verifying concurrent software using movers in cspec
play

Verifying concurrent software using movers in CSPEC Tej Chajed , - PowerPoint PPT Presentation

Sep 18, 2022 •459 likes •1.2k views

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

  1. Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft

  2. Concurrent software is difficult to get right Programmer cannot reason about code in sequence… � 2

  3. Concurrent software is difficult to get right Programmer cannot reason about code in sequence… instead, must consider many executions: � 3

  4. Concurrent software is difficult to get right Programmer cannot reason about code in sequence… instead, must consider many executions: … � 3

  5. Goal: verify concurrent software � 4

  6. Challenge for formal verification • Proofs must also cover every execution • Many approaches to managing this complexity • movers [Lipton, 1975] • rely-guarantee [1983] • RGSep [CONCUR 2007] • FCSL [PLDI 2015] • Iris [POPL 2017, LICS 2018, others] • many others � 5

  7. Challenge for formal verification • Proofs must also cover every execution • Many approaches to managing this complexity • movers [Lipton, 1975] • rely-guarantee [1983] • RGSep [CONCUR 2007] • FCSL [PLDI 2015] • Iris [POPL 2017, LICS 2018, others] • many others • This work: our experience using movers � 5

  8. Movers: reduce concurrent executions to sequential ones time 1 2 3 blue thread 1 A 2 3 B green thread A B � 6

  9. Movers: reduce concurrent executions to sequential ones 1 2 3 blue thread 1 A 2 3 B green thread A B movers has the same e ff ect as 1 2 3 A B � 6

  10. Movers: reduce concurrent executions to sequential ones 1 2 3 blue thread 1 A 2 3 B green thread A B movers has the same e ff ect as 1 2 3 A B sequential reasoning 2 1 3 A B � 6

  11. Prior systems with mover reasoning CIVL [CAV ’15, CAV ’18] framework relies pen & paper proofs IronFleet [SOSP ’15] only move network send/receive � 7

  12. Contribution: CSPEC • Framework for verifying concurrency in systems software • general-purpose movers • patterns to support mover reasoning • machine checked in Coq to support extensibility � 8

  13. Contribution: CSPEC • Framework for verifying concurrency in systems software • general-purpose movers • patterns to support mover reasoning • machine checked in Coq to support extensibility • Case studies using CSPEC • Lock-free file-system concurrency • Spinlock on top of x86-TSO (see paper) � 8

  14. Case study: mail server using file-system concurrency file system spool mbox � 9

  15. Mail servers exploit file-system concurrency # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 10

  16. Mail servers exploit file-system concurrency msg # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 11

  17. Spooling avoids reading partially-written messages $TID =10 # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 12

  18. Spooling avoids reading partially-written messages $TID =10 # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 10 while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 12

  19. Threads use unique IDs to avoid conflicts msg $TID =10 $TID =11 # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 13

  20. Threads use unique IDs to avoid conflicts $TID =10 $TID =11 # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 14

  21. Threads use unique IDs to avoid conflicts $TID =10 $TID =11 # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 11 while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 14

  22. Timestamps help generate unique message names # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 11 while True: 1 2 3 4 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): link(/spool/11, /mbox/4) break # cleanup unlink (“/spool/$TID”) � 15

  23. Timestamps help generate unique message names # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 11 while True: 1 2 3 4 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): link(/spool/10, /mbox/4) break # cleanup EEXISTS ✗ unlink (“/spool/$TID”) � 16

  24. Timestamps help generate unique message names # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 11 while True: 1 2 3 4 5 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): link(/spool/10, /mbox/5) break # cleanup unlink (“/spool/$TID”) � 17

  25. Delivery concurrency does not use locks # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 while True: 1 2 3 4 5 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 18

  26. Delivery concurrency does not use locks # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store while True: 1 2 3 4 5 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 19

  27. Proving delivery correct in CSPEC delivery specification implementation and proof file-system spec CSPEC provides supporting definitions CSPEC and theorems � 20

  28. Proof engineer reasons about file-system operations def deliver(msg): create (“/spool/$TID”, msg) while True: t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break unlink (“/spool/$TID”) create( link( link( unlink( /sp/$TID, /sp/$TID, /sp/$TID, /sp/$TID) msg) /mbox/$t) /mbox/$t) ✓ ✓ ✓ EEXISTS ✗ � 21

  29. Proof engineer reasons about file-system operations collapsed to def deliver(msg): one operation create (“/spool/$TID”) create (“/spool/$TID”, msg) write (“/spool/$TID”, msg) while True: t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break unlink (“/spool/$TID”) create( link( link( unlink( /sp/$TID, /sp/$TID, /sp/$TID, /sp/$TID) msg) /mbox/$t) /mbox/$t) ✓ ✓ ✓ EEXISTS ✗ � 21

  30. Proof engineer reasons about interleaving of file- system operations def deliver(msg): create (“/spool/$TID”, msg) while True: t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break unlink (“/spool/$TID”) create( link( link( unlink( /sp/$TID, /sp/$TID, /sp/$TID, /sp/$TID) create link unlink msg) /mbox/$t) /mbox/$t) ✓ ✓ ✓ ✓ EEXISTS ✗ We assume file-system operations are atomic � 22

  31. Proving atomicity of delivery atomicity : concurrent deliveries appear create create link link link unlink unlink to execute all at once (in some order) ✓ ✓ ✗ deliver deliver create link unlink create link link unlink ✓ ✓ ✗ � 23

