Presentation is loading. Please wait.

Presentation is loading. Please wait.

Part II: Atomicity for Software Model Checking. Class Account { int balance; static int MIN = 0, MAX = 100; bool synchronized deposit(int n) { int t =

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Part II: Atomicity for Software Model Checking. Class Account { int balance; static int MIN = 0, MAX = 100; bool synchronized deposit(int n) { int t ="— Presentation transcript:

1 Part II: Atomicity for Software Model Checking

2 Class Account { int balance; static int MIN = 0, MAX = 100; bool synchronized deposit(int n) { int t = balance + n; if (t > MAX) return false; balance = t; assert(MIN  balance  MAX); return true; } bool synchronized withdraw(int n) { int t = balance – n; if (t < MIN) return false; balance = t; assert(MIN  balance  MAX); return true; } Account a = new Account(); Account b = new Account(); async a.deposit(5); async b.withdraw(10);

3 Model checker for concurrent software –assertions, deadlocks Rich input language –Procedures, dynamic object creation, dynamic thread creation –Shared-memory (via globals and channels) –Message-passing (via channels) Joint work with Tony Andrews, Jakob Rehof, and Sriram Rajamani http://www.research.microsoft.com/zing

4 Analysis of concurrent programs is difficult (1) Finite-data single-procedure program –n lines –m states for global data variables 1 thread –n * m states K threads –(n) K * m states

5  B: both right + left movers –variable access holding lock  N : non-movers –access unprotected variable The theory of movers (Lipton 75) R : right movers –lock acquire  L: left movers –lock release

6 Transaction S0S0. S5S5 R* N L*xY... S0S0. S5S5 R* N L* xY... Other threads need not be scheduled in the middle of a transaction Lipton: any sequence (R|B)*; [N] ; (L|B)* is a transaction Pre-commit Post-commit

7 Algorithm: 1.Schedule all threads in the initial state. 2.For each state s discovered by executing a thread t: If s is inside a transaction, schedule only thread t from s. Otherwise, schedule all threads from s. s 0, -, - State, Phase, Tid Instrumented state:

8 Algorithm: 1.Schedule all threads in the initial state. 2.For each state s discovered by executing a thread t: If s is inside a transaction, schedule only thread t from s. Otherwise, schedule all threads from s. s 0, -, - State, Phase, Tid s 1, pre, 1 Instrumented state: 1 R | B

9 Algorithm: 1.Schedule all threads in the initial state. 2.For each state s discovered by executing a thread t: If s is inside a transaction, schedule only thread t from s. Otherwise, schedule all threads from s. s 0, -, - State, Phase, Tid s 1, pre, 1s 2, pre, 1 Instrumented state: 1 R | B 1 R | B

10 Algorithm: 1.Schedule all threads in the initial state. 2.For each state s discovered by executing a thread t: If s is inside a transaction, schedule only thread t from s. Otherwise, schedule all threads from s. s 0, -, - State, Phase, Tid s 1, pre, 1s 2, post, 1 Instrumented state: 1 R | B 1 N | L

11 Algorithm: 1.Schedule all threads in the initial state. 2.For each state s discovered by executing a thread t: If s is inside a transaction, schedule only thread t from s. Otherwise, schedule all threads from s. s 0, -, - State, Phase, Tid s 1, pre, 1s 2, post, 1 Instrumented state: s 3, post, 1 1 R | B 1 N | L 1 L | B

12 Algorithm: 1.Schedule all threads in the initial state. 2.For each state s discovered by executing a thread t: If s is inside a transaction, schedule only thread t from s. Otherwise, schedule all threads from s. s 0, -, - State, Phase, Tid s 1, pre, 1s 2, post, 1 Instrumented state: s 3, post, 1 s 4, post, 1 1 R | B 1 N | L 1 L | B 1 L | B

13 Algorithm: 1.Schedule all threads in the initial state. 2.For each state s discovered by executing a thread t: If s is inside a transaction, schedule only thread t from s. Otherwise, schedule all threads from s. s 0, -, - State, Phase, Tid s 1, pre, 1s 2, post, 1 Instrumented state: s 3, -, - s 4, pre, 1 1 R | B 1 N | L 1 L | B 1 R

