Computer-Aided Concurrent Programming€¦ · OverviewTrace SetsExplicit SynthesisImplicit...

Overview Trace Sets Explicit Synthesis Implicit Synthesis Conclusion

Computer-Aided Concurrent ProgrammingUsing Concurrent Trace Sets

Roopsha Samanta

IST Austria

Joint work with Pavol Cerný, Edmund M. Clarke, Ashutosh Gupta,Tom Henzinger, Arjun Radhakrishna, Leonid Ryzhyk and

Thorsten Tarrach

22 June, 2015

Roopsha Samanta Computer-Aided Concurrent Programming 1 / 32

Computer-aided Concurrent Programming

Basic Scheme

Synchronizationsynthesis engine

Incorrectconcurrent program C

Correctness criterion

Correctconcurrent program C′

Programmer:

Skips tricky synchronization

Ensures sequential correctness

Inserts synchronization

Ensures correct-by-completion

CEGIS Scheme

init: C′ = C

C′ correct?

Insert synchronization,eliminate cex, obtain new C′

init: C′ = C

C′ correct?

Obtain new C′:Synthesize synchronization to

eliminate error trace

Incorrect program C

Correctness criterion Correct program C′

Accelerated CEGIS Scheme

init: C′ = C

C′ correct?

init: C′ = C

C′ correct?

Obtain new C′:Synthesize synchronization to

eliminate error trace set

Incorrect program C

Correctness criterion Correct program C′

Cerný, Henzinger, Radhakrishna, Ryzhyk and Tarrach.Efficient Synthesis of Concurrency by Semantics-Preserving Transformations. CAV13

Concurrent Trace Sets and their Representation

Gupta, Henzinger, Radhakrishna, Samanta and Tarrach.Succinct Representation of Concurrent Trace Sets. POPL15

Concurrent Trace

globals: int balance, initial, withdrawal, deposit, withdrawaldone, depositdone;init: initial = balance, withdrawaldone = 0, depositdone = 0;

thread_withdraw:locals: int temp;TW[1]: temp := balance;TW[2]: balance := temp - withdrawal;TW[3]: withdrawaldone := 1;

thread_deposit:localvars: int temp;TD[1]: temp := balance;TD[2]: balance := temp + deposit;TD[3]: depositdone := 1;

thread_checkresult:TC[1]: if (depositdone = 1 and withdrawaldone = 1)TC[2]: assert (balance = initial + deposit - withdrawal);

Concurrent Trace

globals: int b, i, w, d, wd, dd;init: i = b, wd = 0, dd = 0;

thread_withdraw:locals: int temp;TW[1]: temp := b;TW[2]: b := temp - w;TW[3]: wd := 1;

thread_deposit:localvars: int temp;TD[1]: temp := b;TD[2]: b := temp + d;TD[3]: dd := 1;

thread_checkresult:TC[1]: if (dd = 1 and wd = 1)TC[2]: assert (b = i + d - w);

Concurrent Trace

globals: int b, i, w, d, wd, dd;init: i = b, wd = 0, dd = 0;thread_withdraw:locals: int temp;TW[1]: temp := b;TW[2]: b := temp - w;TW[3]: wd := 1;thread_deposit:localvars: int temp;TD[1]: temp := b;TD[2]: b := temp + d;TD[3]: dd := 1;thread_checkresult:TC[1]: if (dd = 1 and wd = 1)TC[2]: assert (b = i + d - w);

Valuations:(b, i, w, d, wd, dd, temp)

Concurrent Execution:(100, 100, 10, 20, 0, 0, 0)TW[1] : temp := b;(100, 100, 10, 20, 0, 0, 100)TW[2] : b := temp− w;(90, 100, 10, 20, 0, 0, 100)TW[3] : wd := 1;(90, 100, 10, 20, 1, 0, 0)TD[1] : temp := b;(90, 100, 10, 20, 1, 0, 90)TD[2] : b := temp + d;(120, 100, 10, 20, 1, 0, 90)TD[3] : dd := 1;(120, 100, 10, 20, 1, 1, 0)TC[1] : assume(dd = 1 and wd = 1);(120, 100, 10, 20, 1, 1, 0)TC[2] : assert(b = i + d− w);(120, 100, 10, 20, 1, 1, 0)

