Automatic Derivation Integration and Verification of Synchronization Aspects
- Slides: 28
Automatic Derivation, Integration, and Verification of Synchronization Aspects in Object-Oriented Design Methods Principal Investigators Matt Dwyer John Hatcliff Masaaki Mizuno Mitch Nielsen Gurdip Singh Department of Computing and Information Sciences Kansas State University http: //www. cis. ksu. edu/santos
Collaborative Research at K-State l SANTOS Group – Programming Languages/Semantics – Software Specifications – Software Model Checking (Bandera) l Systems Group – Distributed/Operating Systems, Networking, Synchronization – Object Orientation – Embedded Systems (CAN systems)
Problem Statement : Card Reader Insert Card : Display : Key Pad : Client Manager : Cash Counter : Trans Manager Card inserted (ID) Ask for PIN code Show request Specify PIN code PIN Code (PIN) Ask for amount to withdraw Request PIN validation Show request Rational Unified Process (RUP) in the Unified Modeling Language (UML) is the de facto standard for OO development process. …an effective way to develop a set of sequential codes which are executed by threads. l …DOES NOT provide a standard methodology to develop synchronization among such threads. l
Our Theme …Focus on building core functional code (minus synchronization) …Give formal high-level spec of synchronization behavior …Correct synchronization code is synthesized and linked in automatically
Goals of the Project I. Provide high-level, modular specification of global synchronization aspects … powerful, yet easy to use … formal specification via global invariants … language of composable invariant … integrated with UML/RUP patterns II. Automatic derivation and weaving of synchronization code … multiple language and … weaving & optimization via synchronization targets (Java, abstract interpretation and C++, monitors, semaphores, etc. ) program specialization techniques III. Automatic verification of critical safety and liveness properties of woven embedded code … domain-specific model-checking … built on previous DARPA work – Bandera environment engines IV. Evaluation using military networking target vehicle electronics (CDA 101)
Global Invariant Approach Implicit Readers Writer R_in++ R_out++ Implicit W_in++ Buffer W_out++ Invariant: (R_in – R_out == 0 || W_in – W_out == 0)&& (W_in – W_out <= 1) Step 1 l Identify intended critical regions • Assume each region has associated implicit in and out counters that are incremented as regions are entered and exited l State a global invariant constraining occupancy of the regions
Global Invariant Approach <await W_in–W_out == 0 -> R_in++> Readers <R_out++> Writer Buffer <await R_in–R_out == 0 && W_in-W_out == 0 -> W_in++> <W_out++> Invariant: (R_in – R_out == 0 || W_in – W_out == 0)&& (W_in – W_out <= 1) Step 2 l Use invariant to guide formulation of guards for region enter/exit <await B -> C> <C> l …wait until B then execute C atomically …execute C atomically Called the “coarse-grain” solution
Global Invariant Approach Readers Writer Call R_Enter; Call W_Enter; Buffer Call R_Exit; Step 3 l Monitor Proc R_Enter() Proc R_Exit() Proc W_Enter() Proc W_Exit() Call W_Exit; … … Monitor Translate await and atomic statements to chosen synchronization mechanism …monitors, rendezvous, semaphores, etc… l …; …; Called the “fine-grain” solution
Advantages of Our Global Invariant Approach l “Aspect-oriented” – Synchronization aspect is cleanly factored out l Formal approach – Enables rigorous reasoning about synchronization aspects l Synchronization coding lies at a high level – Namely, the specification of invariants l Global invariants are independent of platform, language and synchronization primitive
Our Approach --- Invariant Patterns Users never write formulas but instead build invariants using a collection of global invariant patterns… l Bound(R, n) … at most n threads can be in region R l Exclusion(R 1, R 2) … occupancy of region R 1 and R 2 should be mutually exclusive l Resource(R 1, R 2, n) … region R 1 is a producer, region R 2 is a consumer of some resource with n initial resource values. l Barrier(R 1, R 2) … the kth thread to enter R 1 and the kth thread to enter R 2 meet and leave their respective regions together Barrier with information interchange… l Complex Barrier… l
Our Approach --- Invariant Patterns Users never write formulas but instead build invariants using a collection of global invariant patterns… Bound(R, n) …at most n threads can be in region R l Exclusion(R 1, R 2) … occupancy of region R 1 and R 2 should be mutually exclusive l Example: Readers/Writers Exclusion(R, W) + Bound(W, 1)
Our Approach --- Automatic Synthesis Both coarse-grain and fine-grain solutions are synthesized automatically . java Intermediate Representation Generator. java PVS. java + guarded commands Fine-grain Java Representation Generator . java + + Invariant. java Core code Synchronization aspect
Tool Architecture UML Tools Functional Core Code Templates (Java, C++, …) Synchronization Aspect Specification Tool Invariant & Region tags Intermediate Representation Generator Solver/ Prover Functional Core Code Template Instantiation (Java, C++, …) Traditional Development Environment Course-grain solution Synchronization Fine-grain Aspect solution Back-end Bandera Analysis & Transformation Safety Properties Liveness Properties Bandera Finite State Models Code Weaver Specialization Engine Optimized Woven Code
Example: Vessel Control Sensors Actuators Engine Controller Rudder Sensor Rudder Pump Rudder Controller Throttle Controller CAN Bus Fiber/TP Hub GPS …from Navy SEABORNE target vehicle documentation Other Sensors and Actuators
Gyroscope/Rudder Sub-system Buffer Gyroscope Controller Rudder Controller Gyroscope produces position values which are placed in a single entry buffer l Rudder controller reads position values from buffer and uses them to actuate the rudder l
