Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify...
Transcript of Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify...
![Page 1: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/1.jpg)
SYNTHESIS OF SYNCHRONIZATION
1
Eran Yahav Technion
![Page 2: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/2.jpg)
Joint work with
2
Martin Vechev Greta Yorsh
Michael Kuperstein
![Page 3: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/3.jpg)
can we use computational power to simplify concurrent programming?
3
![Page 4: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/4.jpg)
4
Some tasks are best done by machine, while others are best done by human insight; and a properly designed system will find the right balance. – D. Knuth
![Page 5: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/5.jpg)
Dimensions of Concurrent Program Synthesis
5
Synthesis Algorithm
Input “program”
specification
concurrent program(s)
one/all solutions
correctness guarantee
optimality
Sequential Program
Program
Examples
generate/verify
transformations games with abstraction
equivalence to sequential program
LTL
assertions
dynamic
Schema
![Page 6: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/6.jpg)
6
The verification problem is solved
for anything you can specify
--David Harel
![Page 7: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/7.jpg)
Synthesis of Synchronization: Specifications
concurrent data structures
should provide the illusion of sequential data structures (linearizability)
synchronization primitives
simple specs (e.g., mutual exclusion)
…
7
![Page 8: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/8.jpg)
Examples
8
Domain Input Spec Technique Guarantee Reference
concurrent data structures
schema equiv to sequential
gen/verify checked [pldi’08]
concurrent gc schema gc safety gen/verify verified [pldi’07]
concurrent gc sequential program
gc safety transformations verified [pldi’06]
Atomic Sections
program safety AGS verified [popl’10]
Weak Memory Models
program safety or SC-equiv
AGS
checked, verified
[fmcad’10], [pldi’11]
Cooperative Concurrency
program safety AGS verified [tacas’09]
…
![Page 9: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/9.jpg)
Non-Blocking Concurrent Data Structures
Extremely tricky to get right
A new algorithm is a publishable result
Very fragile, minor changes can have drastic effects
Have to understand underlying memory model
For performance, have to consider mem hierarchy
(e.g., Hopscoth Hashing / Herlihy, Shavit, Tzafrir)
Tricky to adapt from existing implementations
9
![Page 10: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/10.jpg)
bool add(int key) {
Entry *pred,*curr,*entry
restart:
locate(pred,curr,key)
k = (curr->key == key)
if (k) return false
entry = new Entry()
entry->next = curr
val=CAS(&pred->next,curr.ptr,0,entry.ptr,0) if (val) goto restart if (k) return true goto restart
}
bool remove(int key) {
Entry *pred,*curr,*r
restart:
locate(pred,curr,key)
k = (curr->key ≠ key)
if (k) return false
r = curr->next
lval=CAS(&curr->next, r.ptr,0,r.ptr,1) if (lval) goto restart
pval=CAS(&pred->next,curr.ptr,0,r.ptr,0) if (pval) goto restart pred->next = r
if (k) return true }
Example: Concurrent Set Algorithm
bool add(int key)
{
Entry *pred,*curr,*entry
locate(pred,curr,key)
k = (curr->key == key)
if (k) return false
entry = new Entry()
entry->next = curr
pred->next = entry
return true
}
bool remove(int key)
{
Entry *pred,*curr,*r
locate(pred,curr,key)
k = (curr->key ≠ key)
if (k) return false
r = curr->next
pred->next = r
return true
}
bool contains(int key)
{
Entry *pred,*curr
locate(pred,curr,key)
k = (curr->key == key)
if (k) return true
if (k) return false }
locate(int k) {
pred = head
curr = head->next
while(curr->key < k)
{
pred=curr
curr=curr->next
}
}
Systematically derived with machine assistance Correctness – machine checked “Performance” – only uses CAS
![Page 11: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/11.jpg)
Memory Fences
Fences are expensive 10s-100s of cycles collateral damage (e.g., prevent compiler
optimizations)
Required fences depend on memory
model
Where should I put fences?
