abstraction-guided synthesis of synchronization
DESCRIPTION
Martin Vechev. Eran Yahav. Greta Yorsh. Abstraction-Guided Synthesis of Synchronization. IBM Research. Challenge: Correct and Efficient Synchronization. T1(). T2(). T3(). { …………………………… ……………………. … }. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/1.jpg)
ABSTRACTION-GUIDED SYNTHESIS
OF SYNCHRONIZATIONGreta YorshEran YahavMartin Vechev
IBM Research
![Page 2: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/2.jpg)
{ ……………… …… …………………. …………………….…………………………}
T1()
Challenge: Correct and Efficient Synchronization
{ …………………………… ……………………. …}
T2()
atomic
atomic
{ ………………….. …… ……………………. ……………… ……………………}
T3()
atomic
Assist the programmer by automatically inferring correct and efficient synchronization
![Page 3: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/3.jpg)
Challenge: Correct and Efficient Synchronization
{ ……………… …… …………………. …………………….…………………………}
T1(){ …………………………… ……………………. …}
T2(){ ………………….. …… ……………………. ……………… ……………………}
T3()
Assist the programmer by automatically inferring correct and efficient synchronization
![Page 4: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/4.jpg)
Challenge
Find minimal synchronization that makes the program satisfy the specification Avoid all bad interleaving while permitting
as many good interleavings as possible
Handle infinite-state programs
![Page 5: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/5.jpg)
Change the abstraction to match the program
A Standard Approach: Abstraction Refinement
program
specification
Abstractcounterexample
abstraction
Verify
Refine
![Page 6: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/6.jpg)
synchronized program
A Standard Approach: Abstraction Refinement
concurrent program
safety specificati
on
Abstractcounterexample
state abstractio
n
Verify
Restrict
Refine
Change the program to match the abstraction
![Page 7: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/7.jpg)
Our Approach
Synthesis of synchronization via abstract interpretation Compute over-approximation of all possible program
executions Add minimal atomics to avoid (over-approximation
of) bad interleavings
Interplay between abstraction and synchronization Finer abstraction may enable finer synchronization Coarse synchronization may enable coarser
abstraction
![Page 8: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/8.jpg)
AGS Algorithm – High Level
= true
while(true) {
Traces = { | (P ) and S }
if (Traces is empty) return implement(P,)
select Traces
if (?) {
’ = avoid()
if (’ is false) abort else = ’
} else {
’ = refine(, ) if ( = ‘) abort else = ‘
}
}
Input: Program P, Specification S, Abstraction
Output: Program P’ satisfying S under
![Page 9: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/9.jpg)
Avoiding an interleaving
By adding atomicity constraints Atomicity predicate [l1,l2] – no context switch
allowed between execution of statements at l1 and l2
avoid() A disjunction of all possible atomicity
predicates that would prevent Example
= A1 B1 A2 B2 avoid() = [A1,A2] [B1,B2]
(abuse of notation)
![Page 10: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/10.jpg)
Example
T1
1: x += z 2: x += z
T2
1: z++ 2: z++
T3
1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)
f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5}
![Page 11: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/11.jpg)
Example: Parity Abstraction
0 2 3
12345
4
6
y2
y1
1
Concrete values0 2 3
12345
4
6
y2
y1
1
Parity abstraction (even/odd)
![Page 12: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/12.jpg)
Example: Avoiding Bad Interleavings
avoid(1) = [z++,z++]
= [z++,z++] = true
= true while(true) {
Traces={|(P ) and S }
if (Traces is empty) return implement(P,)
select Traces if (?) { = avoid() } else { = refine(, ) } }
![Page 13: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/13.jpg)
Example: Avoiding Bad Interleavings
avoid(2) =[x+=z,x+=z]
= [z++,z++] = [z++,z++][x+=z,x+=z]
