local verification of global invariants in concurrent
play

Local Verification of Global Invariants in Concurrent Programs Ernie - PowerPoint PPT Presentation

Oct 29, 2023 •457 likes •746 views

Local Verification of Global Invariants in Concurrent Programs Ernie Cohen 1 , Michal Moskal 2 , Wolfram Schulte 2 , Stephan Tobies 1 1 European Microsoft Innovation Center, Aachen 2 Microsoft Research, Redmond Presentation: Florian Besser

  1. Local Verification of Global Invariants in Concurrent Programs Ernie Cohen 1 , Michal Moskal 2 , Wolfram Schulte 2 , Stephan Tobies 1 1 European Microsoft Innovation Center, Aachen 2 Microsoft Research, Redmond Presentation: Florian Besser 5/13/13 Local Verification of Global Invariants in 1

  2. Overview ● Motivation ● Requirements ● Promises ● Definitions, Lemmas and Theorems ● Recursive Invariants / Ghost State ● Verify Procedure / Claims ● Conclusion 5/13/13 Local Verification of Global Invariants in Concurrent Programs 2

  3. Motivation ● Invariant checking can be problematic in concurrent programs. ● Two extreme cases: ● High concurrency / efficiency needed. ● Invariants spanning multiple objects. ● Locking all involved objects an inefficient way, especially at run-time. ● When proving (partial) correctness, proving an invariant that only spans the current class is simpler. 5/13/13 Local Verification of Global Invariants in Concurrent Programs 3

  4. Motivation – existing “Solutions” ● Spec# ● Every object is either valid or mutable. ● Uses expose block to make object mutable. ● Checks invariants after the expose block. ● To accommodate invariants spanning multiple objects, an expose (this) must also recursively expose all owners of this . Later, all invariants of the exposed objects have to be re-checked. ● Separation logic / Rely-Guarantee ● High complexity, not as far developed as conventional ways. 5/13/13 Local Verification of Global Invariants in Concurrent Programs 4

  5. Motivation – the LCI Solution ● A system so that locally checking invariants is enough to satisfy global invariants. ● Then prove the invariants. ● Uses actions which can update any number of objects. ● After each action , invariants must hold. ● Think of actions as feature applications in Eiffel. ● (Eiffel checks invariants at run-time, while LCI does so without running the code.) 5/13/13 Local Verification of Global Invariants in Concurrent Programs 5

  6. LCI Requirements ● Definition of an action: A pair of states, representing a transmission from pre- to post-state, denoted < h 0 , h > ● Actions are safe iff they satisfy every invariant of every object. ● Actions are legal iff they satisfy every invariant of every updated object. ● A state is safe iff < h, h > is safe . ● Must start in a safe state (later dropped). 5/13/13 Local Verification of Global Invariants in Concurrent Programs 6

  7. LCI Requirements ● Invariants must be reflexive : If < h 0 , h > satisfies the invariant, so must < h, h > ● Invariants must be stable : They can't be broken by legal actions. ● Invariants that are both stable and reflexive are called admissible . 5/13/13 Local Verification of Global Invariants in Concurrent Programs 7

  8. LCI Promises ● If all invariants are admissible then every legal action (from a safe pre-state) is safe and has a safe post-state. ● In short: The program is partially correct (it might not terminate) ● How is that promise achieved: ● Prove admissibility of every invariant. ● Prove that every action produced by the program is legal. 5/13/13 Local Verification of Global Invariants in Concurrent Programs 8

  9. A simple Example type Counter { int n; inv (n = old (n) ∨ n = old (n) + 2) } type Low { type High { Counter cnt; Counter cnt; int floor; int ceiling; inv (floor ≤ cnt.n) inv (cnt.n ≤ ceiling) } } ● Invariant of High is not admissible ! ● A legal action on Counter cnt can break the invariant of High . 5/13/13 Local Verification of Global Invariants in Concurrent Programs 9

  10. Definitions A condensed recap of the last few slides: Heaps H map integers (i.e., addresses) to objects, which are maps from field names to integers. The invariant function inv(h 0 , h, p) returns true iff the action changing the state from h 0 to h satisfies the invariant of (the object referenced by) p. For simplicity, the type of an object at a given address (given by the type function) is fixed. The inv function is constructed from type-specific invariants (inv τ ). 5/13/13 Local Verification of Global Invariants in Concurrent Programs 10

  11. Lemmas and Theorems A condensed recap of the last few slides: 5/13/13 Local Verification of Global Invariants in Concurrent Programs 11

