computer-aided concurrent programming€¦ · overviewtrace setsexplicit synthesisimplicit...

Overview Trace Sets Explicit Synthesis Implicit Synthesis Conclusion

Computer-Aided Concurrent ProgrammingUsing Concurrent Trace Sets

Roopsha Samanta

IST Austria

Joint work with Pavol Cerný, Edmund M. Clarke, Ashutosh Gupta,Tom Henzinger, Arjun Radhakrishna, Leonid Ryzhyk and

Thorsten Tarrach

22 June, 2015

Roopsha Samanta Computer-Aided Concurrent Programming 1 / 32


Computer-aided Concurrent Programming



Basic Scheme

Synchronizationsynthesis engine

Incorrectconcurrent program C

Correctness criterion

Correctconcurrent program C′

Programmer:

Skips tricky synchronization

Ensures sequential correctness

Tool:

Inserts synchronization

Ensures correct-by-completion



CEGIS Scheme

init: C′ = C

C′ correct?

Insert synchronization,eliminate cex, obtain new C′

init: C′ = C

C′ correct?

Obtain new C′:Synthesize synchronization to

eliminate error trace

Yes

No

Incorrect program C

Correctness criterion Correct program C′



Accelerated CEGIS Scheme

init: C′ = C

C′ correct?

init: C′ = C

C′ correct?

Obtain new C′:Synthesize synchronization to

eliminate error trace set

Yes

No

Incorrect program C

Correctness criterion Correct program C′

Cerný, Henzinger, Radhakrishna, Ryzhyk and Tarrach.Efficient Synthesis of Concurrency by Semantics-Preserving Transformations. CAV13



Concurrent Trace Sets and their Representation

Gupta, Henzinger, Radhakrishna, Samanta and Tarrach.Succinct Representation of Concurrent Trace Sets. POPL15



Concurrent Trace

globals: int balance, initial, withdrawal, deposit, withdrawaldone, depositdone;init: initial = balance, withdrawaldone = 0, depositdone = 0;

thread_withdraw:locals: int temp;TW[1]: temp := balance;TW[2]: balance := temp - withdrawal;TW[3]: withdrawaldone := 1;

thread_deposit:localvars: int temp;TD[1]: temp := balance;TD[2]: balance := temp + deposit;TD[3]: depositdone := 1;

thread_checkresult:TC[1]: if (depositdone = 1 and withdrawaldone = 1)TC[2]: assert (balance = initial + deposit - withdrawal);



Concurrent Trace

globals: int b, i, w, d, wd, dd;init: i = b, wd = 0, dd = 0;

thread_withdraw:locals: int temp;TW[1]: temp := b;TW[2]: b := temp - w;TW[3]: wd := 1;

thread_deposit:localvars: int temp;TD[1]: temp := b;TD[2]: b := temp + d;TD[3]: dd := 1;

thread_checkresult:TC[1]: if (dd = 1 and wd = 1)TC[2]: assert (b = i + d - w);



Concurrent Trace

globals: int b, i, w, d, wd, dd;init: i = b, wd = 0, dd = 0;thread_withdraw:locals: int temp;TW[1]: temp := b;TW[2]: b := temp - w;TW[3]: wd := 1;thread_deposit:localvars: int temp;TD[1]: temp := b;TD[2]: b := temp + d;TD[3]: dd := 1;thread_checkresult:TC[1]: if (dd = 1 and wd = 1)TC[2]: assert (b = i + d - w);

Valuations:(b, i, w, d, wd, dd, temp)

Concurrent Execution:(100, 100, 10, 20, 0, 0, 0)TW[1] : temp := b;(100, 100, 10, 20, 0, 0, 100)TW[2] : b := temp− w;(90, 100, 10, 20, 0, 0, 100)TW[3] : wd := 1;(90, 100, 10, 20, 1, 0, 0)TD[1] : temp := b;(90, 100, 10, 20, 1, 0, 90)TD[2] : b := temp + d;(120, 100, 10, 20, 1, 0, 90)TD[3] : dd := 1;(120, 100, 10, 20, 1, 1, 0)TC[1] : assume(dd = 1 and wd = 1);(120, 100, 10, 20, 1, 1, 0)TC[2] : assert(b = i + d− w);(120, 100, 10, 20, 1, 1, 0)



Concurrent Trace


Concurrent Trace, τ :TW[1] : temp := b;TW[2] : b := temp− w;TW[3] : wd := 1;TD[1] : temp := b;TD[2] : b := temp + d;TD[3] : dd := 1;TC[1] : assume(dd = 1 and wd = 1);TC[2] : assert(b = i + d− w);



