1 / 38

M.S. Defense

Tool-support for Invariant-based Specification, Synthesis, and Verification of Synchronization in Concurrent Java Programs. M.S. Defense. William Deng. Department of Computing and Information Sciences Kansas State University. http://www.cis.ksu.edu/saves.

kaemon
Download Presentation

M.S. Defense

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tool-support for Invariant-based Specification, Synthesis, and Verification of Synchronization in Concurrent Java Programs M.S. Defense William Deng Department of Computing and Information Sciences Kansas State University http://www.cis.ksu.edu/saves

  2. I.Provide high-level, modular specification of global synchronization aspects … powerful, yet easy to use … formal specification via global invariants … language of composable invariant patterns … integrated with UML/RUP II.Automatic derivation and weaving of synchronization code … multiple language and synchronization targets (Java, C++, monitors, semaphores, etc.) … weaving & optimization via abstract interpretation and program specialization techniques III. Automatic verification of critical safety and liveness properties of woven embedded code … built on previous DARPA work –Bandera environment … domain-specific model-checking engines Goals of the Project IV.Evaluation using Boeing BOLDSTROKE platform and military networking target vehicle electronics (CDA101)

  3. I.Provide high-level, modular specification of global synchronization aspects … Designed web pages to guide users in synchronization specification … Implemented formula & pattern-based specification language II.Automatic derivation and weaving of synchronization code … Designed and implemented translation from specifications to coarse-grain solution … Designed and implemented an approach for specific synchronization … Implemented translation to Java fine-grain solution … Implemented language-independent weaving process III. Automatic verification of critical safety and liveness properties of woven embedded code … Designed and implemented bounded counter version (coarse & fine grain) My Contributions

  4. Intermediate Representation Generator Fine-grain Java Representation Generator .java + guarded commands .java .java PVS .java .java + .java .java Core code Synchronization aspect SyncGen Tool Architecture Both coarse-grain and fine-grain solutions are synthesized automatically + Invariant

  5. UML Tools Functional Core Code Functional Core Code Templates Template Instantiation Solver/ Prover (Java, C++, …) (Java, C++, …) Traditional Development Environment Synchronization Aspect Specification Tool Intermediate Representation Generator Synchronization Aspect Back-end Fine-grain solution Course-grain solution Invariant & Region tags Bandera Analysis & Transformation Code Weaver Safety Properties Specialization Engine Liveness Properties Bandera Optimized Woven Code Finite State Models SyncGen Context

  6. Outline • Coarse-grain solution generation • Guards • Formula-based • Pattern-based • Notification • Formula/Pattern-based • Specific synchronization • Bounded Counter Version • Open Issues • Conclusion

  7. Resource(RG,1,RR ,1,0) Gyroscope Value Produce Consume Consume Produce Empty Buffer Slot Resource(RR,1,RG ,1,1) Exclusion(RG,RR) Gyroscope/Rudder Synchronization RG RR Buffer Rudder Controller Gyroscope Controller Invariant: Resource(RG,1,RR ,1,0) + Resource(RR,1,RG ,1,1) + Exclusion(RG,RR)

  8. Invariant: Resource(RG,1,RR,1,0) + Resource(RR,1,RG,1,1) + Exclusion(RG,RR) …consumer in …producer out Desugared Invariant: (R_in <= G_out) && (G_in <= R_out + 1) && ((G_in == G_out) || (R_in == R_out)) Coarse-grain Solution for Guards--- Formula-based Generation R_in <= G_out Resource(RG,1,RR,1,0) G_in <= R_out + 1 Resource(RR,1,RG,1,1) Exclusion(RG,RR) (G_in == G_out) || (R_in == R_out)

  9. <await B -> G_in++> Step 1: generate weakest-precondition(G_in++,I) Substitute G_in+1 for G_in Generating Coarse-grain Solution …invariantI holdshere G_in++ …want I to hold here Task: generate a condition B that ensures that I holds after counter increment. (R_in <= G_out) && (G_in <= R_out + 1) && ((G_in == G_out) || (R_in == R_out)) (R_in <= G_out) && (G_in+1 <= R_out + 1) && ((G_in+1 == G_out) || (R_in == R_out))

  10. Example: 1. (R_in <= G_out) && (G_in+1 <= R_out+1) && (G_in+1 == G_out) || (R_in <= G_out) && (G_in+1 <= R_out+1) && (R_in == R_out) 2. (R_in <= G_out) && (G_in+1 <= R_out+1) && (R_in == R_out) 3. (G_in+1 <= R_out+1) && (R_in == R_out) Generating Coarse-grain Solution Step 2: simplify using decision procedures Main point: fine a smaller B’ such that B’ && I && A <==>B && I && A. • Convert to disjunctive normal form • Eliminate disjuncts that are can never be satisfied using decision procedures • Minimize remaining conjuncts using decision procedures

