Proving Dekker with SPIN and PROMELA

Similar documents
The Spin Model Checker : Part I/II

The SPIN Model Checker

Tool demonstration: Spin

Automated Reasoning. Model Checking with SPIN (II)

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

1.7 Limit of a Function

Patrick Trentin Formal Methods Lab Class, March 03, 2017

Patrick Trentin Formal Methods Lab Class, Feb 26, 2016

Using Spin to Help Teach Concurrent Programming

SPIN: Introduction and Examples

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

CSE 153 Design of Operating Systems

The SPIN Model Checker

The Spin Model Checker : Part I. Moonzoo Kim KAIST

SPIN, PETERSON AND BAKERY LOCKS

MP 6 Modeling in Promela and SPIN

Computer Science 61 Scribe Notes Tuesday, November 25, 2014 (aka the day before Thanksgiving Break)

The name of our class will be Yo. Type that in where it says Class Name. Don t hit the OK button yet.

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

Formal Specification and Verification

CS354 gdb Tutorial Written by Chris Feilbach

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

CS477 Formal Software Development Methods / 32

INF5140: Specification and Verification of Parallel Systems

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Distributed Systems Programming (F21DS1) SPIN: Simple Promela INterpreter

Synchronization. Disclaimer: some slides are adopted from the book authors slides with permission 1

Concurrency. Glossary

These are notes for the third lecture; if statements and loops.

9 R1 Get another piece of paper. We re going to have fun keeping track of (inaudible). Um How much time do you have? Are you getting tired?

EECS 482 Introduction to Operating Systems

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Using TLC to Check Inductive Invariance

Formal Methods for Software Development

5 R1 The one green in the same place so either of these could be green.

Recap: Thread. What is it? What does it need (thread private)? What for? How to implement? Independent flow of control. Stack

CS4411 Intro. to Operating Systems Exam 1 Fall points 9 pages

CSE 374 Programming Concepts & Tools

Synchronization. Disclaimer: some slides are adopted from the book authors slides 1

Background. Old Producer Process Code. Improving the Bounded Buffer. Old Consumer Process Code

Formal Specification and Verification

Background. The Critical-Section Problem Synchronisation Hardware Inefficient Spinning Semaphores Semaphore Examples Scheduling.

Software Engineering using Formal Methods

Lectures 24 and 25: Scheduling; Introduction to Effects

CSE332: Data Abstractions Lecture 22: Shared-Memory Concurrency and Mutual Exclusion. Tyler Robison Summer 2010

Introduction to Programming in C Department of Computer Science and Engineering. Lecture No. #17. Loops: Break Statement

Software Engineering using Formal Methods

Logic Model Checking

Synchronization. Disclaimer: some slides are adopted from the book authors slides 1

SPIN part 2. Verification with LTL. Jaime Ramos. Departamento de Matemática, Técnico, ULisboa

Boot Camp. Dave Eckhardt Bruce Maggs

CSE 153 Design of Operating Systems Fall 2018

Synchronization. Heechul Yun. Disclaimer: some slides are adopted from the book authors and Dr. Kulkani

CS 4349 Lecture August 21st, 2017

Algorithmic Verification. Algorithmic Verification. Model checking. Algorithmic verification. The software crisis (and hardware as well)

Reliable programming

Introduction to Embedded Systems. Lab Logistics

Thread Synchronization: Too Much Milk

Thread Safety. Review. Today o Confinement o Threadsafe datatypes Required reading. Concurrency Wrapper Collections

CS5460: Operating Systems

SWEN-220 Mathematical Models of Software. Process Synchronization Critical Section & Semaphores

Formal Verification by Model Checking

CS 220: Introduction to Parallel Computing. Introduction to CUDA. Lecture 28

Formal Methods for Software Development

COPYRIGHTED MATERIAL. Getting Started with Google Analytics. P a r t

Synchronization I. Jo, Heeseung

Lecture. DM510 - Operating Systems, Weekly Notes, Week 11/12, 2018

Project 1 Balanced binary

Distributed Systems. Lec 9: Distributed File Systems NFS, AFS. Slide acks: Dave Andersen

Lecture #7: Shared objects and locks

Computational Complexity and Implications for Security DRAFT Notes on Infeasible Computation for MA/CS 109 Leo Reyzin with the help of Nick Benes

CS477 Formal Software Development Methods / 39

Programmazione di sistemi multicore

Systèmes d Exploitation Avancés

(Refer Slide Time: 02.06)

COSC 2P91. Bringing it all together... Week 4b. Brock University. Brock University (Week 4b) Bringing it all together... 1 / 22