Concurrent Trace

Concurrent Trace, τ :TW[1] : temp := b;TW[2] : b := temp− w;TW[3] : wd := 1;TD[1] : temp := b;TD[2] : b := temp + d;TD[3] : dd := 1;TC[1] : assume(dd = 1 and wd = 1);TC[2] : assert(b = i + d− w);

Concurrent Trace Neighbourhood

Concurrent Trace Neighbourhood(τ ):{TW[1] : temp := b;TW[2] : b := temp− w;TW[3] : wd := 1;TD[1] : temp := b;TD[2] : b := temp + d;TD[3] : dd := 1;TC[1] : assume(dd = 1andwd = 1);TC[2] : assert(b = i + d− w); ,

TW[1] : temp := b;TD[1] : temp := b;TW[2] : b := temp− w;TD[2] : b := temp + d;TW[3] : wd := 1;TD[3] : dd := 1;TC[1] : assume(dd = 1 and wd = 1);TC[2] : assert(b = i + d− w); ,

The Good and the Bad

Good Neighbourhood(τ ):{TW[1] : temp := b;TW[2] : b := temp− w;TW[3] : wd := 1;TD[1] : temp := b;TD[2] : b := temp + d;TD[3] : dd := 1;TC[1] : assume(dd = 1 and wd = 1);TC[2] : assert(b = i + d− w); ,

TD[1] : temp := b;TD[2] : b := temp + d;TW[1] : temp := b;TW[2] : b := temp− w;TW[3] : wd := 1;TD[3] : dd := 1;TC[1] : assume(dd = 1 and wd = 1);TC[2] : assert(b = i + d− w); ,

The Good and the Bad

Bad Neighbourhood(τ ):{TD[1] : temp := b;TW[1] : temp := b;TW[2] : b := temp− w;TW[3] : wd := 1;TD[2] : b := temp + d;TD[3] : dd := 1;TC[1] : assume(dd = 1 and wd = 1);TC[2] : assert(b = i + d− w); ,

TW[1] : temp := b;TD[1] : temp := b;TW[2] : b := temp− w;TD[2] : b := temp + d;TW[3] : wd := 1;TD[3] : dd := 1;TC[1] : assume(dd = 1 and wd = 1);TC[2] : assert(b = i + d− w); ,

Trace Neighbourhoods as HB-formulas

Boolean combinations of happens-beforeordering constraints (hb) between events

globals: int i, w, d, b, dd, wd;init: i = b, dd = 0, wd = 0;thread_withdraw:locals: int temp;TW[1]: temp := b;TW[2]: b := temp - w;TW[3]: wd := 1;thread_deposit:localvars: int temp;TD[1]: temp := b;TD[2]: b := temp + d;TD[3]: dd := 1;thread_checkresult:TC[1]: if (dd = 1 and wd = 1)TC[2]: assert (b = i + d - w);

Bad Neighbourhood:φB = hb(TW[1],TD[2]) ∧ hb(TD[1],TW[2])

Good Neighbourhood:φG = hb(TD[2],TW[1]) ∨ hb(TW[2],TD[1])

Can express arbitrary concurrent trace setsIntuitively appealingCan drive diverse concurrency applicationsSuccinct