  11. Generating Coarse-grain Solution Step 2.1: convert to disjunctive normal form (R_in <= G_out) && (G_in+1 <= R_out + 1) && ((G_in+1 == G_out) || (R_in == R_out)) (R_in <= G_out) && (G_in+1 <= R_out+1) && (G_in+1 == G_out) || (R_in <= G_out) && (G_in+1 <= R_out+1) && (R_in == R_out)

  12. Generating Coarse-grain Solution Step 2.2: eliminate unsatisfiable disjuncts Intuition: before entrance to region, we know I holds and we know that A holds where A represents some basic properties on counters A = R_in >= 0 && R_out >= 0 && R_in >= R_out && G_in >= 0 && G_out >= 0 && G_in >= G_out For each disjunct D_k, ask theorem prover to check not(I && A && D_k). If return is truethen D_k can be eliminated. (R_in <= G_out) && (G_in+1 <= R_out+1) && (G_in+1 == G_out) || (R_in <= G_out) && (G_in+1 <= R_out+1) && (R_in == R_out) (R_in <= G_out) && (G_in+1 <= R_out+1) && (R_in == R_out)

  13. Generating Coarse-grain Solution Step 2.3: minimize remaining disjuncts Some of conjuncts in the remaining disjuncts are redundant. For each C_k in D_j, if (I && A && (D_j – C_k) => C_k) then C_k can be removed. (R_in <= G_out) && (G_in+1 <= R_out+1) && (R_in == R_out) (G_in+1 <= R_out+1) && (R_in == R_out)

  14. Generating Coarse-grain Solution Pattern Based Approach Apply the process for each pattern: For pattern P(R_1,R_2,…,R_n)

  15. Generating Coarse-grain Solution Bound Apply the process for Bound pattern: Bound(R,n): I =In – Out <= n

  16. Generating Coarse-grain Solution Exclusion Apply the process for Exclusion pattern: Exclusion(R_1,R_2,…,R_n): I = ÇC 2 Comb(n, n-1) (Æi 2 C (In_i - Out_i == 0))

  17. Generating Coarse-grain Solution Resource Apply the process for Resource pattern: Resource(R_p,N_p,R_c,N_c,n):I = In_c*N_c – Out_p*N_p <= n

  18. Invariant: P_1(……) + P_2(……) + ... + P_n(……) Generating Coarse-grain Solution--- Building Guards From Relevant Patterns Each pattern instance contributes a portion of the guard Intuitively, if R does not appear in P_i, then B_i is true Counter++ <await B_1 && B_2 && … && B_n -> Counter++> R wp(S,I_1 &&…&&I_n) = wp(S,I_1) && … wp(S,I_n) Why this is correct?

  19. Compared with result generated by formula Example: the entry of gyroscope region B_1 = true B_2 = G_in-R_out <=0 B_3 = R_in == R_out Generating Coarse-grain Solution Pattern Based Approach <await B -> G_in++> G_in++ Resource(RG,1,RR ,1,1,0) Resource(RR,1,RG ,1,1) Exclusion(RG,RR) B = B_1 && B_2 && B_3 = G_in – R_out <= 0 && R_in == R_out B’ = (G_in+1 <= R_out+1) && (R_in == R_out)

  20. Assessment • In essence, we have performed the formula-based calculation statically to create guard schemas which are then instantiated when a pattern is used • Efficientno need to call DP, convert to DNF, etc. • Easy to optimizefor example: for Bound(R,1), the guard of the entry of R should be in +1 <= out +1 generated by formula; in == out by pattern.

  21. Notification Information If a counter C_1 increment can cause an await statement A transition from false to true, then there should be a notify/notifyall issue to A. A: <await B_2 -> C_2++> B: {P}C_1++{Q} Observation: we can calculate Q as the strong postcondition: sp(C_1++,P); P can be I&&G (G is the guard of B). Thus if Q implies B_2, we should issue notify/notifyall.

  22. Notification Information Example: Readers/Writers Problem Reader Entry <await In_w - Out_w == 0 -> In_r ++> Reader Exit { In_w - Out_w == 0 && In_r - Out_r >= 1 } <Out_r++> { In_w - Out_w == 0 && In_r - Out_r >= 0 } Notify reader entry? Notify writer entry Writer Entry <await In_w - Out_w == 0 && In_r - Out_r == 0 -> In_w ++> Writer Exit { In_w - Out_w == 1 && In_r - Out_r == 0 } <Out_w++> { In_w - Out_w == 0 && In_r - Out_r == 0 } Notify writer entry Notifyall reader enter

  23. Notification Information We want to decide the notification information from S_2 to S_1 P_1 P_2 Not (P_2 implies P_1) If Q_2 implies P_1 Then S_2 needs to notify S_1 S_2 S_1 Q_2 = sp(S_2, P_2) Generalize sp to spn(S_2,P_2) Q_1 Q_2 If exists n s.t. spn(S_2,P_2) implies P_1 Then S_2 should notify/notifyall S_1.

