Synthesis for Concurrency

Size: px

Start display at page:

Download "Synthesis for Concurrency"

Conrad Snow
6 years ago
Views:

1 Synthesis for Concurrency Martin Vechev ETH Zurich (joint work with Eran Yahav, Greta Yorsh) 1

2 Concurrency is Everywhere

3 Unreliable Concurrency is Everywhere

4 2003 Northeast Blackout concurrency error triggers massive power outage economic effect : ~ 6 billion $USD

5 Unreliable Concurrency: Data Structures val popright() { while (true) { rh = RightHat; lh = LeftHat; if (rh->r == rh) return "empty"; if (rh == lh) { if (DCAS(&RightHat, &LeftHat, rh, lh, Dummy, Dummy)) return rh->v; else { rhl = rh->l; if (DCAS(&RightHat, &rh->l, rh, rhl, rhl, rh)) { result = rh->v; rh->r = Dummy; return result; Even better DCAS-based concurrent deques, DISC 2000

Unreliable Concurrency: Data Structures val popright() { while (true) { rh = RightHat; lh = LeftHat; if (rh->r == rh) return "empty"; if (rh == lh) { Bad News: if (DCAS(&RightHat, &LeftHat, rh, lh,

6 Unreliable Concurrency: Data Structures val popright() { while (true) { rh = RightHat; lh = LeftHat; if (rh->r == rh) return "empty"; if (rh == lh) { Bad News: if (DCAS(&RightHat, &LeftHat, rh, lh, Dummy, Dummy)) return rh->v; else { 2 rhl errors = rh->l; in < 20 lines of code if (DCAS(&RightHat, &rh->l, rh, rhl, rhl, rh)) { result = rh->v; rh->r = Dummy; return result; Even better DCAS-based concurrent deques, DISC 2000

7 Unreliable Concurrency: Weak Memory Models int take() long b = bot-1; item_t *q = wsq; bot = b long t = top if (b < t) { bot = t; return EMPTY; task = q->ap[b%q->sz]; if (b > t) return task if (!CAS(&top,t,t+1)) return EMPTY; bot = t + 1; return task; void push(int task) long b = bot; long t = top; item_t *q = wsq; if (b t q->sz 1){ wsq = expand(); q = wsq; q->ap[b%q->sz]=task; bot = b+1; int steal() long t = top; long b = bot; item_t *q = wsq; if (t b) return EMPTY; task=q->ap[t%q->sz]; if (!CAS(&top,t,t+1)) return ABORT; return task; 7

8 Unreliable Concurrency: Weak Memory Models int take() long b = bot-1; item_t *q = wsq; bot = b long t = top if (b < t) { bot = t; return EMPTY; task = q->ap[b%q->sz]; if (b > t) return task if (!CAS(&top,t,t+1)) return EMPTY; bot = t + 1; return task; void push(int task) long b = bot; long t = top; item_t *q = wsq; if (b t q->sz 1){ wsq = expand(); q = wsq; q->ap[b%q->sz]=task; bot = b+1; int steal() long t = top; long b = bot; item_t *q = wsq; if (t b) return EMPTY; task=q->ap[t%q->sz]; if (!CAS(&top,t,t+1)) return ABORT; return task; 8

9 9 Concurrent Set Algorithm bool add(int key) { Entry *pred,*curr,*entry restart: locate(pred,curr,key) k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr val=cas(&pred->next, curr,0, entry,0 ) if ( val) goto restart bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key key) if (k) return false <r,m> = curr->next lval=cas(&curr->next, r,m, r,1 ) if ( lval) goto restart pval=cas(&pred->next, curr,0, r,0 ) if ( pval) goto restart bool contains(int key) { Entry *pred,*curr locate(pred,curr,key) k = (curr->key == key) if (k) return false

