![Page 1: PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56649f145503460f94c2943e/html5/thumbnails/1.jpg)
PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS
Martin Vechev Eran Yahav Greta Yorsh
IBM T.J. Watson Research Center
Plan
• Motivation
• Case Study: Concurrent Data Structures
• Hoare's CCR (Finite State)
• Abstract Interpretation Based Synthesis
• Memory Fences (Optional)
Concurrency is Important
Concurrency is Hard
“…I develop Mozilla full time all day, and I get this lockup maybe once a day…”
Concurrency is Hard
“…For nearly two weeks I thought the above solution was correct, until I started to try to prove its correctness...it turned out to be wrong…
So there I was. Fooled again.”
-- Edsger W. Dijkstra
Problem
Manually Finding Correct and Efficient Synchronization
Our Approach
Automatically Infer Correct and Efficient Synchronization
Input
• Believable starting point
  – Intuitive to a programmer, e.g. a sequential program
• Specification should be easy to write
  – Reusable, e.g. sequential consistency
• Some quantitative notion of efficiency
  – E.g. fewer locks
Output
• Output should be a program
  – Synchronization implemented in the language
• Output program(s) should be correct
  – With respect to the specification (checked or verified)
• Output program(s) should be optimal
  – With respect to the efficiency measure
Concurrent Data Structures
• Applications (typically) have to share data
• Need to synchronize
• Concurrent data structures are critical for performance
  – Used in various language runtimes, kernels, etc.
• Coarse locks are often a bad idea
  – A single thread holding the lock can stop global system progress
  – Coarse-grained locking leads to contention
  – Fine-grained locking is tricky to get right (deadlocks)
Concurrent Data Structures

popRight from “Even better DCAS-based concurrent deques”, DISC 2000: 2 errors in < 20 lines of code!

```c
val popRight() {
  while (true) {
    rh = RightHat;
    lh = LeftHat;
    if (rh->R == rh) return "empty";
    if (rh == lh) {
      if (DCAS(&RightHat, &LeftHat, rh, lh, Dummy, Dummy))
        return rh->V;
    } else {
      rhL = rh->L;
      if (DCAS(&RightHat, &rh->L, rh, rhL, rhL, rh)) {
        result = rh->V;
        rh->R = Dummy;
        return result;
      }
    }
  }
}
```
Existing Approaches for Concurrent Object Construction

[Figure: approaches plotted by manual effort against performance: Sequential, Naïve STM, Fine-grained STM, Expert Design. The goal of this work is marked as high performance at low manual effort.]
Sequential to Highly Concurrent Sets

Input: a sequential set whose operations run as one atomic block (the believable starting point):

```c
bool add(int key) {
  atomic {
    Entry *pred, *curr, *entry;
    locate(pred, curr, key);
    k = (curr->key == key);
    if (k) return false;
    entry = new Entry();
    entry->next = curr;
    pred->next = entry;
    return true;
  }
}

bool remove(int key) {
  atomic {
    Entry *pred, *curr, *r;
    locate(pred, curr, key);
    k = (curr->key != key);
    if (k) return false;
    r = curr->next;
    pred->next = r;
    return true;
  }
}
```

Output: a highly concurrent set. CAS(addr, old_ptr, old_mark, new_ptr, new_mark) compares and swaps a (pointer, mark) pair and returns true on success; a failed CAS restarts the operation:

```c
bool add(int key) {
  Entry *pred, *curr, *entry;
restart:
  locate(pred, curr, key);
  k = (curr->key == key);
  if (k) return false;
  entry = new Entry();
  entry->next = curr;
  val = CAS(&pred->next, curr, 0, entry, 0);   /* link entry in only if pred->next is still (curr, unmarked) */
  if (!val) goto restart;
  return true;
}

bool remove(int key) {
  Entry *pred, *curr, *r;
restart:
  locate(pred, curr, key);
  k = (curr->key != key);
  if (k) return false;
  <r, m> = curr->next;                         /* next pointer and its mark bit */
  lval = CAS(&curr->next, r, m, r, 1);         /* logical removal: set the mark on curr */
  if (!lval) goto restart;
  pval = CAS(&pred->next, curr, 0, r, 0);      /* physical removal: unlink curr */
  if (!pval) goto restart;
  return true;
}
```
Generate - Verify

Generator (input: a schema) produces a candidate program; the Verifier (inputs: specification and abstraction) answers Yes/No with a counterexample, which is fed back to the Generator. Result: the set of optimal programs.
Generator: Domain Specific Search
The candidate programs are ordered from less atomic to more atomic, and the generator searches along that axis.
Atomicity Reduction: Steps
• Removing redundant atomicity: shrink the atomic block around s1; s2; s3; s4 to the statements that need it
• Reordering statements: s1; s2 becomes s2; s1
• Optimistic concurrency: read; then atomic { if (validate) update else restart }
• Add synchronization meta-data: s1; if (t > 0) s2
Concurrent Sets: Generate-Check

Schemas explored: Sequential, DCAS, CAS, CAS with locks, CAS/DCAS. Among the correct algorithms the search produced are existing ones, such as Michael's CAS-based set (PODC'02), the set of Heller et al. (OPODIS'05) and the Treiber stack, alongside new algorithms; priority queues and stacks were covered as well as sets.
Step 1: Optimistic Concurrency [Kung & Robinson '81]

Before: one atomic block around the whole operation.

```c
bool remove(int key) {
  Entry *pred, *curr, *r;
  atomic {
    locate(pred, curr, key);
    k = (curr->key != key);
    if (k) return false;
    r = curr->next;
    pred->next = r;
    return true;
  }
}
```

After: an unsynchronized Read phase, then an atomic block that validates what was read and performs the Update, restarting when validation fails.

```c
bool remove(int key) {
  Entry *pred, *curr, *r;
restart:
  locate(pred, curr, key);          /* Read */
  atomic {
    if (validate) {                 /* validation condition still to be found */
      k = (curr->key != key);       /* Update */
      if (k) return false;
      r = curr->next;
      pred->next = r;
      return true;
    }
  }
  goto restart;
}
```
Step 2: Generate-Check

Template for the validation condition (a regular expression over the local pointers):

    ( (pred | curr) (->next)? == (pred | curr) (->next)? ) | true

Candidate completions include true, pred->next == curr and pred == curr:

```c
bool remove(int key) {
  Entry *pred, *curr, *r;
restart:
  locate(pred, curr, key);
  atomic {
    if (validate) {            /* validate in { true, pred->next == curr, pred == curr, ... } */
      k = (curr->key != key);
      if (k) return false;
      r = curr->next;
      pred->next = r;
      return true;
    }
  }
  goto restart;
}
```

Result: no correct completion found. The program state carries insufficient information to write a validation condition.
Step 2: Counterexample

[Figure: list head → 1 → 5 → 9 → tail, with T1: remove(5) and T2: add(7) running in parallel. T1 has located pred = 1, curr = 5 and read r = 9; T2 has located pred = 5, curr = 9.]
Step 2: Counterexample (continued)

[Figure: after T1 validates pred->next == curr and unlinks 5, the list is head → 1 → 9 → tail. T2's validation 5->next == 9 still passes, so T2 inserts 7 after the removed node 5, and 7 is never reachable from head.]

How to deal with removed nodes?
Dealing with Removed Nodes?
• Observability (meta-data)
• Synchronization time
Step 3: Apply Transformation

Object layout: the Entry object (key, next) gains a marked field, giving (key, next, marked).

Template for the REMOVE body. A part written ( ... )? is optional; the generator decides whether to include it:

```c
REMOVE = {
  R1: k = (curr->key != key)
  R2: if (k) return false
  R3: curr->marked = true
  R4: mp = pred->marked
  R5: mc = curr->marked
  R6: val = (pred->next == curr) (&& !mp)? (&& !mc)?   /* validation: did the read phase see a consistent, unremoved pred/curr? */
  R7: if (!val) goto restart
  R8: r = curr->next
  R9: pred->next = r
}
```
Step 4: Run Generate-Verify

Input: the skeleton below with the REMOVE template from Step 3. Output: the completion found by Generate-Verify, which keeps the check on pred's mark, drops the check on curr's mark, and needs an atomic block only around validate-and-update:

```c
bool remove(int key) {
  Entry *pred, *curr, *r;
restart:
  locate(pred, curr, key);
  REMOVE
  return true;
}

REMOVE = {
  k = (curr->key != key);
  if (k) return false;
  curr->marked = true;            /* logically remove curr first */
  r = curr->next;
  atomic {
    mp = pred->marked;
    val = (pred->next == curr) && !mp;
    if (!val) goto restart;
    pred->next = r;               /* physically unlink curr */
  }
}
```
- 1 9
head tail
pred curr r
pred curr
T1: remove(5) T2: add(7)||
Fixed Previous Counterexample
add(7) observes pred “5” is marked and restarts
pred curr
5
![Page 28: PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center](https://reader036.vdocuments.mx/reader036/viewer/2022062321/56649f145503460f94c2943e/html5/thumbnails/28.jpg)
28
Final Result

```c
bool add(int key) {
  Entry *pred, *curr, *entry;
restart:
  locate(pred, curr, key);
  k = (curr->key == key);
  if (k) return false;
  entry = new Entry();
  entry->next = curr;
  val = CAS(&pred->next, curr, 0, entry, 0);   /* succeeds only if pred->next is still (curr, unmarked) */
  if (!val) goto restart;
  return true;
}

bool remove(int key) {
  Entry *pred, *curr, *r;
restart:
  locate(pred, curr, key);
  k = (curr->key != key);
  if (k) return false;
  <r, m> = curr->next;                         /* next pointer and its mark bit */
  lval = CAS(&curr->next, r, m, r, 1);         /* logical removal: set the mark on curr */
  if (!lval) goto restart;
  pval = CAS(&pred->next, curr, 0, r, 0);      /* physical removal: unlink curr */
  if (!pval) goto restart;
  return true;
}

bool contains(int key) {
  Entry *pred, *curr;
  locate(pred, curr, key);                     /* no synchronization on the read path */
  k = (curr->key != key);
  if (k) return false;
  return true;
}
```

CAS(addr, old_ptr, old_mark, new_ptr, new_mark) compares and swaps a (pointer, mark) pair and returns true on success.
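The counterexample of Step 2 and the fix of Step 4 can be checked mechanically. The script below is an added example, not code from the deck: it models the optimistic remove/add of this section as step-wise operations and enumerates every interleaving of T1: remove(5) and T2: add(7) on the list 1 → 5 → 9, once with the validation pred->next == curr alone and once with the marked bit checked as well. The list contents, keys, thread ids and all function names are constructed for this example; the marked-bit validation follows the idea of the slides, not any particular published implementation.

```python
# Added illustration (not code from the slides): the optimistic Read /
# validate / Update scheme run against EVERY interleaving of
#   T1: remove(5)  ||  T2: add(7)   on the sorted list  1 -> 5 -> 9.
# validate_naive checks only pred.next == curr (the Step 2 attempt);
# validate_marked also checks the `marked` meta-data bit (Steps 3/4).
INF = float("inf")

class Node:
    def __init__(self, key, nxt=None):
        self.key, self.next, self.marked = key, nxt, False

def make_list(keys):
    """Sorted list with -inf/+inf sentinels: head -> keys... -> tail."""
    head = prev = Node(-INF)
    for k in sorted(keys):
        prev.next = Node(k)
        prev = prev.next
    prev.next = Node(INF)
    return head

def locate(head, key):
    """Unsynchronised traversal: returns pred, curr with pred.key < key <= curr.key."""
    pred, curr = head, head.next
    while curr.key < key:
        pred, curr = curr, curr.next
    return pred, curr

def contents(head):
    """Abstract set = keys reachable from head (sentinels excluded)."""
    keys, n = set(), head.next
    while n.key != INF:
        keys.add(n.key)
        n = n.next
    return frozenset(keys)

def validate_naive(pred, curr):
    return pred.next is curr

def validate_marked(pred, curr):
    # A removed node is unlinked AND marked: a thread that located it as
    # pred or curr fails validation and restarts (the fix of Step 4).
    return pred.next is curr and not pred.marked and not curr.marked

# Operations are generators: `yield` ends the unsynchronised Read phase;
# everything after it is the atomic validate-and-Update block.
def remove(head, key, validate):
    while True:
        pred, curr = locate(head, key)                 # Read
        yield
        if validate(pred, curr):                       # atomic { ... }
            if curr.key != key:
                return False
            curr.marked = True                         # meta-data
            pred.next = curr.next                      # Update: unlink
            return True
        # validation failed -> restart

def add(head, key, validate):
    while True:
        pred, curr = locate(head, key)
        yield
        if validate(pred, curr):
            if curr.key == key:
                return False
            pred.next = Node(key, curr)                # Update: link in
            return True

def run(prefix, validate):
    """Replay a schedule (sequence of thread ids) on a fresh list."""
    head = make_list((1, 5, 9))
    threads = [remove(head, 5, validate), add(head, 7, validate)]
    done = [False] * len(threads)
    for t in prefix:
        try:
            next(threads[t])
        except StopIteration:
            done[t] = True
    return head, done

def explore(validate, prefix=()):
    """Final list contents for every complete interleaving (depth-first)."""
    if len(prefix) > 64:
        raise RuntimeError("unbounded restarts in schedule %r" % (prefix,))
    head, done = run(prefix, validate)
    live = [t for t, d in enumerate(done) if not d]
    if not live:
        return [contents(head)]
    finals = []
    for t in live:                                     # scheduler choice
        finals.extend(explore(validate, prefix + (t,)))
    return finals

def check(validate, expected=frozenset({1, 7, 9})):
    """(interleavings explored, interleavings with wrong final contents)."""
    finals = explore(validate)
    return len(finals), sum(1 for f in finals if f != expected)

if __name__ == "__main__":
    print("naive  validation:", check(validate_naive))    # some schedules lose the 7
    print("marked validation:", check(validate_marked))   # none
```

Both operations restart at most once here, so the schedule space stays small; the bound in explore only guards against a validation that can never succeed. Any sequential order of remove(5) and add(7) leaves {1, 7, 9}, which is why that set is the expected result for every interleaving.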
Lessons
• Generate-Verify shortcomings
  – Generate can produce programs that cannot be verified
  – The verifier does redundant work
• Expressing insights as syntactic templates is cumbersome
• Concurrency is inherently tied to space
Verification-Driven Synthesis
• Enable automatic verification to do inference
  – Verification: no longer only a yes/no answer
  – Input: a (possibly incorrect) concurrent program
  – Output: a set of programs (possibly the empty set)
High Level Setting
[Figure: Process 1, Process 2 and Process 3 executing concurrently.]
Challenge
How to synchronize the processes in order to achieve correctness and good performance?
Synchronization Primitives
• Semaphores
• Monitors
• Conditional critical regions (CCR)
• Fine grained (e.g., CAS)
• Atomics
• ...
Conditional Critical Regions
• Syntax of a CCR: guard → stmt, i.e. stmt executes atomically, and only when guard holds
• Synchronization code
  – The guard can observe the program state
  – The guard does not modify the program state
CCR Setting
[Figure: statements s1 … s7 distributed over Process 1, Process 2 and Process 3, each statement a CCR.]
Specification:
• Permissiveness
• Cost, given as a language of CCR guards
Maximal Permissiveness
• Given a language LG, a specification S and a program A, program B is maximally permissive if:
  – B satisfies S
  – B is obtained from A by adding guards from LG
  – No program C that is correct and strictly more permissive than B can be obtained from A via LG: if B ⊂ C (C allows every execution of B and more) then C does not satisfy S
Contributions
• Two algorithms to infer CCR guards
  – Greedy
  – Exhaustive
• Guarantee maximal permissiveness
  – Greedy: under some conditions
  – Exhaustive: always
• Implementation in SPIN
  – prototype, examples
This Work
Specification: safety, no stuck states
Cost: the language of guards
Automatic inference of guards: from the unguarded processes (Process 1, Process 2, Process 3 running s1 … s7 as CCRs) to the same processes with inferred guards on their CCRs (e.g. g1 in front of s1 and g2 in front of s7), correct and maximally permissive.
Inference Algorithm
• Construct transition system of input program and specification
• Remove a (minimal) set of transitions such that the result satisfies the specification
• Implement resulting transition system as program by strengthening guards of CCRs in the program
```text
GREEDY(P : Program) : Program {
  R = ∅
  while (true) {
    ts = <States, Transitions \ R, Init>
    if valid(ts) return implement(P, R)
    B = cut-transitions(ts)
    if B = ∅ abort "cannot find valid synchronization"
    select a transition t ∈ B
    R = R ∪ equiv(t)
  }
}
```
Example Language: Observability
• Obs: the variables that can be read by CCR guards
• LE(Obs): the language of boolean combinations of equalities between variables in Obs and constants
• Example: Obs = {x, y, z}; a guard expression in LE(Obs): (x != 1 || y != 0 || z != 0)
Example: Full Observability
Program: Process 1: z = y + 1; Process 2: x = z + 1; Process 3: y = x + 1 (initially x = y = z = 0; each process is a single CCR)
Specification: !(y = 2 && z = 1), no stuck states
Cost: LE({x, y, z})
Task: automatic inference of guards
What is in a state
A state is the tuple (PC1, PC2, PC3, X, Y, Z); the initial state is (s, s, s, 0, 0, 0), where s marks a process at its start and e a process at its end.
Build Transition System
[Figure: the 16 reachable states, written as (pc of x=z+1, pc of y=x+1, pc of z=y+1 | x, y, z) with pc ∈ {s, e}: (s,s,s | 0,0,0); (e,s,s | 1,0,0), (s,e,s | 0,1,0), (s,s,e | 0,0,1); (e,e,s | 1,2,0), (e,s,e | 1,0,1), (e,e,s | 1,1,0), (s,e,e | 0,1,2), (e,s,e | 2,0,1), (s,e,e | 0,1,1); (e,e,e | 1,2,3), (e,e,e | 1,2,1), (e,e,e | 1,1,2), (e,e,e | 3,1,2), (e,e,e | 2,3,1), (e,e,e | 2,1,1). Edges are labelled with the statement executed (x=z+1, y=x+1 or z=y+1); the state (e,e,e | 1,2,1) violates the specification.]
Select Transitions to Remove
[Figure: the same transition system. The execution (s,s,s | 0,0,0) → x=z+1 → (e,s,s | 1,0,0) → z=y+1 → (e,s,e | 1,0,1) → y=x+1 → (e,e,e | 1,2,1) reaches the bad state; the transition z=y+1 out of (e,s,s | 1,0,0) is selected for removal.]
Build Transition System (after removal)
[Figure: the transition system without the z=y+1 transition from (e,s,s | 1,0,0); the states (e,s,e | 1,0,1) and (e,e,e | 1,2,1) are now unreachable. The removed transition is implemented by the guard x!=1 || y!=0 || z!=0 on z=y+1.]
Correct and Maximally Permissive
Example: Full Observability (result)
Specification: !(y = 2 && z = 1), no stuck states
Cost: LE({x, y, z})
Automatic inference of guards turns
  Process 1: z = y + 1;   Process 2: x = z + 1;   Process 3: y = x + 1;
into
  Process 1: (x != 1 || y != 0 || z != 0) z = y + 1;   Process 2: x = z + 1;   Process 3: y = x + 1;
Example: Limited Observability
Program: Process 1: z = y + 1; Process 2: x = z + 1; Process 3: y = x + 1
Specification: !(y = 2 && z = 1), no stuck states
Cost: LE({x, z}) (y cannot be observed by guards)
Task: automatic inference of guards
Build Transition System
[Figure: the same 16-state transition system as in the full-observability example.]
Select transition to remove
[Figure: as before, the transition z=y+1 out of (e,s,s | 1,0,0), which leads through (e,s,e | 1,0,1) to the bad state (e,e,e | 1,2,1), is selected.]
Select All Equivalent Transitions
• Implementability: a guard in LE({x, z}) cannot distinguish states that agree on x and z, so the selected transition is removed together with every z=y+1 transition from a state with x = 1 and z = 0, i.e. also from (e,e,s | 1,1,0) and (e,e,s | 1,2,0).
Build Transition System
[Figure: the transition system with the three z=y+1 transitions from states with x = 1, z = 0 removed, implemented by the guard x!=1 || z!=0 on z=y+1.]
• Stuck states: (e,e,s | 1,2,0) and (e,e,s | 1,1,0) have no remaining enabled transition, so the specification is still violated and more transitions must be removed.
Select transitions to remove
[Figure: the transitions leading into the stuck region are selected: the x=z+1 transitions from states with x = 0 and z = 0, i.e. from (s,s,s | 0,0,0) and (s,e,s | 0,1,0).]
Build Transition System
[Figure: the final transition system. The removed transitions are implemented by the guard x!=1 || z!=0 on z=y+1 and the guard x!=0 || z!=0 on x=z+1; every remaining execution ends in a final state and avoids (e,e,e | 1,2,1).]
Correct and Maximally Permissive
Example: Limited Observability (result)
Specification: !(y = 2 && z = 1), no stuck states
Cost: LE({x, z})
Automatic inference of guards turns
  Process 1: z = y + 1;   Process 2: x = z + 1;   Process 3: y = x + 1;
into
  Process 1: (x != 1 || z != 0) z = y + 1;   Process 2: (x != 0 || z != 0) x = z + 1;   Process 3: y = x + 1;
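To make the GREEDY procedure and the two inference runs above concrete, here is an added Python implementation; it is not the authors' SPIN prototype. It builds the 16-state transition system of the three processes, treats a reachable state as bad when it violates !(y = 2 && z = 1) and as stuck when it is non-final with no enabled transition, removes in each iteration one transition that leads from a good reachable state into the doomed region together with its whole equivalence class under the observable variables, and finally prints one guard in LE(Obs) per process. Process and variable names are the deck's; the choice among cut transitions (lowest process index, then smallest valuation) is an assumption made so that the run reproduces the slides' guards, and all function names are the example's own.

```python
# Added worked example, not the authors' SPIN prototype: the GREEDY loop of
# the slide, run on the three-process example.  The transition system of
#   P1: z=y+1 || P2: x=z+1 || P3: y=x+1   (x=y=z=0 initially)
# is built explicitly; a reachable state is "bad" if it violates the
# specification !(y == 2 && z == 1) and "stuck" if it is non-final with no
# enabled transition.  The guard language is LE(Obs): every removed
# equivalence class adds one disjunction of disequalities to a guard.
VARS = ("x", "y", "z")
PROCS = (("P1", "z", lambda v: v["y"] + 1),      # one CCR per process
         ("P2", "x", lambda v: v["z"] + 1),
         ("P3", "y", lambda v: v["x"] + 1))
FINAL = frozenset(range(len(PROCS)))

def valuation(state):
    """A state is (done, values): done = frozenset of finished processes."""
    return dict(zip(VARS, state[1]))

def bad(state):
    v = valuation(state)
    return v["y"] == 2 and v["z"] == 1

def build():
    """All interleavings; a transition is (src, process_index, dst)."""
    init = (frozenset(), (0, 0, 0))
    trans, todo, seen = set(), [init], {init}
    while todo:
        st = todo.pop()
        v = valuation(st)
        for i, (_, var, rhs) in enumerate(PROCS):
            if i in st[0]:
                continue                                # already finished
            nv = dict(v)
            nv[var] = rhs(v)
            dst = (st[0] | {i}, tuple(nv[n] for n in VARS))
            trans.add((st, i, dst))
            if dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return init, trans

def doomed(init, trans):
    """Reachable states, and those from which every run gets bad or stuck."""
    succ = {}
    for s, _, d in trans:
        succ.setdefault(s, []).append(d)
    reach, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for d in succ.get(s, ()):
            if d not in reach:
                reach.add(d)
                todo.append(d)
    D = {s for s in reach if bad(s) or (s[0] != FINAL and not succ.get(s))}
    changed = True
    while changed:                                      # backward closure
        changed = False
        for s in reach - D:
            if succ.get(s) and all(d in D for d in succ[s]):
                D.add(s)
                changed = True
    return reach, D

def guard(obs, classes):
    if not classes:
        return "true"
    return " && ".join("(" + " || ".join(f"{n}!={v}" for n, v in c) + ")"
                       for c in classes)

def greedy(obs):
    """Infer a guard per process, observing only the variables in `obs`."""
    init, trans = build()
    removed, classes = set(), {i: [] for i in range(len(PROCS))}
    while True:
        ts = trans - removed
        reach, D = doomed(init, ts)
        if init in D:
            raise RuntimeError("cannot find valid synchronization")
        if not D:
            return {PROCS[i][0]: guard(obs, c) for i, c in classes.items()}
        # cut-transitions: edges from a good reachable state into D
        cut = [(i, s) for s, i, d in ts if s in reach and s not in D and d in D]
        i, s = min(cut, key=lambda t: (t[0], t[1][1]))  # deterministic pick
        obs_val = tuple((n, valuation(s)[n]) for n in obs)
        classes[i].append(obs_val)
        # equiv(t): the same statement from every state agreeing with s on Obs
        removed |= {t for t in trans if t[1] == i and
                    tuple((n, valuation(t[0])[n]) for n in obs) == obs_val}

if __name__ == "__main__":
    print("full observability   :", greedy(("x", "y", "z")))
    print("limited observability:", greedy(("x", "z")))
```

With full observability one iteration suffices and P1 gets (x!=1 || y!=0 || z!=0). With Obs = {x, z} the first removal also disables z=y+1 in (1,1,0) and (1,2,0), which makes them stuck; the second iteration cuts x=z+1 from the states with x = 0, z = 0, yielding (x!=1 || z!=0) on P1 and (x!=0 || z!=0) on P2, exactly the guards shown above.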
Inference Algorithms
• Greedy algorithm
  – Resulting program satisfies the specification
  – Without side-effects: guaranteed maximally permissive
  – Experience: maximally permissive with side-effects as well
  – Polynomial
• Exhaustive algorithm
  – Resulting program satisfies the specification
  – Maximally permissive
  – Exponential
Implementation
• Prototype
  – Greedy algorithm
  – Using SPIN
• Examples
  – Dining philosophers
  – Asynchronous counters
  – Race correction
Summary
• Algorithms for CCR guard inference
  – Greedy (polynomial) and Exhaustive (exponential)
  – Produce maximally permissive programs
  – Parametric on a user-specified cost
  – Deal with side effects and implementability
Future Work
• Conditions for maximal permissiveness of the greedy algorithm
• Infer other synchronization mechanisms
  – meta-data, atomic sections, non-blocking
• Abstraction for stuck states
Crash Course on Abstract Interpretation
• Verify that a property holds on all executions
• Challenge: programs with unbounded state
  – Bad news: the problem is undecidable
  – Good news: we can use over-approximation
    · Consider a superset of the possible executions
    · Sound: a yes is a yes!
    · Incomplete: a no is a maybe ...
Verification Challenge

```c
main(int i) {
  int x = 3, y = 1;
  do {
    y = y + 1;
  } while (--i > 0);
  assert 0 < x + y;
}
```

Determine what states can arise during any execution.
Challenge: the set of states is unbounded (i is an arbitrary input).
Abstract Interpretation
Recipe: 1) Abstraction 2) Transformers 3) Exploration
Same program as above. Challenge: the set of states is unbounded. Solution: compute a bounded representation of (a superset of) the program states, and read off from it which states can arise during any execution.
1) Abstraction
• concrete state
• abstract state
main(int i) { int x=3,y=1;
do { y = y + 1; } while(--i > 0) assert 0 < x + y}
: Var Z
#: Var{+, 0, -, ?}
x y i
3 1 7 x y i
+ + +
3 2 6
x y i
… 70
Page 71
2) Transformers
• concrete transformer
• abstract transformer
main(int i) {
  int x = 3, y = 1;
  do { y = y + 1; } while (--i > 0);
  assert 0 < x + y
}
Concrete transformer for y = y + 1 (x y i):
3 1 0  →  3 2 0
Abstract transformer for y = y + 1 (x y i):
+ + 0  →  + + 0
+ - 0  →  + ? 0
+ 0 0  →  + + 0
+ ? 0  →  + ? 0
71
Page 72
3) Exploration
main(int i) {
  int x = 3, y = 1;
  do { y = y + 1; } while (--i > 0);
  assert 0 < x + y
}
Abstract states (x y i) reached at each program point:
entry:             ? ? ?
after x=3, y=1:    + + ?
after y = y + 1:   + + ?
at the assert:     + + ?
Every iteration maps + + ? back to + + ? (i stays unknown), so x and y are both positive at the assert and 0 < x + y is verified.
72
Page 73
Incompleteness
main(int i) {
  int x = 3, y = 1;
  do { y = y - 2; y = y + 3; } while (--i > 0);
  assert 0 < x + y
}
Abstract states (x y i) reached at each program point:
entry:             ? ? ?
after x=3, y=1:    + + ?
after y = y - 2:   + ? ?
after y = y + 3:   + ? ?
at the assert:     + ? ?
y = y - 2 maps + to ? and the sign of ? + 3 is still ?, so the analysis cannot prove 0 < x + y even though every concrete execution satisfies it (each iteration increases y by 1): a no is a maybe.
73
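The sign analysis of the last three slides carried out in code, as an added example that is not material from the talk: alpha, join, add and analyze are names chosen here, the loop body is encoded as the list of constants added to y, and x = 3, y = 1 are the slides' initial values.

```python
# Added example (not from the slides): the sign abstraction {+, 0, -, ?}
# applied to the loop `do { body } while (--i > 0); assert 0 < x + y`.
# body is the list of constants k of its statements y = y + k, so [1] is
# the "Exploration" program and [-2, 3] the "Incompleteness" program.

def alpha(n):
    """Abstraction of one concrete integer into its sign."""
    return "+" if n > 0 else "-" if n < 0 else "0"

def join(a, b):
    """Least upper bound of two signs; '?' means 'any sign'."""
    return a if a == b else "?"

def add(a, b):
    """Abstract transformer for a + b on signs. Sound (covers every concrete
    sum) but + plus -, and anything with ?, is unknown."""
    if a == "0":
        return b
    if b == "0":
        return a
    return a if a == b else "?"

def analyze(body, x0=3, y0=1):
    """Explore the loop abstractly to a fixpoint and return the abstract
    value of x + y at the assert (i is never used, so it stays unknown)."""
    x, head = alpha(x0), alpha(y0)       # state entering the loop body
    while True:
        y = head
        for k in body:                   # one abstract transformer per statement
            y = add(y, alpha(k))
        new_head = join(head, y)         # states that enter the body again
        if new_head == head:             # fixpoint: no new abstract states
            return add(x, y)             # y is the abstract value at the assert
        head = new_head

def verified(body):
    """True iff abstract interpretation proves the assertion 0 < x + y."""
    return analyze(body) == "+"

def run_concrete(body, i, x0=3, y0=1):
    """Execute the program concretely for one i; True iff the assert held."""
    x, y = x0, y0
    while True:
        for k in body:
            y = y + k
        i -= 1
        if not i > 0:
            return 0 < x + y
```

verified([1]) is True while verified([-2, 3]) is False, although run_concrete([-2, 3], i) holds for every i: the sign domain is sound but incomplete.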
Page 74
Automatic Verification with Abstraction
Concurrent Program, Specification, Abstraction → Abstract Interpreter → Counter Example
Counter Example → Refine: change the abstraction to match the program
Page 75
Automatic Construction with Abstraction
Concurrent Program, Specification, Abstraction → Abstract Interpreter → Counter Example
Counter Example → Refine: change the abstraction to match the program
Counter Example → Avoid: restrict the program to match the abstraction → Program
Page 76
AGS Algorithm – High Level
Input: Program P, Specification S, Abstraction
Output: Program P’ satisfying S under
 = true
while (true) {
  Traces = {  | (P ) and  S }
  if (Traces is empty) return implement(P, )
  select  Traces
  if (?) {  = avoid() } else {  = refine(, ) }
}
Page 77
Trace Avoidance: avoid()
Thread A: A1 A2
Thread B: B1 B2
• Atomicity predicate [st1, st2] disables a context switch between st1 and st2
• avoid() – disjunction of all possible atomicity predicates that would prevent the trace
The trace interleaves A1, A2 with B1, B2, with a context switch between A1 and A2 and between B1 and B2:
avoid() = [A1,A2] ∨ [B1,B2]
Page 78
Example
T1:  1: x += z     2: x += z
T2:  1: z++        2: z++
T3:  1: y1 = f(x)  2: y2 = x   3: assert(y1 != y2)
f(x) {
  if (x == 1) return 3
  else if (x == 2) return 6
  else return 5
}
How to place synchronization to achieve correctness and performance?
Page 79
Example: Parity Abstraction
(figure: two plots of y1 (vertical axis, 0 to 6) against y2 (horizontal axis, 1 to 5); left: concrete values, right: parity abstraction (even/odd))
Page 80
Example: Avoiding Bad Traces
avoid(1) = [z++,z++]
 = [z++,z++]
 = true
while (true) {
  Traces = {  | (P ) and  S }
  if (Traces is empty) return implement(P, )
  select  Traces
  if (?) {  = avoid() } else {  = refine(, ) }
}
Page 81
Example: Avoiding Bad Traces
avoid(2) = [x+=z,x+=z]
 = [z++,z++]
 = [z++,z++] ∧ [x+=z,x+=z]
 = true
while (true) {
  Traces = {  | (P ) and  S }
  if (Traces is empty) return implement(P, )
  select  Traces
  if (?) {  = avoid() } else {  = refine(, ) }
}
Page 82
Example: Avoiding Bad Traces
T1:  1: x += z     2: x += z
T2:  1: z++        2: z++
T3:  1: y1 = f(x)  2: y2 = x   3: assert(y1 != y2)
 = [z++,z++] ∧ [x+=z,x+=z]
 = true
while (true) {
  Traces = {  | (P ) and  S }
  if (Traces is empty) return implement(P, )
  select  Traces
  if (?) {  = avoid() } else {  = refine(, ) }
}
Page 83
Example: Avoiding Bad Traces
(figure: the y1/y2 plot under the parity abstraction next to the program T1: x+=z; x+=z, T2: z++; z++, T3: y1=f(x); y2=x; assert y1 != y2, repeated once per avoidance step)
But we can also refine the abstraction…
Page 84
(figure, panels (a) to (g): the y1/y2 plot for the program T1: x+=z; x+=z, T2: z++; z++, T3: y1=f(x); y2=x; assert y1 != y2 under the parity, interval and octagon abstractions)
Page 85
Choosing a solution
• Interval abstraction for our example:
  ([x+=z,x+=z] ∨ [z++,z++]) ∧ ([y1=f(x),y2=x] ∨ [x+=z,x+=z] ∨ [z++,z++])
• Minimal satisfying assignments
  – 1 = [z++, z++]
  – 2 = [x+=z, x+=z]
• Different quantitative notions:
  – Example: preference to solutions with fewer write operations inside atomic sections
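The trace avoidance of the "Trace Avoidance" and "Example" slides and the minimal satisfying assignments above, worked concretely as an added example that is neither the talk's code nor the AGS implementation: it enumerates all 90 interleavings instead of running an abstract interpreter, represents an atomicity predicate [st1, st2] as a (thread, st1, st2) tuple, and assumes x = z = 0 initially, which the slides do not state.

```python
# Added example (not from the slides): enumerate every interleaving of the
# three-thread program of the "Example" slide concretely, find the traces
# that violate assert(y1 != y2), and compute avoid(trace) as the set of
# atomicity predicates [st1, st2] that would prevent it. The initial values
# x = z = 0 are an assumption; the slides do not state them.
from itertools import permutations

def f(x):
    return 3 if x == 1 else 6 if x == 2 else 5

# Each thread is a list of (label, statement acting on the shared state).
THREADS = {
    "T1": [("x+=z", lambda s: s.update(x=s["x"] + s["z"]))] * 2,
    "T2": [("z++", lambda s: s.update(z=s["z"] + 1))] * 2,
    "T3": [("y1=f(x)", lambda s: s.update(y1=f(s["x"]))),
           ("y2=x", lambda s: s.update(y2=s["x"]))],
}

def run(order):
    """Execute one interleaving (a sequence of thread names); returns the
    trace as (thread, statement index) pairs and whether the assert held."""
    s, pc, trace = {"x": 0, "z": 0}, {t: 0 for t in THREADS}, []
    for t in order:
        THREADS[t][pc[t]][1](s)
        trace.append((t, pc[t]))
        pc[t] += 1
    return trace, s["y1"] != s["y2"]

def avoid(trace):
    """Atomicity predicates [st1, st2] that would prevent this trace: one
    for every pair of consecutive statements of a thread between which the
    trace switched to another thread (the slide's disjunction)."""
    preds = set()
    for i, (t, k) in enumerate(trace):
        if k + 1 < len(THREADS[t]) and trace.index((t, k + 1)) != i + 1:
            preds.add((t, THREADS[t][k][0], THREADS[t][k + 1][0]))
    return preds

def bad_traces(phi=frozenset()):
    """Violating traces of the program restricted by the conjunction of
    atomicity predicates phi (a trace is allowed iff it breaks none)."""
    orders = set(permutations(["T1", "T1", "T2", "T2", "T3", "T3"]))
    return [tr for tr, ok in map(run, sorted(orders))
            if not ok and not (avoid(tr) & phi)]

if __name__ == "__main__":
    for tr in bad_traces():
        print([THREADS[t][k][0] for t, k in tr], "->", sorted(avoid(tr)))
```

Both violating interleavings are prevented by any one of the three predicates, so concretely the two single-predicate assignments on the slide are minimal; the concrete run also shows that [y1=f(x), y2=x] alone suffices, which the interval formula above does not establish because its first clause needs a T1 or T2 predicate.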
Page 86
Implementation
Separation between the scheduling constraints and how they are realized:
• Can realize in the program via atomic sections
• Can realize in the scheduler via a benevolent scheduler
Page 87
Examples
Program           Refine Steps   Avoid Steps
Double buffering        1              2
Defragmentation         1              8
3D array update         2             23
Array Removal           1             17
Array Init              1             56
• Simplified versions of
  – Double buffering
  – Defragmentation
  – …
Page 88
Future Work
• Add more powerful abstractions
  – E.g. Heap, Polyhedra
• Synthesize more complex synchronization
  – Infer practical concurrent algorithms
Page 89
89
Plan
Motivation
Case Study: Concurrent Data Structures
Hoare’s CCR Finite State
Abstract Interpretation Based Synthesis
Memory Fences
(Optional)
Page 90
Results
• Partial-Coherence Abstractions for Weak Memory Models. Kuperstein M., Vechev M., Yahav E. Submitted.
• Automatic Inference of Memory Fences. Kuperstein M., Vechev M., Yahav E. Submitted.
• Verifying Linearizability with Hindsight. O'Hearn P., Rinetzky N., Vechev M., Yahav E., Yorsh G. PODC '10: Symposium on Principles of Distributed Computing.
• Abstraction-Guided Synthesis. Vechev M., Yahav E., Yorsh G. POPL '10: 37th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages.
• Experience with Model Checking Linearizability. Vechev M., Yahav E., Yorsh G. SPIN '09: 16th International SPIN Workshop on Model Checking of Software.
• Inferring Synchronization Under Limited Observability. Vechev M., Yahav E., Yorsh G. TACAS '09: 15th International Conference on Tools and Algorithms for the Construction and Analysis of Systems.
• Deriving Linearizable Fine-Grained Concurrent Objects. Vechev M., Yahav E. PLDI '08: ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation.
• CGCExplorer: A Semi-Automated Search Procedure for Provably Correct Concurrent Collectors. Vechev M., Yahav E., Bacon D.F., and Rinetzky N. PLDI '07: ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation.
• Correctness-Preserving Derivation of Concurrent Garbage Collection Algorithms. Vechev M., Yahav E., and Bacon D.F. PLDI '06: ACM SIGPLAN 2006 Conference on Programming Language Design and Implementation.
90
http://www.research.ibm.com/paraglide/
Page 91
Thanks