14 Algorithm: 1.Schedule all threads in the initial state. 2.For each state s discovered by executing a thread t: If s is inside a transaction, schedule only thread t from s. Otherwise, schedule all threads from s. s 0, -, - State, Phase, Tid s 1, pre, 1s 2, post, 1 Instrumented state: s 3, -, - 1 R | B 1 N | L 1 L | B Schedule thread 2

15 Algorithm: 1.Schedule all threads in the initial state. 2.For each state s discovered by executing a thread t: If s is inside a transaction, schedule only thread t from s. Otherwise, schedule all threads from s. s 0, -, - State, Phase, Tid s 1, pre, 1s 2, post, 1 Instrumented state: s 3, -, - s 4, pre, 2 1 R | B 1 N | L 1 L | B 2 R

16 Class Account { int balance; static int MIN = 0, MAX = 100; bool synchronized deposit(int n) { int t = balance + n; if (t > MAX) return false; balance = t; assert(MIN  balance  MAX); return true; } bool synchronized withdraw(int n) { int t = balance – n; if (t < MIN) return false; balance = t; assert(MIN  balance  MAX); return true; } Account a = new Account(); Account b = new Account(); async a.deposit(5); async b.withdraw(10); Execution of a.deposit(5) is a transaction. Execution of b.withdraw(10) is a transaction. ZING explores two interleavings only!

17 Unsoundness problem What if a transaction does not terminate? T1 g = 1; while (true) skip; T2 assert(g == 0); Initially g == 0; Thread 2 never gets scheduled here!

18 ZING: Work in progress Algorithm for sound transaction-based model checking Inferring mover information for accesses to the heap and globals

19 Related work Partial-order reduction –stubborn sets (Valmari 91), ample sets (Peled 96), sleep sets (Godefroid 96) –used mostly for message-passing systems (no shared memory) Bogor model checker (Dwyer et al. 04) –applied classic partial-order reduction to shared- memory Java programs Transaction-based reduction (Stoller-Cohen 03)

20 Analysis of concurrent programs is difficult (2) Finite-data program with procedures –n lines –m states for global data variables 1 thread –Infinite number of states –Can still decide assertions in O(n * m 3 ) –SLAM, ESP, BLAST implement this algorithm K  2 threads –Undecidable!

21 Transaction S0S0. S5S5 R* N L*xY... S0S0. S5S5 R* N L* xY... Other threads need not be scheduled in the middle of a transaction  Transactions may be summarized Lipton: any sequence (R+B)*; (N+  ) ; (L+B)* is a transaction

22 Summarization for sequential programs Procedure summarization (Sharir-Pnueli 81, Reps-Horwitz-Sagiv 95) is the key to efficiency int x; void incr_by_2() { x++; } void main() { … x = 0; incr_by_2(); … x = 0; incr_by_2(); … } Bebop, ESP, Moped, MC, Prefix, …

23 Assertion checking for sequential programs Boolean program with: –g = number of global vars –m = max. number of local vars in any scope –k = size of the CFG of the program Complexity is O( k  2 O(g+m) ), linear in the size of CFG Summarization enables termination in the presence of recursion

24 Assertion checking for concurrent programs Ramalingam 00: There is no algorithm for assertion checking of concurrent boolean programs, even with only two threads.

25 Our contribution Precise semi-algorithm for verifying properties of concurrent programs –based on model checking –procedure summarization for efficiency Termination for a large class of concurrent programs with recursion and shared variables Generalization of precise interprocedural dataflow analysis for sequential programs

26 What is a summary in sequential programs? Summary of a procedure P = Set of all (pre-state  post-state) pairs obtained by invocations of P int x; void incr_by_2() { x++; } void main() { … x = 0; incr_by_2(); … x = 0; incr_by_2(); … x = 1; incr_by_2(); … } x  x’ 0  2 1  3

27 What is a summary in concurrent programs? Unarticulated so far Naïve extension of summaries for sequential programs do not work Call PReturn P

28 Call P Return P s s’ Disadvantage: summary not usable for executions with interference from other threads Attempt 1 Advantage: summary computable as in a sequential program

29 Attempt 2 Call P Return P s s’ Advantage: Captures all executions Disadvantage: s and s’ must comprise full program state summaries are complicated do not offer much reuse

