verifying concurrent crash safe systems with perennial
play

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , - PowerPoint PPT Presentation

Jan 27, 2023 •373 likes •852 views

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Many systems need concurrency and crash safety Examples: file systems, databases, and key-value

  1. Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College

  2. Many systems need concurrency and crash safety Examples: file systems, databases, and key-value stores Make strong guarantees about keeping your data safe Achieve high performance with concurrency 2

  3. Simple example: replicated disk replicated disk library disk 1 disk 2 3

  4. Simple example: replicated disk read/write replicated disk library disk 1 disk 2 3

  5. Simple example: replicated disk read/write replicated disk library disk 1 disk 2 3

  6. Replicated disk is subtle func write(a: addr, v: block) { lock_address(a) d1.write(a, v) d2.write(a, v) unlock_address(a) } 4

  7. Replicated disk is subtle func write(a: addr, v: block) { lock_address(a) d1.write(a, v) d2.write(a, v) what if system crashes here? unlock_address(a) what if disk 1 fails? } 4

  8. Replicated disk is subtle func write(a: addr, v: block) { lock_address(a) d1.write(a, v) d2.write(a, v) what if system crashes here? unlock_address(a) what if disk 1 fails? } // runs on reboot func recover() { for a in … { // copy from d1 to d2 } } 4

  9. Replicated disk is subtle func write(a: addr, v: block) { func read(a: addr): block { lock_address(a) lock_address(a) d1.write(a, v) v, ok := d1.read(a) d2.write(a, v) if !ok { what if system crashes here? unlock_address(a) v, _ = d2.read(a) what if disk 1 fails? } } unlock_address(a) return v } // runs on reboot func recover() { for a in … { // copy from d1 to d2 } } 4

  10. Goal: systematically reason about all executions with formal verification 5

  11. Existing verification frameworks do not support concurrency and crash safety verified crash safety verified concurrency FSCQ [SOSP ’15] CertiKOS [OSDI ’16] Yggdrasil [OSDI ’16] CSPEC [OSDI ’18] DFSCQ [SOSP ’17] AtomFS [SOSP ’19] … … no system can do both 6

  12. Combining verified crash safety and concurrency is challenging Crash and recovery can interrupt a critical section ➡ leases Crash wipes in-memory state ➡ memory versioning Recovery logically completes crashed threads’ operations ➡ recovery helping 7

  13. Perennial’s techniques address challenges integrating crash safety into concurrency reasoning Crash and recovery can interrupt a critical section ➡ leases Crash wipes in-memory state ➡ memory versioning Recovery logically completes crashed threads’ operations ➡ recovery helping 8

  14. Perennial’s techniques address challenges integrating crash safety into concurrency reasoning Crash and recovery can interrupt a critical section ➡ leases see paper Crash wipes in-memory state ➡ memory versioning Recovery logically completes crashed threads’ operations this talk ➡ recovery helping 8

  15. Contributions Perennial: framework for reasoning about crashes and concurrency Goose: reasoning about Go implementations see paper Evaluation: verified mail server written in Go with Perennial 9

  16. Specifying correctness: concurrent recovery refinement All operations are correct and atomic wrt concurrency and crashes Recovery repairs system after reboot 10

  17. Proving the replicated disk correct 11

  18. Background Proving refinement with forward simulation: relate code and spec states spec σ d 1 code d 2 12

  19. Background Proving refinement with forward simulation: prove every operation has a commit point tid: write(a, v) spec S 1 1. Write down abstraction relation between code and spec states code C 1 C 2 C 3 C 4 C 5 lock d1.write d2.write unlock 13

  20. Background Proving refinement with forward simulation: prove every operation has a commit point tid: tid: write(a, v) write(a, v) spec S 2 S 1 1. Write down abstraction relation between code and spec states 2. Prove every operation commits code C 1 C 2 C 3 C 4 C 5 lock d1.write d2.write unlock 13

  21. Background Proving refinement with forward simulation: prove every operation has a commit point tid: tid: write(a, v) write(a, v) spec S 2 S 1 1. Write down abstraction relation between code and spec states 2. Prove every operation commits 3. Prove abstraction relation is preserved code C 1 C 2 C 3 C 4 C 5 lock d1.write d2.write unlock 13

  22. Abstraction relation for the replicated disk σ abstraction relation: σ [ a ] = d 1 [ a ] ! locked ( a ) ⟹ ∧ σ [ a ] = d 2 [ a ] (if the disk has not failed) d 1 d 2 14

  23. Crashing breaks the abstraction relation func write(a: addr, v: block) { lock_address(a) d1.write(a, v) abstraction relation: lock reverts to being free, σ [ a ] = d 1 [ a ] ! locked ( a ) ⟹ but disks are not in-sync ∧ σ [ a ] = d 2 [ a ] 15

  24. So far: abstraction relation always holds spec abstraction relation R R R ? code crash 16

  25. Separate a crash invariant from the abstraction relation spec abstraction relation R crash invariant C C R R code crash 17

  26. Recovery proof uses the crash invariant to restore the abstraction relation crash spec abstraction relation R crash invariant C C R R R R code crash recover() 18