HB-formula Generation by TARA

Iterations Total time Size of φBName #P/#I #π/#Disj. Alg.1 Alg.2 Alg.1 Alg.2 Alg.1 Alg.2reorder_2 2/3 2/2.0 1 1 18ms 28ms 1/2.0 1/2.0define_use 2/4 2/2.0 1 1 15ms 22ms 1/2.0 1/1.0em28xx 2/8 4/2.0 1 1 16ms 25ms 1/2.0 1/1.02stage 2/8 5/1.4 8 1 26ms 32ms 8/3.8 1/2.0drbd_receiver 2/9 5/1.6 40 1 42ms 28ms 40/3.9 1/1.0locks 3/8 10/1.6 12 2 27ms 37ms 12/5.5 2/4.0md 3/11 4/1.8 40 1 76ms 33ms 40/6.1 1/1.0lazy01 3/12 6/3.7 2 2 31ms 57ms 2/3.0 2/2.0locks_hb 4/13 10/2.2 >29.0k 7 TO 119ms TO 6/3.0lc_rc 4/14 8/2.0 4.6k 1 21.4s 37ms 4.6k/16.7 1/1.0barrier_locks 3/18 17/2.6 10.6k 6 1.4min 521ms 10.6k/10.0 4/1.5stateful01 3/19 10/3.4 2.3k 2 10.5s 84ms 2.3k/9.4 2/1.0loop 2/38 14/2.7 2 1 38ms 72ms 2/3.0 1/2.0i2c_hid 2/42 26/4.5 >23.4k 3 TO 615ms TO 3/1.3read_write_lock 4/22 16/3.4 9.2k 4 1.6min 319ms 9.2k/16.1 4/3.0fib_bench 3/39 24/3.6 >20.5k 2 TO 2.3s TO 2/10.0rtl8169-1 7/71 22/2.7 >20.4k 1 TO 111ms TO 1/2.0rtl8169-2 7/116 41/2.3 >7.3k 1 TO 463ms TO 1/1.0rtl8169-5 7/134 48/3.1 >5.5k 1 TO 1.5s TO 1/1.0rtl8169-4 7/142 48/3.0 >8.4k 9 TO 3.8s TO 2/1.0rtl8169-6 7/144 52/2.9 >8.1k 1 TO 887ms TO 1/1.0usb_serial-1 7/151 87/3.7 >5.5k 1 TO 1.9s TO 1/1.0usb_serial-2 7/163 93/3.6 >4.4k 3 TO 4.4s TO 1/1.0usb_serial-3 7/178 100/3.7 >4.3k 1 TO 2.1s TO 1/1.0rtl8169-3 8/174 61/3.6 >4.2k 2 TO 2.7s TO 1/1.0

Synchronization SynthesisExplicit Specifications (Assertions)

Gupta, Henzinger, Radhakrishna, Samanta and Tarrach.Succinct Representation of Concurrent Trace Sets. POPL15

init: C′ = C

C′ correct?

init: C′ = C

C′ correct?

Obtain new C′:Insert synchronization toeliminate error trace set

Incorrect program C

Assertions Correct program C′

Solution Sketch

Identify HB-formula patterns for synch. primitivesFormulate rewrite rulesRepeatedly rewrite patterns in φG into synch. primitives

TARA Scheme

init: C′ = C

C′ correct?

Generalize cex into HB-formula

Rewrite HB-formula into synch.primitives using patterns

Apply fixes to obtain new C′

init: C′ = C

C′ correct?

Generalize cex into HB-formula

Rewrite HB-formula into synch.primitives using patterns

Apply fixes to obtain new C′

Incorrect program C

Assertions Correct program C′

Example

Good neighbourhood:hb(TD[2],TW[1]) ∨ hb(TW[2],TD[1])

Example

globals: int b, i, w, d, wd, dd,;init: i = b, wd = 0, dd = 0;thread_withdraw:locals: int temp;TW[1]: temp := b;TW[2]: b := temp - w;TW[3]: wd := 1;thread_deposit:localvars: int temp;TD[1]: temp := b;TD[2]: b := temp + d;TD[3]: dd := 1;thread_checkresult:TC[1]: if (dd = 1 and wd = 1)TC[2]: assert (b = i + d - w);

Good neighbourhood:

hb(TD[2],TW[1]) ∨ hb(TW[2],TD[1])

Lk(TD[1 : 2],TW[1 : 2]

Rewrite Rules

LocksWait-notifyShared exclusive locksMultithreaded locksBarriersMultithreaded barriersMerging locks (to avoid deadlocks)

Synchronization SynthesisImplicit Specifications

Cerný, Clarke, Henzinger, Radhakrishna, Ryzhyk, Samanta and Tarrach.From Non-preemptive to Preemptive Scheduling using Synchronization Synthesis.