10 10 Concurrent Set Algorithm bool add(int key) { Entry *pred,*curr,*entry restart: The locate(pred,curr,key) Good k = (curr->key == key) if New (k) algorithm return false bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key key) if (k) return false entry Fine-grained = new Entry() synchronization (CAS) <r,m> = curr->next entry->next = curr val=cas(&pred->next, curr,0, entry,0 ) if ( val) goto restart lval=cas(&curr->next, r,m, r,1 ) if ( lval) goto restart pval=cas(&pred->next, curr,0, r,0 ) if ( pval) goto restart bool contains(int key) { Entry *pred,*curr locate(pred,curr,key) k = (curr->key == key) if (k) return false

11 Concurrent Set Algorithm bool add(int key) { Entry *pred,*curr,*entry restart: The locate(pred,curr,key) Good k = (curr->key == key) if New (k) algorithm return false entry Fine-grained = new

11 11 Concurrent Set Algorithm bool add(int key) { Entry *pred,*curr,*entry restart: The locate(pred,curr,key) Good k = (curr->key == key) if New (k) algorithm return false entry Fine-grained = new Entry() synchronization (CAS) <r,m> = curr->next entry->next = curr val=cas(&pred->next, curr,0, entry,0 ) The if ( val) Bad goto restart Can you understand what it does? Can you show it is correct? bool contains(int key) { Entry *pred,*curr locate(pred,curr,key) k = (curr->key == key) if (k) return false bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key key) if (k) return false lval=cas(&curr->next, r,m, r,1 ) if ( lval) goto restart pval=cas(&pred->next, curr,0, r,0 ) if ( pval) goto restart

12 Concurrent Set Algorithm bool add(int key) { Entry *pred,*curr,*entry restart: The locate(pred,curr,key) Good k = (curr->key == key) if New (k) algorithm return false entry Fine-grained = new

12 12 Concurrent Set Algorithm bool add(int key) { Entry *pred,*curr,*entry restart: The locate(pred,curr,key) Good k = (curr->key == key) if New (k) algorithm return false entry Fine-grained = new Entry() synchronization (CAS) <r,m> = curr->next entry->next = curr val=cas(&pred->next, curr,0, entry,0 ) The if ( val) Bad goto restart Can you understand what it does? Can you show it is correct? The Ugly How did you get it? Anything repeatable? Any other similar algorithms? bool contains(int key) { Entry *pred,*curr locate(pred,curr,key) k = (curr->key == key) if (k) return false bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key key) if (k) return false lval=cas(&curr->next, r,m, r,1 ) if ( lval) goto restart pval=cas(&pred->next, curr,0, r,0 ) if ( pval) goto restart

13 13 Sequential Set Algorithm bool add(int key){ atomic Entry *pred,*curr,*entry locate(pred,curr,key); k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr pred->next = entry bool remove(int key){ atomic Entry *pred,*curr,*r locate(pred,curr,key) k = (curr->key key) if (k) return false r = curr->next pred->next = r bool contains(int key) { atomic Entry *pred,*curr locate(pred,curr,key) k = (curr->key == key) if (k) return false

remove(int key){ atomic Entry *pred,*curr,*r locate(pred,curr,key) k = (curr->key key) if (k) return false r = curr->next

14 14 Sequential Set Algorithm bool add(int key){ atomic Entry *pred,*curr,*entry locate(pred,curr,key); k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr pred->next = entry Understandable Proving correctness easier bool remove(int key){ atomic Entry *pred,*curr,*r locate(pred,curr,key) k = (curr->key key) if (k) return false r = curr->next pred->next = r bool contains(int key) { atomic Entry *pred,*curr locate(pred,curr,key) k = (curr->key == key) if (k) return false

15 15 Sequential to Highly Concurrent bool add(int key){ atomic Entry *pred,*curr,*entry locate(pred,curr,key); k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr pred->next = entry bool remove(int key){ atomic Entry *pred,*curr,*r locate(pred,curr,key) k = (curr->key key) if (k) return false r = curr->next pred->next = r

