tractable refinement checking for concurrent objects
play

Tractable Refinement Checking for Concurrent Objects Constantin - PowerPoint PPT Presentation

Feb 04, 2023 •183 likes •442 views

Tractable Refinement Checking for Concurrent Objects Constantin Enea LIAFA, CNRS & University Paris Diderot - Paris 7 joint work with Ahmed Bouajjani, Michael Emmi, Jad Hamza Concurrent objects Concurrent Object call (push, pop, )

  1. Tractable Refinement Checking for Concurrent Objects Constantin Enea LIAFA, CNRS & University Paris Diderot - Paris 7 joint work with Ahmed Bouajjani, Michael Emmi, Jad Hamza

  2. Concurrent objects Concurrent Object call (push, pop, …) return value … | | | | Thread 1 Thread 2 • Abstracting shared data: concurrent collections (queue, stack,…) 
 • Synchronization objects (mutex, semaphore,…)

  3. Atomic objects Ensure an atomic view of the method calls pop ⇒ 2 push(1) Thread 1 pop ⇒ 1 push(2) Thread 2 • Obvious solution: global locks • Performance requirements => optimistic concurrency (fine-grain locking, CAS, …) pop ⇒ 2 push(1) Thread 1 pop ⇒ 1 push(2) Thread 2

  4. Refinement Efficient implementation Reference implementation class TreiberStack { class AtomicStack { cell* top; cell* top; minimize Lock l; void push ( int v) { contention cell* t; void push ( int v) { cell* x = malloc( sizeof *x); l.lock(); x->data = v; top->next = malloc( sizeof *x); do { top = top->next; t = top; top->data = v; x->next = top; l.unlock(); } while (! CAS(&top,t,x) ); } } int pop () { int pop () { checking ... ... interference } } } } For every Client, Client x Impl included in Client x Spec

  5. Violating Refinement ) 1 ( ) h ( s p 3 u o p p n n r r l l u u l l t t Thread1 a a e e preemption c c r r Thread2 pop => 1 push(2) push(3) pop => EMPTY preemption PROBLEM 1, 2 , 3 pushed: 1, 3, EMPTY popped: not admitted by atomic stack

  6. Insidious Errors HARD TO REPRODUCE 
 • memory management 
 • specific thread interleaving HARD TO DIAGNOSE 
 program assertions don’t suffice DEMANDS AUTOMATION

  7. Automating Refinement Checking For every Client, Client x Impl included in Client x Spec CHALLENGES 
 • enumeration of programs 
 • enumeration of executions 
 • checking inclusion

  8. Linearizability [Herlihy & Wing 1990] pop ⇒ 0 push(0) push(1) push(1) push(0) pop ⇒ 0 Execution admitted by the specification • Find “linearization points” within execution time intervals • The order defined by the linearization points is admitted by the specification • Impl is linearizable w.r.t. Spec iff Impl refines Spec (when Spec is atomic) [Filipovic et al. 2009, Bouajjani et al. 2015]

  9. Enumeration Exponentially-many linearizations ∉ pop ⇒ 3 push(1) pop ⇒ EMPTY push(1) pop ⇒ 3 pop ⇒ 1 push(2) push(3) pop ⇒ EMPTY ∉ pop ⇒ 1 push(2) push(3) push(1) pop ⇒ 1 pop ⇒ 3 push(2) push(3) pop ⇒ EMPTY AtomicStack ? ∉ push(1) pop ⇒ 1 push(2) pop ⇒ 3 push(3) pop ⇒ EMPTY ∉ push(1) pop ⇒ 1 push(2) push(3) pop ⇒ 3 pop ⇒ EMPTY

  10. Complexity Reachability Linearizability Single trace NL-complete NP-complete a n threads PSPACE-complete EXPSPACE-complete b ∞ threads EXPSPACE-complete Undecidable c • Demands approximation analyses • In this talk: focus on bug-finding a Testing Shared Memory. Gibbons et al. 1996 b Linearizability is EXPSPACE-complete Hamza 2015 c Verifying Concurrent Programs Against Sequential Specifications Bouajjani et al. 2013

