verifying concurrent crash safe systems with perennial
play

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , - PowerPoint PPT Presentation

Jan 27, 2023 •373 likes •852 views

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Many systems need concurrency and crash safety Examples: file systems, databases, and key-value

  1. Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College

  2. Many systems need concurrency and crash safety Examples: file systems, databases, and key-value stores Make strong guarantees about keeping your data safe Achieve high performance with concurrency 2

  3. Simple example: replicated disk replicated disk library disk 1 disk 2 3

  4. Simple example: replicated disk read/write replicated disk library disk 1 disk 2 3

  5. Simple example: replicated disk read/write replicated disk library disk 1 disk 2 3

  6. Replicated disk is subtle func write(a: addr, v: block) { lock_address(a) d1.write(a, v) d2.write(a, v) unlock_address(a) } 4

  7. Replicated disk is subtle func write(a: addr, v: block) { lock_address(a) d1.write(a, v) d2.write(a, v) what if system crashes here? unlock_address(a) what if disk 1 fails? } 4

  8. Replicated disk is subtle func write(a: addr, v: block) { lock_address(a) d1.write(a, v) d2.write(a, v) what if system crashes here? unlock_address(a) what if disk 1 fails? } // runs on reboot func recover() { for a in … { // copy from d1 to d2 } } 4

  9. Replicated disk is subtle func write(a: addr, v: block) { func read(a: addr): block { lock_address(a) lock_address(a) d1.write(a, v) v, ok := d1.read(a) d2.write(a, v) if !ok { what if system crashes here? unlock_address(a) v, _ = d2.read(a) what if disk 1 fails? } } unlock_address(a) return v } // runs on reboot func recover() { for a in … { // copy from d1 to d2 } } 4

  10. Goal: systematically reason about all executions with formal verification 5

  11. Existing verification frameworks do not support concurrency and crash safety verified crash safety verified concurrency FSCQ [SOSP ’15] CertiKOS [OSDI ’16] Yggdrasil [OSDI ’16] CSPEC [OSDI ’18] DFSCQ [SOSP ’17] AtomFS [SOSP ’19] … … no system can do both 6

  12. Combining verified crash safety and concurrency is challenging Crash and recovery can interrupt a critical section ➡ leases Crash wipes in-memory state ➡ memory versioning Recovery logically completes crashed threads’ operations ➡ recovery helping 7

  13. Perennial’s techniques address challenges integrating crash safety into concurrency reasoning Crash and recovery can interrupt a critical section ➡ leases Crash wipes in-memory state ➡ memory versioning Recovery logically completes crashed threads’ operations ➡ recovery helping 8

  14. Perennial’s techniques address challenges integrating crash safety into concurrency reasoning Crash and recovery can interrupt a critical section ➡ leases see paper Crash wipes in-memory state ➡ memory versioning Recovery logically completes crashed threads’ operations this talk ➡ recovery helping 8

  15. Contributions Perennial: framework for reasoning about crashes and concurrency Goose: reasoning about Go implementations see paper Evaluation: verified mail server written in Go with Perennial 9

  16. Specifying correctness: concurrent recovery refinement All operations are correct and atomic wrt concurrency and crashes Recovery repairs system after reboot 10

  17. Proving the replicated disk correct 11

  18. Background Proving refinement with forward simulation: relate code and spec states spec σ d 1 code d 2 12

  19. Background Proving refinement with forward simulation: prove every operation has a commit point tid: write(a, v) spec S 1 1. Write down abstraction relation between code and spec states code C 1 C 2 C 3 C 4 C 5 lock d1.write d2.write unlock 13

  20. Background Proving refinement with forward simulation: prove every operation has a commit point tid: tid: write(a, v) write(a, v) spec S 2 S 1 1. Write down abstraction relation between code and spec states 2. Prove every operation commits code C 1 C 2 C 3 C 4 C 5 lock d1.write d2.write unlock 13

  21. Background Proving refinement with forward simulation: prove every operation has a commit point tid: tid: write(a, v) write(a, v) spec S 2 S 1 1. Write down abstraction relation between code and spec states 2. Prove every operation commits 3. Prove abstraction relation is preserved code C 1 C 2 C 3 C 4 C 5 lock d1.write d2.write unlock 13

  22. Abstraction relation for the replicated disk σ abstraction relation: σ [ a ] = d 1 [ a ] ! locked ( a ) ⟹ ∧ σ [ a ] = d 2 [ a ] (if the disk has not failed) d 1 d 2 14

  23. Crashing breaks the abstraction relation func write(a: addr, v: block) { lock_address(a) d1.write(a, v) abstraction relation: lock reverts to being free, σ [ a ] = d 1 [ a ] ! locked ( a ) ⟹ but disks are not in-sync ∧ σ [ a ] = d 2 [ a ] 15

