verifying concurrent software using movers in cspec
play

Verifying concurrent software using movers in CSPEC Tej Chajed , - PowerPoint PPT Presentation

Sep 18, 2022 •459 likes •1.2k views

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

  1. Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft

  2. Concurrent software is difficult to get right Programmer cannot reason about code in sequence… � 2

  3. Concurrent software is difficult to get right Programmer cannot reason about code in sequence… instead, must consider many executions: � 3

  4. Concurrent software is difficult to get right Programmer cannot reason about code in sequence… instead, must consider many executions: … � 3

  5. Goal: verify concurrent software � 4

  6. Challenge for formal verification • Proofs must also cover every execution • Many approaches to managing this complexity • movers [Lipton, 1975] • rely-guarantee [1983] • RGSep [CONCUR 2007] • FCSL [PLDI 2015] • Iris [POPL 2017, LICS 2018, others] • many others � 5

  7. Challenge for formal verification • Proofs must also cover every execution • Many approaches to managing this complexity • movers [Lipton, 1975] • rely-guarantee [1983] • RGSep [CONCUR 2007] • FCSL [PLDI 2015] • Iris [POPL 2017, LICS 2018, others] • many others • This work: our experience using movers � 5

  8. Movers: reduce concurrent executions to sequential ones time 1 2 3 blue thread 1 A 2 3 B green thread A B � 6

  9. Movers: reduce concurrent executions to sequential ones 1 2 3 blue thread 1 A 2 3 B green thread A B movers has the same e ff ect as 1 2 3 A B � 6

  10. Movers: reduce concurrent executions to sequential ones 1 2 3 blue thread 1 A 2 3 B green thread A B movers has the same e ff ect as 1 2 3 A B sequential reasoning 2 1 3 A B � 6

  11. Prior systems with mover reasoning CIVL [CAV ’15, CAV ’18] framework relies pen & paper proofs IronFleet [SOSP ’15] only move network send/receive � 7

  12. Contribution: CSPEC • Framework for verifying concurrency in systems software • general-purpose movers • patterns to support mover reasoning • machine checked in Coq to support extensibility � 8

  13. Contribution: CSPEC • Framework for verifying concurrency in systems software • general-purpose movers • patterns to support mover reasoning • machine checked in Coq to support extensibility • Case studies using CSPEC • Lock-free file-system concurrency • Spinlock on top of x86-TSO (see paper) � 8

  14. Case study: mail server using file-system concurrency file system spool mbox � 9

  15. Mail servers exploit file-system concurrency # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 10

  16. Mail servers exploit file-system concurrency msg # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 11

  17. Spooling avoids reading partially-written messages $TID =10 # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 12

  18. Spooling avoids reading partially-written messages $TID =10 # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 10 while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 12

  19. Threads use unique IDs to avoid conflicts msg $TID =10 $TID =11 # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 13

  20. Threads use unique IDs to avoid conflicts $TID =10 $TID =11 # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 14

  21. Threads use unique IDs to avoid conflicts $TID =10 $TID =11 # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 11 while True: 1 2 3 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 14

  22. Timestamps help generate unique message names # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 11 while True: 1 2 3 4 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): link(/spool/11, /mbox/4) break # cleanup unlink (“/spool/$TID”) � 15

  23. Timestamps help generate unique message names # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 11 while True: 1 2 3 4 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): link(/spool/10, /mbox/4) break # cleanup EEXISTS ✗ unlink (“/spool/$TID”) � 16

  24. Timestamps help generate unique message names # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 11 while True: 1 2 3 4 5 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): link(/spool/10, /mbox/5) break # cleanup unlink (“/spool/$TID”) � 17

  25. Delivery concurrency does not use locks # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store 10 while True: 1 2 3 4 5 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 18

  26. Delivery concurrency does not use locks # accept def deliver(msg): file system # spool create (“/spool/$TID”) spool mbox write (“/spool/$TID”, msg) # store while True: 1 2 3 4 5 t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break # cleanup unlink (“/spool/$TID”) � 19

  27. Proving delivery correct in CSPEC delivery specification implementation and proof file-system spec CSPEC provides supporting definitions CSPEC and theorems � 20