11
![Page 12: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/12.jpg)
Synthesis of Memory Fences
There are ~3500 fences in the Linux Kernel
Which fences are required on x86? removal of one redundant fence in spin lock
=> 4% performance improvement [Sewell]
Automatically synthesize fences required to satisfy a given specification
Successfully synthesized required fences for concurrent data structures
mutual exclusion primitives
12
![Page 13: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/13.jpg)
Synthesizing locks from atomic sections
Program annotated with atomic sections
Use static information about the shape of the heap to enable automatic inference of locks
New locking protocol: domination locking
Automatic techniques for enforcing the protocol
13 [Guy Gueta et. al. OOPSLA’11]
![Page 14: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/14.jpg)
Process 1 Process 2 Process 3
Shared memory concurrent program
No synchronization: often incorrect (but “efficient”)
Coarse-grained synchronization: easy to reason about, often inefficient
Fine-grained synchronization: hard to reason about, programmer often gets this wrong
Challenge: Correct and Efficient Synchronization
14
![Page 15: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/15.jpg)
Process 1 Process 2 Process 3
Shared memory concurrent program
No synchronization: often incorrect (but “efficient”)
Coarse-grained synchronization: easy to reason about, often inefficient
Fine-grained synchronization: hard to reason about, programmer often gets this wrong
Challenge: Correct and Efficient Synchronization
15
![Page 16: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/16.jpg)
Process 1 Process 2 Process 3
Shared memory concurrent program
No synchronization: often incorrect (but “efficient”)
Coarse-grained synchronization: easy to reason about, often inefficient
Fine-grained synchronization: hard to reason about, programmer often gets this wrong
Challenge: Correct and Efficient Synchronization
16
![Page 17: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/17.jpg)
Challenge
Process 1 Process 2 Process 3
How to synchronize processes to achieve correctness and efficiency?
17
![Page 18: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/18.jpg)
Atomic sections
Conditional critical region (CCR)
Memory barriers (fences)
CAS
Semaphores
Monitors
Locks
....
Synchronization Primitives
18
![Page 19: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/19.jpg)
{
………………
……
………………….
…………………….
…………………………
}
P1()
Example: Correct and Efficient Synchronization with Atomic Sections
{
……………………………
…………………….
…
}
P2()
atom
ic
atom
ic
{
…………………..
……
…………………….
………………
……………………
}
P3()
atom
ic
Safety Specification: S
19
![Page 20: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/20.jpg)
{
………………
……
………………….
…………………….
…………………………
}
P1()
{
……………………………
…………………….
…
}
P2()
{
…………………..
……
…………………….
………………
……………………
}
P3()
Safety Specification: S
Assist the programmer by automatically inferring correct and efficient synchronization
Example: Correct and Efficient Synchronization with Atomic Sections
20
![Page 21: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/21.jpg)
Challenge
Find minimal synchronization that makes the program satisfy the specification
Avoid all bad interleavings while permitting as many good interleavings as possible
Assumption: we can prove that serial executions satisfy the specification
Interested in bad behaviors due to concurrency
21
![Page 22: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/22.jpg)
Sounds Suspiciously Like a Game?
A (safety) game of program vs. scheduler program’s goal - avoid error states
A winning strategy for the program avoids error states despite adversarial scheduler
Implementation mechanisms
Find a solution that corresponds to minimal synchronization
Infinite-state systems
22
![Page 23: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/23.jpg)
Synthesis of Synchronization with Abstract Interpretation
Compute over-approximation of all possible program executions
Add minimal synchronization to avoid (over-approximation of) bad interleavings
Interplay between abstraction and synchronization
Finer abstraction may enable finer synchronization
Coarse synchronization may enable coarser abstraction
23
![Page 24: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/24.jpg)
Crash Course on Abstract Interpretation
verify that property holds on all executions
challenges
programs with unbounded state
non trivial properties
bad news: problem is undecidable
good news: can use over-approximation
Consider a superset of possible executions
sound: a yes is a yes!
