Mechanized Verification of Fine-grained Concurrent Programs Ilya - PowerPoint PPT Presentation

Mechanized Verification of   Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski Anindya Banerjee PLDI 2015

Terminology • Coarse-grained Concurrency —   synchronisation between threads via locks ;   • Fine-grained Concurrency —   synchronisation via RMW operations (e.g., CAS ).

Some FG concurrent programs • Spin-lock • Ticketed lock • Bakery lock • Filter lock • Lock-free atomic snapshot • Treiber stack • Michael stack • HSY elimination-based stack • Lock-coupling set • Optimistic list-based set • Lazy concurrent list-based set • Michael-Scott queue • Harris et al.'s MCAS • Concurrent counters • Concurrent allocators • Flat Combiner • Concurrent producer/consumer • Concurrent indices • Concurrent barriers • …

Using and verifying FG concurrency Great scalability —   high performance on multi-core CPU architectures Sophisticated interference between threads —   difficult to specify and verify formally

Specifications in program logics { P } { Q } c precondition postcondition If the initial state satisfies P ,   then, after c terminates,   the final state satisfies Q .

Program logics for concurrency Owicki-Gries (1976) Rely-Guarantee (1983) CSL (2004) Bornat-al (2005) RGSep (2007) SAGL (2007) Gotsman-al (2007) Deny-Guarantee (2009) RSL (2013) LRG (2009) CAP (2010) Jacobs-Piessens (2011) HLRG (2010) HOCAP (2013) RGSim (2012) SCSL (2013) Liang-Feng (2013) TaDA (2014) iCAP (2014) CaReSL (2013) FCSL (2014) CoLoSL (2015) Iris (2015) GPS (2014)

FCSL: Fine-grained Concurrent Separation Logic Nanevski, Ley-Wild, Sergey, Delbianco [ESOP’14] a logic for specifying and verifying   FG concurrent programs and also a verification tool ,   implemented as a DSL in Coq (this talk)

Key Ingredients • Subjective Auxiliary State • State-Transition Systems • Types

Running example Concurrent construction of a spanning tree   of a binary graph

a b c d e

x m l r mark the node x check the node x ... ... letrec span (x : ptr) : bool = { if x == null then return false; else b ← CAS(x->m, 0, 1); if b then (r l ,r r ) ← (span(x->l) || span(x->r)); if ¬r l then x->l := null; if ¬r r then x->r := null; return true; else return false; run in parallel for successors } prune redundant edges

a b c d e

a ✔ ✔ b c d e

a ✔ ✔ ✗ b c ✗ ✔ ✔ d e

a ✔ ✔ b c d e

a b c d e

The verification goal letrec span (x : ptr) : bool = { if x == null then return false; else b ← CAS(x->m, 0, 1); if b then (r l ,r r ) ← (span(x->l) || span(x->r)); if ¬r l then x->l := null; if ¬r r then x->r := null; return true; else return false; } Prove the resulting heap to represent a spanning tree   of the initial one

Establishing correctness of span letrec span (x : ptr) : bool = { if x == null then return false; else b ← CAS(x->m, 0, 1); if b then (r l ,r r ) ← (span(x->l) || span(x->r)); if ¬r l then x->l := null; if ¬r r then x->r := null; return true; else return false; } • All reachable nodes are marked by the end • The graph modified only by the commands of span • The initial call is done from a root node without interference

Key Ingredients • Subjective Auxiliary State   • State-Transition Systems   • Types

Capturing thread contributions a b c d e shared state (heap)

Capturing thread contributions Auxiliary state   of all other threads a a b b c c d e Auxiliary state   of this thread

Accounting for dynamic forking span(x) || span(x->l) span(x->r)

Accounting for dynamic forking s 3 span(x) { s 1 ⊎ s 2 } || span(x->l) span(x->r) s 1 ⊎ s 2

Accounting for dynamic forking s 2 ⊎ s 3 span(x) { s 1 ⊎ s 2 } { s 1 } || || span(x->l) span(x->r) s 1 Nodes that belong to span(x->l)

Accounting for dynamic forking s 1 ⊎ s 3 span(x) { s 1 ⊎ s 2 } { s 1 } { s 2 } || || span(x->l) span(x->r) s 2 Nodes that belong to span(x->r)

Accounting for dynamic forking z 1 ⊎ z 3 span(x) { s 1 ⊎ s 2 } { s 1 } { s 2 } || || span(x->l) span(x->r) z 2 { z 1 } { z 2 }

Accounting for dynamic forking z 3 span(x) { s 1 ⊎ s 2 } { s 1 } { s 2 } || || span(x->l) span(x->r) { z 1 } { z 2 } z 1 ⊎ z 2 { z 1 ⊎ z 2 } span(x) Nodes that belong to span(x) at the end

Key Ingredients • Subjective Auxiliary State   • State-Transition Systems   • Types

Key Ingredients • Subjective Auxiliary State —   capturing thread-specific contributions • State-Transition Systems   • Types

Establishing correctness of span letrec span (x : ptr) : bool = { if x == null then return false; else b ← CAS(x->m, 0, 1); if b then (r l ,r r ) ← (span(x->l) || span(x->r)); if ¬r l then x->l := null; if ¬r r then x->r := null; return true; else return false; } • All reachable nodes are marked by the end • The graph modified only by the commands of span • The initial call is done from a root node without interference

Transition 1: marking a node a b b c mark(b) a d e b c d e marked by this thread   (Guarantee)

Transition 1: marking a node marked by other thread   (Rely) a b c mark(b) T a d e b b c d e

Transition 2: pruning an edge a a n u l l i f y ( b - > r ) b c b c b b d e d e No other thread can do it!