  12. LCI extended – recursive Invariants type Counter2 { type High2 { int n; Counter2 cnt; Object b; int ceiling; inv (n = old (n) ∨ inv (cnt.n ≤ ceiling) n = old (n) + 2 inv (b = old (b)) inv (n = old (n) ∨ inv (b)) } } ● Invariant of High2 is now admissible! ● An action on Counter2 must fulfill the invariant of Counter2 and as such also the invariant of High2 . ● When checking invariant admissibility use fixpoint iteration. 5/13/13 Local Verification of Global Invariants in Concurrent Programs 12

  13. LCI extended – Ghost State ● Ghost code can be removed without affecting functionality. ● Every instance of a user-defined object gets a ghost OwnerCtrl object attached. ● Problem: The initial state must be safe, but objects being created or destroyed might not satisfy this. ● Solution: Introduce ghost bool valid as a field for every object. Valid implies invariant. Valid is initially false. Set valid to true after creation, set it to false before destruction. 5/13/13 Local Verification of Global Invariants in Concurrent Programs 13

  14. LCI extended – Ghost State ● Problem: An object is shared, what if someone destroys it? ● Solution: Ownership. Every object must have a unique owner. Transfer of ownership is possible, but requires an invariant check of both the old and the new owner. ● Problem: Ownership does not allow an object to be shared. ● Solution: Handles. Multiple clients can have handles on an object, and the handle's invariant guarantees the object's validity. The object owner keeps track of the handles, and can for example implement a simple read-write lock with a single ghost int . 5/13/13 Local Verification of Global Invariants in Concurrent Programs 14

  15. LCI extended – Definitions A condensed recap of the last few slides: 5/13/13 Local Verification of Global Invariants in Concurrent Programs 15

  16. LCI extended – Lock Example 5/13/13 Local Verification of Global Invariants in Concurrent Programs 16

  17. LCI in depth – Verify Procedure ● Definition of a procedure: Some actions chained together, where one can assume that no other thread will interfere with the current object(s). void incr ( Counter c) { < a := c.n; > // Someone could change c.n, so we get a ≤ c.n < if c.n = a then c.n := a + 2 end > // Now we know a < c.n < b := c.n; assert ( a < b ); > } ● Okay for humans, but sadly the verifier has problems with this. 5/13/13 Local Verification of Global Invariants in Concurrent Programs 17

  18. LCI in depth – Claims ● Definition of thread-local data: A field o.f is thread-local iff the current thread can prevent any other thread from changing it. ● Definition of a claim: Claims are objects with invariant v. The stability of v implies a lemma. ● Claims are always ghost, and only used for verification. ● The verification if incr() relied on a lemma that a ≤ c.n is preserved by legal actions – this needs a claim. ● Together, thread-local data and claims allow verification. 5/13/13 Local Verification of Global Invariants in Concurrent Programs 18

  19. LCI in depth – Verify Procedure type Low2 { Counter cnt; int floor; inv (floor ≤ cnt.n) ghost Handle cntH; inv (cntH.ctrl.owner = this ∧ cntH.obj = cnt) inv (( unchg (floor) ∧ unchg (cntH) ∧ unchg (cnt)) ∨ inv (ctrl.owner)) } 5/13/13 Local Verification of Global Invariants in Concurrent Programs 19

  20. LCI in depth – Verify Procedure void incr( Counter c, ghost Handle h, ghost Low2 cl) requires (h.obj = c ∧ h.ctrl.owner = me ∧ h.valid) requires (¬cl.valid ∧ cl.ctrl.owner = me ) { < a := c.n ; ghost { cl.cnt = c; cl.cntH = h; h.ctrl.owner := cl; cl.floor := a; cl.valid := true ; } > // The ghost command essentially sets up cl. < if (c.n = a) then c.n := a + 2; end ghost { cl.floor := a + 1; } > // The ghost command is legal. If c.n = a then a+2 is the new floor, otherwise cl's invariant holds with a ≤ c.n before the action. Thus, a+1 is a valid new lower bound. < b := c.n; assert(a < b); > } 5/13/13 Local Verification of Global Invariants in Concurrent Programs 20

  21. Conclusion – what LCI achieved ● Formulated an admissibility condition for invariants, which permits the local checking of global invariants. ● Guide to transform common invariants to admissible invariants (using ghost state, etc.). ● The introduction of claims, which are often necessary to verify concurrent algorithms. Verification of the Hyper-V sources 5/13/13 Local Verification of Global Invariants in Concurrent Programs 21

  22. Conclusion – Problems remaining ● High overhead: LCI was incorporated into VCC, then used on Hyper-V. After 2 years, one third of the 100k lines were annotated. ● Assuming only one person working on it, working 235 days a year, this translates to 72 LOC annotated a day . ● Since LCI is only available as part of VCC, and VCC uses a different syntax, trying it out is somewhat more complicated. ● Link: http://rise4fun.com/vcc 5/13/13 Local Verification of Global Invariants in Concurrent Programs 22