30 Choose N = 2 Summaries:  m, (a[0],a[1])    i’, m’, (a[0]’,a[1]’)   0, (0, 0)    2, 0, (0,0)   0, (0, 1)    1, 0, (0,0)   0, (1, 0)    0, 0, (0,0)   0, (1, 1)    0, 0, (0,1)  If a procedure body is a single transaction, summarize as in a sequential program bool available[N]; mutex m; int getResource() { int i = 0; L0: acquire(m); L1: while (i < N) { L2: if (available[i]) { L3: available[i] = false; L4: release(m); L5: return i; } L6: i++; } L7: release(m); L8: return i; }

31 Transactional procedures In the Atomizer benchmarks (Flanagan- Freund 04), a majority of procedures are transactional

32 Choose N = 2 Summaries:  pc,i,(m[0],m[1]),(a[0],a[1])    pc’,i’,(m[0]’,m[1]’),(a[0]’,a[1]’)   L0, 0, (0,*), (0,*)    L1, 1, (0,*), (0,*)   L0, 0, (0,*), (1,*)    L5, 0, (0,*), (0,*)   L1, 1, (*,0), (*,0)    L8, 2, (*,0), (*,0)   L1, 1, (*,0), (*,1)    L5, 1, (*,0), (*,0)  What if a procedure body comprises multiple transactions? bool available[N]; mutex m[N]; int getResource() { int i = 0; L0: while (i < N) { L1: acquire(m[i]); L2: if (available[i]) { L3: available[i] = false; L4: release(m[i]); L5: return i; } else { L6: release(m[i]); } L7: i++; } L8: return i; }

33 What if a transaction 1.starts in caller and ends in callee? 2.starts in callee and ends in caller? void foo() { acquire(m); x++; bar(); x--; release(m); } void bar() { release(m); acquire(m); } int x; mutex m; 2 1

34 What if a transaction 1.starts in caller and ends in callee? 2.starts in callee and ends in caller? void foo() { acquire(m); x++; bar(); x--; release(m); } void bar() { release(m); acquire(m); } int x; mutex m; Solution: 1.Split the summary into pieces 2.Annotate each piece to indicate whether transaction continues past it 2 1

35 Two-level model checking Top level performs state exploration Bottom level performs summarization Top level uses summaries to explore reduced set of interleavings –Maintains a stack for each thread –Pushes a stack frame if annotated summary edge ends in a call –Pops a stack frame if annotated summary edge ends in a return

36 Termination Theorem: –If all recursive functions are transactional, then our algorithm terminates. –The algorithm reports an error iff there is an error in the program.

37 Concurrency + recursion Summaries for foo:  pc,r,m,g    pc’,r’,m’,g’   L0,1,0,0    L5,1,0,1   L0,1,0,1    L5,1,0,2  void main() { int q = choose({0,1}); M0: foo(q); M1: acquire(m) M2: assert(g >= 1); M3: release(m); M4: return; } Prog = main() || main() int g = 0; mutex m; void foo(int r) { L0: if (r == 0) { L1: foo(r); } else { L2: acquire(m); L3: g++; L4: release(m); } L5: return; }

38 Sequential programs For a sequential program, the whole execution is a transaction Algorithm behaves exactly like classic interprocedural dataflow analysis

39 Related work Summarizing sequential programs –Sharir-Pnueli 81, Reps-Horwitz-Sagiv 95, Ball-Rajamani 00, Esparza-Schwoon 01 Concurrency+Procedures –Duesterwald-Soffa 91, Dwyer-Clarke 94, Alur- Grosu 00, Esparza-Podelski 00, Bouajjani- Esparza-Touili 02

Download ppt "Part II: Atomicity for Software Model Checking. Class Account { int balance; static int MIN = 0, MAX = 100; bool synchronized deposit(int n) { int t ="

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
Zing: A Systematic State Explorer for Concurrent Software Tony Andrews Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Zing: A Systematic State Explorer for Concurrent Software Tony Andrews Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Zing: Exploiting Program Structure for Model Checking Concurrent Software Tony Andrews Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research Yichen.

Zing: Exploiting Program Structure for Model Checking Concurrent Software Tony Andrews Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research Yichen.
QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.

QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.

Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Chapter 6: Process Synchronization

Chapter 6: Process Synchronization
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.
1 Beyond Reduction.... 2 Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } if (m == 0) { m = 1; return true; } else.

1 Beyond Reduction Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } if (m == 0) { m = 1; return true; } else.
Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)

Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)
Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.

Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.

Similar presentations

Ads by Google