Presentation is loading. Please wait.

Presentation is loading. Please wait.

Huayang Guo 1,2, Ming Wu 1, Lidong Zhou 1, Gang Hu 1,2, Junfeng Yang 2, Lintao Zhang 1 1 Microsoft Research Asia 2 Columbia University Practical Software.

Published byElisabeth Atkinson Modified over 9 years ago

Similar presentations

Presentation on theme: "Huayang Guo 1,2, Ming Wu 1, Lidong Zhou 1, Gang Hu 1,2, Junfeng Yang 2, Lintao Zhang 1 1 Microsoft Research Asia 2 Columbia University Practical Software."— Presentation transcript:

1 Huayang Guo 1,2, Ming Wu 1, Lidong Zhou 1, Gang Hu 1,2, Junfeng Yang 2, Lintao Zhang 1 1 Microsoft Research Asia 2 Columbia University Practical Software Model Checking via Dynamic Interface Reduction

2 Building reliable distributed systems is hard Machine failure Message lost Message reorder Thread interleaving Non-determinism leads to tricky bugs Crash Thr1 Thr2 Async I/O

3 Implementation-level software model checkers MaceMC (NSDI ’ 07), MoDist (NSDI ’ 09) Directly check implementations No need to construct abstract model beforehand Crash Thr1 Thr2 Async I/O State Space Explorer …

4 State space explosion MPS: Product-level Paxos Never fully explored 3 nodes 34 years for MoDist …

5 Dynamic Interface Reduction (DIR) Effective 34 years  18 hours (Fully explored MPS-3) Exponential Reduction: 100K : 1 states for MPS and Berkeley DB w/ replication Automatic, no manual efforts required Provably sound and complete Easy to integrate with legacy MCs DeMeter: DIR with MoDist and MaceMC MC specific modifications: ≤ 1k loc 5

6 Outline Insight Challenges Dynamic Interface Reduction Evaluation Related work Conclusion 6

7 Insight Distributed systems: componentized Local non-determinism isolated Empirically, 99.9% do not propagate (Berkeley DB) Previous work: Check components together |m1|*|m2|*|m3| DIR: Check components separately |m1|+|m2|+|m3| 7 Thr1 Thr2 Async I/O Thr3 Thr4 Interface behavior m1 m2 m3

8 Challenges and Solutions How to discover/construct interface behavior of component? Manually or statically construct interface process Impractical for complex software system How to guarantee Completeness: find all bugs Soundness: no false positives Our solution: Dynamically discover interface behaviors Combine discovered interface behaviors Track dependencies 8

9 DIR Overview 9 Global Explorer Explore global interface behaviors Local Explorers Component1 Component2 Component3 Explore local states Interface behavior

10 Example 10 Sum Ckpt Client Primary/Secondary //Main thread //Checkpoint thread if (Choose(2)==0){ while (n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Send(P,2); total+=n; Unlock(); } else { Unlock(); Send(P,1); if (isPrimary) Send(P,3); Send(S,n); } Client Primary Secondary

11 Produce initial global trace 11 Client(Cli) Primary/Secondary(Pri/Sec) //Main thread //Checkpoint thread if (Choose(2)==0){ while (n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if (isPrimary) Send(P,3); Send(S,n); } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum Global explorer -- Produce initial global trace.

12 Construct message trace 12 Client(Cli) Primary/Secondary(Pri/Sec) //Main thread //Checkpoint thread if (Choose(2)==0){ while (n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if (isPrimary) Send(P,3); Send(S,n); } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum Global explorer -- Bold statements form the message trace.

13 Project message trace 13 Client(Cli) Primary/Secondary(Pri/Sec) //Main thread //Checkpoint thread if (Choose(2)==0){ while (n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if (isPrimary) Send(P,3); Send(S,n); } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum Global explorer -- Project global message trace to components. Pri.Recv(Cli, 1) Pri.Send(Sec, 1) Pri.Recv(Cli, 2) Pri.Send(Sec, 2) Primary Sec.Recv(Pri, 1) Sec.Recv(Pri, 2) Secondary Cli.Send(Pri, 1) Cli.Send(Pri, 2) Client

14 Local explorer for Primary 14 Client(Cli) Primary/Secondary(Pri/Sec) //Main thread //Checkpoint thread if (Choose(2)==0){ while (n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if (isPrimary) Send(P,3); Send(S,n); } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum Global explorer Pri.Recv(Cli, 1) Pri.Send(Sec, 1) Pri.Recv(Cli, 2) Pri.Send(Sec, 2) Local explorer for Primary Pri.Ckpt Pri.Sum Pri.Ckpt Pri.Sum Pri.Recv(Cli, 1) Pri.Send(Sec, 1) Pri.Recv(Cli, 2) Pri.Send(Sec, 2) Pri.Sum Pri.Recv(Cli, 1) Pri.Send(Sec, 1) Pri.Recv(Cli, 2) Pri.Send(Sec, 2)

15 Local explorer for Client 15 Client(Cli) Primary/Secondary(Pri/Sec) //Main thread //Checkpoint thread if (Choose(2)==0){ while (n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if (isPrimary) Send(P,3); Send(S,n); } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum Global explorer Cli.Send(Pri, 1) Cli.Send(Pri, 2) Local explorer for Client Cli.Choose(2) = 0 Cli.Send(Pri, 1) Cli.Send(Pri, 3) Cli.Choose(2) = 1 Branching Trace