  11. Parametrized under- approximations [Bouajjani, Emmi, E, Hamza, POPL’15] Characterization of refinement using histories (partial orders) • reduce refinement to a history-set inclusion • Parametrized under-approximation to solve the inclusion • histories are interval orders • parametrized by length • efficient representation using counters • efficient reduction to reachability (dynamic/static analysis) • Experiments • Scalability: Efficient in practice • Coverage: Small length needed to catch violations •

  12. Parametrized under- approximations [Bouajjani, Emmi, E, Hamza, POPL’15] Characterization of refinement using histories (partial orders) • reduce refinement to a history-set inclusion • Parametrized under-approximation to solve the inclusion • histories are interval orders • parametrized by length • efficient representation using counters • efficient reduction to reachability (dynamic/static analysis) • Experiments • Scalability: Efficient in practice • Coverage: Small length needed to catch violations •

  13. Histories push(1) pop ⇒ 3 pop ⇒ 1 push(2) push(3) pop ⇒ EMPTY happens-before pop ⇒ 3 partial order push(1) pop ⇒ EMPTY pop ⇒ 1 push(2) push(3)

  14. History Inclusion Hist(L) = the histories of all executions of L (arbitrary calls with arbitrary many threads) THEOREM 
 L refines S ⇔ Hist( L ) ⊆ Hist( S ) • (=>) Given h in Hist( L ), construct a client P h that imposes all the happen-before constraints of h . • (<=) Clients cannot distinguish executions with the same history.

  15. Parametrized under- approximations [Bouajjani, Emmi, E, Hamza, POPL’15] Characterization of refinement using histories (partial orders) • reduce refinement to a history-set inclusion • Parametrized under-approximation to solve the inclusion • histories are interval orders • parametrized by length • efficient representation using counters • efficient reduction to reachability (dynamic/static analysis) • Experiments • Scalability: Efficient in practice • Coverage: Small length needed to catch violations •

  16. Approximating GOAL 
 parameterized approximation A k 
 • complete as k → ∞ 
 • tractable for fixed k 
 • violations with small k HYPOTHESIS 
 violations surface in histories 
 with low-complexity orderings

  17. Ordering complexity execution histories are interval orders pop ⇒ 3 pop ⇒ 3 push(1) pop ⇒ EMPTY push(1) push(2) pop ⇒ EMPTY pop ⇒ 1 push(3) 4 0 1 2 3 pop ⇒ 1 push(2) push(3) INTERVAL LENGTH 
 smallest maximum integral interval bound

  18. History Abstraction all concurrent pop ⇒ EMPTY pop ⇒ 3 push(1) pop ⇒ EMPTY pop ⇒ 3 push(1) weaker order pop ⇒ 1 push(2) push(3) pop ⇒ 1 push(2) push(3) LENGTH 4 LENGTH 1 STILL A VIOLATION LEMMA 
 Libraries closed under weakening

  19. Interval-Length Bounding A k (h) = history of length k (keeping last k intervals precise • and merge the remaining ones) pop ⇒ 3 pop ⇒ 3 push(1) push(2) pop ⇒ EMPTY push(1) push(2) pop ⇒ EMPTY pop ⇒ 1 push(3) pop ⇒ 1 push(3) 4 1 0 1 2 3 0 Checking A k (Hist (L)) ⊆ Hist k (S) instead of Hist(L) ⊆ Hist (S) • construct a formula Ψ S representing Hist k (S) • check A k (h) |= Ψ S for every h ∈ Hist(L) • Counter-based representations of histories

  20. Using counter-based representations #(push(1), 0,0) = 1 pop ⇒ 3 #(pop ⇒ 1,0,0) = 1 push(1) push(2) pop ⇒ EMPTY pop ⇒ 1 push(3) #(push(2),0,0) = 1 … 1 0 Checking A k (Hist (L)) ⊆ Hist k (S) Generating A k (Hist (L)) = instrumenting the most general • client of L with counter increments/decrements adding the assertion Ψ S representing Hist k (S) • obtained manually for common objects (stack, queue, …) • automatically for context-free specifications •

