Reduction A powerful technique for analyzing concurrent software
![What if a procedure body comprises multiple transactions? bool available[N]; mutex m[N]; Choose N](https://slidetodoc.com/presentation_image_h2/02c11d7bc2156b9ae5679369e20045c7/image-38.jpg "What if a procedure body comprises multiple transactions? bool available[N]; mutex m[N]; Choose N")
- Slides: 47
Reduction: A powerful technique for analyzing concurrent software Shaz Qadeer Microsoft Research Collaborators: • Cormac Flanagan, UC Santa Cruz • Stephen Freund, Williams College • Sriram Rajamani, Microsoft Research • Jakob Rehof, Microsoft Research
Concurrent programs • Operating systems, device drivers, databases, Java/C#, web services, … • Reliability is important
Reliable Concurrent Software? • Correctness Problem – does program behaves correctly for all inputs and all interleavings? – very hard to ensure with testing • Bugs due to concurrency are insidious – non-deterministic, timing dependent – data corruption, crashes – difficult to detect, reproduce, eliminate • Security attacks exploiting concurrency are the next frontier
Part 1: Atomicity analysis
Multithreaded Program Execution Thread 1 Thread 2 . . . int t 1 = hits; hits = t 1 + 1. . . t 1=hits hits=0 hits=t 1+1 t 2=hits . . . int t 2 = hits; hits = t 2 + 1. . . t 2=hits=t 1+1 hits=t 2+1 hits=2 hits=1 hits=t 1+1 hits=1
Race Conditions A race condition occurs if two threads access a shared variable at the same time, and at least one of the accesses is a write Thread 1. . . int t 1 = hits; hits = t 1 + 1. . . Thread 2. . . int t 2 = hits; hits = t 2 + 1. . .
Preventing Race Conditions Using Locks • Lock can be held by at most one thread • Race conditions are prevented using locks – associate a lock with each shared variable – acquire lock before accessing variable Thread 1 Thread 2 synchronized(lock) { int t 1 = hits; hits = t 1 + 1 } acq hits=0 t 1=hits hits=t 1+1 rel synchronized(lock) { int t 2 = hits; hits = t 2 + 1 } acq t 2=hits hits=t 2+2 rel hits=2
Race detection • Static: – Sterling 93, Aiken-Gay 98, Flanagan-Abadi 99, Flanagan-Freund 00, Boyapati-Rinard 01, von Praun-Gross 01, Boyapati-Lee-Rinard 02, Grossman 03 • Dynamic: – Savage et al. 97 (Eraser tool) – Cheng et al. 98 – Choi et al. 02
Race-free bank account int balance; void deposit (int n) { synchronized (this) { balance = balance + n; } }
Bank account int balance; void deposit (int n) { synchronized (this) { balance = balance + n; } } Thread 1 int read( ) { int r; synchronized (this) { r = balance; } return r; } balance = 10 deposit(10); void withdraw(int n) { int r = read( ); synchronized (this) { balance = r – n; } } Thread 2 withdraw(10); Race-freedom not sufficient!
Atomic bank account (I) int balance; void deposit (int n) { synchronized (this) { balance = balance + n; } } int read( ) { int r; synchronized (this) { r = balance; } return r; } void withdraw(int n) { synchronized (this) { balance = balance – n; } }
java. lang. String. Buffer (jdk 1. 4) “String buffers are safe for use by multiple threads. The methods are synchronized so that all the operations on any particular instance behave as if they occur in some serial order that is consistent with the order of the method calls made by each of the individual threads involved. ”
java. lang. String. Buffer is buggy! public final class String. Buffer { private int count; private char[ ] value; . . public synchronized String. Buffer append (String. Buffer sb) { if (sb == null) sb = NULL; int len = sb. length( ); int newcount = count + len; if (newcount > value. length) expand. Capacity(newcount); sb. get. Chars(0, len, value, count); //use of stale len !! count = newcount; return this; } public synchronized int length( ) { return count; } public synchronized void get. Chars(. . . ) {. . . } }
Atomic bank account (II) int balance; void deposit (int n) { synchronized (this) { balance = balance + n; } } int read( ) { return balance; } void withdraw(int n) { synchronized (this) { balance = balance – n; } } Race-freedom not necessary!