  32. Proving atomicity of delivery atomicity : concurrent deliveries appear create create link link link unlink unlink to execute all at once (in some order) ✓ ✓ ✗ Step 1: developer identifies commit point deliver deliver create link unlink create link link unlink ✓ ✓ ✗ � 23

  33. Proving atomicity of delivery atomicity : concurrent deliveries appear create create link link link unlink unlink to execute all at once (in some order) ✓ ✓ ✗ Step 1: developer identifies commit point Step 2: prove operation occurs logically at commit point deliver deliver create link unlink create link link unlink ✓ ✓ ✗ � 23

  34. Example of movers for this execution create create link link link unlink unlink ✓ ✓ ✗ � 24

  35. Example of movers for this execution create create link link link unlink unlink ✓ ✓ ✗ create link create link link unlink unlink ✓ ✓ ✗ � 24

  36. Example of movers for this execution create create link link link unlink unlink ✓ ✓ ✗ create link create link link unlink unlink ✓ ✓ ✗ create link unlink create link link unlink ✓ ✓ ✗ � 24

  37. Right mover can be reordered after any green thread operation A A r r � 25

Recommend

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group NEC Labs America, Princeton, USA www.nec-labs.com Tutorial: Verifying Concurrent Programs Oct 2011 Acknowledgements Malay Ganai, Vineet

982 views • 72 slides
VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark Hillebrand 3 , Dirk Leinenbach 3 , Michal Moskal 2 , Thomas Santen 2 , Wolfram Schulte 4 and Stephan Tobies 2 1 Microsoft Corporation, Redmond, WA, USA 2

553 views • 27 slides
The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed Bouajjani 2 Mohamed Faouzi Atig 1 Tuan Phong Ngo 1 1 Uppsala University 2 IRIF, Universit Paris Diderot & IUF CONCUR 2016 1 Motivation

1.66k views • 118 slides
Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo ao M. Lourenc o, Ale s Smr cka, Diogo G. Sousa, Tom a s Vojnar Brno University of Technology (BUT) Universidade Nova de Lisboa (UNL)

1.54k views • 125 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs with Unbounded Replication D.

774 views • 50 slides
Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri David Pichardie Jan Vitek Yannick Zakowski Why are high level languages difficult to compile? Easy to compile in C Obj.f := v What about Java? A

1.17k views • 73 slides
Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au So

1.94k views • 156 slides
Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Systems verification, broadly impl proof specification 2 Systems verification requires connecting

859 views • 48 slides
Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly University Gyngys, Hungary Synchron 2016 Bamberg December 2016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

486 views • 25 slides
Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Many systems need concurrency and crash safety Examples: file systems, databases, and key-value

852 views • 46 slides
Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University Mooly Sagiv Tel Aviv University Martin Vechev ETH Eran Yahav Technion

458 views • 35 slides
International Network of Movers Contacts International Network of Movers Italian Van Lines Head

International Network of Movers Contacts International Network of Movers Italian Van Lines Head

International Network of Movers Contacts International Network of Movers Italian Van Lines Head Office is in Bari and Operation Office is in Rome. Our network covers the whole Italian territory and our HUBs are located at crucial geographic

485 views • 21 slides
1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm has changed for software services. Developing a full-featured and functioning software service is necessary; however service real time availability

606 views • 19 slides
First*Movers* Research September*18,*2018 First&Mover&Organizations

First*Movers* Research September*18,*2018 First&Mover&Organizations

Presentation*to*the*Boston*Green*Ribbon*Commission First*Movers* Research September*18,*2018 First&Mover&Organizations First&Movers:& Large2scale&property&owners&in&Boston&that&have&

433 views • 17 slides
SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz , Denis Merigoux, Danel Ahman, Guido Martinez ICFP 2020 1/12 Verifying Concurrent Programs Lots of recent work

556 views • 37 slides
Concurrent Programming Is Easy Bertrand Meyer ETH Zurich & Eiffel Software Future Of Software

Concurrent Programming Is Easy Bertrand Meyer ETH Zurich & Eiffel Software Future Of Software

Chair of Software Engineering Concurrent Programming Is Easy Bertrand Meyer ETH Zurich & Eiffel Software Future Of Software Engineering ETH Zurich Symposium, November 2010 Two topics 1. Concurrent Programming Is Easy 2. Developments at

884 views • 51 slides
Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to Fault Injection Attacks Jakub Breier, Dirmanto Jap, and Shivam Bhasin Presenter: Wei He Physical Analysis and Cryptographic Engineering Nanyang

525 views • 26 slides
Verifying Multithreaded Software with Impact Bj orn Wachter , Daniel Kroening and Jo el

Verifying Multithreaded Software with Impact Bj orn Wachter , Daniel Kroening and Jo el

Verifying Multithreaded Software with Impact Bj orn Wachter , Daniel Kroening and Jo el Ouaknine University of Oxford Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers, web servers,

1.06k views • 59 slides
Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan, Franois Pottier August, 2020 ICFP, New York LRI & Inria, Paris, France This talk Our aim: Verifying fine-grained concurrent

511 views • 38 slides
Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman

Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman

Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman Kodak Company Research Laboratories 14 July 2008 AFM 08 (Note: E-version distributed at CAV is the preliminary, not final version) Context

455 views • 44 slides
Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov

Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov

Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov Ivannikov Institute For System Programming of RAS ilja.zakharov@ispras.ru Klever Verification Framework Intended for finding bugs in large software

546 views • 32 slides

More recommend