  21. Parametrized under- approximations [Bouajjani, Emmi, E, Hamza, POPL’15] Characterization of refinement using histories (partial orders) • reduce refinement to a history-set inclusion • Parametrized under-approximation to solve the inclusion • histories are interval orders • parametrized by length • efficient representation using counters • efficient reduction to reachability (dynamic/static analysis) • Experiments • Scalability: Efficient in practice • Coverage: Small length needed to catch violations •

  22. Empirically (dynamic analysis) execution sample vs. violations covered execution size vs. monitoring overhead 1000 100000 ~1000x Histoires Linearization missed violations 
 Violations Operation Counting Approximation k=2 Covered w/ k=4 Covered w/ k=3 due to small sample 10000 Covered w/ k=2 Covered w/ k=1 100 1000 100 ~2x 10 10 1 1 1x10 3 executions — 2.4x10 6 executions 2 operations — 20 operations small bounds suffice exponentially-lower as sample-size increases monitoring overhead

  23. Empirically (static analysis) Static analysis for finding refinement violations • Reduction to existing tools • CSeq, with CBMC backend (bounded model checking) • Library P k Time Unrolling Rounds Michael-Scott Queue (Head) 2 , 2 2 2 24.76s 1 Michael-Scott Queue (Tail) 3 , 1 2 3 45.44s 1 Treiber Stack (ABA) 3 , 4 1 2 52.59s 1 Treiber Stack ( push ) 2 , 2 1 2 24.46s 1 Treiber Stack ( pop ) 2 , 2 1 2 15.16s 1 Elimination Stack 4 , 1 1 4 317.79s 0 Elimination Stack 3 , 1 1 1 4 222.04s Elimination Stack 3 , 4 1 2 434.84s 0 Lock-coupling Set 1 , 2 0 2 2 11.27s LFDS Queue 2 , 2 1 2 77.00s 1

  24. Conclusion equivalence between refinement and history inclusion • parametrized under-approximation schema to solve Hist(L) ⊆ • Hist(S) abstracting histories with low-complexity partial orders • (bounded interval length) Future work: Complete verification: Leverage insights on violations? • Compiler optimizations: Refinement checking without fixed • reference impls? Weaker abstractions : e.g., causal consistency in place of • atomicity?

  25. THE END

Recommend

Checking Consistency Properties: Tractable Reductions to Reachability Constantin Enea IRIF ,

Checking Consistency Properties: Tractable Reductions to Reachability Constantin Enea IRIF ,

Checking Consistency Properties: Tractable Reductions to Reachability Constantin Enea IRIF , University Paris Diderot Concurrent/Distributed Objects Modern computer software is increasingly concurrent performance improvements often

522 views • 29 slides
Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is Model Checking? Model checking is an automated technique that, given a finite-state model of a system and a logical property , systematically

484 views • 36 slides
THETA: a Framework for Abstraction Refinement-Based Model Checking Tams Tth 1 , kos Hajdu

THETA: a Framework for Abstraction Refinement-Based Model Checking Tams Tth 1 , kos Hajdu

THETA: a Framework for Abstraction Refinement-Based Model Checking Tams Tth 1 , kos Hajdu 1,2 , Andrs Vrs 1,2 , Zoltn Micskei 1 , Istvn Majzik 1 1 Budapest University of Technology and Economics Department of Measurement and

786 views • 12 slides
Software Model Checking and Counter-example Guided Abstraction Refinement Claire Le Goues 1

Software Model Checking and Counter-example Guided Abstraction Refinement Claire Le Goues 1

Software Model Checking and Counter-example Guided Abstraction Refinement Claire Le Goues 1 Motivation: How should we analyze this? * means something we cant analyze (user input, random value) Line 5: the lock is held if and only

886 views • 63 slides
Industrial Strength Refinement Checking Jesse Bingham, John Erickson, Gaurav Singh, and Flemming

