Showing papers by "Martin Rinard published in 2006"

Probabilistic accuracy bounds for fault-tolerant computations that discard tasks

Abstract: We present a new technique for enabling computations to survive errors and faults while providing a bound on any resulting output distortion. A developer using the technique first partitions the computation into tasks. The execution platform then simply discards any task that encounters an error or a fault and completes the computation by executing any remaining tasks. This technique can substantially improve the robustness of the computation in the face of errors and faults. A potential concern is that discarding tasks may change the result that the computation produces.Our technique randomly samples executions of the program at varying task failure rates to obtain a quantitative, probabilistic model that characterizes the distortion of the output as a function of the task failure rates. By providing probabilistic bounds on the distortion, the model allows users to confidently accept results produced by executions with failures as long as the distortion falls within acceptable bounds. This approach may prove to be especially useful for enabling computations to successfully survive hardware failures in distributed computing environments.Our technique also produces a timing model that characterizes the execution time as a function of the task failure rates. The combination of the distortion and timing models quantifies an accuracy/execution time tradeoff. It therefore enables the development of techniques that purposefully fail tasks to reduce the execution time while keeping the distortion within acceptable bounds.

Inference and enforcement of data structure consistency specifications

Abstract: Corrupt data structures are an important cause of unacceptable program execution. Data structure repair (which eliminates inconsistencies by updating corrupt data structures to conform to consistency constraints) promises to enable many programs to continue to execute acceptably in the face of otherwise fatal data structure corruption errors. A key issue is obtaining an accurate and comprehensive data structure consistency specification. We present a new technique for obtaining data structure consistency specifications for data structure repair. Instead of requiring the developer to manually generate such specifications, our approach automatically generates candidate data structure consistency properties using the Daikon invariant detection tool. The developer then reviews these properties, potentially rejecting or generalizing overly specific properties to obtain a specification suitable for automatic enforcement via data structure repair. We have implemented this approach and applied it to three sizable benchmark programs: CTAS (an air-traffic control system), BIND (a widely-used Internet name server) and Freeciv (an interactive game). Our results indicate that (1) automatic constraint generation produces constraints that enable programs to execute successfully through data structure consistency errors, (2) compared to manual specification, automatic generation can produce more comprehensive sets of constraints that cover a larger range of data structure consistency properties, and (3) reviewing the properties is relatively straightforward and requires substantially less programmer effort than manual generation, primarily because it reduces the need to examine the program text to understand its operation and extract the relevant consistency constraints. Moreover, when evaluated by a hostile third party "Red Team" contracted to evaluate the effectiveness of the technique, our data structure inference and enforcement tools successfully prevented several otherwise fatal attacks.

Deciding Boolean Algebra with Presburger Arithmetic

Abstract: We describe an algorithm for deciding the first-order multisorted theory BAPA, which combines Boolean algebras of sets of uninterpreted elements (BA) and Presburger arithmetic operations (PA). BAPA can express the relationship between integer variables and cardinalities of unbounded finite sets, and it supports arbitrary quantification over sets and integers. Our motivation for BAPA is deciding verification conditions that arise in the static analysis of data structure consistency properties. Data structures often use an integer variable to keep track of the number of elements they store; an invariant of such a data structure is that the value of the integer variable is equal to the number of elements stored in the data structure. When the data structure content is represented by a set, the resulting constraints can be captured in BAPA. BAPA formulas with quantifier alternations arise when verifying programs with annotations containing quantifiers or when proving simulation relation conditions for refinement and equivalence of program fragments. Furthermore, BAPA constraints can be used for proving the termination of programs that manipulate data structures, as well as in constraint database query evaluation and loop invariant inference. We give a formal description of an algorithm for deciding BAPA. We analyze our algorithm and show that it has optimal alternating time complexity and that the complexity of BAPA matches the complexity of PA. Because it works by a reduction to PA, our algorithm yields the decidability of a combination of sets of uninterpreted elements with any decidable extension of PA. When restricted to BA formulas, the algorithm can be used to decide BA in optimal alternating time. Furthermore, the algorithm can eliminate individual quantifiers from a formula with free variables and therefore perform projection onto a desirable set of variables. We have implemented our algorithm and used it to discharge verification conditions in the Jahob system for data structure consistency checking of Java programs; our experience suggest that a straightforward implementation of the algorithm is effective on nontrivial formulas as long as the number of set variables is small. We also report on a new algorithm for solving the quantifier-free fragment of BAPA.