Atomicity • A method is atomic if it seems to execute “in one step” even in presence of concurrently executing threads • Common concept – “(strict) serializability” in databases – “linearizability” in concurrent objects – “thread-safe” multithreaded libraries • “String buffers are safe for use by multiple threads. …” • Fundamental semantic correctness property
Definition of Atomicity Serialized execution of deposit x y acq(this) r=bal bal=r+n rel(this) z Non-serialized executions of deposit acq(this) x x r=bal y y r=bal bal=r+n z z rel(this) • deposit is atomic if for every non-serialized execution, there is a serialized execution with the same behavior
Reduction (Lipton 75) S 0 acq(this) S 1 x x S 2 r=bal y S 3 T 3 y r=bal bal=r+n S 4 S 5 z z S 6 rel(this) S 7 blue thread holds lock x acq(this) y r=bal bal=r+n z rel(this) does S 0 red thread T 1 S 2 not hold T 3 lock S 4 S 5 S 6 S 7 operation y does not access balance x y commute acq(this) r=bal bal=r+n z rel(this) operations S 0 T 1 T 2 T 3 thread S 4 holds S S 6 acquire. S 7 5 after blue lock operation x does not modify lock x y acq(this) r=bal bal=r+n rel(this) z operations commute S 0 T 1 T 2 T 3 S 4 S 5 T 6 S 7
Four Atomicities S S 20 r=bal acq(this) • R: right commutes – lock acquire L: left commutes – lock release B: both right + left commutes SS 20 S 25 S S 31 yx zx y x SS 42 acq(this) r=bal SS 42 T 31 rel(this) r=bal S 36 S 47 – variable access holding lock N: atomic action, non-commuting – access unprotected variable S 25 S rel(this) r=bal T T 63 z x S 47 S
Sequential Composition Use atomicities to perform reduction Lipton: sequence (R+B)*; (N+ ); (L+B)* is atomic ; B R L N C B B R L N C LS R 0 L R NS 0 R L C N C C C N. N x N. C C C R* C. C C C x N . Y N . L* R; BL*; N; L. S 5 R ; N. YN S 5 R; N; L ; R; N; L N ; N C
Bank account int balance; /*# guarded_by this */ N /*# atomicity N */ void deposit (int x) { R acquire(this); B int r = balance; B balance = r + x; L release(this); } N /*# atomicity N */ void withdraw(int x) { int read( ) { int r; N int r = read( ); R acquire(this); B r = balance; N B balance = r – x; L release(this); } B return r; }
Bank account int balance; /*# guarded_by this */ N /*# atomicity N */ void deposit (int x) { R acquire(this); B int r = balance; B balance = r + x; L release(this); } N /*# atomicity N */ int read( ) { void withdraw(int x) { int r; R acquire(this); B int r = balance; B r = balance; N B balance = r – x; L release(this); } B return r; }
Soundness Theorem • Suppose a non-serialized execution of a welltyped program reaches state S in which no thread is executing an atomic method • Then there is a serialized execution of the program that also reaches S
Atomicity Checker for Java • Leverage Race Condition Checker to check that protecting lock is held when variables accessed • Found several atomicity violations – java. lang. String. Buffer – java. lang. String – java. net. URL
Experience with Atomicity Checker Class Inflater Deflater Print. Writer Vector URL String. Buffer String Total Size Annotations per KLOC (lines) total guard req. atomic array esc. 296 364 20 25 17 20 0 0 3 5 0 0 557 1029 1269 1272 2399 7366 36 14 33 19 22 24 5 3 10 2 0 8 0 1 1 4 0 1 25 4 10 5 1 8 0 3 0 7 19 4 5 3 13 1 1 3
“String buffers are safe for use by multiple threads. The methods are synchronized so that all the operations on any particular instance behave as if they occur in some serial order that is consistent with the order of the method calls made by each of the individual threads involved. ” “String buffers are atomic”
Part 2: Summarizing procedures
Summarization for sequential programs • Procedure summarization (Sharir-Pnueli 81, Reps-Horwitz-Sagiv 95) is the key to efficiency int x; void incr_by_2() { x++; } void main() { … x = 0; incr_by_2(); … } • Bebop, ESP, Moped, MC, Prefix, …
Assertion checking for sequential programs • Boolean program with: – g = number of global vars – m = max. number of local vars in any scope – k = size of the CFG of the program O(g+m) • Complexity is O( k 2 ), linear in the size of CFG • Summarization enables termination in the presence of recursion
Assertion checking for concurrent programs Ramalingam 00: There is no algorithm for assertion checking of concurrent boolean programs, even with only two threads.