Industrial Strength Refinement Checking Jesse Bingham, John Erickson, Gaurav Singh, and Flemming

Industrial Strength Refinement Checking Jesse Bingham, John Erickson, Gaurav Singh, and Flemming Andersen Intel IAG FMCAD 2009 1 Introduction Standard approach to FV of HW protocols Develop high level model (HLM) in guarded-command-

473 views • 25 slides
Concurrent Programming Threads of execution: Thread objects running in parallel

Concurrent Programming Threads of execution: Thread objects running in parallel

T RANSPARENT P ROXIES FOR J AVA F UTURES Polyvios Pratikakis Jaime Spacco Michael Hicks University of Maryland, College Park Transparent Proxies for Java Futures p. 1/51 Concurrent Programming Threads of execution: Thread objects

718 views • 53 slides
Model Checking Concurrent Systems with Unboundedly Many Processes Using Data Logics Ahmet Kara

Model Checking Concurrent Systems with Unboundedly Many Processes Using Data Logics Ahmet Kara

Model Checking Concurrent Systems with Unboundedly Many Processes Using Data Logics Ahmet Kara MOVEP 2012, Marseille Interaction of Unboundedly Many Processes n m o 1 2 3 p 4 Ahmet Kara Model Checking Concurrent Systems with

852 views • 59 slides
Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast

Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast

Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich

400 views • 14 slides
Dynamic Reductions for Model Checking Concurrent Software Alfons Laarman alfons@laarman.com

Dynamic Reductions for Model Checking Concurrent Software Alfons Laarman alfons@laarman.com

Introduction Transactions Dynamic Experiments Conclusion Dynamic Reductions for Model Checking Concurrent Software Alfons Laarman alfons@laarman.com Henning G unther , Ana Sokolova and Georg Weissenbacher Formal Methods in Systems

905 views • 51 slides
Framework for Model Checking Concurrent Programs in Maude Gorka Surez-Garca Departamento de

Framework for Model Checking Concurrent Programs in Maude Gorka Surez-Garca Departamento de

Framework for Model Checking Concurrent Programs in Maude Gorka Surez-Garca Departamento de Sistemas Informticos y Computacin Universidad Complutense de Madrid gorka.suarez@ucm.es Table of Contents 1. Introduction 2. The Maude

512 views • 22 slides
Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY http://www.inrialpes.fr/vasy Why formal verification? Therac-25 radiotherapy Ariane-5 launch Mars climate orbiter accidents (1985-1987) failure

1.16k views • 115 slides
Week-1: Introduction to model checking B. Srivathsan Chennai Mathematical Institute NPTEL-course

Week-1: Introduction to model checking B. Srivathsan Chennai Mathematical Institute NPTEL-course

Week-1: Introduction to model checking B. Srivathsan Chennai Mathematical Institute NPTEL-course July - November 2015 1 / 30 Module 4: Modeling concurrent systems 2 / 30 Concurrent systems Independent Shared variables Shared actions 3 / 30

844 views • 67 slides
Erlang-style Error Recovery for Concurrent Objects with Cooperative Scheduling ori 1 Georg G

Erlang-style Error Recovery for Concurrent Objects with Cooperative Scheduling ori 1 Georg G

Erlang-style Error Recovery for Concurrent Objects with Cooperative Scheduling ori 1 Georg G Einar Broch Johnsen 2 Rudolf Schlatte 2 Volker Stolz 2 , 3 University of Technology, Graz, Austria goeri@student.tugraz.at University of Oslo, Norway

927 views • 53 slides
CSC2/458 Parallel and Distributed Systems Parallel Data Structures - I Sreepathi Pai January 18,

CSC2/458 Parallel and Distributed Systems Parallel Data Structures - I Sreepathi Pai January 18,

CSC2/458 Parallel and Distributed Systems Parallel Data Structures - I Sreepathi Pai January 18, 2018 URCS Outline Concurrent Objects Correctness/Safety Outline Concurrent Objects Correctness/Safety Concurrent Objects/Data Structures