16 16 Sequential to Highly Concurrent bool add(int key){ atomic Entry *pred,*curr,*entry locate(pred,curr,key); k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr pred->next = entry bool add(int key) { Entry *pred,*curr,*entry restart: locate(pred,curr,key) k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr val=cas(&pred->next, curr,0, entry,0 ) if ( val) goto restart bool remove(int key){ atomic Entry *pred,*curr,*r locate(pred,curr,key) k = (curr->key key) if (k) return false r = curr->next pred->next = r bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key key) if (k) return false <r,m> = curr->next lval=cas(&curr->next, r,m, r,1 ) if ( lval) goto restart pval=cas(&pred->next, curr,0, r,0 ) if ( pval) goto restart

17 17 Sequential to Highly Concurrent bool add(int key){ atomic Entry *pred,*curr,*entry locate(pred,curr,key); k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr pred->next = entry??? bool add(int key) { Entry *pred,*curr,*entry restart: locate(pred,curr,key) k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr val=cas(&pred->next, curr,0, entry,0 ) if ( val) goto restart bool remove(int key){ atomic Entry *pred,*curr,*r locate(pred,curr,key) k = (curr->key key) if (k) return false r = curr->next pred->next = r bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key key) if (k) return false <r,m> = curr->next lval=cas(&curr->next, r,m, r,1 ) if ( lval) goto restart pval=cas(&pred->next, curr,0, r,0 ) if ( pval) goto restart

18 18 Bridging the Gap Find small repeatable transformations NO magic insights Combination of manual and automatic transformations

19 Transformations Removing redundant atomicity s1 s2 s3 s4 s1 s2 s3 s4 Reordering statements s1 s2 s3 s4 s2 s1 s3 s4 Optimistic concurrency read update read If (validate) update else restart Add synchronization meta-data s1 s2 s3 s4 s1 If (t > 0) s2 s3 s4

20 Transformations Machine Removing redundant atomicity s1 s2 s3 s4 s1 s2 s3 s4 Machine Reordering statements s1 s2 s3 s4 s2 s1 s3 s4 Machine + Human Optimistic concurrency read update read If (validate) update else restart Only Human Add synchronization meta-data s1 s2 s3 s4 s1 If (t > 0) s2 s3 s4

21 Synthesis Process Machine verifier program yes/counterexample synthesizer Exploration Validation Checked Algorithms Schema Human

22 Program Synthesis verifier Machine program yes/counterexample synthesizer 15

23 Program Synthesis verifier Machine program yes/counterexample synthesizer analyze program 15

24 Program Synthesis verifier Machine program yes/counterexample synthesizer analyze program 15

25 Program Synthesis verifier Machine program yes/counterexample synthesizer analyze program 15

26 Program Synthesis verifier Machine program yes/counterexample synthesizer analyze program 15

27 Program Synthesis verifier Machine program yes/counterexample synthesizer propagate correctness 15

28 Program Synthesis verifier Machine program yes/counterexample synthesizer analyze program 15

29 Program Synthesis verifier Machine program yes/counterexample synthesizer propagate incorrectness 15

30 Sequential To Concurrent Sequential Schema Correct Algorithm Existing Algorithm New Algorithm Priority Queue Stack DCAS DCAS CAS CAS with LOCKS Michael (PODC 02) Heller et al. (OPODIS 05) CAS/DCAS Trieber Stack 30

31 31 step 1: Optimistic Concurrency [Kung & Robinson 81] bool remove(int key){ Entry *pred,*curr,*r atomic locate(pred,curr,key) k = (curr->key key) if (k) return false r = curr->next pred->next = r Read Update bool remove(int key){ Entry *pred,*curr,*r restart: Read atomic if (validate) { Update goto restart

32 step 1: Optimistic Concurrency [Kung & Robinson 81] bool remove(int key){ Entry *pred,*curr,*r atomic locate(pred,curr,key) k = (curr->key key) if (k) return false r = curr->next pred->next = r Read Update bool remove(int key){ Entry *pred,*curr,*r restart: locate(pred,curr,key) atomic if (validate) { k = (curr->key key) if (k) return false r = curr->next pred->next = r goto restart