incomplete: a no is a maybe …
24
![Page 25: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/25.jpg)
Verification Challenge
main(int i) {
int x=3,y=1;
do {
y = y + 1;
} while(--i > 0)
assert 0 < x + y
}
Determine what states can arise during any execution
Challenge: set of states is unbounded
25
![Page 26: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/26.jpg)
Abstract Interpretation
French Recipe
1) Abstraction
2) Transformers
3) Exploration
main(int i) {
int x=3,y=1;
do {
y = y + 1;
} while(--i > 0)
assert 0 < x + y
}
Challenge: set of states is unbounded
Solution: compute a bounded representation of (a superset) of program states
Determine what states can arise during any execution
26
![Page 27: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/27.jpg)
1) Abstraction
concrete state
abstract state
main(int i) {
int x=3,y=1;
do {
y = y + 1;
} while(--i > 0)
assert 0 < x + y
}
: Var Z
#: Var{+, 0, -, ?}
x y i
3 1 7 x y i
+ + +
3 2 6
x y i
… 27
![Page 28: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/28.jpg)
2) Transformers
concrete transformer
abstract transformer
main(int i) {
int x=3,y=1;
do {
y = y + 1;
} while(--i > 0)
assert 0 < x + y
}
x y i
+ + 0
x y i
3 1 0
y = y + 1 x y i
3 2 0
x y i
+ + 0
y = y + 1
+ - 0 + ? 0
+ 0 0 + + 0
+ ? 0 + ? 0 28
![Page 29: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/29.jpg)
3) Exploration
+ + ? + + ?
x y i
main(int i) {
int x=3,y=1;
do {
y = y + 1;
} while(--i > 0)
assert 0 < x + y
}
+ + ?
+ + ?
? ? ?
x y i
+ + ?
+ + ?
+ + ?
+ + ?
+ + ?
+ + ?
29
![Page 30: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/30.jpg)
Incompleteness
main(int i) {
int x=3,y=1;
do {
y = y - 2;
y = y + 3;
} while(--i > 0)
assert 0 < x + y
}
+ ? ?
+ ? ?
x y i
+ ? ?
+ + ?
? ? ?
x y i
+ ? ?
+ ? ?
+ ? ?
30
![Page 31: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/31.jpg)
Parity Abstraction
31
challenge: how to find “the right” abstraction
while (x !=1 ) do {
if (x % 2) == 0 {
x := x / 2;
} else {
x := x * 3 + 1;
assert (x %2 ==0);
}
}
![Page 32: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/32.jpg)
Change the abstraction to match the program
A Standard Approach: Abstraction Refinement
program
specification
Abstract counter example
abstraction Abstraction Refinement
Abstract counter example
Verify
Valid
32
![Page 33: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/33.jpg)
program
specification
Abstract counter example
abstraction Abstraction Refinement
Change the program to match the abstraction
Verify
Our Approach: Abstraction-Guided Synthesis
Program Restriction
Implement P’
Abstract counter example
33
![Page 34: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/34.jpg)
AGS Trace-Based Algorithm – High Level
= true
while(true) {
BadTraces = { | (P ) and S }
if (BadTraces is empty) return implement(P,)
select BadTraces
if (?) {
= avoid()
if ( false) =
else abort
} else {
’ = refine(, )
if (’ ) = ’
else abort
}
}
Input: Program P, Specification S, Abstraction
Output: Program P’ satisfying S under
34
![Page 35: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/35.jpg)
Avoid and Implement
Desired output – program satisfying the spec
Implementability guides the choice of constraint language
Examples
Atomic sections [POPL’10]
Conditional critical regions (CCRs) [TACAS’09]
Memory fences (for weak memory models) [FMCAD’10 + PLDI’11]
…
35
![Page 36: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/36.jpg)
Avoiding an interleaving with atomic sections