Pseudocode implementation span (x : ptr) : bool { if x == null then return false; else b ← CAS(x->m, 0, 1); if b then (r l ,r r ) ← (span(x->l) || span(x->r)); if ¬r l then x->l := null; if ¬r r then x->r := null; return true; else return false; }

FCSL/Coq implementation Program Definition span : span_tp := ffix ( fun (loop : span_tp) (x : ptr) => Do ( if x == null then ret false else b <-- trymark x; if b then xl <-- read_child x Left; xr <-- read_child x Right; rs <-- par (loop xl) (loop xr); ( if ~~rs.1 then nullify x Left else ret tt);; ( if ~~rs.2 then nullify x Right else ret tt);; ret true else ret false)). Transition-aware commands (equivalent to CAS , write , etc.)

Key Ingredients • Subjective Auxiliary State —   capturing thread-specific contributions • State-Transition Systems   • Types

Key Ingredients • Subjective Auxiliary State —   capturing thread-specific contributions • State-Transition Systems —   specification of concurrent protocols • Types

Key Ingredients • Subjective Auxiliary State —   capturing thread-specific contributions • State-Transition Systems —   specification of concurrent protocols • Dependent Types

FCSL/Coq implementation Specification (loop invariant) Program Definition span : span_tp := span_tp ffix ( fun (loop : span_tp) (x : ptr) => Do ( if x == null then ret false else b <-- trymark x; if b then xl <-- read_child x Left; xr <-- read_child x Right; rs <-- par (loop xl) (loop xr); ( if ~~rs.1 then nullify x Left else ret tt);; ( if ~~rs.2 then nullify x Right else ret tt);; ret true else ret false)). (about 200 LOC) Next Obligation. Qed.

Specification for span starting node Definition (x : ptr) := span_tp {i (g1 : graph (joint i))}, STsep [SpanTree] ( fun s1 => i = s1 ⋀ (x == null ⋁ x ∈ dom (joint s1)), fun (r : bool) s2 => exists g2 : graph (joint s2), subgraph g1 g2 ⋀ if r then x != null ⋀ exists (t : set ptr), self s2 = self i ⊎ t ⋀ tree g2 x t ⋀ maximal g2 t ⋀ front g1 t (self s2 ⊎ other s2) else (x == null ⋁ mark g2 x) ⋀ self s2 = self i).

Specification for span concurrent protocol Definition (x : ptr) := span_tp {i (g1 : graph (joint i))}, STsep [SpanTree] ( fun s1 => i = s1 ⋀ (x == null ⋁ x ∈ dom (joint s1)), fun (r : bool) s2 => exists g2 : graph (joint s2), subgraph g1 g2 ⋀ if r then x != null ⋀ exists (t : set ptr), self s2 = self i ⊎ t ⋀ tree g2 x t ⋀ maximal g2 t ⋀ front g1 t (self s2 ⊎ other s2) else (x == null ⋁ mark g2 x) ⋀ self s2 = self i).

Mechanized Verification of Fine-grained Concurrent Programs Ilya - PowerPoint PPT Presentation

Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski Anindya Banerjee PLDI 2015 Terminology Coarse-grained Concurrency synchronisation between threads via locks ; Fine-grained

Communicating State Transition Systems for Fine-Grained Concurrent Resources Aleksandar Nanevski

Fine-Grained Geographic Communication (Geocast) Nexus Workshop Frank Drr 23.07.2003 1

Parts of Speech More Fine-Grained Classes More

Fine Grained Access Control Fine-Grained Access Control Fine Grained Access Control

Fine-grained Visual Analysis: From Classification to Retrieval Yi-Zhe Song SketchX Lab, CVSSP,

Fine-grained Image Recognition Lei Wang VILA group School of Computing and Information

TRILL Fine Grained Labeling Donald Eastlake 3 rd Huawei

Addressing Inter-Class Similarity in Fine-Grained Visual Classification Abhimanyu Dubey

Fine-Grained Power Modeling for Smartphones Using System Call Tracing Based on paper and

On the Correctness Criteria of Fine-Grained Access Control in Relational Databases Qihua Wang,

Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples:

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Fine Grained Coordinated Parallelism in a Real World Application Mohammad Rezaei, PhD June 2012

Mesos A Platform for Fine-Grained Resource Sharing in the

Enhancing Fine- Grained Parallelism Loop vectorization, Loop distribution, Scalar expansion

Fine-Grained Tracking of Grid Infections Ashish Gehani SRI Basim Baig, Salman Mahmood, Dawood

Owen S. Hofmann, Xuan Wang, Emmett Witchel, Donald E. Porter 1 Fine-grained locking -

The Role of Human Creativity in Mechanized Verification J Strother Moore Department of Computer

Part-based R-CNNs for Fine-grained Category Detec7on

The Role of Human Creativity in Mechanized Verification J Strother Moore Department of Computer

Interpreting Fine-grained Dermatological Classification with Deep Learning S Mishra [1] , H

Combining Data-Intense and Compute-Intense Methods for Fine-Grained Morphological Analyses Petra

A Fine-Grained Analogue of Schaefers Theorem in P: Dichotomy of k -Quantified

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser