testing and verifying atomicity of composed concurrent
play

Testing and Verifying Atomicity of Composed Concurrent Operations - PowerPoint PPT Presentation

Oct 11, 2023 •98 likes •458 views

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University Mooly Sagiv Tel Aviv University Martin Vechev ETH Eran Yahav Technion

  1. Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University Mooly Sagiv Tel Aviv University Martin Vechev ETH Eran Yahav Technion

  2. Concurrent Data Structures • Writing highly concurrent data structures is complicated • Modern programming languages provide efficient concurrent collections with atomic operations … … … … … … … . … .

  3. TOMCAT Motivating Example TOMCAT 6.* TOMCAT 5.* attr = new ConcurrentHashMap(); attr = new HashMap(); … … Attribute removeAttribute(String name){ Attribute removeAttribute(String name){ Attribute val = null; Attribute val = null; synchronized(attr) { /* synchronized(attr) { */ found = attr.containsKey(name) ; found = attr.containsKey(name) ; if (found) { if (found) { val = attr.get(name); val = attr.get(name); attr.remove(name); attr.remove(name); } } /* } */ } return val; return val; } } Invariant: removeAttribute(name) returns the removed value or null if it does not exist

  4. removeAttribute (“A”) { Attribute val = null; attr.put (“A”, o); found = attr.containsKey (“A”) ; if (found) { val = attr.get (“A”); attr.remove (“A”); attr.remove (“A”); } o return val;  Invariant: removeAttribute(name) returns the removed value or null if it does not exist

  5. Challenge Testing and Verifying the atomicity of composed operations … … … … … … … …

  6. Challenges in Testing • Specifying software correctness • Bugs occur in rarely executed traces – Especially true in concurrent systems • Scalability of dynamic checking – large traces • Hard to find programs to test

  7. Challenges in Verification • Specifying software correctness • Many sources of unboundedness – Data • Integers • Stack • Heap • … – Interleavings • Scalability of static checking – Large programs • Hard to find programs to verify

  8. Testing atomicity of composed operations OOPSLA’ 11

  9. Challenge 1: Long traces • Assume that composed operations are written inside encapsulated methods • Modular testing – Unit testing in all contexts – Composed operations need to be correct in all contexts • May lead to false warnings

  10. False Warning if (m.contains(k)) m.remove(k); return m.get(k); else return k; • False warning in clients without remove • Sometimes indicate “future bugs”

  11. Challenge 2: Specification • Check that composed operations are Linearizable [Herlihy & Wing, TOPLAS’ 90] – Returns the same result as some sequential run

  12. Linearizability removeAttribute (“A”) { Attribute val = null; attr.put (“A”, o); null found = attr.containsKey (“A”) ; if (found) { val = attr.get (“A”); attr.remove (“A”); o attr.remove (“A”); } return val; o attr.put(“A”, o); null attr.put(“A”, o); removeAttribute(“A”) { null removeAttribute(“A”) { Attribute val = null; attr.remove(“A”); o found = attr.containsKey(“A”) ; Attribute val = null; removeAttribute(“A”) { found = attr.containsKey(“A”) ; if (found) { Attribute val = null; return val; if (found) { null found = attr.containsKey(“A”) ; val = attr.get(“A”); attr.put(“A”, o); null if (found) { attr.remove(“A”); attr.remove(“A”); return val; null } o o return val; attr.remove(“A”); null

  13. But Linearizability errors only occur in rarely executed paths removeAttribute (“A”) { Attribute val = null; attr.put (“A”, o); found = attr.containsKey (“A”) ; if (found) { val = attr.get (“A”); attr.remove (“A”); attr.remove (“A”); } return val;

  14. Linearizability errors only occur in rarely executed path • Only consider “atomic” executions of the base collection operation [TACAS’ 10, Ball et. al.] • Employ commutativity/influence of base collection operations – Operations on different key commute – Partial order reduction using the collection interface

  15. Influence table Operation Condition Potential Action get(k) get(k) == null put(k,*) get(k) get(k) != null remove(k) containsKey(k) get(k) == null put(k,*) containsKey(k) get(k) != null remove(k) remove(k) get(k) == null put(k,*) remove(k) get(k) != null remove(k)

  16. COLT Tester program CO extractor library spec Timeout Non-Lin candidate COs CO instrument Execution key/value driver linearizability influence driver checking

  17. Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val; } removeAttribute (“A”) { Attribute val = null; attr.put(“A”, o); null found = attr.containsKey (“A”) ; if (found) { val = attr.get (“A”); attr.remove (“A”); o attr.remove (“A”); } return val; o

  18. removeAttribute (“A”) { Attribute val = null; attr.put(“A”, o); null found = attr.containsKey (“A”) ; if (found) { val = attr.get (“A”); attr.remove (“A”); o attr.remove (“A”); } return val; o attr.put(“A”, o); null attr.put(“A”, o); removeAttribute(“A”) { null removeAttribute(“A”) { Attribute val = null; attr.remove(“A”); o found = attr.containsKey(“A”) ; Attribute val = null; removeAttribute(“A”) { found = attr.containsKey(“A”) ; if (found) { Attribute val = null; null return val; if (found) { found = attr.containsKey(“A”) ; val = attr.get(“A”); attr.put(“A”, o); null if (found) { attr.remove(“A”); attr.remove(“A”); return val; o null } o return val; attr.remove(“A”); null

