Specification, Verification, and Synthesis of Concurrency Control Components

Specification, Verification, and Synthesis of Concurrency Control Components

Tuba Yavuz-Kahveci

Tevfik Bultan

Department of Computer Science

University of California, Santa Barbara

{tuba,bultan}@cs.ucsb.edu

Problem

Concurrent programming is difficult and error prone– Sequential programming: states of the variables– Concurrent programming: states of the variables &

processes

When there is concurrency, testing is not enough– State space increases exponentially with the number of

processes

We would like to guarantee certain properties of a concurrent system

Our Approach

Specification of the concurrency component– Using Action Language

Automated verification– Using an infinite state model checker

• Action Language Verifier

Automated code synthesis– Using a symbolic representation manipulator

• Composite Symbolic Library

Tools for Specification, Verification, and Synthesis of Concurrent Systems

Action Language Action Language Specification of the Specification of the Concurrency ComponentConcurrency Component

Action LanguageAction LanguageParserParser

Action LanguageAction LanguageVerifierVerifier

Composite SymbolicComposite SymbolicLibraryLibrary

Code GeneratorCode Generator Omega Omega LibraryLibrary

CUDDCUDDPackagePackage

Verified codeVerified code

Outline

Monitors Specification of Monitors

– Action Language Verification

– Action Language Verifier Code Synthesis Case Study: Airport Ground Traffic Control

– Experiments Related Work Conclusions

Concurrency Control with Monitors

A set of variables – Modeling shared resources– Cannot be accessed outside of the monitor

A set of procedures– Only one can be active at any time

• Provided my the monitor semantics

Synchronization among concurrent processes– Using condition variables

Monitor Basics

What happens if a process needs to wait until a condition becomes true?– Create a condition variable that corresponds to that

condition

Each condition variable has a wait queue– A process waits for a condition in the wait queue of the

corresponding condition variable– When a process updates the shared variables that may

cause a condition to become true:

it signals the processes in the wait queue of the corresponding condition variable

Monitors

Challenges in monitor programming– Condition variables– Wait and signal operations

Why not use a single wait queue?– Inefficient: Every waiting process has to wake up when any

of the shared variables are updated

Even with a few condition variables coordinating wait and signal operations can be difficult– Avoid deadlock– Avoid inefficiency due to unnecessary signaling

Java Monitors

A simplified implementation of Hoare monitors – No separate notion of condition variables

• Can be simulated by objects

– Each object associated with a mutual exclusion lock• synchronized(o) {…}• Synchronized methods• wait(), notify(), notifyAll()

– Implementing monitors is complicated To implement a monitor as a Java class

– Shared resources must be implemented using private fields– All methods can change state of the fields only in

synchronized blocks

Outline





Action Language

A state based language– Actions correspond to state changes

States correspond to valuations of variables– Integer (possibly unbounded), boolean and enumerated

variables– Parameterized constants

Transition relation is defined using actions– Atomic actions: Predicates on current and next state variables– Action composition: synchronous (&) or asynchronous (|)

Modular– Modules can have submodules

CTL properties– Invariant(p) : p always holds– Eventually(p) : p eventually holds

Readers Writersmodule main()

integer nr;boolean busy;restrict: nr>=0;initial: nr=0 and !busy;

module Reader()boolean reading;initial: !reading;rEnter: !reading and !busy and nr’=nr+1 and reading’;rExit: reading and !reading’ and nr’=nr-1;Reader: rEnter | rExit;

endmodule

module Writer() ... endmodule

main: Reader() | Reader() | Writer() | Writer();spec: invariant([busy => nr=0])

endmodule

S S :: Cartesian product ofCartesian product of variable domains defines variable domains defines the set of statesthe set of states

I I : Predicates defining : Predicates defining the initial statesthe initial states

RR : Atomic actions of the : Atomic actions of the ReaderReader

RR : Transition relation of : Transition relation of Reader defined as Reader defined as asynchronous composition asynchronous composition of its atomic actionsof its atomic actions

RR : Transition relation of main defined as : Transition relation of main defined as asynchronous composition of two Reader and asynchronous composition of two Reader and two Writer processestwo Writer processes

PP : Temporal property : Temporal property of main moduleof main module

What About Arbitrary Number of Processes?