  24. Formalize notifyall (from S_2 to S_1): Notifyall vs. Notify Three cases for Notifyall: Three cases for Notify: • Resource(R_p,3,R_c,1,0):one enables three. • Resource(R_p,3,R_c,2,0):two enables three. • Exclusion(R_1,…,R_n):when (In_i – Out_i == 0)… Writer exit to writer entry in Readers/writers:one enables one. Resource(R_p,1,R_c,3,0):three enables one. Group(R1,1,…,Rn,Nn):Ni enables one for R1… Cases 1 and 2 are normal: Case 3 is sort of burst:

  25. Notification Information Generation for Bound Exit Entry P_1 = In_B–Out_B<=n-1 P_2 = In_B–Out_B<=n Out_B++ Not (P_2 implies P_1) In_B++ Q_2 implies P_1 Q_1 = In_B–Out_B<=n Q_2 = In_B–Out_B<=n-1 …belongs to the case 1 of notify (one out let one enter). Thus a notify from the exit to the entry.

  26. Notification Information for Exclusion Pattern Exclusion(R_1,R_2,…,R_n):

  27. Notification Information for Resource Pattern For pattern Resource(R_p,N_p,R_c,N_c,n):

  28. Notification Information for Other Patterns-- Summary • Exclusion(R1,R2,..,Rn) Notifyall case 3: from the exit of Ri to the entry of Rj (i != j) • Resource(R_p,N_p,R_c,N_c,N) Notifyall case 1: N_p/N_c >= 2; case 2: if 2>N_p/N_c>1. The exit of R_p to the entry of R_c. Notify case 1: if N_p/N_c =1; case 2, if N_p/N_c < 1. • Barrier(R1,R2)Notify case 1, the entry of R1 notify the exit of R2. Same for R2. • Relay(R1,R2)Notify case 1, the entry R1 notify the exit of R2. • Group(R1,N1,..,Rn,Nn)Notifyall case 3: if Nj>1, the entry of Ri notifyall the exit of Rj. Notify case 3, if Nj=1.

  29. The exit of R_G notify theentry of R_R The exit of R_R notify theentry of R_G The exit of R_R notifyall theentry of R_G; The exit of R_Gnotifyall the entry of R_R. The exit of R_R notify theentry of R_G; The exit of R_Gnotify the entry of R_R. Notification Information for Gyroscope/Rudder Resource(RG,1,RR ,1,1,0) Resource(RR,1,RG ,1,1) Exclusion(RG,RR) Overall effect

  30. R_C1 R_B2 Specific Synchronization Customer Thread Barber Thread C1 C2 B1 B2 Specific groups:0: B1 and C1;1: B2 and C2. fetch R_B1 R_C2 R_C3 inform R_C4 Problem: monitor can not differentiate B1 and B2. R_B3 leave R_C5 Relation: threads -> specific group • Strength monitor to keep track of the relation? • Use object (multiple copies) instead of static method(one copy) to keep the relation. Solution:

  31. SynManager Main (init) call Proposed approach: use a central controller, SynManager Component Threads Component Threads Cluster Classes Cluster Objects initializes initializes calls call Implementation of Specific Synchronization Current Implementation:

  32. Specific group -> cluster instances B2 C2 B1 C1 Fetch Cluster Instances Anonymous Dissolving Forming Specific Inform leave 0 1 Threads -> specific group index User has to provide in main • builds an array of cluster names; • specifies synchronization (anonymous, forming, specific, or dissolving) for each cluster; • defines actors (the types of threads); • specifies specific group; • provides the maximum number of specific groups. Implementation of Specific Synchronization Cont. Cluster synchronization transition: code

  33. Bounded Counter Version Problem: unbounded In/Out counters…partial state space check Bounded counter solution to check state space exhaustively.

  34. Example: Readers/Writers Problem CLUSTER: RW STATE SPACE VARIABLES: E1_0, E1_1, B1; LOCAL VARIABLES: ; REGION: Reader ENTER: <AWAIT E1_1 == 0 --> E1_0++;> NOTIFY: ; NOTIFYALL: ; EXIT: <E1_0--;> NOTIFY: ; NOTIFYALL: Writer_in; REGION: Writer ENTER: <AWAIT E1_0 == 0 && B1 == 0 --> E1_1++;B1++;> NOTIFY: ; NOTIFYALL: ; EXIT: <E1_1--;B1--;> NOTIFY: Writer_in; NOTIFYALL: Reader_in;

  35. Open Issues • Exception handling • Deadlock checking of SyncGen outputProblem: nested or overlapping regions. Suggested solution: for nested or overlapping regions check B_1 && B_2… && B_n != false. • Scheduling issues: priorities • Responses: balking and timeout • …

  36. Conclusion • Successfully implemented Mizuno’s approach • Developed the bounded counter version solution for model checking • Proposed an implementation for specific synchronization

  37. To Do List • Web-pages, manual, and tutorial • Tutorial lecture for CIS720 • Clean up code for release

  38. Questions? Comments?

More Related