Presentation is loading. Please wait.

Presentation is loading. Please wait.

PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

Published byAnn Robertson Modified over 9 years ago

Similar presentations

Presentation on theme: "PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center."— Presentation transcript:

1 PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center

2 2 Plan Motivation Case Study: Concurrent Data Structures Hoare’s CCR Finite State Abstract Interpretation Based Synthesis Memory Fences (Optional)

3 Concurrency is Important

4 Concurrency is Hard “…I develop Mozilla full time all day, and i get this lockup maybe once a day…”

5 Concurrency is Hard “…For nearly two weeks I thought the above solution was correct, until I started to try to prove its correctness...it turned out to be wrong… So there I was. Fooled again.” -- Edsger W. Dijkstra

6 Problem Manually Finding Correct and Efficient Synchronization 6

7 Our Approach Automatically Infer Correct and Efficient Synchronization 7

8 Input 8 Believable starting point – Intuitive to a programmer, e.g. sequential program Specification should be easy to write – Reusability: e.g. sequential consistency Some quantitative notion of efficiency – E.g. Fewer locks

9 9 Output should be a program – Synchronization implemented in the language Output program(s) should be correct – With respect to the specification (checked or verified) Output program(s) should be optimal – With respect to efficiency Output

10 10 Plan Motivation Case Study: Concurrent Data Structures Hoare’s CCR Finite State Abstract Interpretation Based Synthesis Memory Fences (Optional)

11 Concurrent Data Structures Applications (typically) have to share data Need to synchronize Concurrent data structures are critical for performance – Used in various language runtimes, kernels, etc Coarse Locks are often a bad idea – Single thread holding lock can stop global system progress – Coarse-grained locking leads to contention – Fine-grained locking tricky to get right (deadlocks) 11

12 val popRight() { while (true) { rh = RightHat; lh = LeftHat; if (rh->R == rh) return "empty"; if (rh == lh) { if (DCAS(&RightHat, &LeftHat, rh, lh, Dummy, Dummy)) return rh->V; } else { rhL = rh->L; if (DCAS(&RightHat, &rh->L, rh, rhL, rhL, rh)) { result = rh->V; rh->R = Dummy; return result; }}} “Even better DCAS-based concurrent deques”, DISC 2000 2 errors in < 20 lines of code ! Concurrent Data Structures

13 Existing Approaches for Concurrent Object Construction Performance Manual Effort Sequential Naïve STM Fine-grained STM Expert Design This Work Goal 13

14 14 bool add(int key) { Entry *pred,*curr,*entry restart: locate(pred,curr,key) k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr val=CAS(&pred- >next,  curr,0 ,  entry,0  ) if (  val) goto restart return true } bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key ≠ key) if (k) return false = curr->next lval=CAS(&curr->next,  r,m ,  r,1  ) if (  lval) goto restart pval=CAS(&pred- >next,  curr,0 ,  r,0  ) if (  pval) goto restart return true } Sequential to Highly Concurrent Sets bool add(int key){ atomic Entry *pred,*curr,*entry locate(pred,curr,key); k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr pred->next = entry return true } bool remove(int key){ atomic Entry *pred,*curr,*r locate(pred,curr,key) k = (curr->key ≠ key) if (k) return false r = curr->next pred->next = r return true }

15 Generate - Verify Generator Verifier Schema Specification Abstraction Program Yes/No, Counterexample Set Of Optimal Programs

16 Generator: Domain Specific Search less atomic more atomic

17 Generate-Verify

18 Atomicity Reduction: Steps Removing redundant atomicity Reordering statements Optimistic concurrency Add synchronization meta-data 18 s1 s2 s3 s4 s1 s2 s3 s4 If (validate) update else restart read s1 s2 s3 s4 s2 s1 s3 s4 s3 s4 read update s1 s2 s1 If (t > 0) s2 s3 s4

19 19 Concurrent Sets: Generate-Check Schema Correct Algorithm DCAS Sequential DCAS CAS with LOCKS Priority Queue Stack CAS/DCAS … … Michael (PODC’02) Heller et al. (OPODIS’05) Trieber Stack Existing Algorithm New Algorithm

20 locate(pred,curr,key) 20 Step 1: Optimistic Concurrency [Kung & Robinson’81] bool remove(int key){ Entry *pred,*curr,*r atomic locate(pred,curr,key) k = (curr->key ≠ key) if (k) return false r = curr->next pred->next = r return true } bool remove(int key){ Entry *pred,*curr,*r restart: Read atomic if ( validate ) { Update } goto restart } k = (curr->key ≠ key) if (k) return false r = curr->next pred->next = r return true Update Read

