Runtime Safety Analysis of Multithreaded Programs Koushik Sen

  • Slides: 33
Slide 1: Runtime Safety Analysis of Multithreaded Programs
Koushik Sen, University of Illinois at Urbana-Champaign, USA
Co-authors: Grigore Rosu and Gul Agha

JMPaX: http://fsl.cs.uiuc.edu/jmpax/

Slide 2: Talk Overview
- Motivation
- MultiPathExplorer
  - Motivating example
  - Instrumentation based on vector clocks
  - Predict specification violations at runtime
  - System architecture
- Further Applications
- Conclusion and Future Work

Slide 3: Increasing Software Reliability
- Current solutions
  - Human review of code and testing
    - Most used in practice
    - Usually ad hoc, intensive human support
  - (Advanced) Static analysis
    - Often scales up
    - False positives and negatives, annotations
  - (Traditional) Formal methods
    - Model checking and theorem proving
    - General, good confidence, do not always scale up

Slide 4: Runtime Verification
- Merge testing and temporal logic specification
  - Specify safety properties in a proper temporal logic.
  - Monitor safety properties against a run of the program.
- Examples: JPaX (NASA Ames), UPenn's Java MaC
- Disadvantage: lack of coverage.
[Figure: Run → Naïve Observer, which analyzes only the observed run]

Slide 5: Our Approach: Smart Observer
- Ideas
  - A single execution trace contains more information than appears at first sight
  - Extract other possible runs from a single execution
  - Analyze all these runs intelligently.
- A technique between model checking and testing.
[Figure: Run → Smart Observer]

Slide 6: Talk Overview (agenda slide repeated)

Slide 7: MultiPathExplorer – JMPaX (Java)
- Based on smart observers
- Smartness obtained by proper instrumentation: vector clocks
- Possible global states generated dynamically form a lattice
- Analysis is performed on a level-by-level basis in the lattice of global states

Slide 8: Motivating Example "Safe Landing"
Safe Landing: land the air/space craft only after approval from ground and only if, since then, the radio signal has not been lost.
- Three variables:
  - Landing, indicating the air/space craft is landing
  - Approved, indicating landing has been approved
  - Radio, indicating the radio signal is live
[Figure: Landing, Approved, Radio]

Slide 9: Code of a Landing Controller
- Two-threaded program to control landing

    int landing = 0, approved = 0, radio = 1;

    void thread1() {
        askLandingApproval();
        if (approved == 1) {
            print("Landing approved");
            landing = 1;
            print("Landing started");
        } else {
            print("Landing not approved");
        }
    }

    void askLandingApproval() {
        if (radio == 1) { approved = 1; } else { approved = 0; }
    }

    void thread2() {
        while (true) { checkRadio(); }   /* checkRadio() updates radio; its body is not on the slide */
    }

Slide 10: Landing Safety Violation
- Suppose the plane has received approval for landing and, just before it started landing, the radio signal went off
  - the plane must abort landing!
- A simple observer will most likely not detect the bug.
- JMPaX can construct a possible run in which radio goes off between approval and landing
[Figure: the events approved = 1, landing = 1 and radio = 0]

Slide 11: Talk Overview (agenda slide repeated)

Slide 12: Events in Multithreaded Programs
- Given n threads p_1, p_2, ..., p_n,
- A multithreaded execution is a sequence of events e_1 e_2 … e_r of type:
  - internal, or
  - read of a shared variable, or
  - write of a shared variable.
- e_i^j represents the j-th event generated by thread p_i since the start of its execution.

Slide 13: Causality in Multithreaded Programs
- Define the partial order ≺ on the set of events as follows:
  - e_i^k ≺ e_i^l if k < l;
  - e ≺ e' if there is some x ∈ S such that e <_x e' and at least one of e, e' is a write;
  - e ≺ e'' if e ≺ e' and e' ≺ e''.
[Figure: e_i^k ≺ e_i^l within thread i; e ≺ e' between threads i and j through the shared variable x]

Slide 14: Vector Clocks and Relevant Events
- Consider a subset R of relevant events (typically those writing the specification's variables).
- R-relevant causality is a relation ◁ ⊆ ≺
  - ◁ is the projection of ≺ on R × R.
- We provide a technique based on vector clocks that correctly implements the relevant causality relation.

Slide 15: Vector Clock Algorithm
- Let V_i be an n-dimensional vector of natural numbers for each thread p_i.
- Let V_x^a and V_x^w be vectors for each shared variable x.
1. if e_i^k is relevant, i.e., if e_i^k ∈ R, then
   V_i[i] ← V_i[i] + 1
2. if e_i^k is a read of a variable x then
   V_i ← max{V_i, V_x^w}
   V_x^a ← max{V_x^a, V_i}
3. if e_i^k is a write of a variable x then
   V_x^w ← V_x^a ← V_i ← max{V_x^a, V_i}
4. if e_i^k is relevant then
   send the message ⟨e_i^k, i, V_i⟩ to the observer.
(max is taken componentwise.)

Slide 16: Correspondence with Standard Vector Clocks
[Figure: a read of x and a write of x drawn as message exchanges between the thread clock i and the variable's access vector x(a) and write vector x(w)]

Slide 17: Implementing Causality by Vector Clocks
- Theorem: If ⟨e, i, V⟩ and ⟨e', j, V'⟩ are messages sent by our algorithm, then
    e ◁ e'  iff  V[i] ≤ V'[i]
- If i and j are not given, then
    e ◁ e'  iff  V < V'

Slide 18: Example with Two Threads

    thread T1 {          thread T2 {
        x++;                 z = x + 1;
        ...                  x++;
        y = x + 1;       }
    }

    (initially x = -1)

Messages sent to the observer:
- e1: ⟨x = 0, T1, (1, 0)⟩
- e2: ⟨z = 1, T2, (1, 1)⟩
- e3: ⟨y = 1, T1, (2, 0)⟩
- e4: ⟨x = 1, T2, (1, 2)⟩
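The vector clock algorithm of slide 15 and the messages of slide 18, worked through in code. This is an added Python example, not code from the slides or from JMPaX; the class and function names (Instrumentation, relevant_causality, run_slide18_example) and the convention that every statement is a read of x followed by one write are mine. Writes to the specification variables x, y, z are the relevant events R, so reads never increment a clock and only writes produce messages.

```python
from itertools import combinations
from typing import Dict, List, Tuple

Vec = Tuple[int, ...]
Message = Tuple[str, int, Vec]   # <event label, sending thread i, V_i> as on slide 15


def vmax(a: Vec, b: Vec) -> Vec:
    """Componentwise maximum, the max{...} of the slide."""
    return tuple(max(p, q) for p, q in zip(a, b))


def vector_less(a: Vec, b: Vec) -> bool:
    """Strict vector order V < V': every component <=, at least one strictly <."""
    return all(p <= q for p, q in zip(a, b)) and a != b


class Instrumentation:
    """Holds V_i per thread and V_x^a (access) / V_x^w (write) per shared variable."""

    def __init__(self, n_threads: int, shared_vars: List[str]) -> None:
        zero: Vec = (0,) * n_threads
        self.v_thread: List[Vec] = [zero] * n_threads
        self.v_access: Dict[str, Vec] = {x: zero for x in shared_vars}
        self.v_write: Dict[str, Vec] = {x: zero for x in shared_vars}
        self.messages: List[Message] = []   # what the observer receives, in order

    def read(self, i: int, x: str) -> None:
        # Rule 2: pull in the clock of the last write of x, then record the access.
        self.v_thread[i] = vmax(self.v_thread[i], self.v_write[x])
        self.v_access[x] = vmax(self.v_access[x], self.v_thread[i])

    def write(self, i: int, x: str, label: str) -> Message:
        v = list(self.v_thread[i])
        v[i] += 1                                   # Rule 1: a write is a relevant event
        merged = vmax(self.v_access[x], tuple(v))   # Rule 3: V_x^w <- V_x^a <- V_i <- max{V_x^a, V_i}
        self.v_write[x] = self.v_access[x] = self.v_thread[i] = merged
        msg: Message = (label, i, merged)           # Rule 4: send <e, i, V_i> to the observer
        self.messages.append(msg)
        return msg


def relevant_causality(m: Message, m2: Message) -> bool:
    """Theorem of slide 17: e <| e' iff V[i] <= V'[i], i being the thread that sent e."""
    _, i, v = m
    return v[i] <= m2[2][i]


def run_slide18_example() -> List[Message]:
    """Replay the interleaving behind the four messages on slide 18 (x starts at -1)."""
    ins = Instrumentation(2, ["x", "y", "z"])
    T1, T2 = 0, 1
    st = {"x": -1, "y": 0, "z": 0}        # constructed initial values, from the slide
    # T1: x++
    ins.read(T1, "x")
    st["x"] += 1
    ins.write(T1, "x", f"x={st['x']}")
    # T2: z = x + 1
    ins.read(T2, "x")
    st["z"] = st["x"] + 1
    ins.write(T2, "z", f"z={st['z']}")
    # T1: y = x + 1
    ins.read(T1, "x")
    st["y"] = st["x"] + 1
    ins.write(T1, "y", f"y={st['y']}")
    # T2: x++
    ins.read(T2, "x")
    st["x"] += 1
    ins.write(T2, "x", f"x={st['x']}")
    return ins.messages


if __name__ == "__main__":
    msgs = run_slide18_example()
    for label, i, v in msgs:
        print(f"<{label}, T{i + 1}, {v}>")
    for a, b in combinations(msgs, 2):
        if not relevant_causality(a, b) and not relevant_causality(b, a):
            print(f"{a[0]} and {b[0]} are concurrent: either order is a possible run")
```

Running it prints exactly the four messages of the slide, and the causality check derived from the theorem reports that e2 (z = 1) and e3 (y = 1) are unordered: that is the information the smart observer exploits, since the observed order of those two events is only one of the possible runs.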

Slide 19: Relevant Global State
- The program state after the events e_1^{k_1}, e_2^{k_2}, ..., e_n^{k_n} is called a relevant global multithreaded state, or simply a state.
- A state (k_1, k_2, …, k_n) is called consistent if and only if it can be seen in some possible run of the system.

Slide 20: Multithreaded Run
- e_1 e_2 … e_|R| is a multithreaded run iff it generates a sequence of global states K_0 K_1 … K_|R| such that
  - each K_r is consistent and
  - K_r after event e_r becomes K_{r+1} (consecutive states).

Slide 21: Computation Lattice
- We say K ⇝ K' when there is some run in which K and K' are consecutive states
- Consistent global states together with the transitive closure of ⇝ form a lattice
- Multithreaded runs are paths in the lattice

Slide 22: Example Revisited
(the two-thread program of slide 18 again: T1 { x++; ... y = x + 1; } and T2 { z = x + 1; x++; })

Slide 23: Monitoring Safety Formula
Safety formula: (x > 0) → [(y = 0), (y > z))_s

Computation lattice of the example; each state (k1, k2) is listed with its variable values, and each outgoing edge with the event taken:
- (0, 0): x = -1, y = 0, z = 0
  - e1: ⟨x=0, T1, (1, 0)⟩ → (1, 0)
- (1, 0): x = 0, y = 0, z = 0
  - e2: ⟨z=1, T2, (1, 1)⟩ → (1, 1)
  - e3: ⟨y=1, T1, (2, 0)⟩ → (2, 0)
- (1, 1): x = 0, y = 0, z = 1
  - e3: ⟨y=1, T1, (2, 0)⟩ → (2, 1)
  - e4: ⟨x=1, T2, (1, 2)⟩ → (1, 2)
- (2, 0): x = 0, y = 1, z = 0
  - e2: ⟨z=1, T2, (1, 1)⟩ → (2, 1)
- (2, 1): x = 0, y = 1, z = 1
  - e4: ⟨x=1, T2, (1, 2)⟩ → (2, 2)
- (1, 2): x = 1, y = 0, z = 1
  - e3: ⟨y=1, T1, (2, 0)⟩ → (2, 2)
- (2, 2): x = 1, y = 1, z = 1

Slide 24: Safety Violation in a Possible Run
Safety formula: (x > 0) → [(y = 0), (y > z))_s

The same lattice as on slide 23, with one of its runs violating the formula:
- (0, 0): x = -1, y = 0, z = 0
  - e1: ⟨x=0, T1, (1, 0)⟩ → (1, 0)
- (1, 0): x = 0, y = 0, z = 0
  - e2: ⟨z=1, T2, (1, 1)⟩ → (1, 1)
  - e3: ⟨y=1, T1, (2, 0)⟩ → (2, 0)
- (1, 1): x = 0, y = 0, z = 1
  - e3: ⟨y=1, T1, (2, 0)⟩ → (2, 1)
  - e4: ⟨x=1, T2, (1, 2)⟩ → (1, 2)
- (2, 0): x = 0, y = 1, z = 0
  - e2: ⟨z=1, T2, (1, 1)⟩ → (2, 1)
- (2, 1): x = 0, y = 1, z = 1
  - e4: ⟨x=1, T2, (1, 2)⟩ → (2, 2)
- (1, 2): x = 1, y = 0, z = 1
  - e3: ⟨y=1, T1, (2, 0)⟩ → (2, 2)
- (2, 2): x = 1, y = 1, z = 1

Slide 25: Talk Overview (agenda slide repeated)

Slide 26: Safety Against All Runs
- Number of possible runs can be exponential
- Traverse the state lattice level by level
  - Avoids analyzing an exponential number of runs
- Maintain a queue of events
  - Enqueue an event as soon as it arrives
  - Construct a new level from the set of states in the previous level and the events in the queue
- Monitor the safety formula against all states in a level using dynamic programming and intelligent merging.

Slide 27: Algorithm Pseudocode

    for each (e ∈ Q) {
        if exists s ∈ CurrentLevel s.t. isNextState(s, e) then
            NextLevel ← addToSet(NextLevel, createState(s, e));
        if isUnnecessary(s) then
            remove(s, CurrentLevel);
        if isEmpty(CurrentLevel) then {
            monitorAll(NextLevel);
            CurrentLevel ← NextLevel;
            NextLevel ← {};
            Q ← removeUnnecessaryEvents(CurrentLevel, Q);
        }
    }
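The level-by-level traversal of slides 26 and 27, run over the lattice of slides 23 and 24 with the formula (x > 0) → [(y = 0), (y > z))_s. This is an added Python example, not code from the slides or from JMPaX. It takes as constructed input the four messages of slide 18 (each extended with the write it carries) and assumes one reading of the strong interval operator [F, G)_s: F held at some state so far and G has been false at every state since, the current one included, which a single bit of monitor state can track. The function names (is_next_state, create_state, monitor_all_runs, monitor_observed_run) and the representation of "intelligent merging" as one witness run per distinct monitor state are mine.

```python
from typing import Dict, List, Tuple

Vec = Tuple[int, ...]
State = Tuple[int, ...]                   # (k_1, ..., k_n): relevant events consumed per thread
Valuation = Dict[str, int]
Message = Tuple[str, int, Vec, str, int]  # (label, thread i, V_i, written variable, new value)

# Constructed input: the four messages of slide 18, with the write each one carries.
MESSAGES: List[Message] = [
    ("e1", 0, (1, 0), "x", 0),
    ("e2", 1, (1, 1), "z", 1),
    ("e3", 0, (2, 0), "y", 1),
    ("e4", 1, (1, 2), "x", 1),
]
INITIAL: Valuation = {"x": -1, "y": 0, "z": 0}


def is_next_state(s: State, m: Message) -> bool:
    """e can follow s iff it is the next event of its own thread and every event it causally
    depends on (V[j] <= s[j] for j != i, by the theorem of slide 17) is already in s."""
    _, i, v, _, _ = m
    return s[i] == v[i] - 1 and all(v[j] <= s[j] for j in range(len(s)) if j != i)


def create_state(s: State, m: Message) -> State:
    return tuple(k + 1 if j == m[1] else k for j, k in enumerate(s))


# Monitor for phi = (x > 0) -> [F, G)_s with F = (y == 0) and G = (y > z).
def F(val: Valuation) -> bool:
    return val["y"] == 0


def G(val: Valuation) -> bool:
    return val["y"] > val["z"]


def interval_step(prev: bool, val: Valuation) -> bool:
    """Assumed semantics of [F, G)_s: G is false now, and either F holds now or the interval
    already held at the previous state. At the initial state pass prev=False."""
    return (not G(val)) and (F(val) or prev)


def phi_holds(val: Valuation, interval: bool) -> bool:
    return not (val["x"] > 0) or interval


Level = Dict[State, Tuple[Valuation, Dict[bool, List[str]]]]


def monitor_all_runs(messages: List[Message], initial: Valuation
                     ) -> Tuple[List[List[State]], List[Tuple[State, List[str]]]]:
    """Slide 27: build the lattice one level at a time from the event queue. Each lattice
    state keeps its valuation and, per distinct monitor state, one witness run; runs that
    reach the same state with the same monitor state are merged, not re-analysed."""
    start: State = (0,) * len(messages[0][2])
    current: Level = {start: (initial, {interval_step(False, initial): []})}
    levels: List[List[State]] = [list(current)]
    violations: List[Tuple[State, List[str]]] = []
    queue = list(messages)
    while current:
        nxt: Level = {}
        for s, (val, monitors) in current.items():
            for m in queue:
                if not is_next_state(s, m):
                    continue
                label, _, _, var, value = m
                val2 = dict(val)
                val2[var] = value
                # Writes to one variable are causally ordered, so every run reaching a
                # state yields the same valuation; the first one computed is kept.
                _, merged = nxt.setdefault(create_state(s, m), (val2, {}))
                for iv, run in monitors.items():
                    merged.setdefault(interval_step(iv, val2), run + [label])
        for s2, (val2, merged) in nxt.items():           # monitorAll(NextLevel)
            for iv2, run in merged.items():
                if not phi_holds(val2, iv2):
                    violations.append((s2, run))
        # removeUnnecessaryEvents: drop events that every state of the new level has consumed.
        queue = [m for m in queue if any(s2[m[1]] < m[2][m[1]] for s2 in nxt)]
        current = nxt
        if current:
            levels.append(list(current))
    return levels, violations


def monitor_observed_run(messages: List[Message], initial: Valuation) -> List[str]:
    """What a naive observer (slide 4) checks: the formula along the observed order only."""
    val, iv, bad = dict(initial), interval_step(False, initial), []
    for label, _, _, var, value in messages:
        val[var] = value
        iv = interval_step(iv, val)
        if not phi_holds(val, iv):
            bad.append(label)
    return bad


if __name__ == "__main__":
    levels, violations = monitor_all_runs(MESSAGES, INITIAL)
    print("lattice levels:", levels)
    print("observed run e1 e2 e3 e4 violates at:", monitor_observed_run(MESSAGES, INITIAL) or "nothing")
    for state, run in violations:
        print("violation in possible run", " ".join(run), "reaching state", state)
```

The observed run e1 e2 e3 e4 satisfies the formula at every state, so a naive observer reports nothing, while the traversal of the five levels (width 2, the w of slide 28) finds the possible run e1 e3 e2 e4: there y = x + 1 executes before z = x + 1, so (y > z) holds at state (2, 0) after the last state with y = 0, and when x becomes 1 at (2, 2) the interval is false. The merge at state (2, 1) is where the two paths with different monitor states meet and are carried forward as two bits rather than as two separate runs.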

Slide 28: Complexity
- Time complexity is O(w · 2^m · n)
  - w: width of the lattice
  - m: size of the formula
  - n: length of the run
- Memory used is O(w · 2^m')
  - w: width of the lattice
  - m': number of temporal operators in the formula
- Further optimizations
  - Consider a bounded width w of the queue Q

Slide 29: Reason for Efficiency
[Figure: global states s00, s11, s12, s21, s31, s32, s41 drawn first as separate runs and then as one lattice in which the states shared by several runs appear once]

Slide 30: JMPaX Architecture
[Figure with the components: Specification, Java multithreaded program, Bytecode Translator, Instrumented code, JVM, SpecificationImpl, Events, LTL monitor]

Slide 31: Further Applications
- Security policies as safety requirements, e.g. a formula over the predicates communicate(A, B, K), sendKey(S, (A, B), K) and requestKey(S, A, B) (the formula's operators are missing from the extracted slide)
- Predict safety violations efficiently!

Slide 32: Contributions
- Introduce a vector clock algorithm for multithreaded systems to capture relevant causality.
- Efficiently predict safety errors from successful runs.
- A modular implementation of the above ideas in an analysis tool, JMPaX.
- http://fsl.cs.uiuc.edu/jmpax/ for the JMPaX prototype.

Slide 33: Future Work
- Evaluate JMPaX on real, large applications
- Develop predictive algorithms for other requirements specification logics
- Consider a superset of the partial order to gain efficiency
- Find more scalable techniques that can fill the gap between model checking and testing
- Integrate with NASA Ames' Java PathExplorer tool (JPaX).