Use counting abstraction– Create an integer variable for each local state of a process

type– Each variable will count the number of processes in a

particular state

Local states of the process types have to be finite– Specify only the process behavior that relates to the

correctness of the monitor– Shared variables of the monitor can be unbounded

Counting abstraction can be automated

Readers-Writers Monitor Specification After Counting Abstraction

module main()integer nr;boolean busy;

parameterized integer numReader, numWriter;restrict: nr>=0 and numReader>=0

and numWriter>=0;initial: nr=0 and !busy;module Reader()

integer readingF, readingT;initial: readingF=numReader

and readingT=0;rEnter: readingF>0 and !busy and nr’=nr+1 and

readingF’=readingF-1 and readingT’=readingT+1;

rExit: readingT>0 and nr’=nr-1 and readingT’=readingT-1 and

readingF’=readingF+1;Reader: rEnter | rExit;

endmodule...

main: Reader() | Writer();spec: invariant([busy => nr=0])

endmodule

Parameterized constants Parameterized constants representing the number representing the number of readers and number of of readers and number of writerswriters

Variables for counting the Variables for counting the number of processes in number of processes in specific local statesspecific local states

When local state changes, When local state changes, decrement current local state decrement current local state counter and increment next counter and increment next local state counterlocal state counter

Initialize initial local state Initialize initial local state counter by the relevant counter by the relevant parameterized constant. parameterized constant. Initialize other local Initialize other local states to 0states to 0

Outline





Action Language Verifier

An infinite state symbolic model checker Composite representation

– uses a disjunctive representation to combine different symbolic representations

Computes fixpoints by manipulating formulas in composite representation– Heuristics to ensure convergence

• Widening & collapsing

• Loop closure

• Approximate reachable states

Composite Symbolic Library: Class Diagram

CUDD Library OMEGA Library

Symbolic

+intersect()+union()+complement()+isSatisfiable()+isSubset()+bacwardImage()+forwardImage()

CompSym

–representation: list of comAtom

+intersect()+ union() • • •

BoolSym

–representation: BDD

+intersect()+union() • • •

IntSym

–representation: Polyhedra

+intersect()+union() • • •

compAtom

–atom: *Symbolic

Outline





Synthesizing the Implementation of the Monitor

Automated generation of code from the monitor specification – Generate a Java class– Make shared variables private variables– Use synchronization to restrict access

Is the generated code efficient?– Yes! – The condition variables can be synthesized automatically– There is no unnecessary thread notification

Naïve Translation: Redundant Signaling

Module main()Module main() boolean a,b;boolean a,b; initial: a and b;initial: a and b;

module SetA()module SetA() SetA: b and a’=trueSetA: b and a’=true

and b’=false;and b’=false; endmoduleendmodule

module SetB()module SetB() SetB: a and a’=falseSetB: a and a’=false

and b’=true;and b’=true; endmoduleendmodule

main: setA() | setB()main: setA() | setB() … …endmoduleendmodule

public class SetAB {public class SetAB { private boolean a.b; private boolean a.b; public setAB() {public setAB() { a = true;a = true; b = true; b = true; }} public synchronized SetA() {public synchronized SetA() { while (!b)while (!b)

try{ try{ wait();wait();} catch(…){..}} catch(…){..} a = true;a = true; b = false;b = false; notifyAll();notifyAll(); }} public synchronized SetB() {public synchronized SetB() { while (!a)while (!a)

try{try{wait();wait();} catch(…){…} } catch(…){…} a = false;a = false; b = true;b = true; notifyAll();notifyAll(); }}}}

Action Language SpecificationAction Language Specification Implementation in JavaImplementation in Java