Adding atomicity constraints
Atomicity predicate [l1,l2] – no context switch allowed between execution of statements at l1 and l2
avoid()
A disjunction of all possible atomicity predicates that would prevent
Thread A A1 A2
Thread B B1 B2
= A1 B1 A2 B2
avoid() = [A1,A2] [B1,B2] 36
![Page 37: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/37.jpg)
Avoid and abstraction
= avoid()
Enforcing avoids any abstract trace ’ such that ’
Potentially avoiding “good traces”
Abstraction may affect our ability to avoid a smaller set of traces
37
![Page 38: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/38.jpg)
Example
T1 1: x += z 2: x += z
T2 1: z++ 2: z++
T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)
f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 }
38
![Page 39: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/39.jpg)
Example: Concrete Values
0 2 3
1
2
3
4
5
4
6
y2
y1
1
Concrete values
T1 1: x += z 2: x += z
T2 1: z++ 2: z++
T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)
f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 }
x += z; x += z; z++;z++;y1=f(x);y2=x;assert y1=5,y2=0
z++; x+=z; y1=f(x); z++; x+=z; y2=x;assert y1=3,y2=3 …
39
![Page 40: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/40.jpg)
Example: Parity Abstraction
0 2 3
1
2
3
4
5
4
6
y2
y1
1
Concrete values
T1 1: x += z 2: x += z
T2 1: z++ 2: z++
T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)
f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 }
x += z; x += z; z++;z++;y1=f(x);y2=x;assert y1=Odd,y2=Even
0 2 3
1
2
3
4
5
4
6
y2
y1
1
Parity abstraction (even/odd)
40
![Page 41: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/41.jpg)
Example: Avoiding Bad Interleavings
avoid(1) = [z++,z++]
= [z++,z++] = true
= true
while(true) {
BadTraces={|(P ) and
S }
if (BadTraces is empty)
return implement(P,)
select BadTraces
if (?) {
= avoid()
} else {
= refine(, )
}
}
41
![Page 42: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/42.jpg)
Example: Avoiding Bad Interleavings
avoid(2) =[x+=z,x+=z]
= [z++,z++] = [z++,z++][x+=z,x+=z]
= true
while(true) {
BadTraces={|(P ) and
S }
if (BadTraces is empty)
return implement(P,)
select BadTraces
if (?) {
= avoid()
} else {
= refine(, )
}
}
42
![Page 43: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/43.jpg)
Example: Avoiding Bad Interleavings
T1 1: x += z 2: x += z
T2 1: z++ 2: z++
T3 1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)
= [z++,z++][x+=z,x+=z] 43
= true
while(true) {
BadTraces={|(P ) and
S }
if (BadTraces is empty)
return implement(P,)
select BadTraces
if (?) {
= avoid()
} else {
= refine(, )
}
}
![Page 44: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/44.jpg)
0 2 3
1
2
3
4
5
4
6
y2
y1
1
parity
0 1 2 3
1
2
3
4
5
4
6
0 1 2 3
1
2
3
4
5
4
6 parity parity
x+=z;
x+=z
z++;
z++;
y1=f(x)
y2=x
assert
y1!= y2
T1
T2
T3
x+=z;
x+=z
z++;
z++;
y1=f(x)
y2=x
assert
y1!= y2
T1
T2
T3
x+=z;
x+=z
z++;
z++;
y1=f(x)
y2=x
assert
y1!= y2
T1
T2
T3
Example: Avoiding Bad Interleavings
But we can also refine the abstraction…
44
![Page 45: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/45.jpg)
0 2 3
1
2
3
4
5
4
6
y2
y1
1
0 1 2 3
1
2
3
4
5
4
6
0 1 2 3
1
2
3
4
5
4
6
parity
interval
octagon
0 1 2 3
1
2
3
4
5
4
6
0 1 2 3
1
2
3
4
5
4
6
0 1 2 3
1
2
3
4
5
4
6
0 1 2 3
1
2
3
4
5
4
6
(a) (b) (c)
(d) (e)
(f) (g)
parity parity
interval
octagon
x+=z;
x+=z
z++;
z++;
y1=f(x)
y2=x
assert
y1!= y2
T1
T2
T3
x+=z;
x+=z
z++;
z++;
y1=f(x)
y2=x
assert
y1!= y2
T1
T2
T3
