the benefits of duality in verifying concurrent programs
play

The Benefits of Duality in Verifying Concurrent Programs under TSO - PowerPoint PPT Presentation

Dec 29, 2022 •462 likes •1.66k views

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed Bouajjani 2 Mohamed Faouzi Atig 1 Tuan Phong Ngo 1 1 Uppsala University 2 IRIF, Universit Paris Diderot & IUF CONCUR 2016 1 Motivation

  1. Potentially Bad Behaviours - Dekker Initially: x = y = 0 P0 P1 write: x = 1 write: y = 1 mfence mfence read: y = 0 read: x = 0 critical section critical section P0 x = 1 y = 1 P1 TSO 46

  2. Potentially Bad Behaviours - Dekker Initially: x = y = 0 P0 P1 write: x = 1 write: y = 1 mfence mfence read: y = 0 read: x = 0 critical section critical section P0 x = 1 y = 1 P1 TSO 47

  3. Potentially Bad Behaviours - Dekker At most one process Initially: x = y = 0 P0 executes its CS P1 at any time write: x = 1 write: y = 1 mfence mfence read: y = 0 read: x = 0 critical section critical section P0 x = 1 y = 1 P1 TSO 48

  4. Verification and Correction 49

  5. Verification and Correction specification insert fences yes program yes reachability execution reachable? preventable? analysis analysis no no program correct program incorrect 50

  6. Verification and Correction specification insert fences yes program yes reachability execution reachable? preventable? analysis analysis no no program correct program incorrect 51

  7. Verification and Correction specification insert fences yes program yes reachability execution reachable? preventable? analysis analysis no no program correct program incorrect 52

  8. Verification and Correction specification insert fences yes program yes reachability execution reachable? preventable? analysis analysis no no program correct program incorrect 53

  9. Verification and Correction specification insert fences yes program yes reachability execution reachable? preventable? analysis analysis no no program correct program incorrect 54

  10. Verification and Correction specification insert fences yes program yes reachability execution reachable? preventable? analysis analysis no no program correct program incorrect 55

  11. Verification and Correction specification insert fences yes program yes reachability execution reachable? preventable? analysis analysis no no no reordering program correct program incorrect = bug not due to memory model 56

  12. Verification and Correction find reordering and prevent it specification insert fences yes program yes reachability execution reachable? preventable? analysis analysis no no program correct program incorrect 57

  13. Verification and Correction specification insert fences yes program yes reachability execution reachable? preventable? analysis analysis no no try again program correct program incorrect optimality = smallest set of fences 58 needed for correctness

  14. Verification under TSO is Difficult while (1) write: x=1 P0: write: x = 1 x = 0 P0 P0: write: x = 1 y = 0 … P0: write: x = 1 … 59

  15. Verification under TSO is Difficult while (1) write: x=1 P0: write: x = 1 x = 0 P0 x=1 P0: write: x = 1 y = 0 … P0: write: x = 1 … 60

  16. Verification under TSO is Difficult while (1) write: x=1 P0: write: x = 1 x = 0 P0 x=1 x=1 P0: write: x = 1 y = 0 … P0: write: x = 1 … 61

  17. Verification under TSO is Difficult while (1) write: x=1 P0: write: x = 1 x = 0 … P0 x=1 x=1 x=1 P0: write: x = 1 y = 0 … P0: write: x = 1 … unbounded infinite state buffer space 62

  18. Verification under TSO is Difficult Existing Methods • Under approximation 😟 miss bugs: under-fencing • Over approximation 😟 spurious bugs: over-fencing • Exact verification techniques 😁 find real bugs iff they exist: optimal fencing 63

  19. Exact Verification Techniques Well-Quasi Ordering (WQO) Framework • ordering on state space: • Well-quasi ordering • Monotonic transition system WQO for TSO • Sub-word ordering on store buffers: • monotone? y=1 y=2 x=1 read: y = 2 not possible ⊑ read: y = 2 y=2 x=1 possible 64

  20. Exact Verification Techniques Well-Quasi Ordering (WQO) Framework • ordering on state space: • Well-quasi ordering Monotonicity • Monotonic transition system s 1 s 2 ⊑ WQO for TSO s 3 s 4 • Sub-word ordering on store buffers: • monotone? x = 0 y=1 P0 x=1 y = 0 ⊑ x = 0 P0 x=1 y = 0 65