16 Composition 16 Client(Cli) Primary/Secondary(Pri/Sec) //Main thread //Checkpoint thread if (Choose(2)==0){ while (n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if (isPrimary) Send(P,3); Send(S,n); } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum Global explorer Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Existing global message trace: Cli.Send(Pri, 1) Cli.Send(Pri, 3) Branching local message trace: dependence ==

17 Composition 17 Client(Cli) Primary/Secondary(Pri/Sec) //Main thread //Checkpoint thread if (Choose(2)==0){ while (n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if (isPrimary) Send(P,3); Send(S,n); } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum Global explorer Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Cli.Send(Pri, 3) New global message trace:

18 Evaluation Experiment Setup D E M ETER -M O D IST : MPS, an deployed product implementation of Paxos Berkeley DB (BDB) D E M ETER -M ACE MC: Chord, peer-to-peer DHT implementation 18

19 Evaluation Effectiveness of Dynamic Interface Reduction App-n : n is the number of distributed nodes Reduction Ratio: |M w/o DIR | / |M w DIR | 19 AppMPS-2MPS-3BDB-2BDB-3Chord-2Chord-3 Reduction488542944277278481191587 Speedup15321717850 442037547 x1000 x100 DeMeter-ModistDeMeter-MaceMC

20 Related Work Compositional model checking E.M.Clarke et. al. (Symposium on Logic in Computer Science 1989) Partial-order reduction C.Flanagan and P.Godefroid (POPL ’ 05) Model checking network system R.Guerraoui and M.Yabandeh (NSDI ’ 11) 20

21 Conclusion Distributed systems  componentized Local non-determinism does not propagate Dynamic interface reduction Effective, automatic, easy Provably sound and complete DeMeter – enable DIR for legacy MCs 21

Download ppt "Huayang Guo 1,2, Ming Wu 1, Lidong Zhou 1, Gang Hu 1,2, Junfeng Yang 2, Lintao Zhang 1 1 Microsoft Research Asia 2 Columbia University Practical Software."

Similar presentations

PEREGRINE: Efficient Deterministic Multithreading through Schedule Relaxation Heming Cui, Jingyue Wu, John Gallagher, Huayang Guo, Junfeng Yang Software.

PEREGRINE: Efficient Deterministic Multithreading through Schedule Relaxation Heming Cui, Jingyue Wu, John Gallagher, Huayang Guo, Junfeng Yang Software.
POPL'05: Dynamic Partial-Order ReductionCormac Flanagan1 Dynamic Partial-Order Reduction for Model Checking Software Cormac Flanagan UC Santa Cruz Patrice.

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan1 Dynamic Partial-Order Reduction for Model Checking Software Cormac Flanagan UC Santa Cruz Patrice.
Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,

Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.

1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
Towards Self-Testing in Autonomic Computing Systems Tariq M. King, Djuradj Babich, Jonatan Alava, and Peter J. Clarke Software Testing Research Group Florida.

Towards Self-Testing in Autonomic Computing Systems Tariq M. King, Djuradj Babich, Jonatan Alava, and Peter J. Clarke Software Testing Research Group Florida.
A SOFT Way for OpenFlow Interoperability Testing Marco Canini TU Berlin / T-Labs [CoNEXT’12]

A SOFT Way for OpenFlow Interoperability Testing Marco Canini TU Berlin / T-Labs [CoNEXT’12]
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
Heming Cui, Gang Hu, Jingyue Wu, Junfeng Yang Columbia University

Heming Cui, Gang Hu, Jingyue Wu, Junfeng Yang Columbia University
Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.

Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.
CHESS: A Systematic Testing Tool for Concurrent Software CSCI6900 George.

CHESS: A Systematic Testing Tool for Concurrent Software CSCI6900 George.
Parrot: A Practical Runtime for Deterministic, Stable, and Reliable Threads Heming Cui, Jiri Simsa, Yi-Hong Lin, Hao Li, Ben Blum, Xinan Xu, Junfeng Yang,

Parrot: A Practical Runtime for Deterministic, Stable, and Reliable Threads Heming Cui, Jiri Simsa, Yi-Hong Lin, Hao Li, Ben Blum, Xinan Xu, Junfeng Yang,
Effectively Model Checking Real-World Distributed Systems Junfeng Yang Joint work with Huayang Guo, Ming Wu, Lidong Zhou, Gang Hu, Lintao Zhang, Heming.

Effectively Model Checking Real-World Distributed Systems Junfeng Yang Joint work with Huayang Guo, Ming Wu, Lidong Zhou, Gang Hu, Lintao Zhang, Heming.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 DISTRIBUTED SYSTEMS.

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
1 Cheriton School of Computer Science 2 Department of Computer Science RemusDB: Transparent High Availability for Database Systems Umar Farooq Minhas 1,

1 Cheriton School of Computer Science 2 Department of Computer Science RemusDB: Transparent High Availability for Database Systems Umar Farooq Minhas 1,
Lab 2 Group Communication Andreas Larsson 2011-01-31.

Lab 2 Group Communication Andreas Larsson
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented.

Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented.
1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.

1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.
Freddies: DHT-Based Adaptive Query Processing via Federated Eddies Ryan Huebsch Shawn Jeffery CS 294-4 Peer-to-Peer Systems 12/9/03.

Freddies: DHT-Based Adaptive Query Processing via Federated Eddies Ryan Huebsch Shawn Jeffery CS Peer-to-Peer Systems 12/9/03.

Similar presentations

Ads by Google