  19. Evaluation • Use Google code search and Koders to search for collection operations methods with at least two operations • Used simple static analysis to extract composed operations – 29% needed manual modification • Check Linearizability of all public domain composed • Extracted 112 composed operations from 55 applications – Apache Tomcat, Cassandra, MyFaces – Trinidad, … • Each run took less than a second • Without influence timeout always occur

  20. 112 Unknown

  21. 59 53 Non Unknown Linearizable

  22. 17 Open Non Linearizable 53 Unknown 42 Non Linearizable

  23. 17 31 Open Non Linearizable Linearizable 42 22 Non Globals Linearizable

  24. 31 Linearizable 81 Non-Linearizable

  25. Results • Reported the bugs with fixes • Even bugs in open environment • As a result of the paper the Java library is being changed “A preliminary version is in the pre -java8 "jsr166e" package as ConcurrentHashMapV8. We can't release the actual version yet because it relies on Java8 lambda (closure) syntax support. See links from http://gee.cs.oswego.edu/dl/concurrency-interest/index.html including: http://gee.cs.oswego.edu/dl/jsr166/dist/jsr166edocs/jsr166e/Co ncurrentHashMapV8.html Good luck continuing to find errors and misuses that can help us create better concurrency components!”

  26. Verifying atomicity of composed operations

  27. Motivation • Unbounded number of potential composed operations – There exists no “thick” interface • Automatically prove Linearizability for composed operations beyond the ones provided – Already supports the existing interface – No higher order functions • Zero false alarms (beyond modularity)

  28. Data independent [Wolper , POPL’ 86] Attribute removeAttribute(String name){ Attribute removeAttribute(String name){ Attribute removeAttribute(String name){ Attribute removeAttribute(String name){ Attribute val = null; Attribute val = null; Attribute val = null; Attribute val = null; found = attr.containsKey(name) ; found = attr.containsKey(name) ; found = attr.containsKey(name) ; found = attr.containsKey(name) ; if (found) { if (found) { if (found) { if (found) { val = attr.get(name); val = attr.get(name); val = attr.get(name); val = attr.get(name); attr.remove(name); attr.remove(name); attr.remove(name); attr.remove(name); } } } } return val; return val; return val; return val; } } } }

  29. Verifying data independent operations using Linearization points in the code Single Mutation Data independent Verified using single input CO adds one value Influence Map elements are bounded

  30. Verifying data independent operations • Small model reduction • Decidable when the local state is bounded • Explore all possible executions using: – One input key and finite number of values – Influenced based environment uses single value • Employ SPIN

  33. program Composed Operation extractor Library spec candidate COs CO Data Independent verifier SCM/FCM No SCM Input keys/values CO CO key/value driver Input keys/values Influence driver Influence driver Linearizability Linearizability verifier tester generator generator Promela Java Lin Unknown SPIN Execution Non-Lin Non-Lin

  34. 31 Linearizable 81 Non-Linearizable

  35. Summary • Writing concurrent data structures is hard • Employing atomic library operations is error prone • Modular linearizability checking • Leverage influence • Leverage data independence • Sweet spot – Identify important bugs together with a traces showing and explaining the violations – Hard to find – Prove the linearizability of several composed operations – Simple and efficient technique

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
Automatic Atomicity Verification for Clients of Concurrent Data Structures Mohsen Lesani Todd

Automatic Atomicity Verification for Clients of Concurrent Data Structures Mohsen Lesani Todd

Automatic Atomicity Verification for Clients of Concurrent Data Structures Mohsen Lesani Todd Millstein Jens Palsberg Concurrent Data Structures class ConcurrentHashmap<K, V> { // data structure V get(K k) { ... } void put(K k, V v)

512 views • 36 slides
Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group NEC Labs America, Princeton, USA www.nec-labs.com Tutorial: Verifying Concurrent Programs Oct 2011 Acknowledgements Malay Ganai, Vineet

982 views • 72 slides
Testing atomicity Finding race conditions by random testing John Hughes "We know there is a

Testing atomicity Finding race conditions by random testing John Hughes "We know there is a

Testing atomicity Finding race conditions by random testing John Hughes "We know there is a lurking bug somewhere in the dets code. We have got 'bad object' and 'premature eof' every other month the last year. We have not been able to

584 views • 29 slides
Types Against Races Atomicity Analysis of Concurrent Software Cormac Flanagan Stephen N. Freund

Types Against Races Atomicity Analysis of Concurrent Software Cormac Flanagan Stephen N. Freund

Types Against Races Atomicity Analysis of Concurrent Software Cormac Flanagan Stephen N. Freund UC Santa Cruz Williams College Shaz Qadeer Microsoft Research Moore s Law Moore s Law is Over Transistors per chip doubles every 18

133 views • 9 slides
Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

1.2k views • 72 slides
VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark Hillebrand 3 , Dirk Leinenbach 3 , Michal Moskal 2 , Thomas Santen 2 , Wolfram Schulte 4 and Stephan Tobies 2 1 Microsoft Corporation, Redmond, WA, USA 2

553 views • 27 slides
The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed Bouajjani 2 Mohamed Faouzi Atig 1 Tuan Phong Ngo 1 1 Uppsala University 2 IRIF, Universit Paris Diderot & IUF CONCUR 2016 1 Motivation

1.66k views • 118 slides
Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo ao M. Lourenc o, Ale s Smr cka, Diogo G. Sousa, Tom a s Vojnar Brno University of Technology (BUT) Universidade Nova de Lisboa (UNL)

1.54k views • 125 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm has changed for software services. Developing a full-featured and functioning software service is necessary; however service real time availability

606 views • 19 slides
Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs with Unbounded Replication D.

774 views • 50 slides
Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri David Pichardie Jan Vitek Yannick Zakowski Why are high level languages difficult to compile? Easy to compile in C Obj.f := v What about Java? A

1.17k views • 73 slides
Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au So

1.94k views • 156 slides
Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Systems verification, broadly impl proof specification 2 Systems verification requires connecting

859 views • 48 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (May 2, 2002) I E S R C E O

UMBC A B M A L T F O U M B C I M Y O R T 1 (May 2, 2002) I E S R C E O

Systems Design&Programming Linux Device Drivers III CMPE 310 Char Drivers Well develop a device driver, scull , which treats an area of memory as a device. There are several types of scull devices: scull[0-3] This type has four

481 views • 19 slides
Writing and Adapting Device Drivers for FreeBSD John Baldwin November 5, 2011 What is a Device

Writing and Adapting Device Drivers for FreeBSD John Baldwin November 5, 2011 What is a Device

Writing and Adapting Device Drivers for FreeBSD John Baldwin November 5, 2011 What is a Device Driver? Hardware Functionality A device driver is the software that bridges Device Driver the two. 2 Focus of This Presentation

1.08k views • 93 slides
Toward Detection of Unsafe Driving with Wearables Luyang Liu Cagdas Karatas, Hongyu Li, Marco

Toward Detection of Unsafe Driving with Wearables Luyang Liu Cagdas Karatas, Hongyu Li, Marco

Toward Detection of Unsafe Driving with Wearables Luyang Liu Cagdas Karatas, Hongyu Li, Marco Gruteser, Richard Martin WINLAB, Rutgers University Sheng Tan, Jie Yang Florida State University Yingying Chen Stevens Institute of Technology

654 views • 20 slides
A Perception Index (And its square peg adaptor) Toby Young QCON 11 th March 2009 1 A

A Perception Index (And its square peg adaptor) Toby Young QCON 11 th March 2009 1 A

A Perception Index (And its square peg adaptor) Toby Young QCON 11 th March 2009 1 A Perception What? A lean method to prioritise IT projects and investments across multiple areas in a business. Prioritise using Perceived business

788 views • 42 slides
Static Analysis by Abstract Interpretation of Functional Properties of Device Drivers in TinyOS

Static Analysis by Abstract Interpretation of Functional Properties of Device Drivers in TinyOS

Static Analysis by Abstract Interpretation of Functional Properties of Device Drivers in TinyOS Abdelraouf Ouadjaout, Antoine Min, Noureddine Lasla, Nadjib Badache ENS & UPMC, Paris CERIST & USTHB, Algiers Workshop on Static

1.08k views • 42 slides
I2C driver MPCore CPU mptimer mp wdt for a temperature sensor Temperature sensor GIC I2C

I2C driver MPCore CPU mptimer mp wdt for a temperature sensor Temperature sensor GIC I2C

Calcolatori Elettronici e Sistemi Operativi HW Virtual board rv_board I2C driver MPCore CPU mptimer mp wdt for a temperature sensor Temperature sensor GIC I2C Memory usense Unix socket HOST Device Driver I2C temperature sensor

305 views • 7 slides
enches : Reflections on People, Product, and Software Evolution Andy J. Ko , Ph.D. Associate

enches : Reflections on People, Product, and Software Evolution Andy J. Ko , Ph.D. Associate

Thr Three ee Year Years in n the he St Star artup up Tr Trenches enches : Reflections on People, Product, and Software Evolution Andy J. Ko , Ph.D. Associate Professor, The Information School Co-Founder & Chief Scientist, AnswerDash

226 views • 21 slides
Campus Renewal Congregational Meeting January 31, 2016 Agenda Introduction Contribution

Campus Renewal Congregational Meeting January 31, 2016 Agenda Introduction Contribution

Rock Spring CONGREGATIONAL UNITED CHURCH OF CHRIST Campus Renewal Congregational Meeting January 31, 2016 Agenda Introduction Contribution from the Endowment Proposed modifications to address budget issues Council Motion

564 views • 25 slides

More recommend