  28. Proof engineer reasons about file-system operations def deliver(msg): create (“/spool/$TID”, msg) while True: t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break unlink (“/spool/$TID”) create( link( link( unlink( /sp/$TID, /sp/$TID, /sp/$TID, /sp/$TID) msg) /mbox/$t) /mbox/$t) ✓ ✓ ✓ EEXISTS ✗ � 21

  29. Proof engineer reasons about file-system operations collapsed to def deliver(msg): one operation create (“/spool/$TID”) create (“/spool/$TID”, msg) write (“/spool/$TID”, msg) while True: t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break unlink (“/spool/$TID”) create( link( link( unlink( /sp/$TID, /sp/$TID, /sp/$TID, /sp/$TID) msg) /mbox/$t) /mbox/$t) ✓ ✓ ✓ EEXISTS ✗ � 21

  30. Proof engineer reasons about interleaving of file- system operations def deliver(msg): create (“/spool/$TID”, msg) while True: t = time.time() if link (“/spool/$TID”, “/mbox/$t”): break unlink (“/spool/$TID”) create( link( link( unlink( /sp/$TID, /sp/$TID, /sp/$TID, /sp/$TID) create link unlink msg) /mbox/$t) /mbox/$t) ✓ ✓ ✓ ✓ EEXISTS ✗ We assume file-system operations are atomic � 22

  31. Proving atomicity of delivery atomicity : concurrent deliveries appear create create link link link unlink unlink to execute all at once (in some order) ✓ ✓ ✗ deliver deliver create link unlink create link link unlink ✓ ✓ ✗ � 23

  32. Proving atomicity of delivery atomicity : concurrent deliveries appear create create link link link unlink unlink to execute all at once (in some order) ✓ ✓ ✗ Step 1: developer identifies commit point deliver deliver create link unlink create link link unlink ✓ ✓ ✗ � 23

  33. Proving atomicity of delivery atomicity : concurrent deliveries appear create create link link link unlink unlink to execute all at once (in some order) ✓ ✓ ✗ Step 1: developer identifies commit point Step 2: prove operation occurs logically at commit point deliver deliver create link unlink create link link unlink ✓ ✓ ✗ � 23

  34. Example of movers for this execution create create link link link unlink unlink ✓ ✓ ✗ � 24

  35. Example of movers for this execution create create link link link unlink unlink ✓ ✓ ✗ create link create link link unlink unlink ✓ ✓ ✗ � 24

  36. Example of movers for this execution create create link link link unlink unlink ✓ ✓ ✗ create link create link link unlink unlink ✓ ✓ ✗ create link unlink create link link unlink ✓ ✓ ✗ � 24

  37. Right mover can be reordered after any green thread operation A A r r � 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group NEC Labs America, Princeton, USA www.nec-labs.com Tutorial: Verifying Concurrent Programs Oct 2011 Acknowledgements Malay Ganai, Vineet

982 views • 72 slides
VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark Hillebrand 3 , Dirk Leinenbach 3 , Michal Moskal 2 , Thomas Santen 2 , Wolfram Schulte 4 and Stephan Tobies 2 1 Microsoft Corporation, Redmond, WA, USA 2

553 views • 27 slides
The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed Bouajjani 2 Mohamed Faouzi Atig 1 Tuan Phong Ngo 1 1 Uppsala University 2 IRIF, Universit Paris Diderot & IUF CONCUR 2016 1 Motivation

1.66k views • 118 slides
Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo ao M. Lourenc o, Ale s Smr cka, Diogo G. Sousa, Tom a s Vojnar Brno University of Technology (BUT) Universidade Nova de Lisboa (UNL)

1.54k views • 125 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs with Unbounded Replication D.

774 views • 50 slides
Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri David Pichardie Jan Vitek Yannick Zakowski Why are high level languages difficult to compile? Easy to compile in C Obj.f := v What about Java? A

1.17k views • 73 slides
Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au So

1.94k views • 156 slides
Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Systems verification, broadly impl proof specification 2 Systems verification requires connecting

859 views • 48 slides
Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly University Gyngys, Hungary Synchron 2016 Bamberg December 2016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

486 views • 25 slides
Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Many systems need concurrency and crash safety Examples: file systems, databases, and key-value

852 views • 46 slides
Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University Mooly Sagiv Tel Aviv University Martin Vechev ETH Eran Yahav Technion

458 views • 35 slides
International Network of Movers Contacts International Network of Movers Italian Van Lines Head

International Network of Movers Contacts International Network of Movers Italian Van Lines Head