  21. Exact Verification Techniques Well-Quasi Ordering (WQO) Framework • ordering on state space: • Well-quasi ordering • Monotonic transition system WQO for TSO • Sub-word ordering on store buffers: • monotone? x = 0 y=1 P0 x=1 y = 0 ⊑ x=1 x = 0 P0 y = 0 66

  22. Exact Verification Techniques Well-Quasi Ordering (WQO) Framework • ordering on state space: • Well-quasi ordering • Monotonic transition system WQO for TSO • Sub-word ordering on store buffers: • monotone? x = 0 y=1 P0 x=1 y = 0 ⊑ x = 1 P0 y = 0 67

  23. Exact Verification Techniques Well-Quasi Ordering (WQO) Framework • ordering on state space: • Well-quasi ordering • Monotonic transition system WQO for TSO • Sub-word ordering on store buffers: • monotone? NO! x = 0 y=1 P0 x=1 y = 0 ⊑ x = 1 P0 y = 0 68

  24. Exact Verification Techniques Well-Quasi Ordering (WQO) Framework • ordering on state space: • Well-quasi ordering • Monotonic transition system WQO for TSO • Sub-word ordering on store buffers? • Not monotone! • WQO cannot be applied easily to TSO 69

  25. Semantics 2: Single Buffer Model [TACAS’12+13] P1: P1: view pending memory pointer update content P1 P0: write: x = 2 P0 x=1 x=0 P1: write: y = 3 y=1 y=1 P1 … x,P0 y,P1 writing memory written process snapshot variable 70

  26. Semantics 2: Single Buffer Model [TACAS’12+13] P0: P0: view memory no pending pointer content update P0 P1 P0: write: x = 2 P0 x=1 x=0 P1: write: y = 3 y=1 y=1 P1 … x,P1 y,P0 writing memory written process snapshot variable 71

  27. Semantics 2: Single Buffer Model [TACAS’12+13] P0 P1 P0: write: x = 2 P0 x=1 x=0 P1: write: y = 3 y=1 y=1 P1 … x,P1 y,P0 72

  28. Semantics 2: Single Buffer Model [TACAS’12+13] P0 P1 P0: write: x = 2 P0 x=2 x=1 x=0 P1: write: y = 3 y=1 y=1 y=1 P1 … x,P0 x,P1 y,P0 73

  29. Semantics 2: Single Buffer Model [TACAS’12+13] P0 P1 P0: write: x = 2 P0 x=2 x=2 x=1 x=0 P1: write: y = 3 y=3 y=1 y=1 y=1 P1 … y,P1 x,P0 x,P1 y,P0 74

  30. Semantics 2: Single Buffer Model [TACAS’12+13] update view of P0 P0 P1 P0: write: x = 2 P0 x=2 x=2 x=1 x=0 P1: write: y = 3 y=3 y=1 y=1 y=1 P1 … y,P1 x,P0 x,P1 y,P0 75

  31. Semantics 2: Single Buffer Model [TACAS’12+13] P0 P1 P0: write: x = 2 P0 x=1 x=2 x=1 x=0 P1: write: y = 3 y=3 y=1 y=1 y=1 P1 … y,P1 x,P0 x,P1 y,P0 equivalent to classical TSO modulo reachability Sub-word relation on the content of the single buffer is a monotonic WQO 76

  32. Semantics 2: Single Buffer Model [TACAS’12+13] memory costly snapshot overhead cannot be directly viewing ID of writing applied to parameterized pointer process verification 77

  33. Parameterized Verification unbounded number of processes P P P P P P correctness: P lock taken by at most P one process P P P P P example: mutual exclusion protocols 78

  34. Semantics 3: Dual-TSO • Store buffers are replaced by load buffers • Equivalent to classical TSO Exact Verification Technique • Efficient analysis technique based on WQO • Applicable to parameterized verification 79

  35. Semantics 3: Dual-TSO load self buffer message Store Buffers ☛ Load Buffers P0 • Write operations immediately x,1,self x = 1 update the memory y = 0 P1 x,1,other • Load buffers contain expected read operations other message 80

  36. Semantics 3: Dual-TSO P0 x = 0 P0: write: x = 1 y = 0 P0: read: y = 0 P1 81

  37. Semantics 3: Dual-TSO adds self writes to message the memory P0 x,1,self x = 1 P0: write: x = 1 y = 0 P0: read: y = 0 P1 82

  38. Semantics 3: Dual-TSO propagates from the memory P0 x,1,self x = 1 P0: write: x = 1 y = 0 P0: read: y = 0 P1 x,1,other 83