33 33 step 2: Run Tool bool remove(int key){ Entry *pred,*curr,*r restart: locate(pred,curr,key) atomic if (validate) { k = (curr->key key) if (k) return false r = curr->next pred->next = r goto restart ( (pred curr) (->next)? == (pred curr) (->next)? ) true Synthesizer looks for expressions to fill the validate hole Insufficient information to write a validation condition No correct completion found

34 34 step 2: Examine Counterexample Thread 1: Thread 2: add(4) remove(1) head tail head tail head tail pred curr pred curr add(4) starts remove(1) executes add(4) ends Addition of key 4 is lost How to deal with removed nodes?

35 But What Now? Space Synchronization Time

36 36 step 3: Synchronization Metadata OBJECT OBJECT key next key next marked REMOVE = { R1: k = (curr->key key) R2: if (k) return false R3: curr->marked = true R4: mp = pred->marked R5: mc = curr->marked R6: val= (pred->next == curr) ( mp)? ( mc)? R7: if ( val) goto restart R8: r = curr->next R9: pred->next = r

37 37 step 4: Run Synthesis bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) REMOVE REMOVE = { R1: k = (curr->key key) R2: if (k) return false R3: curr->marked = true R4: mp = pred->marked R5: mc = curr->marked R6: val= (pred->next == curr)? ( mp)? ( mc) R7: if ( val) goto restart R8: r = curr->next R9: pred->next = r Synthesis bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) REMOVE REMOVE = { k = (curr->key key) if (k) return false curr->marked = true r = curr->next atomic mp = pred->marked val=(pred->next==curr) mp if ( val) goto restart pred->next = r

38 38 Result (pldi 08) bool add(int key) { Entry *pred,*curr,*entry restart: locate(pred,curr,key) k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr val=cas(&pred->next, curr,0, entry,0 ) if ( val) goto restart bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key key) if (k) return false <r,m> = curr->next lval=cas(&curr->next, r,m, r,1 ) if ( lval) goto restart pval=cas(&pred->next, curr,0, r,0 ) if ( pval) goto restart bool contains(int key) { Entry *pred,*curr locate(pred,curr,key) k = (curr->key == key) if (k) return false

39 39 Concurrent Set Algorithms Recap Sequential Schema Correct Algorithm Existing Algorithm New Algorithm DCAS DCAS CAS CAS with LOCKS CAS/DCAS Priority Queue Stack Michael (PODC 02) Heller et al. (OPODIS 05) Trieber Stack

40 Synthesis Process Machine verifier program yes/counterexample synthesizer Exploration Validation Checked Algorithms Schema Human

41 Key questions Are schemas a natural input for a designer? can be difficult for designers, prefer programs Why are search and verification separate? Verifier overwhelmed with many incorrect or similar programs Can synchronization inference be automated? atomicity, ordering, space (big challenge) 27

42 Another approach: verification-driven The input to synthesizer is a program synthesizer repairs or fixes an incorrect program Verifier does synthesis can output a program, not just yes/no Automates synchronization inference some synchronization (but not all, e.g. space is not) 28

43 Synthesis Process Synthesizer produces various repairs versions of the program verifier extended to do synthesis Synthesizer repairs the program by synthesizing synchronization Checked Algorithms Program Human

44 Challenge Find minimal synchronization that makes the program satisfy the specification Avoid all bad schedules while permitting as many good schedules as possible Assumption: we can prove that serial executions satisfy the specification Interested in bad behaviors due to concurrency Handle infinite-state programs 30

45 Abstraction-Guided Synthesis of Synchronization Synthesis of synchronization via abstract interpretation Compute over-approximation of all possible program executions Add minimal synchronization to avoid (over-approximation of) bad schedules Interplay between abstraction and synchronization Finer abstraction may enable finer synchronization Coarse synchronization may allow coarser abstraction 31