Specific Notification Pattern

Module main()Module main() boolean a,b;boolean a,b; initial: a and b;initial: a and b;

module SetA()module SetA() SetA: b and a’=trueSetA: b and a’=true

and b’=false;and b’=false; endmoduleendmodule

module SetB()module SetB() SetB: a and a’=falseSetB: a and a’=false

and b’=true;and b’=true; endmoduleendmodule

main: setA() | setB()main: setA() | setB() … …endmoduleendmodule

Action Language SpecificationAction Language Specification

class SetAB {class SetAB { private boolean a.b; private boolean a.b; private Object condA, condBprivate Object condA, condB;; … … private synchronized boolean Guard_SetA() {private synchronized boolean Guard_SetA() { if (b) { a = true; b = false; return true;}if (b) { a = true; b = false; return true;} else return false;else return false; }} public void SetA() {public void SetA() { synchronized(condB)synchronized(condB) { { while (!Guard_SetA())while (!Guard_SetA()) try{ try{ condB.wait();condB.wait(); } catch(…) {…} } catch(…) {…} }} condA.notifyAll();condA.notifyAll(); }} public void SetB() {public void SetB() { synchronized(condA) synchronized(condA) {{ while (!Guard_SetB())while (!Guard_SetB())

try{ try{ condA.wait(); condA.wait(); } catch(…) {..}} catch(…) {..} }} condB.notifyAll();condB.notifyAll(); }}}}

Implementation in JavaImplementation in Java

Algorithm for Extracting Synchronization Information

for each action A do// Does A check any condition?

if ds(A) true then mark A as guarded

create condition variable condA else

mark A as unguarded for each action B s.t. A B do

// Can A change the condition B waits on from false to true?

if POST( ds(B),EXP(A)) ds(B) then

add condB to notification list of A

Readers-Writer Example with Specific Notification Pattern

public class ReadersWriters{ private int nr; private boolean busy; private Object rEnterCond, wEnterCond; private synchronized boolean Guard_rEnter() { if (!busy) { nr++; return true; } else return false; } public void rEnter() { synchronized(rEnterCond) { while(!Guard_rEnter()) rEnterCond.wait(); } public void rExit() { synchronized(this) { nr--; } synchronized(wEnterCond) { wEnterCond.notify(); } } ...}

All condition variables andAll condition variables andwait and signal operations are wait and signal operations are generated automaticallygenerated automatically

Outline





Airport Ground Traffic Control

[Zhong 97] Modeling of airport operations using an object oriented approach

A concurrent program simulating the airport ground traffic control– multiple planes– multiple runways and taxiways

Can be used by controllers as advisory input Simulate behavior of each airplane with a thread Use a monitor which keeps track of number of

airplanes on each runway and each taxiway

A simplified model of Seattle Tacoma International Airport from [Zhong 97]A simplified model of Seattle Tacoma International Airport from [Zhong 97]

Airport Ground Traffic Control Monitor

Action Language specification– Has 13 integer variables– Has 4 Boolean variables per arriving airplane process to

keep the local state of each airplane– Has 2 Boolean variables per departing airplane process to

keep the local state of each airplane

Automatically generated monitor class– Has 13 integer variables– Has 14 condition variables– Has 34 procedures

Experiments

Processes Construction

(sec)

Verify-P1

(sec)

Verify-P2

(sec)

Verify-P3

(sec)

2 0.81 0.42 0.28 0.69

4 1.50 0.78 0.50 1.13

8 3.03 1.53 0.99 2.22

16 6.86 3.02 2.03 5.07

2A,PD 1.02 0.64 0.43 0.83

4A,PD 1.94 1.19 0.81 1.39

8A,PD 3.95 2.28 1.54 2.59

16A,PD 8.74 4.6 3.15 5.35

PA,2D 1.67 1.31 0.88 3.94

PA,4D 3.15 2.42 1.71 5.09

PA,8D 6.40 4.64 3.32 7.35

PA,16D 13.66 9.21 7.02 12.01

PA,PD 2.65 0.99 0.57 0.43

A: Arriving AirplaneA: Arriving AirplaneD: Departing AirplaneD: Departing AirplaneP: Arbitrary number of processesP: Arbitrary number of processes