21 Step 2: Generate-Check 21 Generate-Check No correct completion found Insufficient information to write a validation condition bool remove(int key){ Entry *pred,*curr,*r locate(pred,curr,key) atomic if (validate) { k = (curr->key ≠ key) if (k) return false r = curr->next pred->next = r return true } goto restart } truepred->next == currpred == curr ( (pred | curr) (->next)? == (pred | curr) (->next)? ) | true

22 Step 2: Counterexample 22 -- 159  head tail predcurr r predcurr T1: remove(5) T2: add(7) ||

23 Step 2: Counterexample 23 -- 159  head tail pred curr T1: remove(5) T2: add(7) || 7 How to deal with removed nodes?

24 Dealing with Removed Nodes? Observability (Meta-Data) Synchronization Time 24

25 25 Step 3: Apply Transformation keynextkeynext marked REMOVE = { R1: k = (curr->key ≠ key) R2: if (k) return false R3: curr->marked = true R4: mp =  pred->marked R5: mc =  curr->marked R6: val= (pred->next == curr) (  mp)? (  mc)? R7: if (  val) goto restart R8: r = curr->next R9: pred->next = r } OBJECT

26 Step 4: Run Generate-Verify 26 bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) REMOVE return true } REMOVE = { R1: k = (curr->key ≠ key) R2: if (k) return false R3: curr->marked = true R4: mp =  pred->marked R5: mc =  curr->marked R6: val= (pred->next == curr) ? (  mp) ? (  mc) R7: if (  val) goto restart R8: r = curr->next R9: pred->next = r } bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) REMOVE return true } REMOVE = { k = (curr->key ≠ key) if (k) return false curr->marked = true r = curr->next atomic mp =  pred->marked val=(pred->next==curr)  mp if (  val) goto restart pred->next = r } Generate- Verify

27 27 -- 19  head tail predcurr r predcurr T1: remove(5) T2: add(7) || Fixed Previous Counterexample add(7) observes pred “5” is marked and restarts predcurr 5

28 28 bool add(int key) { Entry *pred,*curr,*entry restart: locate(pred,curr,key) k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr val=CAS(&pred->next,  curr,0 ,  entry,0  ) if (  val) goto restart return true } bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key ≠ key) if (k) return false = curr->next lval=CAS(&curr->next,  r,m ,  r,1  ) if (  lval) goto restart pval=CAS(&pred->next,  curr,0 ,  r,0  ) if (  pval) goto restart return true } Final Result bool contains(int key) { Entry *pred,*curr locate(pred,curr,key) k = (curr->key == key) if (k) return false return true }

29 Lessons Generate-Verify Shortcomings – Generate can produce programs that cannot be verified – Verifier doing redundant work Expressing insights as syntactic templates is cumbersome Concurrency inherently tied to Space

30 – Enable automatic verification to do inference Verification: no longer only a yes/no answer – Input: A (possibly incorrect) concurrent program – Output: A set of programs (possibly empty set) Verification-Driven Synthesis

31 31 Plan Motivation Case Study: Concurrent Data Structures Hoare’s CCR Finite State Abstract Interpretation Based Synthesis Memory Fences (Optional)

32 High Level Setting 32 Process 1Process 2Process 3

33 High Level Setting 33 Process 1Process 2Process 3

34 High Level Setting 34 Process 1Process 2Process 3

35 High Level Setting 35 Process 1Process 2Process 3

36 Challenge 36 Process 1Process 2Process 3 How to synchronize processes in order to achieve correctness and good performance ?

37 Semaphores Monitors Conditional critical region (CCR) Fine grained (e.g., CAS) Atomics.... Synchronization Primitives 37

38 Conditional Critical Regions Syntax of CCR Synchronization code – guard can observe the program state – guard does not modify program state guard  stmt 38

39 High Level Setting 39 Process 1Process 2Process 3

40 CCR Setting 40 Process 1Process 2Process 3 s1;s2; s5; s7; s6; s3;s4; Specification:  Permissiveness Cost as a language of CCR guards

41 Given a language LG, specification S and program A, program B is maximally permissive, if: – B satisfies S – B is obtained from A by adding guards from LG – Cannot obtain a program C that is correct and more permissive than B from A via LG: 41 Maximal Permissiveness if  B    C  then C does not satisfy S