  39. Semantics 3: Dual-TSO propagates from the memory P0 x,1,self y,0,other x = 1 P0: write: x = 1 y = 0 P0: read: y = 0 P1 x,1,other 84

  40. Semantics 3: Dual-TSO deletes the oldest message P0 x,1,self y,0,other x = 1 P0: write: x = 1 y = 0 P0: read: y = 0 P1 x,1,other 85

  41. Semantics 3: Dual-TSO reads the oldest message P0 y,0,other x = 1 P0: write: x = 1 y = 0 P0: read: y = 0 P1 x,1,other 86

  42. Semantics 3: Dual-TSO Theorem The Dual-TSO semantics is equivalent to the TSO semantics with respect to the reachability problem. 87

  43. Outline • Classical TSO semantics • New semantics (Dual-TSO) allows: - Efficient verification - Parameterised verification • Verification under Dual-TSO • Experimental Results • Conclusions 88

  44. WQO under Dual-TSO partition of load buffer x,2,self y,1,self x,1,other y,0,self x,0,other newest self newest self Old New message on x message on y 89

  45. WQO under Dual-TSO Extension of sub-word ordering x,2,self y,1,self x,1,other y,0,self x,0,other = = x,2,self y,0,self x,0,other y,1,self 90

  46. WQO under Dual-TSO Extension of sub-word ordering x,2,self y,1,self x,1,other y,0,self x,0,other ⊑ ⊑ = = x,2,self y,0,self x,0,other y,1,self 91

  47. WQO under Dual-TSO P0 P1 WQO for Dual-TSO … … … … • Same local states of processes • Same shared memory P0 x,1,self x = 1 • Sub-word relation on load buffers y = 0 P1 x,1,other 92

  48. WQO under Dual-TSO P0 P1 WQO for Dual-TSO … … … … • Same local states of processes • Same shared memory P0 x,1,self x = 1 • Sub-word relation on load buffers y = 0 P1 x,1,other 93

  49. WQO under Dual-TSO P0 P1 WQO for Dual-TSO … … … … • Same local states of processes • Same shared memory P0 x,1,self x = 1 • Sub-word relation on load buffers y = 0 P1 x,1,other 94

  50. Dual-TSO vs Single Buffer Dual-TSO Single Buffer efficient NO memory snapshot Need memory snapshot No viewing pointer, ID of Need viewing pointers, IDs of processes process Several channels: one Only one channel channel per process Buffers have read Buffers have write operations operations can be applied to parameterised verification

  51. Outline • Classical TSO semantics • New semantics (Dual-TSO) allows: - Efficient verification - Parameterised verification • Verification under Dual-TSO • Experimental Results • Conclusions 96

  52. Experimental Results Single buffer approach (exact method [TACAS12+13]) Dual-TSO vs Memorax • Running time • Memory consumption 97 https://www.it.uu.se/katalog/tuang296/dual-tso

  53. Experimental Results Dual-TSO vs Memorax • Running time • Memory consumption standard benchmarks: litmus tests and mutual algorithms 98

  54. running time Experimental Results in seconds Dual-TSO vs Memorax • Running time • Memory consumption 99

  55. generated Experimental Results configurations Dual-TSO vs Memorax • Running time • Memory consumption Dual-TSO is faster and uses less memory in most of examples 100

Recommend

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group NEC Labs America, Princeton, USA www.nec-labs.com Tutorial: Verifying Concurrent Programs Oct 2011 Acknowledgements Malay Ganai, Vineet

982 views • 72 slides
Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs with Unbounded Replication D.

774 views • 50 slides
Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo ao M. Lourenc o, Ale s Smr cka, Diogo G. Sousa, Tom a s Vojnar Brno University of Technology (BUT) Universidade Nova de Lisboa (UNL)

1.54k views • 125 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz , Denis Merigoux, Danel Ahman, Guido Martinez ICFP 2020 1/12 Verifying Concurrent Programs Lots of recent work

556 views • 37 slides
Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly University Gyngys, Hungary Synchron 2016 Bamberg December 2016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

486 views • 25 slides
Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

1.2k views • 72 slides
VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark Hillebrand 3 , Dirk Leinenbach 3 , Michal Moskal 2 , Thomas Santen 2 , Wolfram Schulte 4 and Stephan Tobies 2 1 Microsoft Corporation, Redmond, WA, USA 2

553 views • 27 slides
From Concurrent Programs to Simulating Sequential Programs: Correctness of a Transformation VPT

From Concurrent Programs to Simulating Sequential Programs: Correctness of a Transformation VPT

