Specification, Verification, and Synthesis of Concurrency Control Components
description
Transcript of Specification, Verification, and Synthesis of Concurrency Control Components
Specification, Verification, and Synthesis of Concurrency Control Components
Tuba Yavuz-Kahveci
Tevfik Bultan
Department of Computer Science
University of California, Santa Barbara
{tuba,bultan}@cs.ucsb.edu
Problem
Concurrent programming is difficult and error prone– Sequential programming: states of the variables– Concurrent programming: states of the variables &
processes
When there is concurrency, testing is not enough– State space increases exponentially with the number of
processes
We would like to guarantee certain properties of a concurrent system
Our Approach
Specification of the concurrency component– Using Action Language
Automated verification– Using an infinite state model checker
• Action Language Verifier
Automated code synthesis– Using a symbolic representation manipulator
• Composite Symbolic Library
Tools for Specification, Verification, and Synthesis of Concurrent Systems
Action Language Action Language Specification of the Specification of the Concurrency ComponentConcurrency Component
Action LanguageAction LanguageParserParser
Action LanguageAction LanguageVerifierVerifier
Composite SymbolicComposite SymbolicLibraryLibrary
Code GeneratorCode Generator Omega Omega LibraryLibrary
CUDDCUDDPackagePackage
Verified codeVerified code
Outline
Monitors Specification of Monitors
– Action Language Verification
– Action Language Verifier Code Synthesis Case Study: Airport Ground Traffic Control
– Experiments Related Work Conclusions
Concurrency Control with Monitors
A set of variables – Modeling shared resources– Cannot be accessed outside of the monitor
A set of procedures– Only one can be active at any time
• Provided my the monitor semantics
Synchronization among concurrent processes– Using condition variables
Monitor Basics
What happens if a process needs to wait until a condition becomes true?– Create a condition variable that corresponds to that
condition
Each condition variable has a wait queue– A process waits for a condition in the wait queue of the
corresponding condition variable– When a process updates the shared variables that may
cause a condition to become true:
it signals the processes in the wait queue of the corresponding condition variable
Monitors
Challenges in monitor programming– Condition variables– Wait and signal operations
Why not use a single wait queue?– Inefficient: Every waiting process has to wake up when any
of the shared variables are updated
Even with a few condition variables coordinating wait and signal operations can be difficult– Avoid deadlock– Avoid inefficiency due to unnecessary signaling
Java Monitors
A simplified implementation of Hoare monitors – No separate notion of condition variables
• Can be simulated by objects
– Each object associated with a mutual exclusion lock• synchronized(o) {…}• Synchronized methods• wait(), notify(), notifyAll()
– Implementing monitors is complicated To implement a monitor as a Java class
– Shared resources must be implemented using private fields– All methods can change state of the fields only in
synchronized blocks
Outline
Monitors Specification of Monitors
– Action Language Verification
– Action Language Verifier Code Synthesis Case Study: Airport Ground Traffic Control
– Experiments Related Work Conclusions
Action Language
A state based language– Actions correspond to state changes
States correspond to valuations of variables– Integer (possibly unbounded), boolean and enumerated
variables– Parameterized constants
Transition relation is defined using actions– Atomic actions: Predicates on current and next state variables– Action composition: synchronous (&) or asynchronous (|)
Modular– Modules can have submodules
CTL properties– Invariant(p) : p always holds– Eventually(p) : p eventually holds
Readers Writersmodule main()
integer nr;boolean busy;restrict: nr>=0;initial: nr=0 and !busy;
module Reader()boolean reading;initial: !reading;rEnter: !reading and !busy and nr’=nr+1 and reading’;rExit: reading and !reading’ and nr’=nr-1;Reader: rEnter | rExit;
endmodule
module Writer() ... endmodule
main: Reader() | Reader() | Writer() | Writer();spec: invariant([busy => nr=0])
endmodule
S S :: Cartesian product ofCartesian product of variable domains defines variable domains defines the set of statesthe set of states
I I : Predicates defining : Predicates defining the initial statesthe initial states
RR : Atomic actions of the : Atomic actions of the ReaderReader
RR : Transition relation of : Transition relation of Reader defined as Reader defined as asynchronous composition asynchronous composition of its atomic actionsof its atomic actions
RR : Transition relation of main defined as : Transition relation of main defined as asynchronous composition of two Reader and asynchronous composition of two Reader and two Writer processestwo Writer processes
PP : Temporal property : Temporal property of main moduleof main module
What About Arbitrary Number of Processes?
