 ;  (m’=0  x’  0)  (m = i  m’ = i)  (m = i  x’ = x) Ai Ai 

25 Summary  for each thread i –write assumption –write specifications for procedures –check each specification by inlining specifications of called procedures –check assumptions of other threads

26 Outline  modular verification –without procedure calls –with procedure calls  verification of Mercator

27 Implementation  Extended Static Checker for Java (Detlefs- Leino-Nelson-Saxe 98)  verification conditions proved by Simplify (Nelson 81)

28 More details  atomic operation is read/write of a heap variable  optimizations for reducing assumptions between atomic operations  assume sequential consistency  witness guessed automatically

29 Mercator (Heydon-Najork 99)  multithreaded web crawler written in Java  in production use at Altavista  synchronization based on Java monitors and reader-writer locks

30 Mercator architecture RAMDISK... TCTC T1T1 T NUM Checkpointing Thread Worker Threads URL set URL queue

31 Reader-writer locks  lock L 1 : –checkpointing thread acquires in write mode –worker threads acquire in read mode  lock L 2 : –protects data structure on disk –worker thread acquires in write mode to write and in read mode to read

32 Race detection  checkpointing thread –must hold L 1 in write mode  worker thread –must hold L 1 in read mode –reading: must hold L 2 in read mode –writing: must hold L 2 in write mode

33 Verification  analyzed ~1500 LOC  Mercator’s reader-writer locks implement specification –acq_read( ), acq_write( ), rel_read(), rel_write( )  absence of races –threads obey protocol for accessing shared data  found bug introduced by us

34 Annotation cost  55 annotations  Scales with complexity of synchronization patterns, not size of program

35 Verification of java.util.vector  synchronization with Java monitors  ~450 LOC  4 annotations  found known race (Flanagan-Freund 00)

36 Annotation overhead CategoryFraction of Total Read/Write Constraints & Data Invariants 6/55 Specification of Readers-Writer Locks 21/55 Other Interface Specifications 16/55 Environment Assumptions 12/55

37 File system Web server Disk Buffer cache Mutex module Mutex { /* Data */ boolean b; int m; /* Code */ acq() { } rel() { } } create() {. acq();. }

38 module Mutex { /* Data */ boolean b; int m; invariant  b  m = 0; /* Code */ spec …… acq() {. assert b;. } spec …… rel() { } }

39 Programs S  SeqProg ::=  atomic operation | S 1 ; S 2 composition | S 1  S 2 choice | S 1  iteration | call p procedure call P  ParProg ::= S 1 ||... || S n

40 Modular verification of multithreaded programs  one procedure active for each thread  interleaving of atomic actions of active procedures  atomic action is unit of induction  pre/post-conditions not enough  need abstraction of each atomic action of a procedure  specification is an abstract program

Download ppt "Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac."

Similar presentations

Verification of architectural memory models by model checking Shaz Qadeer Compaq Systems Research Center

Verification of architectural memory models by model checking Shaz Qadeer Compaq Systems Research Center
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.
Chapter 6: Process Synchronization

Chapter 6: Process Synchronization
5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.

5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by SRC Contract.
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.

Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.

ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)

Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.

/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.

CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
C. FlanaganTypes for Race Freedom1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.

C. FlanaganTypes for Race Freedom1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

Similar presentations

Ads by Google