CSE 332: Data Structures & Parallelism Lecture 17: Shared-Memory Concurrency & Mutual Exclusion. Ruth Anderson Winter 2019

Lecture #7: Implementing Mutual Exclusion

Notebook Assignments

Ext3/4 file systems. Don Porter CSE 506

How to approach a computational problem

Design and Analysis of Distributed Interacting Systems

A Tutorial on Model Checker SPIN

Introduction to Programming

Dealing with Issues for Interprocess Communication

Chapter01.fm Page 1 Monday, August 23, :52 PM. Part I of Change. The Mechanics. of Change

Embedded Linux Day 2

Chapter 6: Process [& Thread] Synchronization. CSCI [4 6] 730 Operating Systems. Why does cooperation require synchronization?

Programming and Data Structure

Synchronization. CS61, Lecture 18. Prof. Stephen Chong November 3, 2011

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

A practicalintroduction to embedded programming. Brian Plancher 10/17/2018

It s possible to get your inbox to zero and keep it there, even if you get hundreds of s a day.

Arranging lunch value of preserving the causal order. a: how about lunch? meet at 12? a: <receives b then c>: which is ok?

Network Protocol Design and Evaluation

! Why is synchronization needed? ! Synchronization Language/Definitions: ! How are locks implemented? Maria Hybinette, UGA

Applications of Formal Verification

(Refer Slide Time 6:48)

Mr G s Java Jive. #11: Formatting Numbers

T Parallel and Distributed Systems (4 ECTS)

Transcription:

15-410...fairness disabled... Proving Dekker with SPIN and PROMELA Joshua Wise With help from Greg Hartman L36_SPIN 1

Synchronization Project 4 due Wednesday Everyone having fun? Kernel interviews If you haven t gotten e-mail, see course staff right after lecture TA evaluations! The insanity must continue Check the bboards 2

Show of hands 3

Show of hands Who... 3

Show of hands Who... Had concurrency bugs during P2? 3

Show of hands Who... Had concurrency bugs during P2? Had concurrency bugs during P3? 3

Show of hands Who... Had concurrency bugs during P2? Had concurrency bugs during P3? Had the same concurrency bugs between P2 and P3? 3

Show of hands Who... Had concurrency bugs during P2? Had concurrency bugs during P3? Had the same concurrency bugs between P2 and P3? Stayed up all weekend debugging the same concurrency bugs from P2 to P3? 3

Show of hands Who... Had concurrency bugs during P2? Had concurrency bugs during P3? Had the same concurrency bugs between P2 and P3? Stayed up all weekend debugging the same concurrency bugs from P2 to P3? Really stayed up all weekend debugging the same concurrency bugs from P2 to P3, but won t admit it? 3

Concurrency bugs suck It s true. Race conditions make us sad. Wouldn t it be nice if we could prove our code free of race conditions?...or that if they had race conditions, that at least they don t produce bad behavior?...in every possible case? 4

What s a race condition? Well, better: what s a program? A program can be represented by states and transitions....some of them are not so good. Straight-line code has just one transition per state Sometimes states have multiple transitions If chosen nondeterministically, and the output changes, then we have a race condition. Interrupts, anyone? Not all races are bad. Program may well converge on correct state. 5

Multiple threads Threads change the game a bit Things are executed simultaneously, and always nondeterministically......which is one big race condition! So which races will make our program sad? 6

The saddest locks Let s take an example: the saddest mutexes. mutex_lock is a no-op, and mutex_unlock is, too. (ouch!) We ll have two threads, each of which looking like: stuff mutex_lock(); critical section mutex_unlock(); end Let s try to show that this won t work. 7

The saddest state diagram t0 in stuff t1 in stuff t0 in critical t1 in stuff t0 in stuff t1 in critical t0 in end t1 in stuff t0 in critical t1 in critical t0 in stuff t1 in end t0 in end t1 in critical t0 in critical t1 in end t0 in end t1 in end (I am terrible at drawing in Keynote, sorry) 8

See? That was no good! Path existed to something we called bad (i.e., system crashed!) Key idea: after every instruction, an interrupt could occur. Why not do this kind of graphing on real code? Maybe we ll get a few sheets of graph paper to take care of it 9

A bit of a problem joshua@escape:~/p3$ find kern/ -iname '*.[chs]' xargs wc -l grep total 8096 total 10

Well, a... big... problem... For real code, too many nodes to draw. (Especially with my poor Keynote skills!) Try doing this on mutexes that do work! Many more states than simple spinlocks Bakery / take-a-number / something with integers: oh no! 11