  27. Proving recovery correct: makes writes atomic func write(a: addr, v: block) { lock_address(a) d1.write(a, v) func recover() { for a in … { v, ok := d1.read(a) if !ok { … } d2.write(a, v) } } 19

  28. User sees an atomic write due to recovery pending crash spec operation tid: user’s view (spec) write(a, v) code execution 20

  29. User sees an atomic write due to recovery pending crash spec operation tid: user’s view (spec) write(a, v) code execution tid: w1(a,v) crash 20

  30. User sees an atomic write due to recovery pending crash spec operation tid: user’s view (spec) write(a, v) code execution r1(a) w2(a,v) tid: w1(a,v) return recover() crash 20

  31. User sees an atomic write due to recovery pending crash recovery helping spec operation tid: tid: user’s view (spec) write(a, v) write(a, v) code execution r1(a) w2(a,v) tid: w1(a,v) return recover() crash 20

  32. Recovery helping: recovery can commit writes from before the crash func write(a: addr, v: block) { tid: write(a, v) lock_address(a) d1.write(a, v) func recover() { for a in … { v, ok := d1.read(a) if !ok { … } tid: d2.write(a, v) write(a, v) } } 21

  33. Crash invariant says “if disks disagree, some thread was writing the value on the first disk” func write(a: addr, v: block) { tid: write(a, v) lock_address(a) d1.write(a, v) crash invariant: d 1 [ a ] ≠ d 2 [ a ] ⟹ func recover() { for a in … { ∃ tid. tid: v, ok := d1.read(a) write(a, ) d 1 [ a ] if !ok { … } tid: d2.write(a, v) write(a, v) } } 22

  34. Crash invariant says “if disks disagree, some thread was writing the value on the first disk” func write(a: addr, v: block) { tid: write(a, v) lock_address(a) d1.write(a, v) crash invariant: d 1 [ a ] ≠ d 2 [ a ] ⟹ func recover() { for a in … { ∃ tid. tid: v, ok := d1.read(a) write(a, ) d 1 [ a ] if !ok { … } tid: d2.write(a, v) write(a, v) } } 22

  35. Key idea: crash invariant can refer to interrupted spec operations func write(a: addr, v: block) { tid: write(a, v) lock_address(a) d1.write(a, v) crash invariant: d 1 [ a ] ≠ d 2 [ a ] ⟹ func recover() { for a in … { ∃ tid. tid: v, ok := d1.read(a) write(a, ) d 1 [ a ] if !ok { … } tid: d2.write(a, v) write(a, v) } } 23

  36. Recovery proof shows code restores the abstraction relation by completing all interrupted writes func write(a: addr, v: block) { tid: write(a, v) lock_address(a) d1.write(a, v) func recover() { for a in … { v, ok := d1.read(a) if !ok { … } tid: d2.write(a, v) write(a, v) } abstraction relation: } crash σ [ a ] = d 1 [ a ] ! locked ( a ) ⟹ ∧ σ [ a ] = d 2 [ a ] 24

  37. Proving concurrent recovery refinement Recovery proof uses crash invariant to restore abstraction relation Proof can refer to interrupted operations, enabling recovery helping reasoning Users get correct behavior and atomicity 25

  38. Implementation Perennial (9k lines of Coq) - leases - memory versioning - recovery helping developer-written Iris concurrency framework this paper prior work Coq 26

  39. Implementation Go source go build Perennial (9k lines of Coq) - leases exe - memory versioning - recovery helping developer-written Iris concurrency framework this paper prior work Coq 26

  40. Implementation see paper Goose translator Go source Proof (2k lines of Go) go build Perennial (9k lines of Coq) - leases exe - memory versioning - recovery helping developer-written Iris concurrency framework this paper prior work Coq 26

  41. Implementation see paper Goose translator Go source Proof (2k lines of Go) go build Perennial (9k lines of Coq) machine - leases checked by Coq exe - memory versioning - recovery helping developer-written Iris concurrency framework this paper prior work Coq 26

  42. Evaluation This talk: • proof-e ff ort comparison See paper: • verified examples • TCB • bug discussion 27

  43. Methodology: 
 Verify the same mail server as previous work, CSPEC [OSDI ’18] Users can read, deliver, and delete mail Implemented on top of a file system Operations are atomic (and crash safe in Perennial) 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej Chajed , Stephanie Wang, Alex Konradi, Atalay leri, Adam Chlipala, M. Frans Kaashoek, Nickolai Zeldovich File systems are difficult to make correct

1.19k views • 100 slides
Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group NEC Labs America, Princeton, USA www.nec-labs.com Tutorial: Verifying Concurrent Programs Oct 2011 Acknowledgements Malay Ganai, Vineet

982 views • 72 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Systems verification, broadly impl proof specification 2 Systems verification requires connecting

859 views • 48 slides
Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

1.2k views • 72 slides
VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark Hillebrand 3 , Dirk Leinenbach 3 , Michal Moskal 2 , Thomas Santen 2 , Wolfram Schulte 4 and Stephan Tobies 2 1 Microsoft Corporation, Redmond, WA, USA 2

553 views • 27 slides
The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed Bouajjani 2 Mohamed Faouzi Atig 1 Tuan Phong Ngo 1 1 Uppsala University 2 IRIF, Universit Paris Diderot & IUF CONCUR 2016 1 Motivation

1.66k views • 118 slides
Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo ao M. Lourenc o, Ale s Smr cka, Diogo G. Sousa, Tom a s Vojnar Brno University of Technology (BUT) Universidade Nova de Lisboa (UNL)

1.54k views • 125 slides
Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang

Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang

Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang Chen, Alex Konradi, Stephanie Wang, Daniel Ziegler, Adam Chlipala, M. Frans Kaashoek File systems should not lose data People use file systems to

1.17k views • 98 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs with Unbounded Replication D.