42 Two Algorithms to infer CCR guards – Greedy – Exhaustive Guarantee maximal permissiveness – Greedy: under some conditions – Exhaustive: always Implementation in SPIN – prototype, examples Contributions

43 This Work Safety, No Stuck States Specification: Language of Guards Cost: Automatic Inference of Guards Process 1Process 2Process 3 s1;s2; s5; s7; s6; s3;s4; Process 1Process 2Process 3 g1  s1;s2; s5; g2  s7; s6; s3;s4; Correct and Maximally Permissive

44 Inference Algorithm Construct transition system of input program and specification Remove a (minimal) set of transitions such that the result satisfies the specification Implement resulting transition system as program by strengthening guards of CCRs in the program 44

45 GREEDY(P : Program) : Program { R = ∅ while (true) { ts = if valid(ts) return implement(P,R) B = cut-transitions(ts) if B = ∅ abort “cannot find valid synchronization” select a transition t ∈ B R = R ∪ equiv(t) } Inference Algorithm 45

46 Example Language: Observability Obs: Variables that can be read by CCR guards LE(Obs): language of boolean combinations of equalities between variables in Obs and constants Example: Obs: {x, y, z} Guard Expression in LE(Obs): (x!=1 || y!=0 || z!=0) 46

47 Example: Full Observability ! (y = 2 && z = 1) No Stuck States Specification: LE( { x, y, z } ) Cost: Automatic Inference of Guards z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3

48 What is in a state s,s,s 0,0,0 X Y Z PC1 PC2 PC3

49 Build Transition System s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 49

50 Select Transitions to Remove s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 50

51 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 51 e,s,e 1,0,1 e,e,e 1,2,1 y=x+1 z=y+1 Build Transition System x!=1 || y!=0 || z!=0  Correct and Maximally Permissive

52 Example: Full Observability ! (y = 2 && z = 1) No Stuck States Specification: LE( { x, y, z } ) Cost: Automatic Inference of Guards z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3 (x!=1 || y!=0 || z!=0)  z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3

53 Example: Limited Observability ! (y = 2 && z = 1) No Stuck States Specification: LE( { x,, z } ) Cost: Automatic Inference of Guards z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3

54 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 54 Build Transition System

55 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 55

56 Select transition to remove s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 56

57 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 57 Select All Equivalent Transitions Implementability

58 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 x=z+1 z=y+1 x=z+1 y=x+1 58 Stuck states e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 y=x+1 z=y+1 x!=1 || z!=0  z=y+1 x!=1 || z!=0  Build Transition System

59 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 x=z+1 z=y+1 x=z+1 y=x+1 59 e,e,s 1,2,0 e,s,e 1,0,1 e,e,s 1,1,0 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 y=x+1 z=y+1 x!=1 || z!=0  z=y+1 x!=1 || z!=0  Select transitions to remove

60 s,s,s 0,0,0 e,s,s 1,0,0 s,e,s 0,1,0 s,s,e 0,0,1 e,e,3 1,2,0 e,2,e 1,0,1 e,e,3 1,1,0 s,e,e 0,1,2 e,s,e 2,0,1 s,e,e 0,1,1 e,e,e 1,2,3 e,e,e 1,2,1 e,e,e 1,1,2 e,e,e 3,1,2 e,e,e, 2,3,1 e,e,e 2,1,1 x=z+1 y=x+1 z=y+1 y=x+1 z=y+1 x=z+1 z=y+1 x=z+1 y=x+1 x!=1 || z!=0  x!=0 || z!=0  x!=1 || z!=0  x!=0|| z!=0  60 Build Transition System Correct and Maximally Permissive

61 Example: Limited Observability Automatic Inference of Guards (x!=1 || z!=0)  z=y+1; Process 1 (x!=0 || z!=0)  x=z+1; y=x+1; Process 2 Process 3 z=y+1; Process 1 x=z+1; y=x+1; Process 2 Process 3 ! (y = 2 && z = 1) No Stuck States Specification: LE( { x,, z } ) Cost:

62 Inference Algorithms Greedy algorithm – Resulting program satisfies the specification – No side-effects guarantees maximal permissiveness – Experience: maximally permissive with side-effects – Polynomial Exhaustive algorithm – Resulting program satisfies the specification – Maximally permissive – Exponential 62

63 Implementation Prototype – Greedy algorithm – Using SPIN Examples – Dining philosophers – Asynchronous counters – Race correction 63

64 Summary Algorithms for CCR guard inference – Greedy (polynomial) and Exhaustive (exponential) – Produce maximally permissive programs – Parametric on User-specified Cost – Deals with side effects and implementability 64