x+=z;
x+=z
z++;
z++;
y1=f(x)
y2=x
assert
y1!= y2
T1
T2
T3
x+=z;
x+=z
z++;
z++;
y1=f(x)
y2=x
assert
y1!= y2
T1
T2
T3
x+=z;
x+=z
z++;
z++;
y1=f(x)
y2=x
assert
y1!= y2
T1
T2
T3
x+=z;
x+=z
z++;
z++;
y1=f(x)
y2=x
assert
y1!= y2
T1
T2
T3
x+=z;
x+=z
z++;
z++;
y1=f(x)
y2=x
assert
y1!= y2
T1
T2
T3
45
![Page 46: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/46.jpg)
Multiple Solutions
Performance: smallest atomic sections
Interval abstraction for our example produces the atomicity constraint: ([x+=z,x+=z] ∨ [z++,z++]) ∧ ([y1=f(x),y2=x] ∨ [x+=z,x+=z] ∨ [z++,z++])
Minimal satisfying assignments 1 = [z++,z++] 2 = [x+=z,x+=z]
46
![Page 47: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/47.jpg)
Input: Program P, Specification S, Abstraction
Output: Program P’ satisfying S under
= true
while(true) {
BadTraces = { | (P ) and S }
if (BadTraces is empty) return implement(P,)
select BadTraces
if (?) {
= avoid()
if ( false) =
else abort
} else {
’ = refine(, )
if (’ ) = ’
else abort
}
}
Choosing between abstraction refinement and program restriction - not always possible to refine/avoid - may try and backtrack
AGS Trace-Baesd Algorithm – More Details
Forward Abstract Interpretation, taking into account for pruning infeasible interleavings
Backward exploration of invalid Interleavings using to prune infeasible interleavings.
Order of selection matters
Up to this point did not commit to a synchronization mechanism
47
![Page 48: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/48.jpg)
T1 0: if (y==0) goto L 1: x++ 2: L:
T2 0: y=2 1: x+=1 2: assert x !=y
Choosing a trace to avoid
pc1,pc2 x,y
0,0 0,0
0,1 0,2
2,0 0,0
1,1 0,2 2,1
0,2
2,2 1,2
2,1 1,2
2,2 2,2
y=2
if (y==0)
x++
x+=1
if (y==0)
y=2
x+=1
legend
0,0 E,E
0,1 E,E
2,0 E,E
1,1 E,E
2,1 T,E
2,2 T,E
y=2
if (y==0)
x++
x+=1
if (y==0)
y=2
x+=1
48
![Page 49: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/49.jpg)
Implementability
No program transformations (e.g., loop unrolling)
Memoryless strategy
T1 1: while(*) { 2: x++ 3: x++ 4: }
T2 1: assert (x != 1)
Separation between schedule constraints and how they are realized
Can realize in program: atomic sections, locks,…
Can realize in scheduler: benevolent scheduler
49
![Page 50: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/50.jpg)
Atomic sections results
If we can show disjoint access we can avoid synchronization
Requires abstractions rich enough to capture access pattern to shared data
Parity
Intervals
Program Refine Steps Avoid Steps
Double buffering 1 2
Defragmentation 1 8
3D array update 2 23
Array Removal 1 17
Array Init 1 56
50
![Page 51: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/51.jpg)
AGS with guarded commands
Implementation mechanism: conditional critical region (CCR)
Constraint language:
Boolean combinations of equalities over variables (x == c)
Abstraction: what variables a guard can observe
guard stmt
51
![Page 52: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/52.jpg)
Avoiding a transition using a guard
Add guard to z = y+1 to prevent execution from state s1
Guard for s1 : (x 1 y 1 z 0)
Can affect other transitions where z = y+1 is executed
x=1, y=1, z=0
y=x+1 z=y+1
x=1, y=1, z=2
x=1, y=2, z=0
s1
s2 s3
52
![Page 53: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/53.jpg)
Example: full observability
• (y = 2 z = 1) • No Stuck States
Specification:
{ x, y, z }
Abstraction:
T1 1: x = z + 1
T2 1: y = x + 1
T3 1: z = y + 1
53
![Page 54: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/54.jpg)