Concurrent Trace Neighbourhood


Concurrent Trace Neighbourhood(τ ):{TW[1] : temp := b;TW[2] : b := temp− w;TW[3] : wd := 1;TD[1] : temp := b;TD[2] : b := temp + d;TD[3] : dd := 1;TC[1] : assume(dd = 1andwd = 1);TC[2] : assert(b = i + d− w); ,

TW[1] : temp := b;TD[1] : temp := b;TW[2] : b := temp− w;TD[2] : b := temp + d;TW[3] : wd := 1;TD[3] : dd := 1;TC[1] : assume(dd = 1 and wd = 1);TC[2] : assert(b = i + d− w); ,

.

.

.}



The Good and the Bad


Good Neighbourhood(τ ):{TW[1] : temp := b;TW[2] : b := temp− w;TW[3] : wd := 1;TD[1] : temp := b;TD[2] : b := temp + d;TD[3] : dd := 1;TC[1] : assume(dd = 1 and wd = 1);TC[2] : assert(b = i + d− w); ,

TD[1] : temp := b;TD[2] : b := temp + d;TW[1] : temp := b;TW[2] : b := temp− w;TW[3] : wd := 1;TD[3] : dd := 1;TC[1] : assume(dd = 1 and wd = 1);TC[2] : assert(b = i + d− w); ,

.

.

.}



The Good and the Bad


Bad Neighbourhood(τ ):{TD[1] : temp := b;TW[1] : temp := b;TW[2] : b := temp− w;TW[3] : wd := 1;TD[2] : b := temp + d;TD[3] : dd := 1;TC[1] : assume(dd = 1 and wd = 1);TC[2] : assert(b = i + d− w); ,

TW[1] : temp := b;TD[1] : temp := b;TW[2] : b := temp− w;TD[2] : b := temp + d;TW[3] : wd := 1;TD[3] : dd := 1;TC[1] : assume(dd = 1 and wd = 1);TC[2] : assert(b = i + d− w); ,

.

.

.}



Trace Neighbourhoods as HB-formulas

Boolean combinations of happens-beforeordering constraints (hb) between events




globals: int i, w, d, b, dd, wd;init: i = b, dd = 0, wd = 0;thread_withdraw:locals: int temp;TW[1]: temp := b;TW[2]: b := temp - w;TW[3]: wd := 1;thread_deposit:localvars: int temp;TD[1]: temp := b;TD[2]: b := temp + d;TD[3]: dd := 1;thread_checkresult:TC[1]: if (dd = 1 and wd = 1)TC[2]: assert (b = i + d - w);

Bad Neighbourhood:φB = hb(TW[1],TD[2]) ∧ hb(TD[1],TW[2])

Good Neighbourhood:φG = hb(TD[2],TW[1]) ∨ hb(TW[2],TD[1])




Can express arbitrary concurrent trace setsIntuitively appealingCan drive diverse concurrency applicationsSuccinct



HB-formula Generation by TARA

Iterations Total time Size of φBName #P/#I #π/#Disj. Alg.1 Alg.2 Alg.1 Alg.2 Alg.1 Alg.2reorder_2 2/3 2/2.0 1 1 18ms 28ms 1/2.0 1/2.0define_use 2/4 2/2.0 1 1 15ms 22ms 1/2.0 1/1.0em28xx 2/8 4/2.0 1 1 16ms 25ms 1/2.0 1/1.02stage 2/8 5/1.4 8 1 26ms 32ms 8/3.8 1/2.0drbd_receiver 2/9 5/1.6 40 1 42ms 28ms 40/3.9 1/1.0locks 3/8 10/1.6 12 2 27ms 37ms 12/5.5 2/4.0md 3/11 4/1.8 40 1 76ms 33ms 40/6.1 1/1.0lazy01 3/12 6/3.7 2 2 31ms 57ms 2/3.0 2/2.0locks_hb 4/13 10/2.2 >29.0k 7 TO 119ms TO 6/3.0lc_rc 4/14 8/2.0 4.6k 1 21.4s 37ms 4.6k/16.7 1/1.0barrier_locks 3/18 17/2.6 10.6k 6 1.4min 521ms 10.6k/10.0 4/1.5stateful01 3/19 10/3.4 2.3k 2 10.5s 84ms 2.3k/9.4 2/1.0loop 2/38 14/2.7 2 1 38ms 72ms 2/3.0 1/2.0i2c_hid 2/42 26/4.5 >23.4k 3 TO 615ms TO 3/1.3read_write_lock 4/22 16/3.4 9.2k 4 1.6min 319ms 9.2k/16.1 4/3.0fib_bench 3/39 24/3.6 >20.5k 2 TO 2.3s TO 2/10.0rtl8169-1 7/71 22/2.7 >20.4k 1 TO 111ms TO 1/2.0rtl8169-2 7/116 41/2.3 >7.3k 1 TO 463ms TO 1/1.0rtl8169-5 7/134 48/3.1 >5.5k 1 TO 1.5s TO 1/1.0rtl8169-4 7/142 48/3.0 >8.4k 9 TO 3.8s TO 2/1.0rtl8169-6 7/144 52/2.9 >8.1k 1 TO 887ms TO 1/1.0usb_serial-1 7/151 87/3.7 >5.5k 1 TO 1.9s TO 1/1.0usb_serial-2 7/163 93/3.6 >4.4k 3 TO 4.4s TO 1/1.0usb_serial-3 7/178 100/3.7 >4.3k 1 TO 2.1s TO 1/1.0rtl8169-3 8/174 61/3.6 >4.2k 2 TO 2.7s TO 1/1.0