774 views • 50 slides
Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri David Pichardie Jan Vitek Yannick Zakowski Why are high level languages difficult to compile? Easy to compile in C Obj.f := v What about Java? A

1.17k views • 73 slides
Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au So

1.94k views • 156 slides
Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly University Gyngys, Hungary Synchron 2016 Bamberg December 2016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

486 views • 25 slides
CTSRD CRASH-worthy Trustworthy Systems Research and Development Beyond the PDP-11:

CTSRD CRASH-worthy Trustworthy Systems Research and Development Beyond the PDP-11:

CTSRD CTSRD CRASH-worthy Trustworthy Systems Research and Development Beyond the PDP-11: Architectural support for a memory-safe C abstract machine David Chisnall , Colin Rothwell , Brooks Davis , Robert N.M. Watson ,

252 views • 22 slides
two-phase commit / network FSes 1 last time remote procedure calls imitate function/method call

two-phase commit / network FSes 1 last time remote procedure calls imitate function/method call

two-phase commit / network FSes 1 last time remote procedure calls imitate function/method call interface extra setup: where is server interface description language to specify interface extra concerns: portability (language + machine),

1.54k views • 127 slides
Evalua&ng Opera&ng System Vulnerability to Memory Errors

Evalua&ng Opera&ng System Vulnerability to Memory Errors

Evalua&ng Opera&ng System Vulnerability to Memory Errors Kurt B. Ferreira, Kevin Pedre1, Patrick Bridges , Ron Brightwell, David Fiala, and Frank

689 views • 23 slides
Ext3/4 file systems Don Porter CSE 506 Logical Diagram Binary Memory Threads Formats

Ext3/4 file systems Don Porter CSE 506 Logical Diagram Binary Memory Threads Formats

Ext3/4 file systems Don Porter CSE 506 Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture System Calls Kernel RCU File System Networking Sync Memory CPU Device Management Scheduler Drivers Hardware

598 views • 33 slides
Social Media Reboot Justin Ramers Director of Social Media @JustinRamers June 2012 For audio

Social Media Reboot Justin Ramers Director of Social Media @JustinRamers June 2012 For audio

Event Directors Best Practices Webinar Series Presents: Social Media Reboot Justin Ramers Director of Social Media @JustinRamers June 2012 For audio dial-in: Ireland: 1800 937 003 United Kingdom: 0844 871 9642 Conference Code: 423 657

864 views • 37 slides
Prometheus Best Practices and Beastly Pitfalls Julius Volz, August 17, 2017 Prometheus

Prometheus Best Practices and Beastly Pitfalls Julius Volz, August 17, 2017 Prometheus

Prometheus Best Practices and Beastly Pitfalls Julius Volz, August 17, 2017 Prometheus Prometheus Areas Instrumentation Alerting Querying Prometheus Instrumentation Prometheus What to Instrument Every component (including

579 views • 34 slides
The unbreakable, scalable elephant - Patroni automation with Ansible 18.10.2019 Who we are The

The unbreakable, scalable elephant - Patroni automation with Ansible 18.10.2019 Who we are The

18.10.2019 The unbreakable, scalable elephant - Patroni automation with Ansible 18.10.2019 Who we are The Company > Founded in 2010 > More than 70 specialists > Specialized in the Middleware Infrastructure > The invisible part of IT

429 views • 32 slides
Improving Agility and Elasticity in Bare-metal Clouds Yushi Omote , Takahiro Shinagawa ,

Improving Agility and Elasticity in Bare-metal Clouds Yushi Omote , Takahiro Shinagawa ,

Improving Agility and Elasticity in Bare-metal Clouds Yushi Omote , Takahiro Shinagawa , Kazuhiko Kato University of Tsukuba, The University of Tokyo 1 Bare-metal Clouds An IaaS for high performance and device functionality

230 views • 21 slides
SRC MN Updated 12/10/14 Customer All Ratepayers $ Avoided costs (Fuel Clause Adjustment)

SRC MN Updated 12/10/14 Customer All Ratepayers $ Avoided costs (Fuel Clause Adjustment)

SRC MN Updated 12/10/14 Customer All Ratepayers $ Avoided costs (Fuel Clause Adjustment) Solar Energy Utility Developer RECs (if election made to sell) Bill Credit Types and Rates Gardens Not Receiving Gardens Receiving Incentives

377 views • 11 slides

More recommend