
Verifying Concurrent Programs using Contracts
Ricardo J. Dias, Carla Ferreira, Jan Fiedor, João M. Lourenço, Aleš Smrčka, Diogo G. Sousa, Tomáš Vojnar
Brno University of Technology (BUT), Universidade Nova de Lisboa (UNL)


Extending Contracts with Parameters: Motivation

Two methods of a client class, each declared atomic, working on a shared java.util.ArrayList, and a caller f():

    void atomic replace(Object a, Object b) {
      if (array.contains(a)) {
        int idx = array.indexOf(a);
        array.set(idx, b);
      }
    }

    void atomic erase(Object c) {
      int idx;
      while ((idx = array.indexOf(c)) > -1) {
        array.remove(idx);
      }
    }

    void f() {
      Object x, y, z;
      ...
      replace(x, y);   // x ∉ array
      ...
      erase(z);
    }

When x ∉ array, replace(x, y) executes only contains(x), and the next call on the list is the indexOf(z) issued by erase(z). The clause "contains indexOf" matches these two calls, which are not executed atomically together: contract "contains indexOf" violated! The two calls concern different elements, so the report is a false alarm that the parameter-less contract cannot avoid.

Extending Contracts with Parameters

- Allows one to express how the flow of data influences the dependencies between methods
- Contract specification extended by considering method call parameters and return values, expressed as meta-variables

Contract for the java.util.ArrayList class:

    (ρ′1)  contains(X) indexOf(X)
    (ρ′2)  X = indexOf(_)  (remove(X) | set(X, _) | get(X))
    (ρ′3)  X = size()      (remove(X) | set(X, _) | get(X))
    (ρ′4)  add(X)          (get(X) | indexOf(X))

Jan Fiedor (BUT), Verifying Programs using Contracts, ICST, March 15, 2017

Extending Contracts with Spoilers: Motivation

Contract for the java.util.ArrayList class (targets only):

    (ρ1)  contains indexOf
    (ρ2)  indexOf (set | remove | get)
    (ρ3)  size (remove | set | get)
    (ρ4)  add (get | indexOf)

Σ_M (methods): contains, indexOf, set, remove, get, size, add

Example interleaving: Thread 1 executes contains ... indexOf (an instance of ρ1), and between these two calls Threads 2 to 8 each execute one method: contains, indexOf, set, remove, get, size and add, respectively. Checked against ρ1 as written, this gives 7 contract violations. In fact it is 1 contract violation and 6 false alarms! Only the interleaved remove can change what indexOf returns after contains.

Extending Contracts with Spoilers

Allows one to express in which context the contract clauses shall be enforced.

Definition. Let R be the set of target clauses, where each target ρ ∈ R is a regular expression over Σ_M. Let S be the set of spoilers, where each spoiler σ ∈ S is a regular expression over Σ_M. A contract is then a relation C ⊆ R × S which defines for each target the spoilers that may cause atomicity violations.

Contract for the java.util.ArrayList class (target ← spoilers):

    (ρ″1)  contains indexOf              ← remove
    (ρ″2)  indexOf (remove | set | get)  ← remove | add | set
    (ρ″3)  size (remove | set | get)     ← remove
    (ρ″4)  add indexOf                   ← remove | set
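The following checker is an added example, not the authors' tool: it reproduces the two motivating scenarios above (the eight-thread interleaving against ρ1 with and without the spoiler set, and f() against "contains indexOf" with and without the meta-variable X). It assumes a trace is a time-ordered list of calls, that an instance of a clause is a run of consecutive module calls by one thread, and that meta-variables bind to positional arguments only (return-value binding as in ρ′2 and ρ′3 is not modelled).

```python
from collections import defaultdict

def call(thread, method, *args):
    """One module call in a time-ordered trace (constructed sample data)."""
    return (thread, method, args)

# A clause is a list of steps; a step is a set of alternatives; an alternative
# is (method, argument patterns) where 'X' is a meta-variable and '_' a wildcard.
RHO_1 = [{("contains", ())}, {("indexOf", ())}]            # contains indexOf
RHO_P1 = [{("contains", ("X",))}, {("indexOf", ("X",))}]    # contains(X) indexOf(X)
SIGMA_M = {"contains", "indexOf", "set", "remove", "get", "size", "add"}

def step_matches(step, method, args, binding):
    """Return the extended meta-variable binding if the call matches one
    alternative of step consistently with the binding so far, else None."""
    for pat_method, pat_args in step:
        if pat_method != method:
            continue
        if not pat_args:                 # alternative without parameter constraints
            return binding
        if len(pat_args) != len(args):
            continue
        new = dict(binding)
        consistent = True
        for pat, arg in zip(pat_args, args):
            if pat == "_":
                continue
            if pat in new and new[pat] != arg:
                consistent = False
                break
            new[pat] = arg
        if consistent:
            return new
    return None

def target_instances(trace, clause):
    """Yield (thread, first_index, last_index) for each run of consecutive
    calls of one thread that matches clause with a consistent binding."""
    per_thread = defaultdict(list)
    for idx, (t, _, _) in enumerate(trace):
        per_thread[t].append(idx)
    n = len(clause)
    for t, idxs in per_thread.items():
        for k in range(len(idxs) - n + 1):
            binding = {}
            for step, idx in zip(clause, idxs[k:k + n]):
                _, method, args = trace[idx]
                binding = step_matches(step, method, args, binding)
                if binding is None:
                    break
            if binding is not None:
                yield t, idxs[k], idxs[k + n - 1]

def violations(trace, clause, spoilers):
    """Indices of spoiler calls by other threads interleaved inside an instance
    of clause.  Passing SIGMA_M as spoilers gives the spoiler-free semantics,
    where any interleaved module call counts as a violation."""
    found = []
    for t, first, last in target_instances(trace, clause):
        for idx in range(first + 1, last):
            other, method, _ = trace[idx]
            if other != t and method in spoilers:
                found.append(idx)
    return found

def slide_scenarios():
    """Reproduce the two motivating slides; returns the number of alarms raised."""
    # Thread 1 runs contains ... indexOf while Threads 2 to 8 each interleave one call.
    eight = [call(1, "contains", "x")]
    eight += [call(t, m) for t, m in zip(range(2, 9),
              ["contains", "indexOf", "set", "remove", "get", "size", "add"])]
    eight.append(call(1, "indexOf", "x"))
    # f(): replace(x, y) with x not in the array runs only contains(x); erase(z)
    # then runs indexOf(z) and remove(idx); another thread removes in between.
    f_trace = [call(1, "contains", "x"), call(2, "remove", 0),
               call(1, "indexOf", "z"), call(1, "remove", 0)]
    return {
        "rho1_without_spoilers": len(violations(eight, RHO_1, SIGMA_M)),        # 7
        "rho1_with_spoiler_remove": len(violations(eight, RHO_1, {"remove"})),  # 1
        "f_without_parameters": len(violations(f_trace, RHO_1, {"remove"})),    # 1 false alarm
        "f_with_parameters": len(violations(f_trace, RHO_P1, {"remove"})),      # 0
    }

if __name__ == "__main__":
    for name, count in slide_scenarios().items():
        print(f"{name}: {count}")
```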

Static Validation

- Based on grammars and parsing trees
- Supports contracts with parameters only
- Analyses all executions of a program; may report false positives
- Uses points-to information to handle multiple instances of a module
- Class Scope Mode: allows the analysis to handle large programs by checking each class individually; calls to other classes are ignored

Static Validation Algorithm

    Require: P: client's program, R: module contract
    for t ∈ threads(P) do
      G_t ← build_grammar(t);
      G′_t ← subword_grammar(G_t);
      for ρ ∈ R do
        T ← parse(G′_t, ρ);
        for τ ∈ T do
          N ← lowest_common_ancestor(τ, ρ);
          if ¬run_atomically(N) then return ERROR;
    return OK;

Illustration of the Static Validation Approach

    void run() {
      if (cond) f();
      else { m.indexOf(); g(); }
    }

    void atomic f() { m.indexOf(); g(); }

    void atomic g() { m.remove(); }

Control-flow graphs, one per method (nonterminals R, F, G):

    R: entry → cond → f() → return
                    ↘ m.indexOf() → g() → return
    F: entry → m.indexOf() → g() → return
    G: entry → m.remove() → return

Grammar built from the control-flow graphs (a = indexOf, b = remove), with the subword rules a → ε and b → ε added so that a clause may be matched anywhere inside a trace:

    R → a G      R → F
    F → a G      G → b
    a → a        b → b
    a → ε        b → ε

Parsing the clause "a b" (indexOf remove) yields two parse trees. In the tree through R → a G the lowest common ancestor of the leaves a and b is R, which does not run atomically, so the algorithm returns ERROR; in the tree through R → F → a G it is F, which is atomic.
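An added example (not the paper's implementation) that runs the static algorithm on the program above: it enumerates the parse trees of the grammar, matches the clause "a b" as a contiguous subword of each derived word (the effect of the subword grammar), takes the lowest common ancestor of the clause's leaves and checks whether that nonterminal is atomic. The grammar, the terminal names a and b, and the atomic set are taken from the slide; the depth limit in derive is an assumption that keeps the enumeration finite for recursive grammars.

```python
GRAMMAR = {                      # nonterminal -> alternatives (right-hand sides)
    "R": [["a", "G"], ["F"]],    # run(): else-branch indexOf(); g()  |  if-branch f()
    "F": [["a", "G"]],           # f(): indexOf(); g()
    "G": [["b"]],                # g(): remove()
}
ATOMIC = {"F", "G"}              # methods declared atomic
INDEXOF_REMOVE = ["a", "b"]      # the clause rho = indexOf remove

def derive(symbol, grammar, depth=0, limit=16):
    """Enumerate (word, tree) pairs derivable from symbol, tree = (symbol, children).
    The depth limit is an assumption that bounds the search for recursive grammars."""
    if symbol not in grammar:                      # terminal: a leaf
        yield [symbol], (symbol, [])
        return
    if depth > limit:
        return
    for rhs in grammar[symbol]:
        partial = [([], [])]                       # product of the RHS symbols' derivations
        for sym in rhs:
            partial = [(word + w2, kids + [t2]) for word, kids in partial
                       for w2, t2 in derive(sym, grammar, depth + 1, limit)]
        for word, kids in partial:
            yield word, (symbol, kids)

def leaf_paths(tree, path=()):
    """Root-to-parent nonterminal path of each leaf, in left-to-right order."""
    symbol, kids = tree
    if not kids:
        yield path
    for kid in kids:
        yield from leaf_paths(kid, path + (symbol,))

def lowest_common_ancestor(paths):
    """Deepest nonterminal shared by all the given root-to-leaf paths."""
    common = None
    for depth in range(min(len(p) for p in paths)):
        if len({p[depth] for p in paths}) != 1:
            break
        common = paths[0][depth]
    return common

def clause_occurrences(clause, grammar, atomic, start="R"):
    """(word, lca, runs_atomically) for every occurrence of clause as a
    contiguous subword of a derivable word, one entry per parse tree."""
    found = []
    n = len(clause)
    for word, tree in derive(start, grammar):
        paths = list(leaf_paths(tree))
        for i in range(len(word) - n + 1):
            if word[i:i + n] == clause:
                lca = lowest_common_ancestor(paths[i:i + n])
                found.append((" ".join(word), lca, lca in atomic))
    return found

def validate(clause, grammar=GRAMMAR, atomic=ATOMIC):
    """ERROR if some parse places the clause under a non-atomic nonterminal, else OK."""
    verdicts = clause_occurrences(clause, grammar, atomic)
    return "OK" if all(ok for _, _, ok in verdicts) else "ERROR"

if __name__ == "__main__":
    for word, lca, ok in clause_occurrences(INDEXOF_REMOVE, GRAMMAR, ATOMIC):
        print(f"clause '{word}' under {lca}: {'atomic' if ok else 'NOT atomic'}")
    print(validate(INDEXOF_REMOVE))
```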

Experimental Results

    Benchmark        Clauses  Contract    False      Potential  Real  SLOC  Time (s)
                              violations  positives  AV         AV
    Allocate Vector  1        1           0          0          1     183   0.120
    Coord03          4        1           0          0          1     151   0.093
    Coord04          2        1           0          0          1     35    0.039
    Jigsaw           1        1           0          0          1     100   0.044
    Local            2        1           0          0          1     24    0.033
    Knight           1        1           0          0          1     135   0.219
    NASA             1        1           0          0          1     89    0.035
    Store            1        1           0          0          1     621   0.090
    StringBuffer     1        1           0          0          1     27    0.032
    UnderReporting   1        1           0          0          1     20    0.029
    VectorFail       2        1           0          0          1     70    0.048
    Account          4        2           0          0          2     42    0.041
    Arithmetic DB    2        2           0          0          2     243   0.272
    Connection       2        2           0          0          2     74    0.058
    Elevator         2        2           0          0          2     268   0.333
    OpenJMS 0.7      6        54          10         28         4     163K  148
    Tomcat 6.0       9        157         16         47         3     239K  3070
    Cassandra 2.0    1        60          24         15         2     192K  246
    Derby 10.10      1        19          5          7          1     793K  522
    Lucene 4.6       3        136         21         76         0     478K  151

AV = atomicity violations.

Dynamic Validation

- Based on the happens-before relation and vector clocks
- Supports both contracts with spoilers and contracts with parameters
- Analyses a concrete execution of a program: if a contract is violated in the execution, it will be detected
- Extrapolation based on the happens-before relation
- Noise injection to force rare interleavings (executions)
- On-the-fly validation: uses a partial trace (trace window); does not require a trace to be available
- Each thread needs to remember: the last instance of each spoiler; the last instance of each target; up to |T| additional instances of each target

Dynamic Validation Algorithm

    Data: trace window υ, event e ∈ E generated by thread t ∈ T
    if ∃ρ ∈ R, r ∈ [ρ]^υ_t : e = end(r) then
      for σ ∈ C(ρ), u ∈ T : u ≠ t do
        if ∃s ∈ [σ]^υ_u : start(s) ⊀hb start(r) ∧ end(r) ⊀hb end(s) then
          r is violated by s;
        if ∃s ∈ [σ]^τ_u : start(s) ∈ υ ∧ end(s) ∉ υ then
          if start(s) ≺hb start(r) then
            if ∃r′ ∈ [ρ]^υ_t : r′ ≠ r ∧ start(s) ⊀hb start(r′) then
              PV_{ρ,σ}(u) = VC_{end(r′)}(t);
      if ∃r′ ∈ [ρ]^υ_t : r′ ≠ r then υ → r′;
    if ∃σ ∈ S, s ∈ [σ]^υ_t : end(s) = e then
      if ∃s′ ∈ [σ]^υ_t : s′ ≠ s then υ → s′;
      for ρ ∈ C(σ), u ∈ T : u ≠ t do
        if ∃r ∈ [ρ]^υ_u : start(s) ⊀hb start(r) ∧ end(r) ⊀hb end(s) then
          r is violated by s;
        if PV_{ρ,σ}(t) ≠ 0 ∧ PV_{ρ,σ}(t) ≤ VC_{end(s)}(u) then
          an instance of ρ is violated by s;

  32. Illustration of the Dynamic Validation Approach void tmain() { thread_create(worker,input); queue_init(); result = queue_receive(); } void worker( void * data) { do_work(); queue_send(result); } Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  33. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 (tmain) (worker) thread_create(worker,input); queue_init(); result = queue_receive(); thread create } void worker( void * data) { thread start do_work(); do work queue_send(result); queue send } queue init queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  34. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 (tmain) (worker) thread_create(worker,input); queue_init(); result = queue_receive(); thread create } void worker( void * data) { thread start do_work(); do work queue_send(result); queue send } queue init Atomicity Violation? queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  35. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 (tmain) (worker) thread_create(worker,input); queue_init(); result = queue_receive(); thread create } void worker( void * data) { thread start do_work(); do work queue_send(result); queue send } queue init Atomicity Violation? No queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  36. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 (tmain) (worker) thread_create(worker,input); queue_init(); result = queue_receive(); thread create } void worker( void * data) { thread start do_work(); do work queue_send(result); queue send } queue init Atomicity Violation? No Data Race? queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  37. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 (tmain) (worker) thread_create(worker,input); queue_init(); result = queue_receive(); thread create } void worker( void * data) { thread start do_work(); do work queue_send(result); lock(q) queue send queue send } unlock(q) lock(q) queue init queue init Atomicity Violation? No unlock(q) Data Race? queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  38. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 (tmain) (worker) thread_create(worker,input); queue_init(); result = queue_receive(); thread create } void worker( void * data) { thread start do_work(); do work queue_send(result); lock(q) queue send queue send } unlock(q) lock(q) queue init queue init Atomicity Violation? No unlock(q) Data Race? No queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  39. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 (tmain) (worker) thread_create(worker,input); queue_init(); result = queue_receive(); thread create } void worker( void * data) { thread start do_work(); do work queue_send(result); lock(q) queue send queue send } unlock(q) lock(q) queue init queue init Atomicity Violation? No unlock(q) Data Race? No queue receive Order Violation! Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  40. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 (tmain) (worker) thread_create(worker,input); queue_init(); result = queue_receive(); thread create } void worker( void * data) { thread start do_work(); do work queue_send(result); lock(q) queue send queue send } unlock(q) lock(q) queue init queue init Atomicity Violation? No unlock(q) Data Race? No queue receive Order Violation! Can we detect it using contracts? Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  41. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 (tmain) (worker) thread_create(worker,input); thread start queue_init(); result = queue_receive(); thread create } void worker( void * data) { thread start do_work(); do work queue_send(result); queue send } queue init queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  42. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 (tmain) (worker) thread_create(worker,input); thread start queue_init(); result = queue_receive(); thread create } void worker( void * data) { thread start do_work(); do work queue_send(result); queue send } queue init Contract: thread start queue init ← { queue send, queue receive } queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  43. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); thread start queue_init(); result = queue_receive(); thread create } void worker( void * data) { thread start do_work(); do work queue_send(result); queue send } queue init Contract: thread start queue init ← { queue send, queue receive } queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  44. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); thread start queue_init(); [1,0] result = queue_receive(); thread create } void worker( void * data) { thread start do_work(); do work queue_send(result); queue send } queue init Contract: thread start queue init ← { queue send, queue receive } queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  45. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); thread start queue_init(); [1,0] result = queue_receive(); thread create } [2,0] void worker( void * data) { thread start do_work(); [1,1] do work queue_send(result); queue send } queue init Contract: thread start queue init ← { queue send, queue receive } queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  46. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); thread start queue_init(); [1,0] result = queue_receive(); thread create } [2,0] void worker( void * data) { thread start do_work(); [1,1] do work queue_send(result); [1,1] queue send } [1,1] queue init Contract: thread start queue init ← { queue send, queue receive } queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  47. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); thread start queue_init(); [1,0] result = queue_receive(); thread create } [2,0] void worker( void * data) { thread start do_work(); [1,1] do work queue_send(result); [1,1] queue send } [1,1] queue init Contract: thread start queue init [2,0] ← { queue send, queue receive } queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  48. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); thread start queue_init(); [1,0] result = queue_receive(); thread create } [2,0] void worker( void * data) { thread start do_work(); [1,1] do work queue_send(result); [1,1] queue send } [1,1] [1,1] queue init Contract: thread start queue init [2,0] ← { queue send, queue receive } queue receive Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  49. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); r thread start queue_init(); [1,0] result = queue_receive(); thread create } [2,0] void worker( void * data) { thread start do_work(); [1,1] do work queue_send(result); [1,1] s queue send } [1,1] [1,1] r queue init Contract: thread start queue init [2,0] ← { queue send, queue receive } queue receive start ( s ) ⊀ hb start ( r ) ∧ end ( r ) ⊀ hb end ( s ) Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  50. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); r thread start queue_init(); [1,0] result = queue_receive(); thread create } [2,0] void worker( void * data) { thread start do_work(); [1,1] do work queue_send(result); [1,1] s queue send } [1,1] e t ≺ hb e u ∼ VC e t ( t ) ≤ VC e u ( t ) [1,1] r queue init Contract: thread start queue init [2,0] ← { queue send, queue receive } queue receive start ( s ) ⊀ hb start ( r ) ∧ end ( r ) ⊀ hb end ( s ) Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  51. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); r thread start queue_init(); [1, 0 ] [1,0] result = queue_receive(); thread create } [2,0] void worker( void * data) { thread start do_work(); [1,1] do work queue_send(result); [1,1] s queue send } [1, 1 ] [1,1] e t ≺ hb e u ∼ VC e t ( t ) ≤ VC e u ( t ) [1,1] r queue init Contract: thread start queue init [2,0] ← { queue send, queue receive } queue receive start ( s ) ⊀ hb start ( r ) ∧ end ( r ) ⊀ hb end ( s ) ¬ ( 1 ≤ 0 ) Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  52. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); r thread start queue_init(); [1,0] [1, 0 ] result = queue_receive(); thread create } [2,0] void worker( void * data) { thread start do_work(); [1,1] do work queue_send(result); [1,1] s queue send } [1,1] [1, 1 ] e t ≺ hb e u ∼ VC e t ( t ) ≤ VC e u ( t ) [ 1 ,1] [1,1] r queue init Contract: thread start queue init [ 2 ,0] [2,0] ← { queue send, queue receive } queue receive start ( s ) ⊀ hb start ( r ) ∧ end ( r ) ⊀ hb end ( s ) ¬ ( 1 ≤ 0 ) ¬ ( 2 ≤ 1 ) ∧ Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  53. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); r thread start queue_init(); [1,0] [1, 0 ] result = queue_receive(); thread create } [2,0] void worker( void * data) { thread start do_work(); [1,1] do work queue_send(result); [1,1] s queue send } [1,1] [1, 1 ] e t ≺ hb e u ∼ VC e t ( t ) ≤ VC e u ( t ) [ 1 ,1] [1,1] r queue init Contract: thread start queue init [2,0] [ 2 ,0] ← { queue send, queue receive } queue receive start ( s ) ⊀ hb start ( r ) ∧ end ( r ) ⊀ hb end ( s ) ¬ ( 1 ≤ 0 ) ¬ ( 2 ≤ 1 ) ∧ Contract violated! Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  54. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); r thread start queue_init(); [1,0] result = queue_receive(); thread create } [2,0] void worker( void * data) { thread start r queue init do_work(); [1,1] [2,0] do work queue_send(result); [1,1] s queue send } [1,1] e t ≺ hb e u ∼ VC e t ( t ) ≤ VC e u ( t ) [1,1] Contract: thread start queue init ← { queue send, queue receive } queue receive start ( s ) ⊀ hb start ( r ) ∧ end ( r ) ⊀ hb end ( s ) Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  55. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); r thread start queue_init(); [1,0] [1, 0 ] result = queue_receive(); thread create } [2,0] void worker( void * data) { thread start r queue init do_work(); [1,1] [ 2 ,0] [2,0] do work queue_send(result); [1,1] s queue send } [1,1] [1, 1 ] e t ≺ hb e u ∼ VC e t ( t ) ≤ VC e u ( t ) [1,1] [ 1 ,1] Contract: thread start queue init ← { queue send, queue receive } queue receive start ( s ) ⊀ hb start ( r ) ∧ end ( r ) ⊀ hb end ( s ) ¬ ( 1 ≤ 0 ) ¬ ( 2 ≤ 1 ) ∧ Contract violated! Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  56. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); r thread start queue_init(); [1,0] [1, 0 ] result = queue_receive(); thread create } [2,0] void worker( void * data) { thread start r queue init do_work(); [1,1] [ 2 ,0] [2,0] do work queue_send(result); [1,1] s queue send } [1,1] [1, 1 ] e t ≺ hb e u ∼ VC e t ( t ) ≤ VC e u ( t ) [ 1 ,1] [1,1] r Contract: thread start queue init ← { queue send, queue receive } queue receive start ( s ) ⊀ hb start ( r ) ∧ end ( r ) ⊀ hb end ( s ) ¬ ( 1 ≤ 0 ) ¬ ( 2 ≤ 1 ) ∧ Extrapolation! Contract violated! Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  57. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); r thread start queue_init(); [1,0] result = queue_receive(); thread create } [2,0] void worker( void * data) { lock(q) thread start r queue init queue init do_work(); [1,1] unlock(q) [1,1] do work queue_send(result); lock(q) s queue send queue send } unlock(q) e t ≺ hb e u ∼ VC e t ( t ) ≤ VC e u ( t ) Contract: thread start queue init ← { queue send, queue receive } queue receive start ( s ) ⊀ hb start ( r ) ∧ end ( r ) ⊀ hb end ( s ) Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  58. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); r thread start queue_init(); [1,0] result = queue_receive(); thread create } [2,0] void worker( void * data) { [2,0] lock(q) thread start r [2,0] queue init queue init do_work(); [1,1] [3,0] unlock(q) [1,1] do work queue_send(result); lock(q) [2,1] s queue send queue send [2,1] } [2,2] unlock(q) e t ≺ hb e u ∼ VC e t ( t ) ≤ VC e u ( t ) Contract: thread start queue init ← { queue send, queue receive } queue receive start ( s ) ⊀ hb start ( r ) ∧ end ( r ) ⊀ hb end ( s ) Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  59. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); r thread start queue_init(); [1,0] result = queue_receive(); thread create } [2,0] void worker( void * data) { [2,0] lock(q) thread start r [2,0] queue init queue init do_work(); [1,1] [3,0] unlock(q) [1,1] do work queue_send(result); lock(q) [2,1] s queue send queue send [2,1][2,1] } [2,2] unlock(q) e t ≺ hb e u ∼ VC e t ( t ) ≤ VC e u ( t ) Contract: thread start queue init ← { queue send, queue receive } queue receive start ( s ) ⊀ hb start ( r ) ∧ end ( r ) ⊀ hb end ( s ) Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  60. Illustration of the Dynamic Validation Approach void tmain() { Thread 1 Thread 2 [1,0] [0,1] (tmain) (worker) thread_create(worker,input); r thread start queue_init(); [1, 0 ] [1,0] result = queue_receive(); thread create } [2,0] void worker( void * data) { [2,0] lock(q) thread start r [ 2 ,0] [2,0] queue init queue init do_work(); [1,1] [3,0] unlock(q) [1,1] do work queue_send(result); lock(q) [2,1] s [2, 1 ] [ 2 ,1] queue send queue send [2,1][2,1] } [2,2] unlock(q) e t ≺ hb e u ∼ VC e t ( t ) ≤ VC e u ( t ) Contract: thread start queue init ← { queue send, queue receive } queue receive start ( s ) ⊀ hb start ( r ) ∧ end ( r ) ⊀ hb end ( s ) ¬ ( 1 ≤ 0 ) ¬ ( 2 ≤ 2 ) ∧ No violation Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17

  61. Illustration of the Dynamic Validation Approach (noise injection)

      void tmain() {
        thread_create(worker, input);
        queue_init();
        result = queue_receive();
      }

      void worker(void *data) {
        do_work();
        queue_send(result);
      }

      Contract: thread_start queue_init ← { queue_send, queue_receive }
      (target r = thread_start … queue_init in Thread 1; spoiler s = queue_send in Thread 2)

      Noise injected into Thread 1 after thread_create delays it, so the worker's queue_send runs before queue_init:

      Thread 1 (tmain)            Thread 2 (worker)
      [1,0] thread start          [0,1]
      [1,0] thread create         [1,1] thread start
            Noise                 [1,1] do work
      [2,1] lock(q)               [1,1] lock(q)
      [2,1] queue init            [1,1] queue send
      [3,1] unlock(q)             [1,2] unlock(q)
            queue receive

      e_t ≺_hb e_u  ⟺  VC_{e_t}(t) ≤ VC_{e_u}(t)

      start(s) ⊀_hb start(r) ∧ end(r) ⊀_hb end(s):  ¬(1 ≤ 0) ∧ ¬(2 ≤ 1)  →  Contract violated!

      Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 13 / 17
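The check on the slide above can be replayed mechanically. The following is an added example written for this page, not code from the paper or from the authors' tool: it stamps a recorded trace with vector clocks, locates target and spoiler instances of the contract `thread_start queue_init ← { queue_send, queue_receive }`, and evaluates `start(s) ⊀_hb start(r) ∧ end(r) ⊀_hb end(s)` for the two interleavings drawn on the slides. The names (`Event`, `vector_clocks`, `check_contract`, `analyse`) and the clock rules (a thread starts with 1 in its own component; `thread_create` and `unlock` publish the current clock and then increment; `thread_start` and `lock` join the published clock) are assumptions chosen to reproduce the stamps on the slide; both traces are constructed by hand.

```python
"""Replaying the vector-clock contract check from the slides on two traces."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

VC = Tuple[int, ...]


@dataclass(frozen=True)
class Event:
    thread: int    # 0 = tmain (Thread 1 on the slide), 1 = worker (Thread 2)
    op: str        # thread_start, thread_create, lock, unlock or a method name
    obj: str = ""  # created thread for thread_create, lock name for lock/unlock


def _join(vc: List[int], other: VC) -> None:
    for i, v in enumerate(other):
        vc[i] = max(vc[i], v)


def vector_clocks(trace: List[Event], nthreads: int) -> List[Tuple[Event, VC]]:
    """Stamp each event with its thread's vector clock at that point.
    Assumed rules (reproduce the slide): thread t starts with 1 in component t;
    thread_create/unlock publish the clock, then increment the sender's component;
    thread_start/lock join the published clock into the receiver's clock."""
    clocks = [[1 if i == t else 0 for i in range(nthreads)] for t in range(nthreads)]
    start_msg: Dict[int, VC] = {}    # created thread -> clock sent by thread_create
    release_msg: Dict[str, VC] = {}  # lock -> clock sent by its last unlock
    stamped: List[Tuple[Event, VC]] = []
    for ev in trace:
        vc = clocks[ev.thread]
        if ev.op == "thread_start" and ev.thread in start_msg:
            _join(vc, start_msg[ev.thread])
        elif ev.op == "lock" and ev.obj in release_msg:
            _join(vc, release_msg[ev.obj])
        stamp = tuple(vc)
        if ev.op == "thread_create":
            start_msg[int(ev.obj)] = stamp
            vc[ev.thread] += 1
        elif ev.op == "unlock":
            release_msg[ev.obj] = stamp
            vc[ev.thread] += 1
        stamped.append((ev, stamp))
    return stamped


def happens_before(e_t: Tuple[Event, VC], e_u: Tuple[Event, VC]) -> bool:
    """e_t <_hb e_u  iff  VC_{e_t}(t) <= VC_{e_u}(t), with t the thread of e_t."""
    t = e_t[0].thread
    return e_t[1][t] <= e_u[1][t]


def check_contract(stamped: List[Tuple[Event, VC]], target: Tuple[str, ...],
                   spoilers: Set[str]) -> List[Tuple[str, int, int]]:
    """Contract 'target <- spoilers': a spoiler instance s may interleave a target
    instance r when start(s) !<_hb start(r) and end(r) !<_hb end(s).
    Returns (spoiler op, spoiler thread, target thread) for every such pair."""
    alphabet = set(target) | spoilers
    per_thread: Dict[int, List[Tuple[Event, VC]]] = {}
    for ev, vc in stamped:                    # contract-relevant calls, per thread
        if ev.op in alphabet:
            per_thread.setdefault(ev.thread, []).append((ev, vc))
    targets, spoiler_calls = [], []
    n = len(target)
    for calls in per_thread.values():
        for i in range(len(calls) - n + 1):   # target = consecutive contract calls
            if tuple(e.op for e, _ in calls[i:i + n]) == target:
                targets.append((calls[i], calls[i + n - 1]))
        spoiler_calls += [c for c in calls if c[0].op in spoilers]  # start == end
    return [(s[0].op, s[0].thread, r_start[0].thread)
            for r_start, r_end in targets for s in spoiler_calls
            if not happens_before(s, r_start) and not happens_before(r_end, s)]


CONTRACT_TARGET = ("thread_start", "queue_init")
CONTRACT_SPOILERS = {"queue_send", "queue_receive"}

# Constructed traces of the slide's program; thread 0 = tmain, 1 = worker, q = queue lock.
TRACE_NO_NOISE = [
    Event(0, "thread_start"), Event(0, "thread_create", "1"),
    Event(0, "lock", "q"), Event(0, "queue_init"), Event(0, "unlock", "q"),
    Event(1, "thread_start"), Event(1, "do_work"),
    Event(1, "lock", "q"), Event(1, "queue_send"), Event(1, "unlock", "q"),
    Event(0, "queue_receive"),
]
# Noise injected into tmain after thread_create: the worker's queue_send runs first.
TRACE_NOISE = [
    Event(0, "thread_start"), Event(0, "thread_create", "1"),
    Event(1, "thread_start"), Event(1, "do_work"),
    Event(1, "lock", "q"), Event(1, "queue_send"), Event(1, "unlock", "q"),
    Event(0, "lock", "q"), Event(0, "queue_init"), Event(0, "unlock", "q"),
    Event(0, "queue_receive"),
]


def analyse(trace: List[Event]):
    """Stamps the trace and returns (stamped events, contract violations)."""
    stamped = vector_clocks(trace, 2)
    return stamped, check_contract(stamped, CONTRACT_TARGET, CONTRACT_SPOILERS)


def stamp_of(stamped: List[Tuple[Event, VC]], op: str) -> VC:
    """Vector clock of the first event with the given operation name."""
    return next(vc for ev, vc in stamped if ev.op == op)
```

`analyse(TRACE_NO_NOISE)` stamps `queue_init` with `(2, 0)` and `queue_send` with `(2, 1)` and reports no violation, because `end(r) ≺_hb end(s)` holds through the lock hand-over (2 ≤ 2). `analyse(TRACE_NOISE)` stamps `queue_send` with `(1, 1)` and `queue_init` with `(2, 1)`, and reports `[("queue_send", 1, 0)]`: neither side is ordered before the other, which is exactly the `¬(1 ≤ 0) ∧ ¬(2 ≤ 1)` on the slide. Note that `queue_receive` in the same thread as the target is never a violation, since program order gives `end(r) ≺_hb end(s)`.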

  65. Discarding Spoilers

      [Figure, built up over slides 65 to 75: four timelines, Thread 1 to Thread 4, carrying the events a1, a2, a3, b1, b3, x1, x2, x3, x4 and y1, y2, y3, y4; the slides carry no further text.]

      Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 14 / 17

  76. Discarding Targets Jan Fiedor (BUT) Verifying Programs using Contracts ICST, March 15, 2017 15 / 17