Our contribution • Precise semi-algorithm for verifying properties of concurrent programs – based on model checking – procedure summarization for efficiency • Termination for a large class of concurrent programs with recursion and shared variables • Generalization of precise interprocedural dataflow analysis for sequential programs
What is a summary in sequential programs? • Summary of a procedure P = Set of all (pre -state post-state) pairs obtained by invocations of P int x; void incr_by_2() { x++; } void main() { … x = 0; incr_by_2(); … x = 1; incr_by_2(); … } x x’ 0 1 2 3
What is a summary in concurrent programs? • Unarticulated so far • Naïve extension of summaries for sequential programs do not work Call P Return P
Attempt 1 s Call P Advantage: summary computable as in a sequential program Disadvantage: summary not usable for executions with interference from other threads Return P s’
Attempt 2 s Advantage: Captures all executions Call P Disadvantage: s and s’ must comprise full program state • summaries are complicated • do not offer much reuse Return P s’
Transaction Lipton: any sequence (R+B)*; (N+ ) ; (L+B)* is a transaction S 0 R* . x . N . Y . L* S 5 S 0 x . R* . N . L* . Y S 5 Other threads need not be scheduled in the middle of a transaction Transactions may be summarized
If a procedure body is a single transaction, summarize as in a sequential program bool available[N]; mutex m; int get. Resource() { int i = 0; L 0: acquire(m); L 1: while (i < N) { L 2: if (available[i]) { L 3: available[i] = false; L 4: release(m); L 5: return i; } L 6: i++; } L 7: release(m); L 8: return i; } Choose N = 2 Summaries: m, (a[0], a[1]) 0, (0, 0) 0, (0, 1) 0, (1, 0) 0, (1, 1) i’, m’, (a[0]’, a[1]’) 2, 0, (0, 0) 1, 0, (0, 0) 0, 0, (0, 1)
Transactional procedures • In the Atomizer benchmarks (Flanagan. Freund 04), a majority of procedures are transactional
What if a procedure body comprises multiple transactions? bool available[N]; mutex m[N]; Choose N = 2 Summaries: int get. Resource() { pc, i, (m[0], m[1]), (a[0], a[1]) pc’, i’, (m[0]’, m[1]’), (a[0]’, a[1]’) int i = 0; L 0: while (i < N) { L 0, 0, (0, *) L 1, 1, (0, *) L 1: acquire(m[i]); L 2: if (available[i]) { L 0, 0, (0, *), (1, *) L 5, 0, (0, *) L 3: available[i] = false; L 4: release(m[i]); L 1, 1, (*, 0) L 8, 2, (*, 0) L 5: return i; } else { L 1, 1, (*, 0), (*, 1) L 5, 1, (*, 0) L 6: release(m[i]); } L 7: i++; } L 8: return i; }
What if a transaction 1. starts in caller and ends in callee? 2. starts in callee and ends in caller? int x; mutex m; void foo() { acquire(m); x++; void bar() { 1 release(m); bar(); x--; release(m); } acquire(m); 2 }
What if a transaction 1. starts in caller and ends in callee? 2. starts in callee and ends in caller? int x; mutex m; void foo() { acquire(m); x++; void bar() { 1 release(m); bar(); x--; release(m); acquire(m); 2 } } Solution: 1. Split the summary into pieces 2. Annotate each piece to indicate whether 3. transaction continues past it
Two-level model checking • Top level performs state exploration • Bottom level performs summarization • Top level uses summaries to explore reduced set of interleavings – Maintains a stack for each thread – Pushes a stack frame if annotated summary edge ends in a call – Pops a stack frame if annotated summary edge ends in a return
Termination • Theorem: – If all recursive functions are transactional, then our algorithm terminates. – The algorithm reports an error iff there is an error in the program.