65 Future Work Conditions for maximal permissiveness of greedy Infer other synchronization mechanisms – meta-data, atomic sections, non-blocking Abstraction for stuck states 65

66 66 Plan Motivation Case Study: Concurrent Data Structures Hoare’s CCR Finite State Abstract Interpretation Based Synthesis Memory Fences (Optional)

67 Crash Course on Abstract Interpretation Verify that property holds on all executions Challenge: programs with unbounded state  bad news: problem is undecidable good news: can use over-approximation – Consider a superset of possible executions – sound: a yes is a yes! – incomplete: a no is a maybe … 67

68 Verification Challenge main(int i) { int x=3,y=1; do { y = y + 1; } while(--i > 0) assert 0 < x + y } Determine what states can arise during any execution Challenge: set of states is unbounded 68

69 Abstract Interpretation Recipe 1)Abstraction 2)Transformers 3)Exploration main(int i) { int x=3,y=1; do { y = y + 1; } while(--i > 0) assert 0 < x + y } Challenge: set of states is unbounded Solution: compute a bounded representation of (a superset) of program states Determine what states can arise during any execution 69

70 1) Abstraction concrete state abstract state main(int i) { int x=3,y=1; do { y = y + 1; } while(--i > 0) assert 0 < x + y }  : Var  Z  # : Var  {+, 0, -, ?} xyi 31 7 xyi ++ + 32 6 xyi … 70

71 2) Transformers concrete transformer abstract transformer main(int i) { int x=3,y=1; do { y = y + 1; } while(--i > 0) assert 0 < x + y } xyi ++ 0 xyi 31 0 y = y + 1 xyi 32 0 xyi ++ 0 +- 0 +? 0 + 00 ++ 0 +? 0 +? 0 71

72 3) Exploration ++ ? ++ ? xyi main(int i) { int x=3,y=1; do { y = y + 1; } while(--i > 0) assert 0 < x + y } ++ ? ++ ? ?? ? xyi ++ ? ++ ? ++ ? ++ ? ++ ? ++ ? 72

73 Incompleteness  main(int i) { int x=3,y=1; do { y = y - 2; y = y + 3; } while(--i > 0) assert 0 < x + y } +? ? +? ? xyi +? ? ++ ? ?? ? xyi +? ? +? ? +? ? 73

74 Concurrent Program Specification Abstraction Abstract Interpreter  Refine Counter Example Change the abstraction to match the program  Automatic Verification with Abstraction

75 Concurrent Program Specification Abstraction Abstract Interpreter  Refine Counter Example Restrict the program to match the abstraction   Avoid Counter Example Program Automatic Construction with Abstraction

76 AGS Algorithm – High Level  = true while(true) { Traces = {  |   (  P       ) and   S} if (Traces is empty) return implement(P,  ) select   Traces if (?) {  =   avoid(  ) } else {  = refine( ,  ) } Input: Program P, Specification S, Abstraction  Output: Program P’ satisfying S under 

77 Trace Avoidance: avoid(  ) :: Thread A A1 A2 Thread B B1 B2 Atomicity predicate [ st1, st2 ] disables a context switch avoid(  ) – disjunction of all possible atomicity predicates that would prevent  A1 A2 B1 B2 avoid(  ) = [A 1,A 2 ]  [B 1,B 2 ]

78 Example T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 } How to place synchronization to achieve correctness and performance?

79 Example: Parity Abstraction 023 1 2 3 4 5 4 6 y2 y1 1 Concrete values 023 1 2 3 4 5 4 6 y2 y1 1 Parity abstraction (even/odd)

80 avoid(  1 ) = [z++,z++]  = [z++,z++]  = true while(true) { Traces={  |  (  P       ) and   S } if (Traces is empty) return implement(P,  ) select   Traces if (?) {  =   avoid(  ) } else {  = refine( ,  ) } Example: Avoiding Bad Traces

81 avoid(  2 ) =[x+=z,x+=z]  = [z++,z++]  = [z++,z++]  [x+=z,x+=z]  = true while(true) { Traces={  |  (  P       ) and   S } if (Traces is empty) return implement(P,  ) select   Traces if (?) {  =   avoid(  ) } else {  = refine( ,  ) } Example: Avoiding Bad Traces

82 T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)  = [z++,z++]  [x+=z,x+=z]  = true while(true) { Traces={  |  (  P       ) and   S } if (Traces is empty) return implement(P,  ) select   Traces if (?) {  =   avoid(  ) } else {  = refine( ,  ) } Example: Avoiding Bad Traces