Introducing SPIN We are computer scientists Well, except for me, I m an ECE 12

Introducing SPIN We are computer scientists Let s insert a layer of indirection! SPIN compiles things that look like programs into things that look like states...and exhaustively executes them Some questions raised What do we look for? 13

Introducing PROMELA, too Programs specified in a C-ish language called PROMELA PROcess MEta LAnguage Originally designed for verifying hardware We ll convince it to verify some locking algorithms for us Disclaimer: I am not a PROMELA guru! 14

The saddest locks, revisited byte t0_incrit = 0; byte t1_incrit = 0; inline mutex_lock() { skip; } inline mutex_unlock() { skip; } proctype B() { t1_incrit = 0; /* Some stuff */ mutex_lock(); t1_incrit = 1; /* Hi! */ t1_incrit = 0; /* Ok, done */ mutex_unlock(); } proctype A() { t0_incrit = 0; /* Some stuff */ mutex_lock(); t0_incrit = 1; /* Hi! */ t0_incrit = 0; /* Ok, done */ mutex_unlock(); } init { } run A(); run B(); 15

What about the tiberium? Let s run it: $ spin -a saddest.promela $ gcc -o pan pan.c $./pan (Spin version 4.3.0 -- 22 June 2007) + Partial Order Reduction Nothing happened? Not quite. SPIN checked all states......but not for anything useful. 16

Verifying mutual exclusion Some changes: proctype monitor() { assert(!(t0_incrit && t1_incrit)); } init { run A(); run B(); run monitor(); } Key point of monitor it could happen anywhere! Effectively happens everywhere, then. 17

Run it again Another build cycle: $ spin -a saddest.promela $ gcc -o pan pan.c $./pan pan: assertion violated!((t0_incrit&&t1_incrit)) (at depth 9) pan: wrote saddest.promela.trail [...] Aha! The assertion was violated, and it wrote out a trail telling us where. 18

What went wrong? XSPIN can tell us, or pan can tell us pan -C: read in the trail, and give annotation $./pan -C 1: :init:(0):[(run A())] 2: :init:(0):[(run B())] 3: :init:(0):[(run monitor())] 4: B(2):[t1_incrit = 0] 5: B(2):[(1)] 6: B(2):[t1_incrit = 1] 7: A(1):[t0_incrit = 0] 8: A(1):[(1)] 9: A(1):[t0_incrit = 1] pan: assertion violated!((t0_incrit&&t1_incrit)) (at depth 10) spin: trail ends after 10 steps Concrete path: what went wrong 19

Slightly happier mutexes One more example Spinlocks: this time, with more mutual exclusion. mutex_lock will spin-wait on a single locked variable For the example we gave, guaranteed to terminate -- why? 20

New PROMELA Code byte locked = 0; don t you wish C had that keyword? inline mutex_lock() { do :: 1 -> atomic { if :: locked == 0 -> locked = 1; break; :: else -> skip; fi } od } inline mutex_unlock() { assert (locked == 1); locked = 0; } 21

Any better? Well, let s find out: $ spin -a happier.promela $ gcc -o pan pan.c $./pan [...] State-vector 28 byte, depth reached 27, errors: 0 [...] Sweet. But what about other properties of mutexes? Progress Bounded Waiting 22

Unbounded waiting PROMELA feature: progress cycles Don t get hosed! In an infinite cycle, a progress cycle must be hit infinitely often. Who can tell me an execution path that makes spinlocks sad? Let s see if we can get SPIN to make this for us Game plan: insert progress cycle in a loop after both people get to run. 23

New monitor process proctype fairness() { do :: 1 -> t0_incrit -> skip; t1_incrit -> skip; progress: skip od } [...] [...] run fairness(); proctype A() { do :: 1 -> } od mutex_lock(); t0_incrit = 1; t0_incrit = 0; mutex_unlock(); 24

Is it fair? $ spin -a happier-waiting.promela $ gcc -o pan pan.c -DNP $./pan -l pan: non-progress cycle (at depth 20) pan: wrote happier-waiting.promela.trail [...] State-vector 36 byte, depth reached 35, errors: 1 [...] As we guessed, something went wrong SPIN made a state tree for us... and found a set of transitions that break bounded waiting! 25

What went wrong? 2 $./pan -l -C [...] <<<<<START OF CYCLE>>>>> 22: B(3):[((locked==0))] 24: B(3):[break] 26: B(3):[t1_incrit = 1] 28: B(3):[t1_incrit = 0] 30: B(3):[assert((locked==1))] 32: B(3):[locked = 0] 34: B(3):[(1)] 36: B(3):[(1)] 26

