Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft...
Transcript of Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft...
![Page 1: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/1.jpg)
Summarizing Procedures in Concurrent Programs
Shaz Qadeer
Sriram K. Rajamani
Jakob Rehof
Microsoft Research
![Page 2: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/2.jpg)
Motivation
• How do you scale program analyses for sequential programs?– Summarize at procedure boundaries
• Sharir-Pnueli ‘81, Reps-Horwitz-Sagiv ‘95
– Used in compiler dataflow analyses– Used in error detection tools
• SLAM (Ball-Rajamani ‘00)• ESP (Das-Lerner-Seigle ‘02)
![Page 3: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/3.jpg)
Summarization is efficient!
• Boolean program with:– g globals– n procedures, each with at most m locals– |E| = size of the CFG of the program
• Complexity : O( |E| 2 O(g+m)
)
• Complexity linear in the number of procedures!
![Page 4: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/4.jpg)
Summarization gives termination!
• Possibly recursive boolean programs
• Infinite state systems
• Checking terminates with summarization!
![Page 5: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/5.jpg)
Question
Can summarization help analysis of concurrent programs?
![Page 6: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/6.jpg)
Difficulty
Assertion checking for multithreaded programs is undecidable– Even if all variables are boolean– Further, even if only two threads!– Reduce emptiness of intersection of two CFLs
to this problem(Ramalingam 00)
![Page 7: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/7.jpg)
Our work
• New model checking algorithm using summarization – useful for concurrent programs
• Summaries provide re-use and efficiency for analyzing concurrent programs
• Enable termination of analysis in a large class of concurrent programs – includes programs with recursion, shared variables
and concurrency
![Page 8: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/8.jpg)
Difficulties in summarizing concurrent programs
• What is a summary?– For sequential programs
• Summary of procedure P = Set of all pre-post state pairs (s,s’) obtained by invoking P
– This doesn’t work for concurrent programs• Does not model concurrent updates by other
threads
![Page 9: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/9.jpg)
Insight
• In a well synchronized concurrent program– A thread’s computation can be viewed as a
sequence of transactions– While analyzing a transaction, interleavings
with other threads need not be considered– Key idea: Summarize transactions!
![Page 10: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/10.jpg)
How do you identify transactions?
Lipton’s theory of reduction
![Page 11: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/11.jpg)
B: both right + left movers– variable access holding lock
N: non-movers – access unprotected variable
Four atomicities
•R: right movers– lock acquire
S0 S1 S2
acq(this) x
S0 T1 S2
x acq(this)
S7T6S5
rel(this) z
S7S6S5
rel(this)z
L: left movers– lock release
S2 S3 S4
r=bal y
S2 T3 S4
r=baly
S2 T3 S4
r=bal x
S2 S3 S4
r=balx
![Page 12: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/12.jpg)
Transaction
Any sequence of actions whose atomicities are in R*(N+)L* is a transaction
S0 S1 S2
R R
S5 S6
LS3 S4
R N LS7
R
Precommit
Transaction
Postcommit
![Page 13: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/13.jpg)
Transactions and summaries
Corollary of Lipton’s theorem:
No need to schedule other threads in the middle of a transaction
If a procedure body occurs in a transaction, we can summarize it!
![Page 14: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/14.jpg)
Resource allocator (1) bool available[N]; mutex m;
int getResource() { int i = 0; L0: acquire(m); L1: while (i < N) { L2: if (available[i]) { L3: available[i] = false; L4: release(m); L5: return i; } L6: i++; } L7: release(m); L8: return i; }
Choose N = 2
Summaries:<pc, i, m, (a[0],a[1])> <pc’, i’, m’, (a[0]’,a[1]’)>
<L0, 0, 0, (0, 0)> <L8, 2, 0, (0,0)><L0, 0, 0, (0, 1)> <L5, 1, 0, (0,0)><L0, 0, 0, (1, 0)> <L5, 0, 0, (0,0)><L0, 0, 0, (1, 1)> <L5, 0, 0, (0,1)>
![Page 15: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/15.jpg)
What if transaction boundaries and procedure boundaries do not coincide?