Synchronization SynthesisExplicit Specifications (Assertions)

Gupta, Henzinger, Radhakrishna, Samanta and Tarrach.Succinct Representation of Concurrent Trace Sets. POPL15



Goal

init: C′ = C

C′ correct?

init: C′ = C

C′ correct?

Obtain new C′:Insert synchronization toeliminate error trace set

Yes

No

Incorrect program C

Assertions Correct program C′



Solution Sketch

Identify HB-formula patterns for synch. primitivesFormulate rewrite rulesRepeatedly rewrite patterns in φG into synch. primitives



TARA Scheme

init: C′ = C

C′ correct?

Generalize cex into HB-formula

Rewrite HB-formula into synch.primitives using patterns

Apply fixes to obtain new C′

init: C′ = C

C′ correct?

Generalize cex into HB-formula

Rewrite HB-formula into synch.primitives using patterns

Apply fixes to obtain new C′

Yes

No

Incorrect program C

Assertions Correct program C′



Example


Good neighbourhood:hb(TD[2],TW[1]) ∨ hb(TW[2],TD[1])



Example

globals: int b, i, w, d, wd, dd,;init: i = b, wd = 0, dd = 0;thread_withdraw:locals: int temp;TW[1]: temp := b;TW[2]: b := temp - w;TW[3]: wd := 1;thread_deposit:localvars: int temp;TD[1]: temp := b;TD[2]: b := temp + d;TD[3]: dd := 1;thread_checkresult:TC[1]: if (dd = 1 and wd = 1)TC[2]: assert (b = i + d - w);

Good neighbourhood:

hb(TD[2],TW[1]) ∨ hb(TW[2],TD[1])

Lk(TD[1 : 2],TW[1 : 2]

)



Rewrite Rules

LocksWait-notifyShared exclusive locksMultithreaded locksBarriersMultithreaded barriersMerging locks (to avoid deadlocks)



Synchronization SynthesisImplicit Specifications

Cerný, Clarke, Henzinger, Radhakrishna, Ryzhyk, Samanta and Tarrach.From Non-preemptive to Preemptive Scheduling using Synchronization Synthesis.

CAV15



Friendly and Aggressive Schedulers

Friendly ≈ Non-preemptiveThread descheduled only if it yields controle.g., blocking operations

Aggressive ≈ PreemptiveThread can be descheduled at any point

Programmer ensures correctness under friendly scheduler



Target Scenario

Module with interfaces

Observations: calls to interfaces

Implicit specification:Observation sequences underfriendly scheduler, [[C]]F

C :

globals: int open := 0;

void open_dev()if (open==0)

power_up();open := open+1;yield;

void close_dev()if (open>0)

open := open-1;if (open==0)

power_down();yield;



Implicit Specification

[[C]]F :

power_up()power_down()power_up()power_down()

...

open = 0

init: open := 0;

T1:void open_dev()

−→ if (open==0)power_up();

open := open+1;yield;

void close_dev()if (open>0)open := open-1;if (open==0)

power_down();yield;

T2:void open_dev()




power_down();yield;




[[C]]F :

power_up()

power_down()power_up()power_down()

...

open = 0

init: open := 0;

T1:void open_dev()if (open==0)

−→ power_up();open := open+1;yield;


power_down();yield;

T2:void open_dev()




power_down();yield;




[[C]]F :

power_up()


...

open = 1

init: open := 0;