602 views • 26 slides
Advanced concurrent programming in Java Shared objects Mehmet Ali Arslan 21.10.13 1 Visibility

Advanced concurrent programming in Java Shared objects Mehmet Ali Arslan 21.10.13 1 Visibility

Advanced concurrent programming in Java Shared objects Mehmet Ali Arslan 21.10.13 1 Visibility To see(m) or not to see(m)... There is more to synchronization than just atomicity or critical sessions. Memory visibility... Updates by one

496 views • 21 slides
Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology

Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology

Model Checking Lower Bounds for Simple Graphs Michael Lampis KTH Royal Institute of Technology July 8th, 2013 Algorithmic Meta-Theorems Positive results Negative results Problem X is tractable. Problem X is hard. Model Checking Lower

912 views • 62 slides
Creol as formal model for distributed, concurrent objects Martin Steffen IfI UiO Flacos, Malta

Creol as formal model for distributed, concurrent objects Martin Steffen IfI UiO Flacos, Malta

Creol as formal model for distributed, concurrent objects Martin Steffen IfI UiO Flacos, Malta 27. November 2008 Structure [0] Creol Distributed Communication in Creol Basic Language Constructs Open semantics and observable interface

615 views • 32 slides
Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as

Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as

Chapter 7 Arrays Chapter Scope Array declaration and use Bounds checking Arrays as objects Arrays of objects Command-line arguments Variable-length parameter lists Multidimensional arrays Java Foundations, 3rd Edition,

628 views • 59 slides
Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY http://www.inrialpes.fr/vasy Action-based temporal logics Introduction Modal logics Branching-time logics Regular logics Fixed point logics VTSA'08

1.7k views • 148 slides
Shared Objects &amp; Mutual Exclusion DM519 Concurrent Programming 1 1 Repetition (Finite

Shared Objects &amp; Mutual Exclusion DM519 Concurrent Programming 1 1 Repetition (Finite

Chapter 4 Shared Objects &amp; Mutual Exclusion DM519 Concurrent Programming 1 1 Repetition (Finite State Processes; FSP) Finite State Processes (FSP) can be defined using: P = x -&gt; Q // action Q // other process variable

1.49k views • 123 slides
Chapter 4 ICS-275 Fall 2010 Fall 2010 ICS 275 - Constraint Networks 1 Tractable Tractable

Chapter 4 ICS-275 Fall 2010 Fall 2010 ICS 275 - Constraint Networks 1 Tractable Tractable

Directional consistency Chapter 4 ICS-275 Fall 2010 Fall 2010 ICS 275 - Constraint Networks 1 Tractable Tractable classes classes Fall 2010 2 Backtrack-free search: or What level of consistency will guarantee global- consistency

418 views • 41 slides
CONCURRENT COLLECTIONS 2 5/24/11 Concurrent Collec9ons

CONCURRENT COLLECTIONS 2 5/24/11 Concurrent Collec9ons

1 5/24/11 Concurrent Collec9ons CONCURRENT COLLECTIONS 2 5/24/11 Concurrent Collec9ons Acknowledgements Slides and material from Kathleen Knobe (Intel)

865 views • 20 slides
Concurrent Enrollment A Guide for Parents and Students What is Concurrent Enrollment? Concurrent

Concurrent Enrollment A Guide for Parents and Students What is Concurrent Enrollment? Concurrent

Concurrent Enrollment A Guide for Parents and Students What is Concurrent Enrollment? Concurrent enrollment allows high school students to enroll in college courses and receive college credit. The College and Career Access Pathways (CCAP) program

555 views • 21 slides
Crystallographic refinement Roberto A. Steiner roberto.steiner@kcl.ac.uk with many slides

Crystallographic refinement Roberto A. Steiner roberto.steiner@kcl.ac.uk with many slides

Crystallographic refinement Roberto A. Steiner roberto.steiner@kcl.ac.uk with many slides contributed by Pavel Afonine Crystallography workshop - Trieste 23-27 April 2012 Key aspects of refinement Crystallographic refinement is the process by

1.55k views • 124 slides

More recommend