  24. So far: abstraction relation always holds spec abstraction relation R R R ? code crash 16

  25. Separate a crash invariant from the abstraction relation spec abstraction relation R crash invariant C C R R code crash 17

  26. Recovery proof uses the crash invariant to restore the abstraction relation crash spec abstraction relation R crash invariant C C R R R R code crash recover() 18

  27. Proving recovery correct: makes writes atomic func write(a: addr, v: block) { lock_address(a) d1.write(a, v) func recover() { for a in … { v, ok := d1.read(a) if !ok { … } d2.write(a, v) } } 19

  28. User sees an atomic write due to recovery pending crash spec operation tid: user’s view (spec) write(a, v) code execution 20

  29. User sees an atomic write due to recovery pending crash spec operation tid: user’s view (spec) write(a, v) code execution tid: w1(a,v) crash 20

  30. User sees an atomic write due to recovery pending crash spec operation tid: user’s view (spec) write(a, v) code execution r1(a) w2(a,v) tid: w1(a,v) return recover() crash 20

  31. User sees an atomic write due to recovery pending crash recovery helping spec operation tid: tid: user’s view (spec) write(a, v) write(a, v) code execution r1(a) w2(a,v) tid: w1(a,v) return recover() crash 20

  32. Recovery helping: recovery can commit writes from before the crash func write(a: addr, v: block) { tid: write(a, v) lock_address(a) d1.write(a, v) func recover() { for a in … { v, ok := d1.read(a) if !ok { … } tid: d2.write(a, v) write(a, v) } } 21

  33. Crash invariant says “if disks disagree, some thread was writing the value on the first disk” func write(a: addr, v: block) { tid: write(a, v) lock_address(a) d1.write(a, v) crash invariant: d 1 [ a ] ≠ d 2 [ a ] ⟹ func recover() { for a in … { ∃ tid. tid: v, ok := d1.read(a) write(a, ) d 1 [ a ] if !ok { … } tid: d2.write(a, v) write(a, v) } } 22

  34. Crash invariant says “if disks disagree, some thread was writing the value on the first disk” func write(a: addr, v: block) { tid: write(a, v) lock_address(a) d1.write(a, v) crash invariant: d 1 [ a ] ≠ d 2 [ a ] ⟹ func recover() { for a in … { ∃ tid. tid: v, ok := d1.read(a) write(a, ) d 1 [ a ] if !ok { … } tid: d2.write(a, v) write(a, v) } } 22

  35. Key idea: crash invariant can refer to interrupted spec operations func write(a: addr, v: block) { tid: write(a, v) lock_address(a) d1.write(a, v) crash invariant: d 1 [ a ] ≠ d 2 [ a ] ⟹ func recover() { for a in … { ∃ tid. tid: v, ok := d1.read(a) write(a, ) d 1 [ a ] if !ok { … } tid: d2.write(a, v) write(a, v) } } 23

  36. Recovery proof shows code restores the abstraction relation by completing all interrupted writes func write(a: addr, v: block) { tid: write(a, v) lock_address(a) d1.write(a, v) func recover() { for a in … { v, ok := d1.read(a) if !ok { … } tid: d2.write(a, v) write(a, v) } abstraction relation: } crash σ [ a ] = d 1 [ a ] ! locked ( a ) ⟹ ∧ σ [ a ] = d 2 [ a ] 24

  37. Proving concurrent recovery refinement Recovery proof uses crash invariant to restore abstraction relation Proof can refer to interrupted operations, enabling recovery helping reasoning Users get correct behavior and atomicity 25

  38. Implementation Perennial (9k lines of Coq) - leases - memory versioning - recovery helping developer-written Iris concurrency framework this paper prior work Coq 26

  39. Implementation Go source go build Perennial (9k lines of Coq) - leases exe - memory versioning - recovery helping developer-written Iris concurrency framework this paper prior work Coq 26

  40. Implementation see paper Goose translator Go source Proof (2k lines of Go) go build Perennial (9k lines of Coq) - leases exe - memory versioning - recovery helping developer-written Iris concurrency framework this paper prior work Coq 26

  41. Implementation see paper Goose translator Go source Proof (2k lines of Go) go build Perennial (9k lines of Coq) machine - leases checked by Coq exe - memory versioning - recovery helping developer-written Iris concurrency framework this paper prior work Coq 26

  42. Evaluation This talk: • proof-e ff ort comparison See paper: • verified examples • TCB • bug discussion 27

  43. Methodology: 
 Verify the same mail server as previous work, CSPEC [OSDI ’18] Users can read, deliver, and delete mail Implemented on top of a file system Operations are atomic (and crash safe in Perennial) 28

Recommend

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej Chajed , Stephanie Wang, Alex Konradi, Atalay leri, Adam Chlipala, M. Frans Kaashoek, Nickolai Zeldovich File systems are difficult to make correct