Goal-Directed Reasoning for Specification-Based Data Structure Repair

Abstract: Software errors and hardware failures can cause data structures in running programs to violate key data structure consistency properties. As a result of this violation, the program may produce unacceptable results or even fail. We present a new data structure repair system. This system accepts a specification of data structure consistency properties stated in terms of an abstract set-and relation-based model of the data structures in the running program. It then automatically generates a repair algorithm that, during the execution of the program, detects and repairs any violations of these constraints. The goal is to enable the program to continue to execute acceptably in the face of otherwise crippling data structure corruption errors. We have applied our system to repair inconsistent data structures in five applications: CTAS (an air traffic control system), AbiWord (an open source word processing program), Freeciv (an interactive multiplayer game), a parallel x86 emulator, and a simplified Linux file system. Our results indicate that the generated repair algorithms can effectively repair inconsistent data structures in these applications to enable the applications to continue to operate successfully in cases where the original application would have failed. Without repair, all of the applications fail

Field constraint analysis

Abstract: We introduce field constraint analysis, a new technique for verifying data structure invariants. A field constraint for a field is a formula specifying a set of objects to which the field can point. Field constraints enable the application of decidable logics to data structures which were originally beyond the scope of these logics, by verifying the backbone of the data structure and then verifying constraints on fields that cross-cut the backbone in arbitrary ways. Previously, such cross-cutting fields could only be verified when they were uniquely determined by the backbone, which significantly limits the range of analyzable data structures. Field constraint analysis permits non-deterministic field constraints on cross-cutting fields, which allows the verificiation of invariants for data structures such as skip lists. Non-deterministic field constraints also enable the verification of invariants between data structures, yielding an expressive generalization of static type declarations. The generality of our field constraints requires new techniques. We present one such technique and prove its soundness. We have implemented this technique as part of a symbolic shape analysis deployed in the context of the Hob system for verifying data structure consistency. Using this implementation we were able to verify data structures that were previously beyond the reach of similar techniques.

Modular Pluggable Analyses for Data Structure Consistency

Abstract: Hob is a program analysis system that enables the focused application of multiple analyses to different modules in the same program. In our approach, each module encapsulates one or more data structures and uses membership in abstract sets to characterize how objects participate in data structures. Each analysis verifies that the implementation of the module 1) preserves important internal data structure consistency properties and 2) correctly implements a set algebra interface that characterizes the effects of operations on the data structure. Collectively, the analyses use the set algebra to 1) characterize how objects participate in multiple data structures and to 2) enable the interanalysis communication required to verify properties that depend on multiple modules analyzed by different analyses. We implemented our system and deployed several pluggable analyses, including a flag analysis plug-in for modules in which abstract set membership is determined by a flag field in each object, a PALE shape analysis plug-in, and a theorem proving plug-in for analyzing arbitrarily complicated data structures. Our experience shows that our system can effectively 1) verify the consistency of data structures encapsulated within a single module and 2) combine analysis results from different analysis plug-ins to verify properties involving objects shared by multiple modules analyzed by different analyses

An overview of the Jahob analysis system: project goals and current status

Abstract: We present an overview of the Jahob system for modular analysis of data structure properties. Jahob uses a subset of Java as the implementation language and annotations with formulas in a subset of Isabelle as the specification language. It uses monadic second-order logic over trees to reason about reachability in linked data structures, the Isabelle theorem prover and Nelson-Oppen style theorem provers to reason about high-level properties and arrays, and a new technique to combine reasoning about constraints on uninterpreted function symbols with other decision procedures. It also incorporates new decision procedures for reasoning about sets with cardinality constraints. The system can infer loop invariants using new symbolic shape analysis. Initial results in the use of our system are promising; we are continuing to develop and evaluate it.

On Verifying Complex Properties using Symbolic Shape Analysis

Abstract: Note: MPI-I-2006-2-1 (Max-Planck Institute for Computer Science) Reference LARA-REPORT-2006-002 URL: http://arxiv.org/abs/cs.PL/0609104 Record created on 2007-08-21, modified on 2017-05-12

Pointer analysis for java programs: novel techniques and applications

Abstract: This dissertation presents a pointer analysis for Java programs, together with several practical analysis applications. For each program point, the analysis is able to construct a points-to graph that describes how local variables and object fields point to objects. Each points-to graph also contains escape information that identifies the objects that are reachable from outside the analysis scope. Our pointer analysis can extract correct information by analyzing only parts of a whole program. First, our analysis analyzes a method without requiring information about its calling context. Instead, our analysis computes parameterized results that are later instantiated for each relevant call site. Second, our analysis correctly handles calls to unanalyzable methods (e.g., native methods). Hence, our analysis can trade precision for speed without sacrificing correctness: if the analysis of a call to a specific callee requires too much time, the analysis can treat that callee as unanalyzable. The results of our analysis enable standard program optimizations like the stack allocation of local objects. More interestingly, this dissertation explains how to extend the analysis to detect pure methods. Our analysis supports a flexible definition of method purity: a method is pure if it does not mutate any object that exists in the program state before the start of the method. Therefore, our analysis allows pure methods to allocate and mutate temporary objects (e.g., iterators) and/or construct complex object structures and return them as a result.