Abstraction Abstraction Refinement Abstract counter

46 A Standard Approach: Abstraction Refinement Program P Valid Specification S Verify Abstract counter example Abstraction Abstraction Refinement Abstract counter example Change the abstraction to match the program 32

47 Abstraction-Guided Synthesis [VYY-POPL 10] Program P ϕ Program Restriction Implement P Specification S Verify Abstract counter example Abstraction Abstraction Refinement Abstract counter example Change the program to match the abstraction 33

48 AGS Algorithm High Level Input: Program P, Specification S, Abstraction Output: Program P satisfying S under ϕ = true while(true) { BadTraces = {π π ( P ϕ ) and π S if (BadTraces is empty) return implement(p,ϕ) select π BadTraces if (?) { ψ = avoid(π) if (ψ false) ϕ = ϕ ψ else abort else { = refine(, π) if ( ) = else abort 34

49 Avoid and Implement Desired output program satisfying the spec Constraint has to be implementable in the program Implementation mechanism guides the choice of constraint language Implementation mechanisms Atomic sections [POPL 10] Conditional critical regions (CCRs) [TACAS 09] Memory fences (for relaxed memory models) [FMCAD 10 + PLDI 11] Barriers [SAS 13] 35

50 Avoiding a schedule with atomic sections Adding atomicity constraints Atomicity predicate [l 1,l 2 ] statements at l 1 and l 2 must execute together atomically avoid(π) A disjunction of all possible atomicity predicates that would prevent π Captures all ways to avoid π using atomic sections avoid(π) = { [label(π i ),label(π j )] 0 i < π, j > i + 1. tid(π i ) = tid(π j ) s.t. k.i < k < j, tid(π i ) tid(π k ) 36

51 Avoid with atomicity constraints A1 1,1 B1 Thread A 1: A1 2: A2 Thread B 1: B1 2: B2 2,1 1,2 A2 B1 A1 B2 3,1 B1 A2 2,2 B2 A1 1,3 π = A 1 B 1 A 2 B 2 avoid(π) = [A 1,A 2 ] [B 1,B 2 ] 3,2 2,3 B2 A2 3,3 37

52 Avoiding the good with the bad ψ = avoid(π) Enforcing ψ avoids any abstract trace π such that π ψ Potentially avoiding good traces as well A1 B1 A2 A3 A1 B1 A2 A3 avoid( 1) = [A1,A2] 38

53 Simple Example T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1!= y2) atomic f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 Initially x = z = 0 Every single statement is atomic 39

54 Example: Concrete Values y Concrete values y2 x += z; x += z; z++;z++;y1=f(x);y2=x;assert y1=5,y2=0 z++; x+=z; y1=f(x); z++; x+=z; y2=x;assert y1=3,y2=3 T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1!= y2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 40

55 Example: Parity Abstraction y Concrete values y2 y y2 Parity abstraction (even/odd) x += z; x += z; z++;z++;y1=f(x);y2=x;assert y1=odd,y2=even T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1!= y2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 41

56 Example: Avoiding Bad Interleavings ϕ = true while(true) { z++ BadTraces={π π ( P ϕ ) and π S if (BadTraces is empty) return implement(p,ϕ) T1 x+=z x+=z select π BadTraces if (?) { ϕ = ϕ avoid(π) else { = refine(, π) z++ avoid(π 1 ) = [z++,z++] ϕ = [z++,z++] true Showing only states leading to bad states T3 y1=f(x) y2=x 42

57 Example: Avoiding Bad Interleavings ϕ = true while(true) { BadTraces={π π ( P ϕ ) and x+=z π S if (BadTraces is empty) return implement(p,ϕ) select π BadTraces if (?) { x+=z ϕ = ϕ avoid(π) else { = refine(, π) avoid(π 2 ) =[x+=z,x+=z] T3 y1=f(x) y2=x ϕ = [z++,z++] ϕ = [z++,z++] [x+=z,x+=z] 43