Related Work: [Demartini et al., 99], [Corbett et al., 00], [Havelund et al., 00]

– Extracting compact models from the implementation• Employing techniques such as slicing and abstraction

– Automated verification of the model• Finite state model checker

• Explicit state model checking techniques

Related Work: [Mizuno-99]

Given a concurrency problem and a global invariant– Provides a course-grain solution

• <await B; S> or <S>

Translates the course-grain solution to a Java program– Using Specific Notification Pattern

• Creates a separate condition variable cB for each guard B

• When S may change B to true cB is signaled

– Preserving the global invariant

Not automated

Related Work[Deng et al., 02]

Extends and automates Mizuno’s approach Synthesizes the code from a global invariant:

– A logic formula• Uses a decision procedure

– A pattern specification• Bound, Exclusion, Resource, Barrier, Relay, and Group

Automatically verifies – synthesized synchronization code + functional application

code– Uses a finite state model checker

Conclusions and Future Work

We can automatically verify and synthesize nontrivial monitors in Java

Our tools can deal with boolean, enumerated and (unbounded) integer variables

What about recursive data types?– shape analysis– [SAS’02] Verification of Concurrent Linked Lists

Readers Writers Monitor in Action Languagemodule main()

integer nr;boolean busy;restrict: nr>=0;initial: nr=0 and !busy;module Reader()boolean reading;initial: !reading;rEnter: !reading and !busy and nr’=nr+1 and reading’;rExit: reading and !reading’ and nr’=nr-1;Reader: rEnter | rExit;endmodulemodule Writer()boolean writing;initial: !writing;wEnter: !writing and nr=0 and !busy and busy’ and writing’;wExit: writing and !writing’ and !busy’;Writer: wEnter | wExit;endmodulemain: Reader() | Reader() | Writer() | Writer();spec: invariant([busy => nr=0])

endmodule

Action Language Verifier

An infinite state symbolic model checker Uses composite symbolic representation to encode a system

defined by (S,I,R) – S: set of states, I: set if initial states, R: transition relation

Maps each variable type to a symbolic representation type– Maps boolean and enumerated types to BDD representation

– Maps integer type to arithmetic constraint representation Uses a disjunctive representation to combine symbolic

representations– Each disjunct is a conjunction of formulas represented by different

symbolic representations

Temporal Properties Fixpoints

• • •• • •

Invariant(Invariant(pp))

ppInitialInitialstatesstates

initial states that initial states that violate Invariant(violate Invariant(pp))

BackwardBackwardfixpointfixpoint

ForwardForwardfixpointfixpoint

InitialInitialstatesstates

• • •• • •

states that can reach states that can reach pp i.e., states that violate Invariant(i.e., states that violate Invariant(pp))

reachable states reachable states of the systemof the system

pp

backwardImagebackwardImage of of pp

reachable states reachable states that violate that violate ppforward imageforward image

of initial statesof initial states

Control Logic

An airplane can land using 16R only if no airplane is using 16R at the moment

An airplane can takeoff using 16L only if no airplane is using 16L at the moment

An airplane taxiing on one of the exits C3-C8 can cross runway 16L only if no airplane is taking off at the moment

An airplane can start using 16L for taking off only if none of the crossing exits C3-C8 is occupied at the moment (arriving airplanes have higher priority)

Only one airplane can use a taxiway at a time

Synchronization Among Processes

condAcondAsignalsignal

Ready QueueReady Queue Executing ProcessExecuting Process

ProcessProcesskk

waitwait

Waiting QueueWaiting Queue

ProcessProcessii

ProcessProcessmm

ProcessProcessmm

ProcessProcesskk ProcessProcessiiProcessProcesskk

Documents

Specification, Verification, and Synthesis of Concurrency Control Components