Verifying Deadlock Freedom Duy-Khanh LE , Wei-Ngan CHIN, Yong-Meng - - PowerPoint PPT Presentation



SLIDE 1

An Expressive Framework for Verifying Deadlock Freedom

Duy-Khanh LE, Wei-Ngan CHIN, Yong-Meng TEO
{leduykha,chinwn,teoym} [at] comp.nus.edu.sg

11th International Symposium on Automated Technology for Verification and Analysis (ATVA), Hanoi, Vietnam, Oct 15 – 18, 2013

SLIDE 2

Outline Motivation Related Work Objective & Contributions Approaches

  • Precise locksets
  • Delayed lockset checking
  • Combining lockset and locklevel

Implementation & Preliminary Experiment Conclusion

An Expressive Framework for Verifying Deadlock Freedom 2 18 October 2013

SLIDE 3

Motivation Deadlock is a notoriously important issue

  • 6,500 reports out of 198,000 (∼3%) of Sun’s

bug report database containing the keyword “deadlock” [ICSE’09] Existing formal reasoning frameworks

  • focus on partial correctness
  • and mostly ignore deadlocks

 Need to formally reason about deadlock- freedom

SLIDE 4

Types of Deadlocks

 Deadlocks are often defined as “states in which each thread in a set blocks waiting for others to finish, but none ever does”

 D1: Double lock acquisition
 D2: Interactions between thread and lock operations
 D3: Unordered locking

SLIDE 5

Related Work

Formal reasoning frameworks

  • Often use abstract predicates (e.g. locked(x)) to represent the states of locks
  • Partial correctness [APLAS’07, ESOP’08, POPL’11, etc.]
  • Chalice [ESOP’09, ESOP’10] can prevent D1 & D3

Dynamic analyses (e.g. ICSE’12)

  • Cannot guarantee the absence of deadlocks

Static analyses and type systems (e.g. ICSE’09, TLDI’12)

  • Tend to be less expressive than specification logics
  • Ignore D2

SLIDE 6

Objective Propose an expressive logical framework for ensuring deadlock-freedom from various deadlock scenarios (D1, D2, and D3)

SLIDE 7

Contributions C1: Advocate precise locksets as a deadlock-aware abstraction

  • for reasoning about concurrent programs that

manipulate non-recursive locks (D1) C2: Propose delayed lockset checking technique

  • to help reasoning about interactions between

thread and lock operations (D2) C3: Combine locksets with the locklevels

  • to form an expressive framework (D3)

SLIDE 8

C1: Precise Lockset as an Abstraction

Lockset

  • A verification concept (denoted as LS)
  • A thread-local ghost variable capturing the set of locks held by a thread

SLIDE 9

C1: Precise Lockset as an Abstraction

Precise Lockset

Three ways of tracking the lockset are compared (the slide's definitions and its code snippet, annotated "// ???", are not recovered in this extraction):

  • Under-approximation
  • Over-approximation
  • Precise lockset

SLIDE 10

D1: Double Lock Acquisition

SLIDE 11

D1: Double Lock Acquisition

SLIDE 12

D1: Double Lock Acquisition

SLIDE 13

D2: Interactions between Thread and Lock Ops

(Two program variants are shown side by side, one deadlocked and one deadlock-free; their code is not recovered in this extraction.)

SLIDE 14

D2: Traditional Verification Fails

Verified but deadlocked!

SLIDE 15

D2: Traditional Verification Fails

Deadlock-free but not verified !

SLIDE 16

D2: Traditional Verification Fails

Verified but deadlocked !

Deadlock-free but not verified !

Observations

SLIDE 17

C2: Delayed Lockset Checking

 Verified => deadlock-free
 Deadlocked => not verified

(The two annotated programs are not recovered in this extraction. On the slide, /* DELAY */ marks the point where the lockset check for a thread is postponed, and /* CHECK, error */ or /* CHECK, ok */ the point where it is finally performed: it fails for the deadlocked program and succeeds for the deadlock-free one.)

SLIDE 18

Exercise – Deadlocked or Deadlock-free?

void main() {
  lock l = new lock();
  int tid1 = fork(thread1, l);
  acquire(l);
  int tid2 = fork(thread2, l, tid1);
  release(l);
  join(tid2);
}

void thread1(lock l) {
  acquire(l);
  release(l);
}

void thread2(lock l, int tid1) {
  join(tid1);
}

Note:

  • 3 PhD students needed more than 15 minutes (and several attempts) to figure it out
  • Answer given on slide 31

SLIDE 19

D3: Unordered Locking

SLIDE 20

D3: Unordered Locking
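The D2 exercise on slide 18 and the D3 scenario above both come down to the same question: is there any interleaving in which every live thread is blocked? The deck answers it with a static proof rule (delayed lockset checking plus locklevels); the following added example, which is not code from the paper or from ParaHIP, instead answers it by exhaustively exploring every interleaving of a small fork/join-plus-locks program in the style of the slides. The operation encoding, thread naming (thread names double as thread ids) and the four constructed programs are assumptions made for this example. It reports the exercise program as deadlock-free (the answer the deck gives on slide 31), and finds the stuck state for a D1 self re-acquire, for main joining a thread while holding the lock that thread needs (D2), and for two threads taking two locks in opposite orders (D3).

```python
"""Exhaustive-interleaving deadlock check for small fork/join + lock programs (added example)."""
from collections import deque

# Thread bodies are lists of operations. Thread names double as thread ids,
# so in this toy model a body can be forked at most once:
#   ('acquire', lock)   blocks while any thread (including this one) holds lock
#   ('release', lock)   lock must be held by this thread
#   ('fork', name)      start the body called `name`
#   ('join', name)      blocks until that thread has run to completion

def _step(programs, pcs, owners, tid):
    """Successor (pcs, owners) if thread tid can take its next step, else None."""
    pc = pcs[tid]
    body = programs[tid]
    if pc >= len(body):
        return None                                  # already finished
    op, arg = body[pc]
    pcs, owners = dict(pcs), dict(owners)
    if op == 'acquire':
        if arg in owners:                            # non-recursive: a self re-acquire (D1) blocks too
            return None
        owners[arg] = tid
    elif op == 'release':
        if owners.get(arg) != tid:
            raise ValueError(f"{tid} releases {arg} without holding it")
        del owners[arg]
    elif op == 'fork':
        if arg in pcs:
            raise ValueError(f"{arg} forked twice")
        pcs[arg] = 0
    elif op == 'join':
        if arg not in pcs or pcs[arg] < len(programs[arg]):
            return None                              # joinee not started or still running
    else:
        raise ValueError(f"unknown op {op}")
    pcs[tid] = pc + 1
    return pcs, owners

def find_deadlock(programs, entry='main'):
    """Breadth-first search over all interleavings.

    Returns None if no reachable state is deadlocked, otherwise a dict with the
    interleaving ('trace') that reaches the deadlock and, for each thread still
    alive there, the operation it is stuck on ('blocked')."""
    start = ({entry: 0}, {})
    key = lambda pcs, owners: (tuple(sorted(pcs.items())), tuple(sorted(owners.items())))
    seen = {key(*start)}
    work = deque([(start, [])])
    while work:
        (pcs, owners), trace = work.popleft()
        live = [t for t in pcs if pcs[t] < len(programs[t])]
        successors = []
        for t in live:
            nxt = _step(programs, pcs, owners, t)
            if nxt is not None:
                successors.append((t, nxt))
        if live and not successors:                  # someone still running, nobody can move
            return {'trace': trace,
                    'blocked': {t: programs[t][pcs[t]] for t in live}}
        for t, (npcs, nowners) in successors:
            k = key(npcs, nowners)
            if k not in seen:
                seen.add(k)
                work.append(((npcs, nowners), trace + [(t,) + programs[t][pcs[t]]]))
    return None

# Constructed inputs, hand-written for this example.
# Slide 18 exercise: main holds l only briefly, then joins thread2, which joins thread1.
EXERCISE = {
    'main':    [('fork', 'thread1'), ('acquire', 'l'), ('fork', 'thread2'),
                ('release', 'l'), ('join', 'thread2')],
    'thread1': [('acquire', 'l'), ('release', 'l')],
    'thread2': [('join', 'thread1')],
}
# D2: main joins thread1 while still holding the lock thread1 needs.
HOLD_WHILE_JOIN = {
    'main':    [('fork', 'thread1'), ('acquire', 'l'), ('join', 'thread1'), ('release', 'l')],
    'thread1': [('acquire', 'l'), ('release', 'l')],
}
# D3: two threads take the same two locks in opposite orders.
UNORDERED = {
    'main':   [('fork', 'worker'), ('acquire', 'a'), ('acquire', 'b'),
               ('release', 'b'), ('release', 'a'), ('join', 'worker')],
    'worker': [('acquire', 'b'), ('acquire', 'a'), ('release', 'a'), ('release', 'b')],
}
# D1: re-acquiring a non-recursive lock in the same thread.
DOUBLE_ACQUIRE = {'main': [('acquire', 'l'), ('acquire', 'l'), ('release', 'l')]}

if __name__ == '__main__':
    for name, prog in [('exercise', EXERCISE), ('hold-while-join', HOLD_WHILE_JOIN),
                       ('unordered', UNORDERED), ('double-acquire', DOUBLE_ACQUIRE)]:
        r = find_deadlock(prog)
        print(name, '->', 'deadlock-free' if r is None else f"deadlock: {r['blocked']}")
```

Unlike the deck's technique, this exploration is neither modular nor scalable (the state space grows with every thread and lock), which is exactly why the paper wants a proof rule that can be discharged per procedure; it is useful here only as an oracle to confirm the verdicts the slides claim.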

SLIDE 21

C3: Encoding Waitlevel Using Lockset

SLIDE 22

Programming Language

SLIDE 23

Specification Language Example

SLIDE 24

Verification Rules (1)

(standard)

SLIDE 25

Verification Rules (2)

(delayed lockset checking) (precise lockset)

SLIDE 26

Guarantee on Deadlock Freedom

SLIDE 27

Implementation

ParaHIP prototype for verifying correctness + deadlock freedom

  • Fork/join concurrency + non-recursive locks
  • Forking of recursive procedures
  • Unbounded #locks using shape predicates
  • Thread transfer

Download or try ParaHIP online at

http://loris-7.ddns.comp.nus.edu.sg/~project/parahip/

SLIDE 28

Preliminary Experiment

No  Scenario           Chalice  ParaHIP  Comments
1   no-deadlock1       ✗        ✓        Chalice cannot prove that this program is deadlock-free
2   no-deadlock2       ✓        ✓
3   no-deadlock3       ✗        ✓        Chalice cannot prove that this program is deadlock-free
4   deadlock1          ✗        ✓        Chalice verifies this deadlock scenario as deadlock-free
5   deadlock2          ✓        ✓
6   deadlock3          ✓        ✓
7   disj-no-deadlock   ✓        ✓
8   disj-deadlock      ✗        ✓        Chalice verifies this deadlock scenario as deadlock-free
9   ordered-locking    ✓        ✓
10  unordered-locking  ✓        ✓

(✓: the tool gives the expected verdict for the scenario, i.e. proves the deadlock-free programs and rejects the deadlocked ones; ✗: it does not)

(*) Comparison details and implications are discussed in the paper

SLIDE 29

Conclusion (Take-home Message)

C1: Advocate precise locksets as a deadlock-aware abstraction
C2: Propose the delayed lockset checking technique
C3: Combine locksets with locklevels

Together: an expressive framework for verifying deadlock-freedom

SLIDE 30

Future Work

Recursive locks

  • Lock bag, lock sequence

Other constructs, e.g. barriers

  • Single barrier (to appear in ICFEM 2013)
  • Multiple barriers
  • Multiple barriers, multiple locks

SLIDE 31

Answer: It is Deadlock-free

 See the example “no-deadlock-nonlexical” in our webpage: http://loris-7.ddns.comp.nus.edu.sg/~project/parahip/

SLIDE 32

Answer: It is Deadlock-free

SLIDE 33

THANK YOU FOR LISTENING

END

Q&A

leduykha@comp.nus.edu.sg

Download or try ParaHIP online at

http://loris-7.ddns.comp.nus.edu.sg/~project/parahip/

SLIDE 34

References (1)

[APLAS’07] Gotsman, A., Berdine, J., Cook, B., Rinetzky, N., Sagiv, M.: Local Reasoning for Storable Locks and Threads. In: Shao, Z. (ed.) APLAS 2007. LNCS, vol. 4807, pp. 19–37. Springer, Heidelberg (2007)

[ESOP’08] Hobor, A., Appel, A.W., Nardelli, F.Z.: Oracle Semantics for Concurrent Separation Logic. In: Drossopoulou, S. (ed.) ESOP 2008. LNCS, vol. 4960, pp. 353–367. Springer, Heidelberg (2008)

[ESOP’09] Leino, K.R.M., Müller, P.: A Basis for Verifying Multi-threaded Programs. In: Castagna, G. (ed.) ESOP 2009. LNCS, vol. 5502, pp. 378–393. Springer, Heidelberg (2009)

[ESOP’10] Leino, K.R.M., Müller, P., Smans, J.: Deadlock-Free Channels and Locks. In: Gordon, A.D. (ed.) ESOP 2010. LNCS, vol. 6012, pp. 407–426. Springer, Heidelberg (2010)

SLIDE 35

References (2)

[ICSE’09] Naik, M., Park, C.-S., Sen, K., Gay, D.: Effective Static Deadlock Detection. In: ICSE, pp. 386–396 (2009)

[POPL’11] Jacobs, B., Piessens, F.: Expressive Modular Fine-grained Concurrency Specification. In: POPL, New York, NY, USA, pp. 271–282 (2011)

[TLDI’12] Gordon, C.S., Ernst, M.D., Grossman, D.: Static Lock Capabilities for Deadlock Freedom. In: TLDI, pp. 67–78 (2012)

[ICSE’12] Cai, Y., Chan, W.K.: MagicFuzzer: Scalable Deadlock Detection for Large-scale Applications. In: ICSE, pp. 606–616 (2012)

SLIDE 36

Backup Slides

and miscellaneous stuff

SLIDE 37

Current Abstraction: Lock Predicates

Lock predicates (for non-recursive locks):

  {emp} acquire(l); {locked(l)}
  {locked(l)} release(l); {emp}

e.g. {emp} acquire(l); acquire(l); {locked(l) * locked(l)}, where locked(l) * locked(l) = false

 With the frame rule, it is hard to reason about the absence of a given predicate, and hence hard to verify deadlock freedom

Note: from here on, the implicit predicate saying that “l” is a lock is omitted

SLIDE 38

Lock Predicates Are Not Deadlock-aware

func(lock l) {
  acquire(l);
  release(l);
}

thread() {
  lock l = new lock();
  acquire(l);
  func(l);        // acquires the non-recursive lock l again while thread() still holds it
  release(l);
}

There is a deadlock

SLIDE 39

Lock Predicates Are Not Deadlock-aware

func(lock l)
  requires emp
  ensures emp;
{
  //{emp}
  acquire(l);
  //{locked(l)}
  release(l);
  //{emp}
}

thread() {
  lock l = new lock();
  //{emp}
  acquire(l);
  //{locked(l)}
  //{emp * locked(l)}     frame rule: locked(l) is set aside, func only sees emp
  func(l);
  //{emp * locked(l)}
  //{locked(l)}
  release(l);
  //{emp}
}

The program is verified even though there is a deadlock
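To make the failure on slides 37–39 and the fix proposed as C1 (slides 8–9) concrete, here is an added example, not code from the paper or from ParaHIP, that runs the thread() / func(l) program through two toy forward checkers. The procedure encoding and the way a requires/ensures pair is read are assumptions made for this example: the first checker models lock predicates with a frame rule (a callee sees only the locked(x) facts its precondition names, the rest is framed around the call), the second models a precise lockset (the ghost variable LS is known exactly at every point, so a precondition can demand that a lock be absent). The first accepts the deadlocked program; the second rejects the call to func(l) because LS = {l} at the call site.

```python
"""Lock predicates versus precise locksets, as two forward checkers (added example)."""
from collections import Counter

# Each procedure: {'params': [...], 'requires': set, 'ensures': set, 'body': [...]}.
# Body ops: ('new', x), ('acquire', x), ('release', x), ('call', proc_name, [actuals]).
# The same 'requires'/'ensures' sets are read two ways:
#   lock predicates : the locked(x) facts needed on entry / left on exit (emp = set())
#   precise lockset : the exact value of the ghost variable LS on entry / exit

def _rename(names, formals, actuals):
    """Translate a callee's lock names into the caller's names."""
    m = dict(zip(formals, actuals))
    return {m.get(n, n) for n in names}

def verify_with_lock_predicates(procs):
    """Frame-rule style: a callee cannot ask for a lock to be *absent*, only present."""
    errors = []
    for name, p in procs.items():
        held = Counter(p['requires'])
        for op in p['body']:
            kind, arg = op[0], op[1]
            if kind == 'acquire':
                if held[arg]:                        # locked(l) * locked(l) = false
                    errors.append(f"{name}: acquire({arg}) yields locked({arg}) * locked({arg}) = false")
                held[arg] += 1
            elif kind == 'release':
                if not held[arg]:
                    errors.append(f"{name}: release({arg}) without locked({arg})")
                else:
                    held[arg] -= 1
            elif kind == 'call':
                callee = procs[arg]
                req = _rename(callee['requires'], callee['params'], op[2])
                ens = _rename(callee['ensures'], callee['params'], op[2])
                missing = sorted(x for x in req if not held[x])
                if missing:
                    errors.append(f"{name}: call {arg} needs locked({missing[0]})")
                    continue
                held -= Counter(req)                 # callee consumes its precondition ...
                held += Counter(ens)                 # ... and hands back its postcondition; the rest is framed
        if set(+held) != set(p['ensures']):
            errors.append(f"{name}: exits with {sorted(+held)} but ensures {sorted(p['ensures'])}")
    return errors

def verify_with_precise_lockset(procs):
    """LS is known exactly at every program point, so absence of a lock is checkable (D1)."""
    errors = []
    for name, p in procs.items():
        LS = set(p['requires'])
        for op in p['body']:
            kind, arg = op[0], op[1]
            if kind == 'acquire':
                if arg in LS:
                    errors.append(f"{name}: double acquisition of {arg} (already in LS)")
                LS.add(arg)
            elif kind == 'release':
                if arg not in LS:
                    errors.append(f"{name}: release({arg}) but {arg} not in LS")
                LS.discard(arg)
            elif kind == 'call':
                callee = procs[arg]
                req = _rename(callee['requires'], callee['params'], op[2])
                ens = _rename(callee['ensures'], callee['params'], op[2])
                if LS != req:                        # precise: the whole set must match, not a subset
                    errors.append(f"{name}: call {arg} requires LS = {sorted(req)} but LS = {sorted(LS)}")
                    continue
                LS = set(ens)
        if LS != set(p['ensures']):
            errors.append(f"{name}: exits with LS = {sorted(LS)} but ensures {sorted(p['ensures'])}")
    return errors

# Constructed input: the slide 38/39 program, func specified as "requires emp ensures emp"
# (read as LS = {} on entry and exit under the precise-lockset reading).
SLIDE38 = {
    'func':   {'params': ['l'], 'requires': set(), 'ensures': set(),
               'body': [('acquire', 'l'), ('release', 'l')]},
    'thread': {'params': [], 'requires': set(), 'ensures': set(),
               'body': [('new', 'l'), ('acquire', 'l'), ('call', 'func', ['l']), ('release', 'l')]},
}
# Same program with the lock released before the call: accepted under both readings.
FIXED = {
    'func':   SLIDE38['func'],
    'thread': {'params': [], 'requires': set(), 'ensures': set(),
               'body': [('new', 'l'), ('acquire', 'l'), ('release', 'l'), ('call', 'func', ['l'])]},
}

if __name__ == '__main__':
    print('lock predicates, slide 38:', verify_with_lock_predicates(SLIDE38) or 'verified')
    print('precise lockset, slide 38:', verify_with_precise_lockset(SLIDE38) or 'verified')
    print('precise lockset, fixed   :', verify_with_precise_lockset(FIXED) or 'verified')
```

The lock-predicate checker does flag a double acquire inside one procedure body (the state would be locked(l) * locked(l) = false, as slide 37 notes), but it cannot see the one that happens across the call, because the frame rule hides the caller's locked(l) from func. The precise-lockset checker compares the whole set at the call, which is what lets a precondition express "l is not held".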

SLIDE 40

System Design

(Architecture figure of the automated verification system ParaHIP.) A concurrent program with pre/post specifications is fed to a Hoare-style verifier, which applies the forward verification rules (*) and produces proof obligations of two kinds: partial correctness properties, and lockset & locklevel constraints (*). An entailment checker, given user-supplied pure constraints and backed by the Mona and Redlog provers, decides whether each obligation is valid.

(*) Required for verifying deadlock freedom

SLIDE 41

An Implementation of a Timer

SLIDE 42

END