83 023 1 2 3 4 5 4 6 y2 y1 1 parity 0123 1 2 3 4 5 4 6  x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 0123 1 2 3 4 5 4 6 parity x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 But we can also refine the abstraction… Example: Avoiding Bad Traces

84 023 1 2 3 4 5 4 6 y2 y1 1 0123 1 2 3 4 5 4 6 0123 1 2 3 4 5 4 6 parity interval octagon 0123 1 2 3 4 5 4 6 0123 1 2 3 4 5 4 6 0123 1 2 3 4 5 4 6 0123 1 2 3 4 5 4 6     (a)(b) (c) (d)(e) (f)(g) parity interval octagon x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3 x+=z; x+=z z++; y1=f(x) y2=x assert y1!= y2 T1 T2 T3

85 Choosing a solution Interval abstraction for our example: ([x+=z,x+=z] ∨ [z++,z++]) ∧ ([y1=f(x),y2=x] ∨ [x+=z,x+=z] ∨ [z++,z++]) Minimal satisfying assignments –  1 = [z++, z++] –  2 = [x+=z, x+=z] Different Quantitative Notions: – Example: preference to solutions with fewer write operations inside atomic sections

86  Separation between scheduling constraints in  and how they are realized  Can realize in program via atomic sections  Can realize in scheduler via benevolent scheduler Implementation

87 Examples ProgramRefine StepsAvoid Steps Double buffering12 Defragmentation18 3D array update223 Array Removal117 Array Init156 Simplified versions of – Double buffering – Defragmentation – …

88 Future Work Add more powerful abstractions – E.g. Heap, Polyhedra Synthesize more complex synchronization – Infer practical concurrent algorithms

89 89 Plan Motivation Case Study: Concurrent Data Structures Hoare’s CCR Finite State Abstract Interpretation Based Synthesis Memory Fences (Optional)

90 Results Partial-Coherence Abstractions for Weak Memory Models Kuperstein M., Vechev M., Yahav E. Submitted Automatic Inference of Memory Fences Kuperstein M., Vechev M., Yahav E. Submitted Verifying Linearizability with Hindsight O'Hearn P., Rinetzky N., Vechev M., Yahav E., Yorsh G. PODC '10: Symposium on Principles of Distributed Computing PODC '10 Abstraction-Guided Synthesis Vechev M., Yahav E., Yorsh G. POPL '10: 37th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages POPL '10 Experience with Model Checking Linearizability Vechev M., Yahav E., Yorsh G. SPIN '09: 16th International SPIN Workshop on Model Checking of Software SPIN '09 Inferring Synchronization Under Limited Observability Vechev M., Yahav E., Yorsh G. TACAS '09: 15th International Conference on Tools and Algorithms for the Construction and Analysis of Systems TACAS '09 Deriving Linearizable Fine-Grained Concurrent Objects Vechev M., Yahav E PLDI '08: ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation. PLDI '08 CGCExplorer: A Semi-Automated Search Procedure for Provably Correct Concurrent Collectors Vechev M., Yahav E., Bacon D.F., and Rinetzky N. PLDI '07: ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation. PLDI '07 Correctness-Preserving Derivation of Concurrent Garbage Collection Algorithms Vechev M., Yahav E., and Bacon D.F. PLDI '06: ACM SIGPLAN 2006 Conference on Programming Language Design and Implementation. PLDI '06 90 http://www.research.ibm.com/paraglide/

91 Thanks

Download ppt "PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center."

Similar presentations

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.

Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
Ch 7 B.

Ch 7 B.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
Abstract Transformers for Thread Correlation Analysis Michal Segalov, TAU Tal Lev-Ami, TAU Roman Manevich, TAU G. Ramalingam, MSR India Mooly Sagiv, TAU.

Abstract Transformers for Thread Correlation Analysis Michal Segalov, TAU Tal Lev-Ami, TAU Roman Manevich, TAU G. Ramalingam, MSR India Mooly Sagiv, TAU.
Paraglide Martin Vechev Eran Yahav Martin Vechev Eran Yahav.

Paraglide Martin Vechev Eran Yahav Martin Vechev Eran Yahav.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)

1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)
Chapter 6 Process Synchronization Bernard Chen Spring 2007.

Chapter 6 Process Synchronization Bernard Chen Spring 2007.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.

Similar presentations

Ads by Google