Build Transition System
1,1,1 0,0,0
e,1,1 1,0,0
1,e,1 0,1,0
1,1,e 0,0,1
e,e,1 1,2,0
e,1,e 1,0,1
e,e,1 1,1,0
1,e,e 0,1,2
e,1,e 2,0,1
1,e,e 0,1,1
e,e,e1,2,3
e,e,e 1,2,1
e,e,e 1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
y=x+1 z=y+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
1,1,1 0,0,0
X Y Z
PC1 PC2
PC3
legend
54
![Page 55: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/55.jpg)
Avoid transition
1,1,1 0,0,0
e,1,1 1,0,0
1,e,1 0,1,0
1,1,e 0,0,1
e,e,1 1,2,0
e,1,e 1,0,1
e,e,1 1,1,0
1,e,e 0,1,2
e,1,e 2,0,1
1,e,e 0,1,1
e,e,e1,2,3
e,e,e 1,2,1
e,e,e 1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
y=x+1 z=y+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
55
![Page 56: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/56.jpg)
1,1,1 0,0,0
e,1,1 1,0,0
1,e,1 0,1,0
1,1,e 0,0,1
e,e,1 1,2,0
e,e,1 1,1,0
1,e,e 0,1,2
e,1,e 2,0,1
1,e,e 0,1,1
e,e,e1,2,3
e,e,e 1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
e,1,e 1,0,1
e,e,e 1,2,1
y=x+1
x1 y0 z0
x1 y0 z0
x1 y0 z0
x1 y0 z0
Correct and Maximally Permissive Result is valid
56
x1 y0 z0 z=y+1
![Page 57: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/57.jpg)
Resulting program
• (y = 2 z = 1) • No Stuck States
Specification:
{ x, y, z }
Abstraction:
T1 1: x = z + 1
T2 1: y = x + 1
T3 1: z = y + 1
T1 1: x = z + 1
T2 1: y = x + 1
T3 1: (x 1 y 0 z 0) z = y + 1
57
![Page 58: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/58.jpg)
• (y = 2 z = 1) • No Stuck States
Specification:
{ x, z }
Abstraction:
Example: limited observability
T1 1: x = z + 1
T2 1: y = x + 1
T3 1: z = y + 1
58
![Page 59: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/59.jpg)
1,1,1 0,0,0
e,1,1 1,0,0
1,e,1 0,1,0
1,1,e 0,0,1
e,e,1 1,2,0
e,1,e 1,0,1
e,e,1 1,1,0
1,e,e 0,1,2
e,1,e 2,0,1
1,e,e 0,1,1
e,e,e1,2,3
e,e,e 1,2,1
e,e,e 1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
y=x+1 z=y+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
Build transition system
1,1,1 0,0,0
X Y Z
PC1 PC2
PC3
legend
59
![Page 60: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/60.jpg)
Avoid bad state
1,1,1 0,0,0
e,1,1 1,0,0
1,e,1 0,1,0
1,1,e 0,0,1
e,e,1 1,2,0
e,1,e 1,0,1
e,e,1 1,1,0
1,e,e 0,1,2
e,1,e 2,0,1
1,e,e 0,1,1
e,e,e1,2,3
e,e,e 1,2,1
e,e,e 1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
y=x+1 z=y+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
60
![Page 61: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/61.jpg)
1,1,1 0,0,0
e,1,1 1,0,0
1,e,1 0,1,0
1,1,e 0,0,1
e,e,1 1,2,0
e,1,e 1,0,1
e,e,1 1,1,0
1,e,e 0,1,2
e,1,e 2,0,1
1,e,e 0,1,1
e,e,e1,2,3
e,e,e 1,2,1
e,e,e 1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
y=x+1 z=y+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
Implementability
Select all equivalent transitions
61
![Page 62: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/62.jpg)
1,1,1 0,0,0
e,1,1 1,0,0
1,e,1 0,1,0
1,1,e 0,0,1
1,e,e 0,1,2
e,1,e 2,0,1
1,e,e 0,1,1
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
x=z+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
side-effects
e,e,1 1,2,0
e,1,e 1,0,1
e,e,1 1,1,0
e,e,e1,2,3
e,e,e 1,2,1
e,e,e 1,1,2
y=x+1 z=y+1 z=y+1 x1 z0
x1 z0 z=y+1
x1 z0
x1 z0
Result has stuck states
62
![Page 63: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/63.jpg)
1,1,1 0,0,0
e,1,1 1,0,0
1,e,1 0,1,0
1,1,e 0,0,1
1,e,e 0,1,2
e,1,e 2,0,1
1,e,e 0,1,1
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
x=z+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
e,e,1 1,2,0