  23. Questions 5/13/13 Local Verification of Global Invariants in Concurrent Programs 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng

Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng

Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng Department of Computer Science and Engineering University of South Florida H. Zheng (CSE USF) Local State Space Construction for Compositional

1.12k views • 50 slides
Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference

Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference

Introduction Generic critical value sets Integer invariants mod2 invariants Local invariants of maps between 3-manifolds Victor Goryunov University of Liverpool Conference Legacy of Vladimir Arnold Fields Institute, Toronto 25 November

1.37k views • 84 slides
Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification Programs considered: Small (&lt;100 LOC) Medium (KLOC) Large (MLOC) Simple

577 views • 45 slides
Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with

Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with

A Unified Framework for Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with Sophia Drossopoulou and Adrian Francalanza 2 Object Invariants Express consistency criteria of objects Support

503 views • 18 slides
Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual

Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual

Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual Fahndrich, K. Rustan M. Leino an Wolfram Shulte 1 Overview Goal : design a sound methodology for specifying object invariants that can then be

809 views • 33 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification Inductive invariants are easy to prove Provable by SAT for finite state machines In ACL2, can use GL. Downsides:

596 views • 12 slides
VERCORS: VERIFICATION OF CONCURRENT SYSTEMS MARIEKE HUISMAN UNIVERSITY OF TWENTE, NETHERLANDS

VERCORS: VERIFICATION OF CONCURRENT SYSTEMS MARIEKE HUISMAN UNIVERSITY OF TWENTE, NETHERLANDS

VERCORS: VERIFICATION OF CONCURRENT SYSTEMS MARIEKE HUISMAN UNIVERSITY OF TWENTE, NETHERLANDS OUTLINE OF THIS LECTURE How to ensure software quality? Classical program logic Separation logic The next challenge: concurrent

1.36k views • 108 slides
Learning Loop Invariants for Program Verification Xujie Si*, Hanjun Dai*, Mukund Raghothaman,

Learning Loop Invariants for Program Verification Xujie Si*, Hanjun Dai*, Mukund Raghothaman,

Learning Loop Invariants for Program Verification Xujie Si*, Hanjun Dai*, Mukund Raghothaman, Mayur Naik, Le Song University of Pennsylvania Georgia Institute of Technology NeurIPS 2018 Code: https://github.com/PL-ML/code2inv * equal

386 views • 34 slides
Local Distributed Verification A. Balliu , G. DAngelo, P. Fraigniaud, and D. Oliveti CNRS and

Local Distributed Verification A. Balliu , G. DAngelo, P. Fraigniaud, and D. Oliveti CNRS and

Model Local decision Local verification Local Hierarchy Complete Problems Conclusions Local Distributed Verification A. Balliu , G. DAngelo, P. Fraigniaud, and D. Oliveti CNRS and University Paris Diderot GSSI LAquila Model Local

1.41k views • 72 slides
Verification of Concurrent Systems Ahmed Bouajjani LIAFA, University Paris Diderot Paris 7

Verification of Concurrent Systems Ahmed Bouajjani LIAFA, University Paris Diderot Paris 7

Verification of Concurrent Systems Ahmed Bouajjani LIAFA, University Paris Diderot Paris 7 MOVEP12, CIRM, December 2012 A. Bouajjani (LIAFA, UP7) Verification of Concurrent Systems December 2012 1 / 42 Concurrent Programs Parallel

1.26k views • 112 slides
Verification of Concurrent Programs Decidability, Complexity, Reductions. Ahmed Bouajjani U

Verification of Concurrent Programs Decidability, Complexity, Reductions. Ahmed Bouajjani U

Verification of Concurrent Programs Decidability, Complexity, Reductions. Ahmed Bouajjani U Paris Diderot Paris 7 Locali Workshop, Beijing, November 2013 A. Bouajjani (U Paris Diderot UP7) Verification of Concurrent Programs Beijing,

924 views • 50 slides
Program Correctness Literatuur Verification of Sequential and Concurrent Programs. Krzysztof R.

Program Correctness Literatuur Verification of Sequential and Concurrent Programs. Krzysztof R.