From Concurrent Programs to Simulating Sequential Programs: Correctness of a Transformation VPT 2017 Allan Blanchard, Fr ed eric Loulergue, Nikolai Kosmatov April 29 th , 2017 From Concurrent Programs to Simulating Sequential Programs

488 views • 37 slides
+ The HARPO Verifier Status 2018 October 15 Verifying the Correctness of HARPO Programs 1

+ The HARPO Verifier Status 2018 October 15 Verifying the Correctness of HARPO Programs 1

+ The HARPO Verifier Status 2018 October 15 Verifying the Correctness of HARPO Programs 1 Verifying the Correctness of HARPO Programs Presented at NECEC 2018, St. Johns NL Inaam Ahmed Computer Engineering Research Labs, Dept. ECE, MUN

492 views • 23 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri David Pichardie Jan Vitek Yannick Zakowski Why are high level languages difficult to compile? Easy to compile in C Obj.f := v What about Java? A

1.17k views • 73 slides
Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au So

1.94k views • 156 slides
Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Systems verification, broadly impl proof specification 2 Systems verification requires connecting

859 views • 48 slides
Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Many systems need concurrency and crash safety Examples: file systems, databases, and key-value

852 views • 46 slides
Two views of Duality: Lagrangians and Geometric 1 Linear Programs. Recall last time, we

Two views of Duality: Lagrangians and Geometric 1 Linear Programs. Recall last time, we

U.C. Berkeley CS270: Algorithms Two views of Duality: Lagrangians and Geometric Professor Vazirani and Professor Rao Lecturer: Satish Rao Last revised February 25, 2013 Two views of Duality: Lagrangians and Geometric 1 Linear Programs.

414 views • 4 slides
Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University Mooly Sagiv Tel Aviv University Martin Vechev ETH Eran Yahav Technion

458 views • 35 slides
Verifying Distributed Programs via Canonical Sequentialization Klaus von Gleissenthall Joint

Verifying Distributed Programs via Canonical Sequentialization Klaus von Gleissenthall Joint

Verifying Distributed Programs via Canonical Sequentialization Klaus von Gleissenthall Joint work with Alexander Bakst, Ranjit Jhala and Rami Gkhan Kc 1 Writing distributed programs A bug appears Issue: random hangs / deadlock in

808 views • 79 slides
Duality Geoff Gordon & Ryan Tibshirani Optimization 10-725 / 36-725 1 Duality in linear

Duality Geoff Gordon & Ryan Tibshirani Optimization 10-725 / 36-725 1 Duality in linear

Duality Geoff Gordon & Ryan Tibshirani Optimization 10-725 / 36-725 1 Duality in linear programs Suppose we want to find lower bound on the optimal value in our convex problem, B min x C f ( x ) E.g., consider the following simple

1.12k views • 32 slides
Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft

Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft

Verifying functional correctness of message-passing programs in Coq Robbert Krebbers, TU Delft Joint work with Jonas Kastberg Hinrichsen, ITU Jesper Bengtson, ITU 4 June 2020 @ VEST Workshop, Online 1 Type checking message-passing programs

601 views • 25 slides
Computational Logic Concurrent (Constraint) Logic Programming 1 Concurrent Logic Programs

Computational Logic Concurrent (Constraint) Logic Programming 1 Concurrent Logic Programs

Computational Logic Concurrent (Constraint) Logic Programming 1 Concurrent Logic Programs Predicate: Set of clauses Clause: Head :- Guard | Body. Head is an atom Guard and Body are conjunctions of atoms Resolvent: Set of goals

623 views • 28 slides
Java Concurrency 1 Shell CSCE 314 TAMU The World is Concurrent Concurrent programs: more than

Java Concurrency 1 Shell CSCE 314 TAMU The World is Concurrent Concurrent programs: more than

Shell CSCE 314 TAMU CSCE 314: Programming Languages Dr. Dylan Shell Java Concurrency 1 Shell CSCE 314 TAMU The World is Concurrent Concurrent programs: more than one activities execute simultaneously (concurrently) no interference

518 views • 35 slides
On Congruence Property of Scope Equivalence for Concurrent Programs with Higher-Order

On Congruence Property of Scope Equivalence for Concurrent Programs with Higher-Order

On Congruence Property of Scope Equivalence for Concurrent Programs with Higher-Order Communication Masaki Murakami Okayama University JAPAN A Formal Model of Concurrent Systems the model presented here is a translation of asynchronous

847 views • 31 slides

More recommend