T1:void open_dev()if (open==0)power_up();

−→ open := open+1;yield;


power_down();yield;

T2:void open_dev()




power_down();yield;




[[C]]F :

power_up()


...

open = 1

init: open := 0;


open := open+1;−→ yield;


power_down();yield;

T2:void open_dev()




power_down();yield;




[[C]]F :

power_up()


...

open = 1

init: open := 0;



void close_dev()−→ if (open>0)


power_down();yield;

T2:void open_dev()




power_down();yield;




[[C]]F :

power_up()


...

open = 2

init: open := 0;





power_down();yield;




power_down();yield;




[[C]]F :

power_up()


...

open = 2

init: open := 0;





power_down();yield;





power_down();yield;




[[C]]F :

power_up()


...

open = 1

init: open := 0;




−→ open := open-1;if (open==0)

power_down();yield;





power_down();yield;




[[C]]F :

power_up()


...

open = 1

init: open := 0;



void close_dev()if (open>0)open := open-1;

−→ if (open==0)power_down();

yield;





power_down();yield;




[[C]]F :

power_up()


...

open = 1

init: open := 0;




power_down();−→ yield;





power_down();yield;




[[C]]F :

power_up()


...

open = 1

init: open := 0;

T1:void open_dev()




power_down();yield;





power_down();yield;




[[C]]F :

power_up()


...

open = 0

init: open := 0;

T1:void open_dev()




power_down();yield;




−→ open := open-1;if (open==0)

power_down();yield;




[[C]]F :

power_up()


...

open = 0

init: open := 0;

T1:void open_dev()




power_down();yield;



void close_dev()if (open>0)open := open-1;

−→ if (open==0)power_down();

yield;




[[C]]F :

power_up()power_down()


...

open = 0

init: open := 0;

T1:void open_dev()




power_down();yield;




−→ power_down();yield;




[[C]]F :



...

open = 0

init: open := 0;

T1:void open_dev()




power_down();yield;




power_down();−→ yield;




[[C]]F :

power_up()power_down()power_up()

power_down()...

init: open := 0;




power_down();yield;




power_down();yield;




[[C]]F :

power_up()power_down()power_up()power_down()

...

init: open := 0;




power_down();yield;




power_down();yield;



Correctness Criterion: Preemption-safety

Given C and C′ obtained by inserting synchronization to C,C′ is preemption-safe w.r.t. C if: [[C′]]A ⊆ [[C]]F .



Back to our Example

[[C]]A :

power_up()power_up()

...

6∈ [[C]]F

C is not preemption-safe

open = 0

init: open := 0;

T1:void open_dev()




power_down();yield;

T2:void open_dev()




power_down();yield;



Back to our Example

[[C]]A :


...

6∈ [[C]]F


open = 0

init: open := 0;




power_down();yield;

T2:void open_dev()




power_down();yield;



Back to our Example

[[C]]A :

power_up()

power_up()...

6∈ [[C]]F


open = 0

init: open := 0;




power_down();yield;




power_down();yield;



Back to our Example

[[C]]A :

power_up()

power_up()...

6∈ [[C]]F


open = 1

init: open := 0;




power_down();yield;




power_down();yield;



Back to our Example

[[C]]A :


...

6∈ [[C]]F


open = 1

init: open := 0;





power_down();yield;




power_down();yield;



Back to our Example

[[C]]A :


...

6∈ [[C]]F


open = 2

init: open := 0;





power_down();yield;




power_down();yield;



Back to our Example

[[C]]A :


...

6∈ [[C]]F


init: open := 0;





power_down();yield;





power_down();yield;



Abstraction for Efficiency

globals: int open := 0;

void open_dev()[1]: if (open==0)[2]: power_up();[3]: open := open+1;[4]: yield;

void close_dev()[5]: if (open>0)[6]: open := open-1;[7]: if (open==0)[8]: power_down();[9]: yield;

void open_dev_abs()[1]: (A) r open;

if (*)[2]: (B) w dev;[3]: (C) r open;

(D) w open;[4]: yield;

void close_dev_abs()[5]: (E) r open;

if (*)[6]: (F) r open;

(G) w open;[7]: (H) r open;

if (*)[8]: (I) w dev;[9]: yield;



Correctness Criterion under Abstraction

Observations:Type of access to memory locations and branching choices

Classical independence relation I:Accesses to different locations are independentRead accesses to the same location are independent

Observational equivalence of abstract traces:Equality modulo I

Correctness criterion: Preemption-safety



Soundness of Abstraction

Preemption-safety under abstraction⇒ Preemption safety



Precision of Abstraction?