Program Correctness Literatuur Verification of Sequential and Concurrent Programs. Krzysztof R. Apt, Frank S. de Boer, Ernst-R udiger Olderog. Series: Texts in Computer Science. Springer. 3rd ed. 2nd Printing. ISBN: 978-1-84882-744-8. Te

1.23k views • 112 slides
Automatic Atomicity Verification for Clients of Concurrent Data Structures Mohsen Lesani Todd

Automatic Atomicity Verification for Clients of Concurrent Data Structures Mohsen Lesani Todd

Automatic Atomicity Verification for Clients of Concurrent Data Structures Mohsen Lesani Todd Millstein Jens Palsberg Concurrent Data Structures class ConcurrentHashmap&lt;K, V&gt; { // data structure V get(K k) { ... } void put(K k, V v)

512 views • 36 slides
Lecture 2: Verification of Concurrent Programs Part 2: Under Approximate Analysis Ahmed

Lecture 2: Verification of Concurrent Programs Part 2: Under Approximate Analysis Ahmed

Lecture 2: Verification of Concurrent Programs Part 2: Under Approximate Analysis Ahmed Bouajjani LIAFA, University Paris Diderot Paris 7 VTSA, MPI-Saarbr ucken, September 2012 A. Bouajjani (LIAFA, UP7) Lecture 2: Concurrent Programs

654 views • 47 slides
Degeneration formulae and its applications to local GW and DT invariants Jianxun Hu Department

Degeneration formulae and its applications to local GW and DT invariants Jianxun Hu Department

Degeneration formulae and its applications to local GW and DT invariants Jianxun Hu Department of Mathematics, Sun Yat-sen University stsjxhu@mail.sysu.edu.cn 1 1 Motivations Example: Consider the projective plane P 2 Fix two general

471 views • 33 slides
Toward Gear-Change and Beam-Beam Simula5ons with GHOST Bala Terzi Department of Physics, Old

Toward Gear-Change and Beam-Beam Simula5ons with GHOST Bala Terzi Department of Physics, Old

Toward Gear-Change and Beam-Beam Simula5ons with GHOST Bala Terzi Department of Physics, Old Dominion University Center for Accelerator Studies (CAS), Old Dominion University JLEIC CollaboraCon MeeCng, Jefferson Lab, March 31, 2016 1

447 views • 20 slides
PROGRAMMING ADVANCED FEEDBACK WITH ARDUINO Part 09 - State machine structure The

PROGRAMMING ADVANCED FEEDBACK WITH ARDUINO Part 09 - State machine structure The

Part 09 - State machine structure PROGRAMMING ADVANCED FEEDBACK WITH ARDUINO Part 09 - State machine structure The Pomodoro Technique Part 09 - State machine structure The Pomodoro Technique 1. Decide on the task to be done. 2.

139 views • 9 slides
Spark verification features Continued Paul Jackson School of Informatics University of

Spark verification features Continued Paul Jackson School of Informatics University of

Spark verification features Continued Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Executability of assertions Virtually all Spark assertions are executable. Are issues with quantifiers: Each

512 views • 9 slides
Bimetric theory, partial masslessness and conformal gravity Fawad Hassan Stockholm University,

Bimetric theory, partial masslessness and conformal gravity Fawad Hassan Stockholm University,

Bimetric theory, partial masslessness and conformal gravity Fawad Hassan Stockholm University, Sweden GGI Conference on Higher Spins, Strings and Duality Florence, May 6-9, 2013 Based on SFH, Angnis Schmidt-May, Mikael von Strauss

585 views • 44 slides
On fermionic ghosts and the removal from scalar-fermion systems Yuki Sakakihara (Osaka City

On fermionic ghosts and the removal from scalar-fermion systems Yuki Sakakihara (Osaka City

15:50-16:10, 9th Feb., GC2018 On fermionic ghosts and the removal from scalar-fermion systems Yuki Sakakihara (Osaka City University) ref. Rampei Kimura, YS, Masahide Yamaguchi Phys. Rev. D96 (2017) 044015, another paper in prep. WHY

855 views • 12 slides
Logic Against Ghosts: Comparison of two Proof Approaches for Linked Lists Allan Blanchard

Logic Against Ghosts: Comparison of two Proof Approaches for Linked Lists Allan Blanchard

Logic Against Ghosts: Comparison of two Proof Approaches for Linked Lists Allan Blanchard Nikolai Kosmatov Frdric Loulergue April 10, 2019 @ SAC-SVT 2019 0/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019 Motivation

831 views • 31 slides
Gluon and Ghost Propagators from Schwinger-Dyson Equation and Lattice Simulations Joannis

Gluon and Ghost Propagators from Schwinger-Dyson Equation and Lattice Simulations Joannis

Gluon and Ghost Propagators from Schwinger-Dyson Equation and Lattice Simulations Joannis Papavassiliou Departament of Theoretical Physics and IFIC, University of Valencia CSIC, Spain Approaches to QCD, Oberwlz, Austria, 7-13th

458 views • 27 slides
Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung,

Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung,

Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung, Rodolphe Lepigre, Gaurav Parthasarathy, Marianna Rapoport, Amin Timany, Derek Dreyer, Bart Jacobs MPI-SWS, KU Leuven, ETH Zrich, University of Waterloo

1.02k views • 52 slides

More recommend