testing and verifying atomicity of composed concurrent
play

Testing and Verifying Atomicity of Composed Concurrent Operations - PowerPoint PPT Presentation

Oct 11, 2023 •98 likes •458 views

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University Mooly Sagiv Tel Aviv University Martin Vechev ETH Eran Yahav Technion

  1. Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University Mooly Sagiv Tel Aviv University Martin Vechev ETH Eran Yahav Technion

  2. Concurrent Data Structures • Writing highly concurrent data structures is complicated • Modern programming languages provide efficient concurrent collections with atomic operations … … … … … … … . … .

  3. TOMCAT Motivating Example TOMCAT 6.* TOMCAT 5.* attr = new ConcurrentHashMap(); attr = new HashMap(); … … Attribute removeAttribute(String name){ Attribute removeAttribute(String name){ Attribute val = null; Attribute val = null; synchronized(attr) { /* synchronized(attr) { */ found = attr.containsKey(name) ; found = attr.containsKey(name) ; if (found) { if (found) { val = attr.get(name); val = attr.get(name); attr.remove(name); attr.remove(name); } } /* } */ } return val; return val; } } Invariant: removeAttribute(name) returns the removed value or null if it does not exist

  4. removeAttribute (“A”) { Attribute val = null; attr.put (“A”, o); found = attr.containsKey (“A”) ; if (found) { val = attr.get (“A”); attr.remove (“A”); attr.remove (“A”); } o return val;  Invariant: removeAttribute(name) returns the removed value or null if it does not exist

  5. Challenge Testing and Verifying the atomicity of composed operations … … … … … … … …

  6. Challenges in Testing • Specifying software correctness • Bugs occur in rarely executed traces – Especially true in concurrent systems • Scalability of dynamic checking – large traces • Hard to find programs to test

  7. Challenges in Verification • Specifying software correctness • Many sources of unboundedness – Data • Integers • Stack • Heap • … – Interleavings • Scalability of static checking – Large programs • Hard to find programs to verify

  8. Testing atomicity of composed operations OOPSLA’ 11

  9. Challenge 1: Long traces • Assume that composed operations are written inside encapsulated methods • Modular testing – Unit testing in all contexts – Composed operations need to be correct in all contexts • May lead to false warnings

  10. False Warning if (m.contains(k)) m.remove(k); return m.get(k); else return k; • False warning in clients without remove • Sometimes indicate “future bugs”

  11. Challenge 2: Specification • Check that composed operations are Linearizable [Herlihy & Wing, TOPLAS’ 90] – Returns the same result as some sequential run

  12. Linearizability removeAttribute (“A”) { Attribute val = null; attr.put (“A”, o); null found = attr.containsKey (“A”) ; if (found) { val = attr.get (“A”); attr.remove (“A”); o attr.remove (“A”); } return val; o attr.put(“A”, o); null attr.put(“A”, o); removeAttribute(“A”) { null removeAttribute(“A”) { Attribute val = null; attr.remove(“A”); o found = attr.containsKey(“A”) ; Attribute val = null; removeAttribute(“A”) { found = attr.containsKey(“A”) ; if (found) { Attribute val = null; return val; if (found) { null found = attr.containsKey(“A”) ; val = attr.get(“A”); attr.put(“A”, o); null if (found) { attr.remove(“A”); attr.remove(“A”); return val; null } o o return val; attr.remove(“A”); null

  13. But Linearizability errors only occur in rarely executed paths removeAttribute (“A”) { Attribute val = null; attr.put (“A”, o); found = attr.containsKey (“A”) ; if (found) { val = attr.get (“A”); attr.remove (“A”); attr.remove (“A”); } return val;

  14. Linearizability errors only occur in rarely executed path • Only consider “atomic” executions of the base collection operation [TACAS’ 10, Ball et. al.] • Employ commutativity/influence of base collection operations – Operations on different key commute – Partial order reduction using the collection interface

  15. Influence table Operation Condition Potential Action get(k) get(k) == null put(k,*) get(k) get(k) != null remove(k) containsKey(k) get(k) == null put(k,*) containsKey(k) get(k) != null remove(k) remove(k) get(k) == null put(k,*) remove(k) get(k) != null remove(k)

  16. COLT Tester program CO extractor library spec Timeout Non-Lin candidate COs CO instrument Execution key/value driver linearizability influence driver checking

  17. Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } removeAttribute (“A”) { Attribute val = null; attr.put(“A”, o); null found = attr.containsKey (“A”) ; if (found) { val = attr.get (“A”); attr.remove (“A”); o attr.remove (“A”); } return val; o