Friendly and Aggressive Schedulers

Friendly ≈ Non-preemptiveThread descheduled only if it yields controle.g., blocking operations

Aggressive ≈ PreemptiveThread can be descheduled at any point

Programmer ensures correctness under friendly scheduler

Target Scenario

Module with interfaces

Observations: calls to interfaces

Implicit specification:Observation sequences underfriendly scheduler, [[C]]F

globals: int open := 0;

void open_dev()if (open==0)

power_up();open := open+1;yield;

void close_dev()if (open>0)

open := open-1;if (open==0)

power_down();yield;

Implicit Specification

[[C]]F :

power_up()power_down()power_up()power_down()

open = 0

init: open := 0;

T1:void open_dev()

−→ if (open==0)power_up();

open := open+1;yield;

void close_dev()if (open>0)open := open-1;if (open==0)

power_down();yield;

T2:void open_dev()

power_down();yield;

[[C]]F :

open = 0

init: open := 0;

T1:void open_dev()

power_down();yield;

T2:void open_dev()

power_down();yield;

[[C]]F :

power_up()

power_down()power_up()power_down()

open = 0

init: open := 0;

T1:void open_dev()if (open==0)

−→ power_up();open := open+1;yield;

power_down();yield;

T2:void open_dev()

power_down();yield;

[[C]]F :

power_up()

open = 1

init: open := 0;

T1:void open_dev()if (open==0)power_up();

−→ open := open+1;yield;

power_down();yield;

T2:void open_dev()

power_down();yield;

[[C]]F :

power_up()

open = 1

init: open := 0;

open := open+1;−→ yield;

power_down();yield;

T2:void open_dev()

power_down();yield;

[[C]]F :

power_up()

open = 1

init: open := 0;

void close_dev()−→ if (open>0)

power_down();yield;

T2:void open_dev()

power_down();yield;

[[C]]F :

power_up()

open = 2

init: open := 0;

power_down();yield;

[[C]]F :

power_up()

open = 2

init: open := 0;

power_down();yield;

[[C]]F :

power_up()

open = 2

init: open := 0;

power_down();yield;

[[C]]F :

power_up()

open = 1

init: open := 0;

−→ open := open-1;if (open==0)

power_down();yield;

[[C]]F :

power_up()

open = 1

init: open := 0;

void close_dev()if (open>0)open := open-1;

−→ if (open==0)power_down();

yield;

power_down();yield;

[[C]]F :

power_up()

open = 1

init: open := 0;

power_down();−→ yield;

power_down();yield;

[[C]]F :

power_up()

open = 1

init: open := 0;

T1:void open_dev()

power_down();yield;

[[C]]F :

power_up()

open = 0

init: open := 0;

T1:void open_dev()

power_down();yield;

−→ open := open-1;if (open==0)

power_down();yield;

[[C]]F :

power_up()

open = 0

init: open := 0;

T1:void open_dev()

power_down();yield;

void close_dev()if (open>0)open := open-1;

−→ if (open==0)power_down();

yield;

[[C]]F :

power_up()power_down()

open = 0

init: open := 0;

T1:void open_dev()

power_down();yield;

−→ power_down();yield;

[[C]]F :

power_up()power_down()

open = 0

init: open := 0;

T1:void open_dev()

power_down();yield;

power_down();−→ yield;

[[C]]F :

power_up()power_down()power_up()

power_down()...

init: open := 0;

power_down();yield;

[[C]]F :

init: open := 0;

power_down();yield;

[[C]]F :

init: open := 0;

power_down();yield;

Correctness Criterion: Preemption-safety

Given C and C′ obtained by inserting synchronization to C,C′ is preemption-safe w.r.t. C if: [[C′]]A ⊆ [[C]]F .

Back to our Example

[[C]]A :

power_up()power_up()

6∈ [[C]]F

C is not preemption-safe

open = 0

init: open := 0;

T1:void open_dev()

power_down();yield;

T2:void open_dev()

power_down();yield;

Back to our Example

[[C]]A :

6∈ [[C]]F

open = 0

init: open := 0;

T1:void open_dev()

power_down();yield;

T2:void open_dev()

power_down();yield;

Back to our Example

[[C]]A :

6∈ [[C]]F

open = 0

init: open := 0;

power_down();yield;

T2:void open_dev()

power_down();yield;

Back to our Example

[[C]]A :

power_up()

power_up()...

6∈ [[C]]F

open = 0

init: open := 0;

power_down();yield;

Back to our Example

[[C]]A :

power_up()

power_up()...

6∈ [[C]]F

open = 1

init: open := 0;

power_down();yield;

Back to our Example

[[C]]A :

power_up()

power_up()...

6∈ [[C]]F

open = 1

init: open := 0;

power_down();yield;

Back to our Example

[[C]]A :

6∈ [[C]]F

open = 1

init: open := 0;

power_down();yield;

Back to our Example

[[C]]A :

6∈ [[C]]F

open = 2

init: open := 0;

power_down();yield;

Back to our Example

[[C]]A :

6∈ [[C]]F

open = 2

init: open := 0;

power_down();yield;

Back to our Example

[[C]]A :

6∈ [[C]]F

init: open := 0;

power_down();yield;

Back to our Example

[[C]]A :

6∈ [[C]]F

init: open := 0;

power_down();yield;

Abstraction for Efficiency

globals: int open := 0;

void open_dev()[1]: if (open==0)[2]: power_up();[3]: open := open+1;[4]: yield;

void close_dev()[5]: if (open>0)[6]: open := open-1;[7]: if (open==0)[8]: power_down();[9]: yield;

void open_dev_abs()[1]: (A) r open;

if (*)[2]: (B) w dev;[3]: (C) r open;

(D) w open;[4]: yield;

void close_dev_abs()[5]: (E) r open;

if (*)[6]: (F) r open;

(G) w open;[7]: (H) r open;

if (*)[8]: (I) w dev;[9]: yield;

Correctness Criterion under Abstraction

Observations:Type of access to memory locations and branching choices

Classical independence relation I:Accesses to different locations are independentRead accesses to the same location are independent

Observational equivalence of abstract traces:Equality modulo I

Correctness criterion: Preemption-safety

Soundness of Abstraction

Preemption-safety under abstraction⇒ Preemption safety

Precision of Abstraction?

[[C]]AABS :

(T1.A) r open(T2.A) r open(T1.B) w dev(T1.C) r open(T1.D) w open(T2.B) w dev(T2.C) r open(T2.D) w open

6∈ [[C]]FABS

C is not preemption-safeunder abstraction

T1:void open_dev_abs()(A) r open;

if (*)(B) w dev;

(C) r open;(D) w open;yield;

void close_dev_abs()(E) r open;

if (*)(F) r open;(G) w open;(H) r open;if (*)

(I) w dev;yield;

T2:void open_dev_abs()(A) r open;

if (*)(B) w dev;

(C) r open;(D) w open;yield;

void close_dev_abs()(E) r open;

if (*)(F) r open;(G) w open;(H) r open;if (*)

(I) w dev;yield;

Brief note on the rest

Abstract semantics to automata

Preemption-safety to language inclusion modulo IKnown to be undecidable

We define k -bounded language inclusion modulo IAnd develop decision procedure

Abstract semantics to automataPreemption-safety to language inclusion modulo I

Known to be undecidable

We define k -bounded language inclusion modulo IAnd develop decision procedure

Abstract semantics to automataPreemption-safety to language inclusion modulo I

Known to be undecidableWe define k -bounded language inclusion modulo I

And develop decision procedure

LISS Scheme

init: C′ = C

k -boundedlang. inclusion?

Cex spurious?

Obtain new C′ ([POPL15]) k = k + 1

init: C′ = C

k -boundedlang. inclusion?

Cex spurious?

Obtain new C′ ([POPL15]) k = k + 1

No Yes

Incorrect C

Preemption-safety Correct C′

Evaluated on device driver benchmarks

LISS detected and eliminated all but two known racesIncluding one that we previously missed (missing assertion)

Our abstraction turned out highly efficientOur abstraction turned out very precise

Evaluated on device driver benchmarksLISS detected and eliminated all but two known races

Including one that we previously missed (missing assertion)

Our abstraction turned out highly efficient

Our abstraction turned out very precise

Experiments

Name LOC Th It MB BF(s) Syn(s) Ver(s) CR(s)ex1.c 18 2 1 1 <1s <1s <1s <1sex2.c 23 2 1 1 <1s <1s <1s <1sex3.c 37 2 1 1 <1s <1s <1s <1sex5.c 42 2 3 1 <1s <1s 2s <1slc-rc.c 35 4 0 1 - - <1s 9sdv1394.c 37 2 1 1 <1s <1s <1s 17sem28xx.c 20 2 1 1 <1s <1s <1s <1sf_acm.c 80 3 1 1 <1s <1s <1s 1871.99si915_irq.c 17 2 1 1 <1s <1s <1s 2.6sipath.c 23 2 1 1 <1s <1s <1s 12siwl3945.c 26 3 1 1 <1s <1s <1s 5smd.c 35 2 1 1 <1s <1s <1s 1.5smyri10ge.c 60 4 2 1 - - <1s 1.5susb-serial.bug1.c 357 7 2 1 0.4s 3.1s 3.4susb-serial.bug2.c 355 7 1 3 0.7s 2.1s 12.9s 3563susb-serial.bug3.c 352 7 1 4 3.8s 1.3s 111.1susb-serial.bug4.c 351 7 1 4 93.9s 2.4s 123.1susb-serial.c 357 7 1 4 - - 103.2s 1200s