e,1,e 1,0,1
e,e,1 1,1,0
e,e,e1,2,3
e,e,e 1,2,1
e,e,e 1,1,2
y=x+1 z=y+1 z=y+1
x 1 z 0
x1 z0 z=y+1
x1 z0
x1 z0
Select transition to remove
63
![Page 64: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/64.jpg)
1,1,1 0,0,0
e,1,1 1,0,0
1,e,1 0,1,0
1,1,e 0,0,1
e,e,3 1,2,0
e,2,e 1,0,1
e,e,3 1,1,0
1,e,e 0,1,2
e,1,e 2,0,1
1,e,e 0,1,1
e,e,e1,2,3
e,e,e 1,2,1
e,e,e 1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
y=x+1 z=y+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
x 1 z 0
x 1 z 0
x1 z0
x1 z0
x0 z0
x 0 z 0
x0 z0
x0 z0
x1 z0
x 0 z 0
Result is valid Correct and Maximally Permissive
64
![Page 65: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/65.jpg)
Resulting program
• ! (y = 2 && z = 1) • No Stuck States
Specification:
{ x, z }
Abstraction:
T1 1: x = z + 1
T2 1: y = x + 1
T3 1: z = y + 1
T1 1: (x 0 z 0) x = z + 1
T2 1: y = x + 1
T3 1: (x 1 z 0) z = y + 1
65
![Page 66: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/66.jpg)
T1 x = z + 1 T2 y = x + 1 T3 z = y + 1
T1 x = z + 1 T2 y = x + 1 T3 (x 1 z 0) z = y + 1
T1 (x 0 z 0) x = z + 1 T2 y = x + 1 T3 (x 1 z 0) z = y + 1
T1 x = z + 1 T2 y = x + 1 T3 z = y + 1
T1 x = z + 1 T2 y = x + 1 T3 (x 1 y 0 z 0) z = y + 1
{ x }
{ x,z }
{ x,y,z }
T1 x = z + 1 T2 y = x + 1 T3 z = y + 1
T1 x = z + 1 T2 y = x + 1 T3 (x 1) z = y + 1
T1 (x 0) x = z + 1 T2 y = x + 1 T3 (x 1) z = y + 1
66
![Page 67: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/67.jpg)
AGS with memory fences
Avoidable transition more tricky to define
Operational semantics of weak memory models
Special abstraction required to deal with potentially unbounded store-buffers
Even for finite-state programs
Informally “finer abstraction = fewer fences”
67
![Page 68: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/68.jpg)
Some AGS instances
Avoid Implementation Mechanism
Abstraction Space (examples)
Reference
Context switch Atomic sections Numerical abstractions [POPL’10]
Transition Conditional critical regions (CCRs)
Observability [TACAS’09]
Intra-thread ordering
Memory fences Partial-Coherence abstractions for Store buffers
[FMCAD’10] [PLDI’11]
inter-thread ordering
Synch barriers Numerical abstractions [in progress]
…
68
![Page 69: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/69.jpg)
Summary
An algorithm for Abstraction-Guided Synthesis
Synthesize efficient and correct synchronization
Handles infinite-state systems based on abstract interpretation
Refine the abstraction and/or restrict program behavior
Interplay between abstraction and synchronization
Quantitative Synthesis
Separate characterization of solution from choosing optimal solutions (e.g., smallest atomic sections)
69
![Page 70: Eran Yahav Technionbodik/ucb/... · Sequential Program Program Examples generate/ verify transformations games with abstraction ... heap to enable automatic inference of locks ...](https://reader035.fdocuments.in/reader035/viewer/2022070920/5fb968230eb067682566acf3/html5/thumbnails/70.jpg)
Invited Questions
1. What about other synchronization mechanisms?
2. Why not start from the most constrained program and work downwards (relaxing constraints)?
3. Can’t you solve the problem purely by brute force search of all atomic section placements?
4. Why are you enumerating traces? Can’t you compute your solution via state-based semantics?
5. Why use only a single CEX at a time? Could use information about the whole (abstract) transition system?
6. How is this related to supervisor synthesis?
70