On Verifying Complex Properties using Symbolic Shape Analysis

Abstract: One of the main challenges in the verification of software systems is the analysis of unbounded data structures with dynamic memory allocation, such as linked data structures and arrays. We describe Bohne, a new analysis for verifying data structures. Bohne verifies data structure operations and shows that 1) the operations preserve data structure invariants and 2) the operations satisfy their specifications expressed in terms of changes to the set of objects stored in the data structure. During the analysis, Bohne infers loop invariants in the form of disjunctions of universally quantified Boolean combinations of formulas. To synthesize loop invariants of this form, Bohne uses a combination of decision procedures for Monadic Second-Order Logic over trees, SMT-LIB decision procedures (currently CVC Lite), and an automated reasoner within the Isabelle interactive theorem prover. This architecture shows that synthesized loop invariants can serve as a useful communication mechanism between different decision procedures. Using Bohne, we have verified operations on data structures such as linked lists with iterators and back pointers, trees with and without parent pointers, two-level skip lists, array data structures, and sorted lists. We have deployed Bohne in the Hob and Jahob data structure analysis systems, enabling us to combine Bohne with analyses of data structure clients and apply it in the context of larger programs. This report describes the Bohne algorithm as well as techniques that Bohne uses to reduce the ammount of annotations and the running time of the analysis.

Incremental Deterministic Planning

Abstract: We present a new planning algorithm that formulates the planning problem as a counting satisfiability problem in which the number of available solutions guides the planner deterministically to its goal. In comparison with existing planners, our approach eliminates backtracking and supports efficient incremental planners that add additional sub-formulas without the need to recompute solutions for previously provided subformulas. Our experimental results show that our approach is competitive with existing state-of-the-art planners that formulate the planning problem as a satisfiability problem, then solve the satisfiability problem using specialized off-the-shelf satisfiability solvers such as zChaff

Survival Techniques for Computer Programs

Abstract: Programs developed with standard techniques often fail when they encounter any of a variety of internal errors. We present a set of techniques that prevent programs from failing and instead enable them to continue to execute even after they encounter otherwise fatal internal errors. Our results indicate that even though the techniques may take the program outside of its anticipated execution envelope, the continued execution often enables the program to provide acceptable results to their users. These techniques may therefore play an important role in making software systems more resilient and reliable in the face of errors.

Learning and Repair Techniques for Self-Healing Systems

Abstract: : Techniques were investigated for enabling systems to recover from data structure corruption errors. These errors could occur, for example, because of software errors or because of attacks. The technique developed contains three components. The first component observes the execution of training runs of the program to learn key data structure consistency constraints. The second component takes the learned data structure consistency constraints and examines production runs to detect violations of the constraints. The third component updates the corrupted data structures to eliminate the violations. The goal is not necessarily to restore the data structures to the state in which a (hypothetical) correct program would have left it, although in some cases our system may do this. The goal is instead to deliver repaired data structures that satisfy the basic consistency assumptions of the program, enabling the program to continue to operate successfully. A prototype system that contained these three components and the system was applied to two programs, BIND (part of the Internet Domain Name System (DNS)) and FreeCiv (a freely distributed multi-player game). Experience with BIND indicated that the technique can eliminate previously existing undesirable behavior in this program. The technique was applied to FreeCiv in the context of a Red Team experiment. The results of this experiment show that, on this program and for the workload in the Red Team experiment, our system significantly out-performed the DARPA Self-Regenerative System metrics: it recognized 80% (not just 10%) of the attacks, and it recovered from 60% (not just 5%) of them.

The ultra challenge: software systems beyond big

Abstract: How can the ultra large systems (ULS) of the future be built if they will have the complexity of trillions of lines of code, maintain continuous 24x7 operations with no downtime, and live in a hostile environment with unpredictably changing requirements? This panel will discuss and debate the challenges posed by ultra large systems in terms of their design, growth, deployment and dynamics.