  18. removeAttribute (“A”) { Attribute val = null; attr.put(“A”, o); null found = attr.containsKey (“A”) ; if (found) { val = attr.get (“A”); attr.remove (“A”); o attr.remove (“A”); } return val; o attr.put(“A”, o); null attr.put(“A”, o); removeAttribute(“A”) { null removeAttribute(“A”) { Attribute val = null; attr.remove(“A”); o found = attr.containsKey(“A”) ; Attribute val = null; removeAttribute(“A”) { found = attr.containsKey(“A”) ; if (found) { Attribute val = null; null return val; if (found) { found = attr.containsKey(“A”) ; val = attr.get(“A”); attr.put(“A”, o); null if (found) { attr.remove(“A”); attr.remove(“A”); return val; o null } o return val; attr.remove(“A”); null

  19. Evaluation • Use Google code search and Koders to search for collection operations methods with at least two operations • Used simple static analysis to extract composed operations – 29% needed manual modification • Check Linearizability of all public domain composed • Extracted 112 composed operations from 55 applications – Apache Tomcat, Cassandra, MyFaces – Trinidad, … • Each run took less than a second • Without influence timeout always occur

  20. 112 Unknown

  21. 59 53 Non Unknown Linearizable

  22. 17 Open Non Linearizable 53 Unknown 42 Non Linearizable

  23. 17 31 Open Non Linearizable Linearizable 42 22 Non Globals Linearizable

  24. 31 Linearizable 81 Non-Linearizable

  25. Results • Reported the bugs with fixes • Even bugs in open environment • As a result of the paper the Java library is being changed “A preliminary version is in the pre -java8 "jsr166e" package as ConcurrentHashMapV8. We can't release the actual version yet because it relies on Java8 lambda (closure) syntax support. See links from http://gee.cs.oswego.edu/dl/concurrency-interest/index.html including: http://gee.cs.oswego.edu/dl/jsr166/dist/jsr166edocs/jsr166e/Co ncurrentHashMapV8.html Good luck continuing to find errors and misuses that can help us create better concurrency components!”

  26. Verifying atomicity of composed operations

  27. Motivation • Unbounded number of potential composed operations – There exists no “thick” interface • Automatically prove Linearizability for composed operations beyond the ones provided – Already supports the existing interface – No higher order functions • Zero false alarms (beyond modularity)

  28. Data independent [Wolper , POPL’ 86] Attribute removeAttribute(String name){ Attribute removeAttribute(String name){ Attribute removeAttribute(String name){ Attribute removeAttribute(String name){ Attribute val = null; Attribute val = null; Attribute val = null; Attribute val = null; found = attr.containsKey(name) ; found = attr.containsKey(name) ; found = attr.containsKey(name) ; found = attr.containsKey(name) ; if (found) { if (found) { if (found) { if (found) { val = attr.get(name); val = attr.get(name); val = attr.get(name); val = attr.get(name); attr.remove(name); attr.remove(name); attr.remove(name); attr.remove(name); } } } } return val; return val; return val; return val; } } } }

  29. Verifying data independent operations using Linearization points in the code Single Mutation Data independent Verified using single input CO adds one value Influence Map elements are bounded

  30. Verifying data independent operations • Small model reduction • Decidable when the local state is bounded • Explore all possible executions using: – One input key and finite number of values – Influenced based environment uses single value • Employ SPIN

  33. program Composed Operation extractor Library spec candidate COs CO Data Independent verifier SCM/FCM No SCM Input keys/values CO CO key/value driver Input keys/values Influence driver Influence driver Linearizability Linearizability verifier tester generator generator Promela Java Lin Unknown SPIN Execution Non-Lin Non-Lin

  34. 31 Linearizable 81 Non-Linearizable

  35. Summary • Writing concurrent data structures is hard • Employing atomic library operations is error prone • Modular linearizability checking • Leverage influence • Leverage data independence • Sweet spot – Identify important bugs together with a traces showing and explaining the violations – Hard to find – Prove the linearizability of several composed operations – Simple and efficient technique

Recommend

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
Automatic Atomicity Verification for Clients of Concurrent Data Structures Mohsen Lesani Todd

Automatic Atomicity Verification for Clients of Concurrent Data Structures Mohsen Lesani Todd

Automatic Atomicity Verification for Clients of Concurrent Data Structures Mohsen Lesani Todd Millstein Jens Palsberg Concurrent Data Structures class ConcurrentHashmap<K, V> { // data structure V get(K k) { ... } void put(K k, V v)