[[C]]AABS :

(T1.A) r open(T2.A) r open(T1.B) w dev(T1.C) r open(T1.D) w open(T2.B) w dev(T2.C) r open(T2.D) w open

...

6∈ [[C]]FABS

C is not preemption-safeunder abstraction

T1:void open_dev_abs()(A) r open;

if (*)(B) w dev;

(C) r open;(D) w open;yield;

void close_dev_abs()(E) r open;

if (*)(F) r open;(G) w open;(H) r open;if (*)

(I) w dev;yield;

T2:void open_dev_abs()(A) r open;

if (*)(B) w dev;

(C) r open;(D) w open;yield;

void close_dev_abs()(E) r open;

if (*)(F) r open;(G) w open;(H) r open;if (*)

(I) w dev;yield;



Brief note on the rest

Abstract semantics to automata

Preemption-safety to language inclusion modulo IKnown to be undecidable

We define k -bounded language inclusion modulo IAnd develop decision procedure




Abstract semantics to automataPreemption-safety to language inclusion modulo I

Known to be undecidable

We define k -bounded language inclusion modulo IAnd develop decision procedure




Abstract semantics to automataPreemption-safety to language inclusion modulo I

Known to be undecidableWe define k -bounded language inclusion modulo I

And develop decision procedure



LISS Scheme

init: C′ = C

k = 1

k -boundedlang. inclusion?

Cex spurious?

Obtain new C′ ([POPL15]) k = k + 1

init: C′ = C

k = 1

k -boundedlang. inclusion?

Cex spurious?

Obtain new C′ ([POPL15]) k = k + 1

Yes

No

No Yes

Incorrect C

Preemption-safety Correct C′



LISS

Evaluated on device driver benchmarks

LISS detected and eliminated all but two known racesIncluding one that we previously missed (missing assertion)

Our abstraction turned out highly efficientOur abstraction turned out very precise



LISS

Evaluated on device driver benchmarksLISS detected and eliminated all but two known races

Including one that we previously missed (missing assertion)




LISS



Our abstraction turned out highly efficient

Our abstraction turned out very precise



LISS






Experiments

Name LOC Th It MB BF(s) Syn(s) Ver(s) CR(s)ex1.c 18 2 1 1 <1s <1s <1s <1sex2.c 23 2 1 1 <1s <1s <1s <1sex3.c 37 2 1 1 <1s <1s <1s <1sex5.c 42 2 3 1 <1s <1s 2s <1slc-rc.c 35 4 0 1 - - <1s 9sdv1394.c 37 2 1 1 <1s <1s <1s 17sem28xx.c 20 2 1 1 <1s <1s <1s <1sf_acm.c 80 3 1 1 <1s <1s <1s 1871.99si915_irq.c 17 2 1 1 <1s <1s <1s 2.6sipath.c 23 2 1 1 <1s <1s <1s 12siwl3945.c 26 3 1 1 <1s <1s <1s 5smd.c 35 2 1 1 <1s <1s <1s 1.5smyri10ge.c 60 4 2 1 - - <1s 1.5susb-serial.bug1.c 357 7 2 1 0.4s 3.1s 3.4susb-serial.bug2.c 355 7 1 3 0.7s 2.1s 12.9s 3563susb-serial.bug3.c 352 7 1 4 3.8s 1.3s 111.1susb-serial.bug4.c 351 7 1 4 93.9s 2.4s 123.1susb-serial.c 357 7 1 4 - - 103.2s 1200s



Experiments

Name LOC Th It MB BF(s) Syn(s) Ver(s) CR(s)cpmac.bug1.c 1275 5 1 1 1.3s 113.4s 21.9s -cpmac.bug2.c 1275 5 1 1 3.3s 68.4s 27.8s -cpmac.bug3.c 1270 5 1 1 5.4s 111.3s 8.7s -cpmac.bug4.c 1276 5 2 1 2.4s 124.8s 31.5s -cpmac.bug5.c 1275 5 1 1 2.8s 112.0s 58.0s -cpmac.c 545 5 1 1 - - 17.4s -



Conclusion

A method and a tool TARA for succinct representations oftrace neighbourhoods.

Synchronization synthesis (explicit specifications)Bug summarizationCEGAR acceleration

A method and a tool LISS for synchronization synthesisfrom implicit specificationsOngoing work: Quality of synthesized solution

Deadlock-freedomValid locksPeformance


computer-aided concurrent programming€¦ · overviewtrace setsexplicit synthesisimplicit...

Documents