= true while(true) {
Traces={|(P ) and S }
if (Traces is empty) return implement(P,)
select Traces if (?) { = avoid() } else { = refine(, ) } }
![Page 14: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/14.jpg)
Example: Avoiding Bad Interleavings
T1
1: x += z 2: x += z
T2
1: z++ 2: z++
T3
1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)
= [z++,z++][x+=z,x+=z]
= true while(true) {
Traces={|(P ) and S }
if (Traces is empty) return implement(P,)
select Traces if (?) { = avoid() } else { = refine(, ) } }
![Page 15: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/15.jpg)
0 2 3
12345
4
6
y2
y1
1
parity
0 1 2 3
12345
4
6
0 1 2 3
12345
4
6 parity parity
x+=z;
x+=z z++; z++;y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;y1=f(x)y2=xassert y1!= y2
T1
T2
T3
Example: Avoiding Bad Interleavings
But we can also refine the abstraction…
![Page 16: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/16.jpg)
0 2 3
12345
4
6
y2
y1
1
0 1 2 3
12345
4
6
0 1 2 3
12345
4
6
parity
interval
octagon
0 1 2 3
12345
4
6
0 1 2 3
12345
4
6
0 1 2 3
12345
4
6
0 1 2 3
12345
4
6
(a) (b) (c)
(d) (e)
(f) (g)
parity parity
interval
octagon
x+=z;
x+=z z++; z++;y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;y1=f(x)y2=xassert y1!= y2
T1
T2
T3
![Page 17: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/17.jpg)
Quantitative Synthesis
Performance: smallest atomic sections
Interval abstraction for our example produces the atomicity constraint:
([x+=z,x+=z] ∨ [z++,z++]) ∧ ([y1=f(x),y2=x] ∨ [x+=z,x+=z] ∨ [z++,z++])
Minimal satisfying assignments 1 = [z++,z++] 2 = [x+=z,x+=z]
![Page 18: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/18.jpg)
Choosing between abstraction refinement and program restriction- not always possible to refine/avoid- may try and backtrack
AGS Algorithm – More DetailsInput: Program P, Specification S, Abstraction
Output: Program P’ satisfying S under
Forward Abstract Interpretation, taking
into account for pruning infeasible
interleavings = true while(true) {
Traces = { | (P ) and S } if (Traces is empty) return implement(P,)
select Traces if (?) { = avoid() } else { = refine(, ) } }
Backward exploration of invalid Interleavings using to prune infeasible interleavings.
Order of selection matters
Up to this point did not commit to a
synchronization mechanism
![Page 19: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/19.jpg)
Implementability
No program transformations (e.g., loop unrolling) Memoryless strategy
T1
1: while(*) { 2: x++ 3: x++ 4: }
T2
1: assert (x != 1)
Separation between schedule constraints and how they are realized Can realize in program: atomic sections,
locks,… Can realize in scheduler: benevolent
scheduler
![Page 20: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/20.jpg)
0,00,0
0,10,2 2,0
0,0
1,10,2 2,1
0,2
2,21,22,1
1,2
3,22,2
y=2
if (y==0)
x++
x+=1
if (y==0)
y=2
x+=1
T1
0: if (y==0) goto L1: x++2: L:
T2
0: y=21: x+=12: assert x !=y
Choosing a trace to avoid
![Page 21: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/21.jpg)
Examples Intuition
If we can show disjoint access we can avoid synchronization
Requires abstractions rich enough to capture access pattern to shared data
Parity
Intervals
![Page 22: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/22.jpg)
Examples
Program Refine Steps Avoid Steps
Double buffering
1 2
Defragmentation
1 8
3D array update
2 23
Array Removal 1 17Array Init 1 56
![Page 23: Abstraction-Guided Synthesis of Synchronization](https://reader036.vdocuments.mx/reader036/viewer/2022062520/568161c9550346895dd1aefc/html5/thumbnails/23.jpg)
Summary
An algorithm for Abstraction-Guided Synthesis Synthesize efficient and correct synchronization Handles infinite-state systems based on abstract
interpretation Refine the abstraction and/or restrict program
behavior Interplay between abstraction and synchronization
Quantitative Synthesis Separate characterization of solution from choosing
optimal solutions (e.g., smallest atomic sections)