512 views • 36 slides
Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group NEC Labs America, Princeton, USA www.nec-labs.com Tutorial: Verifying Concurrent Programs Oct 2011 Acknowledgements Malay Ganai, Vineet

982 views • 72 slides
Testing atomicity Finding race conditions by random testing John Hughes "We know there is a

Testing atomicity Finding race conditions by random testing John Hughes "We know there is a

Testing atomicity Finding race conditions by random testing John Hughes "We know there is a lurking bug somewhere in the dets code. We have got 'bad object' and 'premature eof' every other month the last year. We have not been able to

584 views • 29 slides
Types Against Races Atomicity Analysis of Concurrent Software Cormac Flanagan Stephen N. Freund

Types Against Races Atomicity Analysis of Concurrent Software Cormac Flanagan Stephen N. Freund

Types Against Races Atomicity Analysis of Concurrent Software Cormac Flanagan Stephen N. Freund UC Santa Cruz Williams College Shaz Qadeer Microsoft Research Moore s Law Moore s Law is Over Transistors per chip doubles every 18

133 views • 9 slides
Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

1.2k views • 72 slides
VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark Hillebrand 3 , Dirk Leinenbach 3 , Michal Moskal 2 , Thomas Santen 2 , Wolfram Schulte 4 and Stephan Tobies 2 1 Microsoft Corporation, Redmond, WA, USA 2

553 views • 27 slides
The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed Bouajjani 2 Mohamed Faouzi Atig 1 Tuan Phong Ngo 1 1 Uppsala University 2 IRIF, Universit Paris Diderot & IUF CONCUR 2016 1 Motivation

1.66k views • 118 slides
Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo ao M. Lourenc o, Ale s Smr cka, Diogo G. Sousa, Tom a s Vojnar Brno University of Technology (BUT) Universidade Nova de Lisboa (UNL)

1.54k views • 125 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm has changed for software services. Developing a full-featured and functioning software service is necessary; however service real time availability

606 views • 19 slides
Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs with Unbounded Replication D.

774 views • 50 slides
Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri David Pichardie Jan Vitek Yannick Zakowski Why are high level languages difficult to compile? Easy to compile in C Obj.f := v What about Java? A

1.17k views • 73 slides
Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au So

1.94k views • 156 slides
Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Systems verification, broadly impl proof specification 2 Systems verification requires connecting

859 views • 48 slides
Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly University Gyngys, Hungary Synchron 2016 Bamberg December 2016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

486 views • 25 slides
Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Many systems need concurrency and crash safety Examples: file systems, databases, and key-value

852 views • 46 slides
Testing for Linearizability Gavin Lowe Testing for Linearizability 02 Linearizability

Testing for Linearizability Gavin Lowe Testing for Linearizability 02 Linearizability

Testing for Linearizability 01 Testing for Linearizability Gavin Lowe Testing for Linearizability 02 Linearizability Linearizability is a well-established and accepted correctness condition for concurrent datatypes. Informally, a concurrent

577 views • 18 slides
Design and Implementation Issues for Atomicity Dan Grossman University of Washington Workshop

Design and Implementation Issues for Atomicity Dan Grossman University of Washington Workshop

Design and Implementation Issues for Atomicity Dan Grossman University of Washington Workshop on Declarative Programming Languages for Multicore Architectures 15 January 2006 Atomicity Overview Atomicity: what, why, and why relevant

605 views • 17 slides
SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz , Denis Merigoux, Danel Ahman, Guido Martinez ICFP 2020 1/12 Verifying Concurrent Programs Lots of recent work

556 views • 37 slides
On abstraction and compositionality for weak-memory linearisability Brijesh Dongol Radha

On abstraction and compositionality for weak-memory linearisability Brijesh Dongol Radha

On abstraction and compositionality for weak-memory linearisability Brijesh Dongol Radha Jagadeesan James Riely Alasdair Armstrong Atomicity abstraction and weak memory How do we provide reliable atomicity abstractions? Concurrent

1.03k views • 59 slides
ACID and BASE 1 ACID Atomicity: a transaction happens or it does not 2 ACID Atomicity: a

ACID and BASE 1 ACID Atomicity: a transaction happens or it does not 2 ACID Atomicity: a

ACID and BASE 1 ACID Atomicity: a transaction happens or it does not 2 ACID Atomicity: a transaction happens or it does not Consistency: a correct database is still correct afterwards i.e. money balanced, no dangling pointers 3 ACID

712 views • 29 slides
Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan, Franois Pottier August, 2020 ICFP, New York LRI & Inria, Paris, France This talk Our aim: Verifying fine-grained concurrent

511 views • 38 slides

More recommend