Use Cases and Critical Regions Gyroscope Controller Rudder Controller Critical Region: RR Read a value from the gyroscope Wait until the buffer becomes empty Write a new value in the buffer Wait until gyroscope value is in buffer Read value from buffer Actuate rudder based on value Critical Region: RG Identify segments (a) that must wait for some even to occur (b) segments that cause events waited for in (a)
Gyroscope/Rudder Synchronization Resource(RG, RR , 0) Gyroscope Value Produce Consume RG RR Consume Gyroscope Controller Buffer Produce Empty Buffer Slot Resource(RR, RG , 1) Rudder Controller Exclusion(RG, RR) Invariant: Resource(RG, RR , 0) + Resource(RR, RG , 1) + Exclusion(RG, RR)
Generating Coarse-grain Solution Invariant: Resource(RG, RR , 0) + Resource(RR, RG , 1) + Exclusion(RG, RR) …consumer in …producer out Resource(RG, RR , 0) R_in <= G_out Resource(RR, RG , 1) G_in <= R_out + 1 Exclusion(RG, RR) (G_in == G_out) || (R_in == R_out) Desugared Invariant: (R_in <= G_out) && (G_in <= R_out + 1) && ((G_in == G_out) || (R_in == R_out))
Generating Coarse-grain Solution …invariant I holds here G_in++ …want I to hold here <await B -> G_in++> Task: generate a condition B that ensures that I holds after counter increment. Step 1: generate weakest-precondition(G_in++, I) (R_in <= G_out) && (G_in <= R_out + 1) && ((G_in == G_out) || (R_in == R_out)) Substitute G_in+1 for G_in (R_in <= G_out) && (G_in+1 <= R_out + 1) && ((G_in+1 == G_out) || (R_in == R_out))
Generating Coarse-grain Solution Step 2: simplify using decision procedures 1. 2. 3. Convert to disjunctive normal form Eliminate disjuncts that are can never be satisfied using decision procedures Minimize remaining conjuncts using decision procedures Example: 1. 2. 3. (R_in <= G_out) && (G_in+1 <= R_out+1) && (G_in+1 == G_out) || (R_in <= G_out) && (G_in+1 <= R_out+1) && (R_in == R_out)
Coarse-Grain Solution (skeleton) Gyroscope controller critical region: <await (G_in+1 <= R_out+1) && (R_in == R_out) -> G_in++> /* insert gyroscope value into buffer */ <G_out++> Rudder controller critical region: <await (R_in < G_out) && (G_in == G_out) -> R_in++> /* insert gyroscope value into buffer */ <R_out++>
Generating Fine-Grain Solution Traditional Monitor Solution <await B 1 -> C 1++> <await B 2 -> C 2++> int C 1, C 2, …, Cn; int cv 1, cv 2, …, cvn; …counter variables …condition variables with an associated queue for each await <await B 3 -> C 3++> Procedure Await 1 () … <await B 4 -> C 4++> Procedure Await 2 () … …… Procedure Awaitn () … <await Bn -> Cn++> …procedure to implement each await
Generating Fine-grain Solution l Use a single lock to protect access to counters l Use a pattern called “specification notification” to implement await’s – One lock for each await statement – Ensures that separate waiting queues are maintained for each await
Compilation of <await B -> S> public static void <aname>() { …grab lock for this await synchronized (condition$<name>) { while (!check$<aname>()) { …if guard B is false try { …go to sleep condition$<aname>. wait(); } catch (Interrupted. Exception e) {} } /* add relevant notify calls */ …notify awaits whose conditions } may become true because of } the current counter increment public static boolean check$<aname>() { synchronized (cluster. Counter. Lock) { if (<B>) { <S> return true; } else return false; } } …grab lock protecting counters …if guard is true …do increment …return true …else return false
Summarizing… UML Tools Functional Core Code Templates (Java, C++, …) Synchronization Aspect Specification Tool Invariant & Region tags Intermediate Representation Generator Solver/ Prover Functional Core Code Template Instantiation (Java, C++, …) Traditional Development Environment Course-grain solution Synchronization Fine-grain Aspect solution Back-end Bandera Analysis & Transformation Safety Properties Liveness Properties Bandera Finite State Models Code Weaver Specialization Engine Optimized Woven Code
Short-term goals (3 -4 months) l l l Add GUI to current prototype Generate solutions to a large collection of standard synchronization problems Hook in Bandera to check safety/liveness properties Examine SEABORNE target code to assess how much of synchronization can be expressed in terms of our patterns Generate CAN-based message passing finegrain solutions (C with CAN library)
Medium-term goals (6 -12 months) l Extend global invariant approach to include real-time properties l Integrate UML tools into front-end l Use specialization to compress verification models
Long-term goals (1 -2 years) l Generate fine-grain solutions for other languages (C++, Aspect. J, etc. ) l Consider other synchronization related aspects (distribution, coordinated errorhandling, debugging) l Extensions to the language of global invariants
Leftmost derivation and rightmost derivation
Forward integration and backward integration
Forward backward integration
Simultaneous integration examples
Synchronization algorithms and concurrent programming
Fast clock to slow clock synchronization
Is a high level synchronization construct
Process synchronization in os
Data synchronization in tally
Multiprocessor synchronization
Lean synchronization
Bgp states
Lock free synchronization
Classical synchronization problems
Synchronization tool in os
The bounded buffer problem in operating system
Basic synchronization principles
Windchill workspace
Cuda global synchronization
Process synchronization definition
Laser synchronization
Pthread synchronization
Shared memory in unix
Synchronization primitives c#
Process synchronization definition
Linux kernel synchronization
Linux synchronization primitives
Clock synchronization in distributed system
Wait free synchronization