Progress Third property of mutexes We ll define it as: Given code running infinitely long, somebody will continue to be able to acquire and release the mutex infinitely often. Not quite correct definition, but serves as OK example Use progress cycles again to define this 27

New PROMELA Code Remove fairness monitor, and put progress cycles in procedures proctype B() { do :: 1 -> mutex_lock(); progress: t1_incrit = 1; t1_incrit = 0; mutex_unlock(); od } 28

Verifying progress $ spin -a happier-progress.promela $ gcc -o pan pan.c -DNP $./pan -l pan: non-progress cycle (at depth 20) pan: wrote happier-progress.promela.trail WTF??? We know these mutexes provide progress; SPIN said they didn t What happened? $./pan -l -C [...] 20: B(3):[((locked==0))] <<<<<START OF CYCLE>>>>> 22: A(2):[else] 23: A(2):[(1)] 25: A(2):[(1)] 29

Even when it s going wrong $./pan -l [...] Full statespace search for: non-progress cycles [...] + (fairness disabled)...oooh. Of course we can t have progress... if the scheduler won t schedule us! (What if a meteor hits the stadium?) 30

Fair progress $ pan -l -f [...] State-vector 52 byte, depth reached 80, errors: 0 (-f is for weak fairness ) Once the scheduler schedules us......the world is much happier! We have shown that... No state that the world grinds to a halt If we keep going back and forth, somebody will keep winning 31

On to Dekker Dekker s Algorithm T. J. Dekker, 1964 2 threads only Guarantees the Big Three Let s try to prove it Mutual exclusion Bounded waiting Progress SPIN style warning! Namely, mine is bad. (I am not a professional!) 32

Mutual exclusion Let s write some PROMELA! proctype A() { f0 = 1; do :: f1 -> if :: turn!= 0 -> f0 = 0; turn == 0 -> skip; f0 = 1; :: else -> skip; fi :: else -> break; od; t0_incrit = 1; t0_incrit = 0; proctype B() { f1 = 1; do :: f0 -> if :: turn!= 1 -> f1 = 0; turn == 1 -> skip; f1 = 1; :: else -> skip; fi :: else -> break; od; t1_incrit = 1; t1_incrit = 0; } turn = 1; f0 = 0; } turn = 0; f1 = 0; 33

And, as we expect... $ spin -a dekker.promela $ gcc -o pan pan.c $./pan [...] State-vector 32 byte, depth reached 29, errors: 0 [...] If both threads run acquire lock; release lock once... we ve shown mutual exclusion for all reachable states Can we show that they ll always have bounded waiting? 34

Finite waiting Let s try a different tactic Every time you are waiting for the lock, you eventually get the lock. proctype fairness0() { f0 -> t0_incrit; } proctype fairness1() { f1 -> t1_incrit; } Procedures go in loops, like before Slightly weaker form of bounded waiting...but much easier to show in a few slides. 35

As we expect 2 $ spin -a dekker-waiting.promela $ gcc -o pan pan.c $./pan [...] State-vector 40 byte, depth reached 106, errors: 0 [...] Yes! Everything reached a valid end state, so there are no errors Always! Dekker s algorithm provides finite waiting 36

Dekker provides progress Similar modifications -- drop a progress cycle in the critical section $ spin -a dekker-progress.promela $ gcc -o pan pan.c -DNP $ pan -l pan: non-progress cycle (at depth 16) pan: wrote dekker-progress.promela.trail $ pan -l -f State-vector 52 byte, depth reached 113, errors: 0 Isn t that depth a bunch deeper? Only 80 before for the simple ones Every possible path will make progress 37

Limitations State explosion problem Machines are better than people......but only by six or seven orders of magnitude. Running RCU verification on Linux 1 updater, 1 reader: 2.6MByte 1u, 2r: 2.9 MByte 2u, 2r: 75.4 MByte 2u, 3r: 2,715.2 MByte... 3u, 2r: 14,979.9 MByte! Small world theory Extending proof to more Non-trivial? Trivial? 38

Summary Race conditions suck It is possible to think of programs in a more deterministic fashion Programs exist to prove other programs...but those programs are mostly science fair toys. These programs prove using... simplified models state traversals exhaustive search 39

References SPIN homepage: http://www.spinroot.com/ Book: The Spin Model Checker LWN article on RCU: http://lwn.net/ Articles/243851 PROMELA files available to play with tonight Questions? 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback