1 / 15

Thread-Modular Verification

Thread-Modular Verification. Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund . Calvin project. Check properties of systems code operating systems kernel, file systems, ... Apply to multithreaded programs deadlocks, data races, ... manifest in variety of ways

fritzi
Download Presentation

Thread-Modular Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Thread-Modular Verification Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund

  2. Calvin project • Check properties of systems code • operating systems kernel, file systems, ... • Apply to multithreaded programs • deadlocks, data races, ... • manifest in variety of ways • hard to recognize, locate, fix • For all inputs and all interleavings, program behaves “correctly” • no deadlocks, no races, invariants hold

  3. Thread-modular verification • Modular • each thread verified separately • leverage techniques for reasoning about sequential programs • Expressive • handles variety of synchronization mechanisms • Low annotation overhead • many fewer annotations than the Owicki-Gries-Lamport method

  4. SimpleLock program • Mutex lock • Verify that the assert never fails

  5. Owicki-Gries-Lamport method • Sequential correctness • Non-interference Y = Y = Y = X = {pre(X)} X {post(X)} {pre(Y) and pre(X)} Y {pre(X)}

  6. 1-abstraction * * * * * acq(mx); A1; A1; A1; A1; A1; A1; A1; A1; A1; A1; * * * * * acq(mx); acq(mx); A2 A2 A2 A2 A2 A2 A2 A2 A2 A2 x := x * x; x := x * x; x := x * x; x := x + 2; x := x + 2; x := x + 2; assert x > 1; assert x > 1; assert x > 1; rel(mx); rel(mx); rel(mx); Why is Thread1 correct? Ai (mx = i  mx’ = i  x’ = x) Thread1 view: 1-abstraction

  7. A2; A2; A2; * * * Why is Thread2 correct? Ai (mx = i  mx’ = i  x’ = x) Thread2 view: 2-abstraction acq(mx); acq(mx); A1 x := 0; x := 0; A1 rel(mx); A1 rel(mx);

  8. Assume-guarantee reasoning • Environment assumption (At) • expectation on every step taken by other threads • Guarantee (Gt) • conjunction of assumptions of other threads • Translate thread t into sequential t-abstraction • assume At satisfied by steps of other threads • prove Gt satisfied by each step of thread t • check using sequential techniques • Parallel program correct, if all sequential t-abstractions are correct • circularity resolved by induction over time

  9. Summary of method Thread1 yes 1-abs ESC/Java Thread2 yes 2-abs ESC/Java ... ... ... yes n-abs ESC/Java Threadn

  10. Thread-modular verification theorem • If each t-abstraction of P is correct, then P is correct. • Generalize to invariant checking • want to show validity of data invariants • if no t-abstraction violates invariant I, then P does not violate invariant I

  11. Thread-modular verification in practice • Assumptions parameterized by thread id • Assumptions reflexive and transitive • Scales with complexity of synchronization patterns, not size of program Ai (mx = i  mx’ = i  x’ = x)

  12. Frangipani [Thekkath-Mann-Lee] • block is not allocated to inode • block allocated to inode inode block m_inode m_busy block = null busy = false data = 0 inode block m_inode m_busy block busy = true data = 52

  13. Frangipani • Assumption for thread i:

  14. Current status • Theory understood • Built prototype for Java [with Seshia] • applied to Mercator (Heydon-Najork) • verified Mercator’s readers-writer lock class • checked the code of worker threads and checkpointing thread • Thread-modular verification with method calls across abstraction boundaries [with Flanagan and Seshia]

  15. Related work • Owicki-Gries axiomatic semantics • replace control predicates with environment assumption • Assume-guarantee decomposition • [Abadi-Lamport 95, Jones 83, ...] • designed proof system to leverage automated verification tools like ESC/Java • RCC/Java, Warlock [Sterling], ESC/Java • explicate simple locking strategy • can not easily express other idioms • data invariants

More Related