58 Example: Avoiding Bad Interleavings ϕ = true while(true) { BadTraces={π π ( P ϕ ) and π S if (BadTraces is empty) return implement(p,ϕ) select π BadTraces if (?) { ϕ = ϕ avoid(π) else { = refine(, π) T1 1: x += z 2: x += z T2 1: z++ 2: z++ T3 1: y1 = f(x) 2: y2 = x 3: assert(y1!= y2) ϕ = [z++,z++] [x+=z,x+=z] 44

59 Example: Avoiding Bad Interleavings parity T1 T2 T3 x+=z; x+=z z++; z++; y1=f(x) y2=x assert y1!= y2 y y2 parity T1 T2 T3 x+=z; x+=z z++; z++; y1=f(x) y2=x assert y1!= y parity T1 T2 T3 x+=z; x+=z z++; z++; y1=f(x) y2=x assert y1!= y But we can also change the abstraction 45

60 parity interval (d) octagon (f) T1 T2 x+=z; x+=z z++; z++; y parity T3 y1=f(x) T3 y1=f(x) T3 y2=x y2=x assert assert y1!= y2 y1!= y2 (a) y2 (b) (c) T1 T2 T3 T1 T2 T3 x+=z; x+=z z++; z++; y1=f(x) y2=x assert y1!= y2 x+=z; x+=z z++; z++; y1=f(x) y2=x assert y1!= y2 interval (e) octagon (g) T1 T2 T1 T2 T3 T1 T2 T3 x+=z; x+=z z++; z++; x+=z; x+=z z++; z++; y1=f(x) y2=x assert y1!= y2 x+=z; x+=z z++; z++; y1=f(x) y2=x assert y1!= y parity T1 T2 x+=z; x+=z z++; z++; y1=f(x) y2=x assert y1!= y

61 Multiple Solutions Interval abstraction for our example produces the atomicity constraint: ([x+=z,x+=z] [z++,z++]) ([y1=f(x),y2=x] [x+=z,x+=z] [z++,z++]) Performance: smallest atomic sections Minimal satisfying assignments 1 = [z++,z++] 2 = [x+=z,x+=z] 47

62 Implementability Separation between schedule constraints and how they are realized Can realize in program: atomic sections, locks, Can realize in scheduler: benevolent scheduler T1 1: while(*) { 2: x++ 3: x++ 4: T2 1: assert (x!= 1) No program transformations (e.g., loop unrolling) Memoryless strategy 48

63 Abstraction-Guided Synthesis Program P ϕ Program Restriction Implement P Specification S Verify Abstract counter example Abstraction Abstraction Refinement Abstract counter example 49

64 AGS instances Avoid Implementation Mechanism Abstraction Space (examples) Reference Context switch Atomic sections Numerical abstractions [POPL 10] Inter-thread ordering Synchronization barriers Numerical abstractions [SAS 13] Intra-thread ordering Memory fences Partial-Coherence abstractions for store buffers [FMCAD 10] [PLDI 11] [PLDI 12] Transition Conditional critical regions (CCRs) Observability [TACAS 09] 50

65 General Setting Revisited Program P ϕ Program Restriction Implement P specification S Verify Abstract counter example Spec Weakening S Abstraction Abstraction Refinement Σ Abstract counter example Change the specification to match the abstraction 51

66 Summary Synthesis of Concurrent Data Structures Search-based synthesis: schema + semantic search Discovered new algorithmic variants Synthesis of Synchronization Input is a program, synthesizer repairs programs Instances: atomics, barriers, memory fences, etc Future Challenges Synthesis of space is key Apply techniques in symbolic or dynamic execution Combining synchronization primitives 52

67 Thank You Questions? 53

ExCAPE. Expeditions in Computer Augmented Program Engineering

ExCAPE. Expeditions in Computer Augmented Program Engineering ExCAPE Expeditions in Computer Augmented Program Engineering Rajeev Alur, Ras Bodik, Jeff Foster, Bjorn Hartmann, Lydia Kavraki, Hadas Kress-Gazit, Stephane Lafortune, Boon Loo, P. Madhusudan, Milo Martin,