Concurrency + recursion int g = 0; mutex m; void foo(int r) { L 0: if (r == 0) { L 1: foo(r); } else { L 2: acquire(m); L 3: g++; L 4: release(m); } L 5: return; } void main() { int q = choose({0, 1}); M 0: foo(q); M 1: acquire(m) M 2: assert(g >= 1); M 3: release(m); M 4: return; } Prog = main() || main() Summaries for foo: pc, r, m, g pc’, r’, m’, g’ L 0, 1, 0, 0 L 5, 1, 0, 1 L 0, 1, 0, 1 L 5, 1, 0, 2
Summary (!) • Transactions enable summarization • Identify transactions using theory of movers • Transaction boundaries may not coincide with procedure boundaries – Two level model checking algorithm – Top level maintains a stacks for each thread – Bottom level maintains summaries
Sequential programs • For a sequential program, the whole execution is a transaction • Algorithm behaves exactly like classic interprocedural dataflow analysis
Related work • Summarizing sequential programs – Sharir-Pnueli 81, Reps-Horwitz-Sagiv 95, Ball. Rajamani 00, Esparza-Schwoon 01 • Concurrency+Procedures – Duesterwald-Soffa 91, Dwyer-Clarke 94, Alur-Grosu 00, Esparza-Podelski 00, Bouajjani-Esparza-Touili 02 • Reduction – Lipton 75, Freund-Qadeer 03, Flanagan-Qadeer 03, Stoller-Cohen 03, Hatcliff et al. 03
• Model checker for concurrent software • Joint work with Tony Andrews • http: //www. research. microsoft. com/zing
Summarizing is a powerful reading strategy it increase
What is concurrent model in software engineering
Translate
Algori
Formuö
Typiska drag för en novell
Nationell inriktning för artificiell intelligens
Returpilarna
Varför kallas perioden 1918-1939 för mellankrigstiden?
En lathund för arbete med kontinuitetshantering
Kassaregister ideell förening
Tidböcker
Sura för anatom
Vad är densitet
Datorkunskap för nybörjare
Stig kerman
Mall debattartikel
Autokratiskt ledarskap
Nyckelkompetenser för livslångt lärande
Påbyggnader för flakfordon
Arkimedes princip formel
Publik sektor
Urban torhamn
Presentera för publik crossboss
Vad är ett minoritetsspråk
Vem räknas som jude
Treserva lathund
Mjälthilus
Bästa kameran för astrofoto
Cks
Byggprocessen steg för steg
Mat för idrottare
Verktyg för automatisering av utbetalningar
Rutin för avvikelsehantering
Smärtskolan kunskap för livet
Ministerstyre för och nackdelar
Tack för att ni har lyssnat
Referat mall
Redogör för vad psykologi är
Matematisk modellering eksempel
Tack för att ni har lyssnat
Borra hål för knoppar
Orubbliga rättigheter
Stickprovsvariansen
Tack för att ni har lyssnat
Rita perspektiv
Verksamhetsanalys exempel
Tobinskatten för och nackdelar
