Thread-Modular Verification - PowerPoint PPT Presentation

About This Presentation
Title: Thread-Modular Verification
Description: For all inputs and all interleavings, program behaves 'correctly' ... applied to Mercator (Heydon-Najork) verified Mercator's readers-writer lock class ... – PowerPoint PPT presentation
Number of Views: 26
Avg rating: 3.0/5.0
Slides: 16
Provided by: cadg2
Learn more at: http://research.microsoft.com
Transcript and Presenter's Notes

1
Thread-Modular Verification
  • Shaz Qadeer
  • Joint work with
  • Cormac Flanagan
  • Stephen Freund

2
Calvin project
  • Check properties of systems code
    • operating systems kernel, file systems, ...
  • Apply to multithreaded programs
    • deadlocks, data races, ...
    • manifest in variety of ways
    • hard to recognize, locate, fix
  • For all inputs and all interleavings, program behaves correctly
    • no deadlocks, no races, invariants hold

3
Thread-modular verification
  • Modular
    • each thread verified separately
    • leverage techniques for reasoning about sequential programs
  • Expressive
    • handles variety of synchronization mechanisms
  • Low annotation overhead
    • many fewer annotations than the Owicki-Gries-Lamport method

4
SimpleLock program
  • Mutex lock
  • Verify that the assert never fails

5
Owicki-Gries-Lamport method
  • Sequential correctness
    • {pre(X)} X {post(X)}
  • Non-interference
    • {pre(Y) and pre(X)} Y {pre(X)}

6
Why is Thread1 correct?
A_i ≡ (mx = i ⇒ mx′ = i ∧ x′ = x)
Thread1 view
1-abstraction

7
Why is Thread2 correct?
A_i ≡ (mx = i ⇒ mx′ = i ∧ x′ = x)
Thread2 view
2-abstraction

[Diagram: the thread's steps acq(mx); x := 0; assert x == 0; rel(mx), with environment steps A1 interleaved between them]

8
Assume-guarantee reasoning
  • Environment assumption (A_t)
    • expectation on every step taken by other threads
  • Guarantee (G_t)
    • conjunction of assumptions of other threads
  • Translate thread t into sequential t-abstraction
    • assume A_t satisfied by steps of other threads
    • prove G_t satisfied by each step of thread t
    • check using sequential techniques
  • Parallel program correct, if all sequential t-abstractions are correct
    • circularity resolved by induction over time
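The t-abstraction check described on this slide, as an added example in Python (not code from the slides or from the Calvin project): thread t's body is assumed to be the SimpleLock program of slides 4 to 7, acq(mx); x := 0; assert x == 0; rel(mx), the environment assumption is A_i from slide 6, and the shared variable x is restricted to {0, 1} to keep the state space finite. The skip_lock flag is a constructed buggy variant that drops the acq, so that both the assert check and the guarantee check fail.

```python
from itertools import product

THREADS = (1, 2)
MX_VALUES = (0,) + THREADS  # 0 = lock free, otherwise id of the owning thread
X_VALUES = (0, 1)           # tiny finite domain for the shared variable x

def assumption(i, s, s2):
    """A_i (slide 6): while thread i holds mx, no other thread changes mx or x."""
    (mx, x), (mx2, x2) = s, s2
    return mx != i or (mx2 == i and x2 == x)

def guarantee(t, s, s2):
    """G_t: conjunction of the other threads' assumptions (slide 8)."""
    return all(assumption(j, s, s2) for j in THREADS if j != t)

def thread_step(t, pc, s, skip_lock=False):
    """One step of thread t's (assumed) body; None when not enabled or finished."""
    mx, x = s
    if pc == 0:                       # acq(mx): blocks unless the lock is free
        if skip_lock:                 # constructed buggy variant: skip the acq
            return 1, s
        return (1, (t, x)) if mx == 0 else None
    if pc == 1:                       # x := 0
        return 2, (mx, 0)
    if pc == 2:                       # assert x == 0 (checked in check_abstraction)
        return 3, s
    if pc == 3:                       # rel(mx)
        return 4, (0, x)

def check_abstraction(t, skip_lock=False):
    """Explore the t-abstraction: env steps obey A_t, t's own steps must obey G_t."""
    init = (0, (0, 0))                # (pc, (mx, x)): lock free, x == 0
    seen, todo, bad = {init}, [init], []
    while todo:
        pc, s = todo.pop()
        if pc == 2 and s[1] != 0:
            bad.append(f"thread {t}: assert x == 0 fails with mx={s[0]}, x={s[1]}")
        # environment steps: any transition permitted by A_t, pc unchanged
        successors = [(pc, s2) for s2 in product(MX_VALUES, X_VALUES)
                      if assumption(t, s, s2)]
        step = thread_step(t, pc, s, skip_lock)
        if step is not None:
            if not guarantee(t, s, step[1]):
                bad.append(f"thread {t}: step at pc={pc} violates G_{t}")
            successors.append(step)
        new = [n for n in successors if n not in seen]
        seen.update(new)
        todo.extend(new)
    return bad
```

Both check_abstraction(1) and check_abstraction(2) return no violations, so by the theorem on slide 10 the parallel program is correct; with skip_lock=True the environment may change x between the write and the assert, and the unprotected write itself breaks A_2.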

9
Summary of method

[Diagram: Thread1 is translated to its 1-abs, Thread2 to its 2-abs, ..., Threadn to its n-abs; each t-abs is checked by ESC/Java, which answers yes.]

10
Thread-modular verification theorem
  • If each t-abstraction of P is correct, then P is correct.
  • Generalize to invariant checking
    • want to show validity of data invariants
    • if no t-abstraction violates invariant I, then P does not violate invariant I

11
Thread-modular verification in practice
A_i ≡ (mx = i ⇒ mx′ = i ∧ x′ = x)
  • Assumptions parameterized by thread id
  • Assumptions reflexive and transitive
  • Scales with complexity of synchronization patterns, not size of program

12
Frangipani (Thekkath-Mann-Lee)
  • block is not allocated to inode
  • block allocated to inode

[Diagram: two states of an inode and a block, with mutexes m_inode and m_busy. Block not allocated: inode.block = null, block.busy = false, block.data = 0. Block allocated: inode.block points to the block, block.busy = true, block.data = 52.]

13
Frangipani
  • Assumption for thread i

14
Current status
  • Theory understood
  • Built prototype for Java with Seshia
    • applied to Mercator (Heydon-Najork)
    • verified Mercator's readers-writer lock class
    • checked the code of worker threads and checkpointing thread
  • Thread-modular verification with method calls across abstraction boundaries, with Flanagan and Seshia

15
Related work
  • Owicki-Gries axiomatic semantics
    • replace control predicates with environment assumption
  • Assume-guarantee decomposition
    • Abadi-Lamport 95, Jones 83, ...
    • designed proof system to leverage automated verification tools like ESC/Java
  • RCC/Java, Warlock (Sterling), ESC/Java
    • explicate simple locking strategy
    • cannot easily express other idioms
      • data invariants