Use counting abstraction– Create an integer variable for each local state of a process
type– Each variable will count the number of processes in a
particular state
Local states of the process types have to be finite– Specify only the process behavior that relates to the
correctness of the monitor– Shared variables of the monitor can be unbounded
Counting abstraction can be automated
Readers-Writers Monitor Specification After Counting Abstraction
module main()integer nr;boolean busy;
parameterized integer numReader, numWriter;restrict: nr>=0 and numReader>=0
and numWriter>=0;initial: nr=0 and !busy;module Reader()
integer readingF, readingT;initial: readingF=numReader
and readingT=0;rEnter: readingF>0 and !busy and nr’=nr+1 and
readingF’=readingF-1 and readingT’=readingT+1;
rExit: readingT>0 and nr’=nr-1 and readingT’=readingT-1 and
readingF’=readingF+1;Reader: rEnter | rExit;
endmodule...
main: Reader() | Writer();spec: invariant([busy => nr=0])
endmodule
Parameterized constants Parameterized constants representing the number representing the number of readers and number of of readers and number of writerswriters
Variables for counting the Variables for counting the number of processes in number of processes in specific local statesspecific local states
When local state changes, When local state changes, decrement current local state decrement current local state counter and increment next counter and increment next local state counterlocal state counter
Initialize initial local state Initialize initial local state counter by the relevant counter by the relevant parameterized constant. parameterized constant. Initialize other local Initialize other local states to 0states to 0
Outline
Monitors Specification of Monitors
– Action Language Verification
– Action Language Verifier Code Synthesis Case Study: Airport Ground Traffic Control
– Experiments Related Work Conclusions
Action Language Verifier
An infinite state symbolic model checker Composite representation
– uses a disjunctive representation to combine different symbolic representations
Computes fixpoints by manipulating formulas in composite representation– Heuristics to ensure convergence
• Widening & collapsing
• Loop closure
• Approximate reachable states
Composite Symbolic Library: Class Diagram
CUDD Library OMEGA Library
Symbolic
+intersect()+union()+complement()+isSatisfiable()+isSubset()+bacwardImage()+forwardImage()
CompSym
–representation: list of comAtom
+intersect()+ union() • • •
BoolSym
–representation: BDD
+intersect()+union() • • •
IntSym
–representation: Polyhedra
+intersect()+union() • • •
compAtom
–atom: *Symbolic
Outline
Monitors Specification of Monitors
– Action Language Verification
– Action Language Verifier Code Synthesis Case Study: Airport Ground Traffic Control
– Experiments Related Work Conclusions
Synthesizing the Implementation of the Monitor
Automated generation of code from the monitor specification – Generate a Java class– Make shared variables private variables– Use synchronization to restrict access
Is the generated code efficient?– Yes! – The condition variables can be synthesized automatically– There is no unnecessary thread notification
Naïve Translation: Redundant Signaling
Module main()Module main() boolean a,b;boolean a,b; initial: a and b;initial: a and b;
module SetA()module SetA() SetA: b and a’=trueSetA: b and a’=true
and b’=false;and b’=false; endmoduleendmodule
module SetB()module SetB() SetB: a and a’=falseSetB: a and a’=false
and b’=true;and b’=true; endmoduleendmodule
main: setA() | setB()main: setA() | setB() … …endmoduleendmodule
public class SetAB {public class SetAB { private boolean a.b; private boolean a.b; public setAB() {public setAB() { a = true;a = true; b = true; b = true; }} public synchronized SetA() {public synchronized SetA() { while (!b)while (!b)
try{ try{ wait();wait();} catch(…){..}} catch(…){..} a = true;a = true; b = false;b = false; notifyAll();notifyAll(); }} public synchronized SetB() {public synchronized SetB() { while (!a)while (!a)