1.19k views • 100 slides
Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group NEC Labs America, Princeton, USA www.nec-labs.com Tutorial: Verifying Concurrent Programs Oct 2011 Acknowledgements Malay Ganai, Vineet

982 views • 72 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Systems verification, broadly impl proof specification 2 Systems verification requires connecting

859 views • 48 slides
Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

1.2k views • 72 slides
VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark Hillebrand 3 , Dirk Leinenbach 3 , Michal Moskal 2 , Thomas Santen 2 , Wolfram Schulte 4 and Stephan Tobies 2 1 Microsoft Corporation, Redmond, WA, USA 2

553 views • 27 slides
The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed Bouajjani 2 Mohamed Faouzi Atig 1 Tuan Phong Ngo 1 1 Uppsala University 2 IRIF, Universit Paris Diderot & IUF CONCUR 2016 1 Motivation

1.66k views • 118 slides
Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo ao M. Lourenc o, Ale s Smr cka, Diogo G. Sousa, Tom a s Vojnar Brno University of Technology (BUT) Universidade Nova de Lisboa (UNL)

1.54k views • 125 slides
Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang

Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang

Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang Chen, Alex Konradi, Stephanie Wang, Daniel Ziegler, Adam Chlipala, M. Frans Kaashoek File systems should not lose data People use file systems to

1.17k views • 98 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs with Unbounded Replication D.

774 views • 50 slides
Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri David Pichardie Jan Vitek Yannick Zakowski Why are high level languages difficult to compile? Easy to compile in C Obj.f := v What about Java? A

1.17k views • 73 slides
Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au So

1.94k views • 156 slides
Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly University Gyngys, Hungary Synchron 2016 Bamberg December 2016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

486 views • 25 slides
CTSRD CRASH-worthy Trustworthy Systems Research and Development Beyond the PDP-11:

CTSRD CRASH-worthy Trustworthy Systems Research and Development Beyond the PDP-11:

CTSRD CTSRD CRASH-worthy Trustworthy Systems Research and Development Beyond the PDP-11: Architectural support for a memory-safe C abstract machine David Chisnall , Colin Rothwell , Brooks Davis , Robert N.M. Watson ,

252 views • 22 slides
www.landinstitute.org FOSSI L FUEL I NTENSI VE ERA perennial sorghum annual sorghum Perennial

www.landinstitute.org FOSSI L FUEL I NTENSI VE ERA perennial sorghum annual sorghum Perennial

www.landinstitute.org FOSSI L FUEL I NTENSI VE ERA perennial sorghum annual sorghum Perennial Wheat Perennial Wheat September, 2005: Field trial of 1000 intermediate wheatgrass plants divided into 3 clonal replicates each X Helianthus

500 views • 35 slides
Chapter 3 Concurrent Execution DM519 Concurrent Programming 1 Repetition (Concepts, Models,

Chapter 3 Concurrent Execution DM519 Concurrent Programming 1 Repetition (Concepts, Models,

Chapter 3 Concurrent Execution DM519 Concurrent Programming 1 Repetition (Concepts, Models, and Practice) u Concepts: l We adopt a model-based approach for the design and construction of concurrent programs u Safe model => safe

919 views • 43 slides
Verifying Hybrid Systems with Interactive Theorem Provers Jonathan Juli an Huerta y Munive

Verifying Hybrid Systems with Interactive Theorem Provers Jonathan Juli an Huerta y Munive

Verifying Hybrid Systems with Interactive Theorem Provers Jonathan Juli an Huerta y Munive Georg Struth University of Sheffield, UK Algebras for Program Verification Kleene algebras modal Kleene algebras (MKAs) concurrent Kleene

701 views • 44 slides
Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University Mooly Sagiv Tel Aviv University Martin Vechev ETH Eran Yahav Technion

458 views • 35 slides
Modeling and Analyzing Concurrent Systems Robert B. France 1

Modeling and Analyzing Concurrent Systems Robert B. France 1

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze concurrent systems? How are concurrent systems modeled?

1.39k views • 83 slides
Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze concurrent systems? How are concurrent systems modeled? How are concurrent systems analyzed? What tools are available for modeling and

1.13k views • 85 slides
SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz , Denis Merigoux, Danel Ahman, Guido Martinez ICFP 2020 1/12 Verifying Concurrent Programs Lots of recent work

556 views • 37 slides
Perennial Real Estate Holdings Limited Perennial Enters into 55-45 Joint Venture with Shangri-La

Perennial Real Estate Holdings Limited Perennial Enters into 55-45 Joint Venture with Shangri-La

Perennial Real Estate Holdings Limited Perennial Enters into 55-45 Joint Venture with Shangri-La to Develop an over US$250 million Integrated Mixed-use Development in Accra, Ghana Disclaimer All statements contained in this presentation which

137 views • 12 slides

More recommend