Experiments

Name LOC Th It MB BF(s) Syn(s) Ver(s) CR(s)cpmac.bug1.c 1275 5 1 1 1.3s 113.4s 21.9s -cpmac.bug2.c 1275 5 1 1 3.3s 68.4s 27.8s -cpmac.bug3.c 1270 5 1 1 5.4s 111.3s 8.7s -cpmac.bug4.c 1276 5 2 1 2.4s 124.8s 31.5s -cpmac.bug5.c 1275 5 1 1 2.8s 112.0s 58.0s -cpmac.c 545 5 1 1 - - 17.4s -

Conclusion

A method and a tool TARA for succinct representations oftrace neighbourhoods.

Synchronization synthesis (explicit specifications)Bug summarizationCEGAR acceleration

A method and a tool LISS for synchronization synthesisfrom implicit specificationsOngoing work: Quality of synthesized solution

Deadlock-freedomValid locksPeformance

Computer-Aided Concurrent Programming€¦ · OverviewTrace SetsExplicit SynthesisImplicit...

Documents

Computer-Aided Design / Computer-Aided …...MEE430,KIM,ME,NIU Computer-Aided Design and Computer-Aided Manufacturing and Applications with Pro/E, 4th Edition, Meung J. Kim., 2013,

Computer Aided Design & Computer Aided Manufacturing Lab

CAD/CAM/CAE Computer Aided Design/Computer …CAD/CAM/CAE Computer Aided Design/Computer Aided Manufacturing/Computer Aided Manufacturing Part-9 CNC Fundamentals CNC Fundamentals All

ME6501 COMPUTER AIDED DESIGN L T P C 3 0 0 3 OBJECTIVES ... · Product cycle- Design process- sequential and concurrent engineering- Computer aided design – CAD system architecture-

Computer Aided Instruction

Unified Interdisciplinary Methodology for Concurrent and ... › items › d2daf4b6-3e2... · Foundations of Computer-aided Process Design, reprinted in Computer-Aided Chemical Engineering,

IE433 CAD/CAM Computer Aided Design and Computer Aided ...libvolume8.xyz/textile/btech/semester8/cadandcamintextiles/algorit…IE433 CAD/CAM Computer Aided Design and Computer Aided

Computer aided design computer aided manufacture (cad-cam)

Computer Aided

Introduction to Computer-Aided Designgn.dronacharya.info/MIEDept/Downloads/Questionpapers/VIISem/CA… · Computer-Aided Design UNIT 1 & 2 . Computer-Aided Design (CAD) Use of computer

Ken Youssefi Mechanical Engineering department 1 Introduction to Concurrent Engineering Computer Aided Design (CAD) Computer Aided Manufacturing (CAM)

Computer Aided Ppt

COMPUTER AIDED DRAFTING & DESIGN - Autry …autrytech.edu/.../2017/03/Computer-Aided-Drafting-Design_16_17_6.… · COMPUTER AIDED DRAFTING & DESIGN ... toys, toasters, industrial

Computer Aided Manufacturing

Computer Aided Draughting

Technology - Quia · Web viewcomputer-aided design computer-aided dimensioning computer-aided drawing computer-aided decision making A short word which, when entered, causes the computer

Introduction to Computer Aided Process Planning. Computer Integrated Manufacturing (CIM) Computer Aided Design (CAD) –2D –3D –Concurrent Engineering Computer

Integrating Computer Aided Design and Computer Aided Process

Computer aided engineering

Digital Value Chain. Computer Aided Applications CAD – Computer Aided Drafting CAD – Computer Aided Design CAID – Computer Aided Industrial Design CAE