try{try{wait();wait();} catch(…){…} } catch(…){…} a = false;a = false; b = true;b = true; notifyAll();notifyAll(); }}}}
Action Language SpecificationAction Language Specification Implementation in JavaImplementation in Java
Specific Notification Pattern
Module main()Module main() boolean a,b;boolean a,b; initial: a and b;initial: a and b;
module SetA()module SetA() SetA: b and a’=trueSetA: b and a’=true
and b’=false;and b’=false; endmoduleendmodule
module SetB()module SetB() SetB: a and a’=falseSetB: a and a’=false
and b’=true;and b’=true; endmoduleendmodule
main: setA() | setB()main: setA() | setB() … …endmoduleendmodule
Action Language SpecificationAction Language Specification
class SetAB {class SetAB { private boolean a.b; private boolean a.b; private Object condA, condBprivate Object condA, condB;; … … private synchronized boolean Guard_SetA() {private synchronized boolean Guard_SetA() { if (b) { a = true; b = false; return true;}if (b) { a = true; b = false; return true;} else return false;else return false; }} public void SetA() {public void SetA() { synchronized(condB)synchronized(condB) { { while (!Guard_SetA())while (!Guard_SetA()) try{ try{ condB.wait();condB.wait(); } catch(…) {…} } catch(…) {…} }} condA.notifyAll();condA.notifyAll(); }} public void SetB() {public void SetB() { synchronized(condA) synchronized(condA) {{ while (!Guard_SetB())while (!Guard_SetB())
try{ try{ condA.wait(); condA.wait(); } catch(…) {..}} catch(…) {..} }} condB.notifyAll();condB.notifyAll(); }}}}
Implementation in JavaImplementation in Java
Algorithm for Extracting Synchronization Information
for each action A do// Does A check any condition?
if ds(A) true then mark A as guarded
create condition variable condA else
mark A as unguarded for each action B s.t. A B do
// Can A change the condition B waits on from false to true?
if POST( ds(B),EXP(A)) ds(B) then
add condB to notification list of A
Readers-Writer Example with Specific Notification Pattern
public class ReadersWriters{ private int nr; private boolean busy; private Object rEnterCond, wEnterCond; private synchronized boolean Guard_rEnter() { if (!busy) { nr++; return true; } else return false; } public void rEnter() { synchronized(rEnterCond) { while(!Guard_rEnter()) rEnterCond.wait(); } public void rExit() { synchronized(this) { nr--; } synchronized(wEnterCond) { wEnterCond.notify(); } } ...}
All condition variables andAll condition variables andwait and signal operations are wait and signal operations are generated automaticallygenerated automatically
Outline
Monitors Specification of Monitors
– Action Language Verification
– Action Language Verifier Code Synthesis Case Study: Airport Ground Traffic Control
– Experiments Related Work Conclusions
Airport Ground Traffic Control
[Zhong 97] Modeling of airport operations using an object oriented approach
A concurrent program simulating the airport ground traffic control– multiple planes– multiple runways and taxiways
Can be used by controllers as advisory input Simulate behavior of each airplane with a thread Use a monitor which keeps track of number of
airplanes on each runway and each taxiway
A simplified model of Seattle Tacoma International Airport from [Zhong 97]A simplified model of Seattle Tacoma International Airport from [Zhong 97]
Airport Ground Traffic Control Monitor
Action Language specification– Has 13 integer variables– Has 4 Boolean variables per arriving airplane process to
keep the local state of each airplane– Has 2 Boolean variables per departing airplane process to
keep the local state of each airplane
Automatically generated monitor class– Has 13 integer variables– Has 14 condition variables– Has 34 procedures
Experiments
Processes Construction
(sec)
Verify-P1
(sec)
Verify-P2
(sec)
Verify-P3
(sec)
2 0.81 0.42 0.28 0.69
4 1.50 0.78 0.50 1.13
8 3.03 1.53 0.99 2.22
16 6.86 3.02 2.03 5.07
2A,PD 1.02 0.64 0.43 0.83
4A,PD 1.94 1.19 0.81 1.39
8A,PD 3.95 2.28 1.54 2.59
16A,PD 8.74 4.6 3.15 5.35
PA,2D 1.67 1.31 0.88 3.94
PA,4D 3.15 2.42 1.71 5.09