International Network of Movers Contacts International Network of Movers Italian Van Lines Head Office is in Bari and Operation Office is in Rome. Our network covers the whole Italian territory and our HUBs are located at crucial geographic

485 views • 21 slides
1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm has changed for software services. Developing a full-featured and functioning software service is necessary; however service real time availability

606 views • 19 slides
Puiseux Monoids and Their Atomic Structure Felix Gotti felixgotti@berkeley.edu UC Berkeley

Puiseux Monoids and Their Atomic Structure Felix Gotti felixgotti@berkeley.edu UC Berkeley

Puiseux Monoids and Their Atomic Structure Felix Gotti felixgotti@berkeley.edu UC Berkeley International Meeting on Numerical Semigroups July 6, 2016 Felix Gotti felixgotti@berkeley.edu Puiseux Monoids and Their Atomic Structure Outline

998 views • 77 slides
ACID and BASE 1 ACID Atomicity: a transaction happens or it does not 2 ACID Atomicity: a

ACID and BASE 1 ACID Atomicity: a transaction happens or it does not 2 ACID Atomicity: a

ACID and BASE 1 ACID Atomicity: a transaction happens or it does not 2 ACID Atomicity: a transaction happens or it does not Consistency: a correct database is still correct afterwards i.e. money balanced, no dangling pointers 3 ACID

712 views • 29 slides
Verification of Concurrent Programs Decidability, Complexity, Reductions. Ahmed Bouajjani U

Verification of Concurrent Programs Decidability, Complexity, Reductions. Ahmed Bouajjani U

Verification of Concurrent Programs Decidability, Complexity, Reductions. Ahmed Bouajjani U Paris Diderot Paris 7 Locali Workshop, Beijing, November 2013 A. Bouajjani (U Paris Diderot UP7) Verification of Concurrent Programs Beijing,

924 views • 50 slides
Monoxide: Scale out Blockchains with Asynchronous Consensus Zones Present by: Yi-Chen Liu (Leo

Monoxide: Scale out Blockchains with Asynchronous Consensus Zones Present by: Yi-Chen Liu (Leo

Monoxide: Scale out Blockchains with Asynchronous Consensus Zones Present by: Yi-Chen Liu (Leo Liu), Jia-Wei Liang (Jessie Liang) Overview Agenda Purpose and Goal 2019/11/18 System Structure Security Discussion Overview

771 views • 29 slides
CS 764: Topics in Database Management Systems Lecture 1: Introduction Xiangyao Yu 9/2/2020 Who

CS 764: Topics in Database Management Systems Lecture 1: Introduction Xiangyao Yu 9/2/2020 Who

CS 764: Topics in Database Management Systems Lecture 1: Introduction Xiangyao Yu 9/2/2020 Who am I? Name: Xiangyao Yu Assistant professor in computer sciences, database group Research interests: Transaction processing New hardware

973 views • 26 slides
15-415/615 - DB Applications Lecture #20: Overview of Transaction Management (R&G ch. 16)

15-415/615 - DB Applications Lecture #20: Overview of Transaction Management (R&G ch. 16)

CMU SCS 15-415/615 Faloutsos, CMU SCS Carnegie Mellon Univ. Dept. of Computer Science 15-415/615 - DB Applications Lecture #20: Overview of Transaction Management (R&G ch. 16) Faloutsos CMU SCS 15-415/615 1 CMU SCS Motivation We

561 views • 30 slides
Transaction Support in Windows Transaction Support in Windows NTFS NTFS Surendra Verma

Transaction Support in Windows Transaction Support in Windows NTFS NTFS Surendra Verma

Transaction Support in Windows Transaction Support in Windows NTFS NTFS Surendra Verma Surendra Verma Development Manager Development Manager Windows File Systems Windows File Systems Microsoft Microsoft Transactional NTFS (TxF)

494 views • 21 slides
Spanner Doug Woos (based on slides by Dan Ports) Bigtable in retrospect Definitely a useful,

Spanner Doug Woos (based on slides by Dan Ports) Bigtable in retrospect Definitely a useful,

Spanner Doug Woos (based on slides by Dan Ports) Bigtable in retrospect Definitely a useful, scalable system! Still in use at Google, motivated lots of NoSQL DBs Biggest mistake in design (per Jeff Dean, Google): not supporting

653 views • 21 slides

More recommend