Two level model checking algorithm
![Page 16: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/16.jpg)
Two level algorithm
• First level maintains stack
• Second level maintains stack-less summaries
• Summaries can start and end anywhere in a procedure
![Page 17: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/17.jpg)
Resource allocator (2) bool available[N]; mutex m[N];
int getResource() { int i = 0; L0: while (i < N) { L1: acquire(m[i]); L2: if (available[i]) { L3: available[i] = false; L4: release(m[i]); L5: return i; } else { L6: release(m[i]); } L7: i++; } L8: return i; }
Choose N = 2
Summaries:<pc,i,(m[0],m[1]),(a[0],a[1]> <pc’,i’,(m[0]’,m[1]’),(a[0]’,a[1]’)>
<L0, 0, (0,0), (0,0)> <L1, 1, (0,0), (0,0)>
<L0, 0, (0,0), (0,1)> <L1, 1, (0,0), (0,1)>
<L0, 0, (0,0), (1,0)> <L5, 0, (0,0), (0,0)>
<L0, 0, (0,0), (1,1)> <L5, 0, (0,0), (0,1)>
<L1, 1, (0,0), (0,0)> <L8, 2, (0,0), (0,0)>
<L1, 1, (0,0), (0,1)> <L5, 1, (0,0), (0,0)>
<L1, 1, (0,0), (1,0)> <L8, 2, (0,0), (1,0)>
<L1, 1, (0,0), (1,1)> <L5, 1, (0,0), (1,0)>
![Page 18: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/18.jpg)
Two level model checking algorithm: in pictures
Lets first review the sequential CFL algorithm…
![Page 19: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/19.jpg)
bar()
main( ) bar( )
![Page 20: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/20.jpg)
bar()
main( ) bar( )
![Page 21: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/21.jpg)
Two level model checking algorithm: in pictures
![Page 22: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/22.jpg)
bar()
main( ) bar( )
![Page 23: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/23.jpg)
bar()
main( ) bar( )
main
T1
main
T2
End of transaction
bar
Three kinds of summaries:
1. MAX
2. MAXCALL
3. MAXRETURNMAXCALL
MAXRETURN
MAXRETURN
MAX
![Page 24: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/24.jpg)
Concurrency + recursion
void foo(int r) {L0: if (r == 0) {L1: foo(r); } else {L2: acquire(m);L3: g++;L4: release(m); }L5: return;}
Summaries for foo:<pc,r,m,g> <pc’,r’,m’,g’><L0,1,0,0> <L5,1,0,1><L0,1,0,1> <L5,1,0,2>
Summaries for main:<pc,q,m,g> <pc’,q’,m’,g’><M0,1,0,0> <M1,1,0,1><M0,1,0,1> <M1,1,0,2>
<M1,1,0,1> <M4,1,0,1><M1,1,0,2> <M4,1,0,2>
void main() {
int q = choose({0,1});
M0: foo(q);
M1: acquire(m)
M2: assert(g >= 1);
M3: release(m);
M4: return;
}
P = main() || main()
int g = 0;
mutex m;
![Page 25: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/25.jpg)
What if the same procedure is called from different phases of a transaction?
Instrument the transaction phase into the state of the program
![Page 26: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/26.jpg)
Transactional context
void foo1() {L0: acquire(n);L1: gn++;L2: bar();L3: release(n);L4: return;}
void foo2() {
M0: acquire(n);
M1: gn++;
M2: release(n);
M3: bar();
M4: return;
}
P = foo1() || foo2()
int gm = 0, gn = 0;
mutex m, n;
void bar() {
N0: acquire(m);
N1: gm++;
N2: release(m);
}
![Page 27: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/27.jpg)
Recap of technical problems
• How do you identify transactions– Using the theory of reduction (Lipton ’75)
• What if transaction boundaries do not coincide with procedure boundaries?– Two level model checking algorithm– First level maintains stack– Second level maintains stack-less summaries
• Procedure can be called from different phases of a transaction– Instrument the transaction phase into the state of
program
![Page 28: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/28.jpg)
Termination
• A function is transactional if no transaction ends in the “middle” of its exectution (includes all transitive callees)
• Theorem: For concurrent boolean programs, if all recursive functions are transactional, then the algorithm terminates.
![Page 29: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/29.jpg)
Sequential case
• If we feed a sequential program to our algorithm it functions exactly like the Reps-Sagiv-Horwitz-POPL95 algorithm
• Our algorithm generalizes the RHS algorithm to concurrent programs!
![Page 30: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/30.jpg)
Related work
• Summarizing sequential programs– Sharir-Pnueli ‘81, Reps-Horwitz-Sagiv ‘95,
Ball-Rajamani ‘00
• Concurrency+Procedures– Bouajjani-Esparza-Touili ‘02– Esparza-Podeslki ‘00
• Reduction– Lipton ‘75– Qadeer-Flannagan ‘03
![Page 31: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/31.jpg)
(joint work with Tony Andrews)
![Page 32: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/32.jpg)
Sequential C program
Finite state machines
Source code
FSM
abstraction
modelchecker
C data structures, pointers,procedure calls, parameter passing,scoping,control flow
Automatic abstraction
Boolean program
Data flow analysis implemented using BDDs
SLAM
Push down model
![Page 33: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/33.jpg)
Source code
abstraction
modelchecker
Zing
Rich control constructs: thread creation, function call, exception, objects, dynamic allocation
Model checking is undecidable!
Device driver (taking concurrency into account), web services code
![Page 34: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/34.jpg)
What is Zing?
• Zing is a framework for software model-checking– Language, compiler, runtime, tools
• Supports key software concepts– Enables easier extraction of models from code
• Supports research in exploring large state spaces
• Operates seamlessly with the VS.Net design environment
![Page 35: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/35.jpg)
Current status• Summarization:
– Theory: to appear in POPL 04– Implementation: in progress
• Zing: – Compiler, model checker and conformance checker
operational– State-delta and transaction-based reduction
implemented– Plans:
• Symbolic reasoning• Automatic abstraction
![Page 36: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/36.jpg)
Bluetooth demo
![Page 37: Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.](https://reader033.fdocuments.net/reader033/viewer/2022061306/55147561550346284e8b6268/html5/thumbnails/37.jpg)
BPEL4WS checking
Zing Model
Zing State
Explorer
BuyerBuyer SellerSeller
AuctionAuctionHouseHouse
RegRegServiceService
BPEL ProcessesBPEL Processes