PA,8D 6.40 4.64 3.32 7.35
PA,16D 13.66 9.21 7.02 12.01
PA,PD 2.65 0.99 0.57 0.43
A: Arriving AirplaneA: Arriving AirplaneD: Departing AirplaneD: Departing AirplaneP: Arbitrary number of processesP: Arbitrary number of processes
Related Work: [Demartini et al., 99], [Corbett et al., 00], [Havelund et al., 00]
– Extracting compact models from the implementation• Employing techniques such as slicing and abstraction
– Automated verification of the model• Finite state model checker
• Explicit state model checking techniques
Related Work: [Mizuno-99]
Given a concurrency problem and a global invariant– Provides a course-grain solution
• <await B; S> or <S>
Translates the course-grain solution to a Java program– Using Specific Notification Pattern
• Creates a separate condition variable cB for each guard B
• When S may change B to true cB is signaled
– Preserving the global invariant
Not automated
Related Work[Deng et al., 02]
Extends and automates Mizuno’s approach Synthesizes the code from a global invariant:
– A logic formula• Uses a decision procedure
– A pattern specification• Bound, Exclusion, Resource, Barrier, Relay, and Group
Automatically verifies – synthesized synchronization code + functional application
code– Uses a finite state model checker
Conclusions and Future Work
We can automatically verify and synthesize nontrivial monitors in Java
Our tools can deal with boolean, enumerated and (unbounded) integer variables
What about recursive data types?– shape analysis– [SAS’02] Verification of Concurrent Linked Lists
Readers Writers Monitor in Action Languagemodule main()
integer nr;boolean busy;restrict: nr>=0;initial: nr=0 and !busy;module Reader()boolean reading;initial: !reading;rEnter: !reading and !busy and nr’=nr+1 and reading’;rExit: reading and !reading’ and nr’=nr-1;Reader: rEnter | rExit;endmodulemodule Writer()boolean writing;initial: !writing;wEnter: !writing and nr=0 and !busy and busy’ and writing’;wExit: writing and !writing’ and !busy’;Writer: wEnter | wExit;endmodulemain: Reader() | Reader() | Writer() | Writer();spec: invariant([busy => nr=0])
endmodule
Action Language Verifier
An infinite state symbolic model checker Uses composite symbolic representation to encode a system
defined by (S,I,R) – S: set of states, I: set if initial states, R: transition relation
Maps each variable type to a symbolic representation type– Maps boolean and enumerated types to BDD representation
– Maps integer type to arithmetic constraint representation Uses a disjunctive representation to combine symbolic
representations– Each disjunct is a conjunction of formulas represented by different
symbolic representations
Temporal Properties Fixpoints
• • •• • •
Invariant(Invariant(pp))
ppInitialInitialstatesstates
initial states that initial states that violate Invariant(violate Invariant(pp))
BackwardBackwardfixpointfixpoint
ForwardForwardfixpointfixpoint
InitialInitialstatesstates
• • •• • •
states that can reach states that can reach pp i.e., states that violate Invariant(i.e., states that violate Invariant(pp))
reachable states reachable states of the systemof the system
pp
backwardImagebackwardImage of of pp
reachable states reachable states that violate that violate ppforward imageforward image
of initial statesof initial states
Control Logic
An airplane can land using 16R only if no airplane is using 16R at the moment
An airplane can takeoff using 16L only if no airplane is using 16L at the moment
An airplane taxiing on one of the exits C3-C8 can cross runway 16L only if no airplane is taking off at the moment
An airplane can start using 16L for taking off only if none of the crossing exits C3-C8 is occupied at the moment (arriving airplanes have higher priority)
Only one airplane can use a taxiway at a time
Synchronization Among Processes
condAcondAsignalsignal
Ready QueueReady Queue Executing ProcessExecuting Process
ProcessProcesskk
waitwait
Waiting QueueWaiting Queue
ProcessProcessii
ProcessProcessmm
ProcessProcessmm
ProcessProcesskk ProcessProcessiiProcessProcesskk