scispace - formally typeset
Search or ask a question
Book ChapterDOI

Logical concurrency control from sequential proofs

TL;DR: This paper considers a sequential library annotated with assertions along with a proof that these assertions hold in a sequential execution and shows how it can be used to derive concurrency control that ensures that any execution of the library methods, when invoked by concurrent clients, satisfies the same assertions.
Abstract: We are interested in identifying and enforcing the isolation requirements of a concurrent program, i.e., concurrency control that ensures that the program meets its specification. The thesis of this paper is that this can be done systematically starting from a sequential proof, i.e., a proof of correctness of the program in the absence of concurrent interleavings. We illustrate our thesis by presenting a solution to the problem of making a sequential library thread-safe for concurrent clients. We consider a sequential library annotated with assertions along with a proof that these assertions hold in a sequential execution. We show how we can use the proof to derive concurrency control that ensures that any execution of the library methods, when invoked by concurrent clients, satisfies the same assertions. We also present an extension to guarantee that the library is linearizable with respect to its sequential specification.

Content maybe subject to copyright    Report

Citations
More filters
Journal ArticleDOI
Guoliang Jin1, Linhai Song1, Wei Zhang1, Shan Lu1, Ben Liblit1 
04 Jun 2011
TL;DR: AFix is a tool that automates the whole process of fixing one common type of concurrency bug: single-variable atomicity violations and shows that patches automatically generated by AFix correctly eliminate six out of eight real-world bugs and significantly decrease the failure probability in the other two cases.
Abstract: Fixing software bugs has always been an important and time-consuming process in software development. Fixing concurrency bugs has become especially critical in the multicore era. However, fixing concurrency bugs is challenging, in part due to non-deterministic failures and tricky parallel reasoning. Beyond correctly fixing the original problem in the software, a good patch should also avoid introducing new bugs, degrading performance unnecessarily, or damaging software readability. Existing tools cannot automate the whole fixing process and provide good-quality patches.We present AFix, a tool that automates the whole process of fixing one common type of concurrency bug: single-variable atomicity violations. AFix starts from the bug reports of existing bug-detection tools. It augments these with static analysis to construct a suitable patch for each bug report. It further tries to combine the patches of multiple bugs for better performance and code readability. Finally, AFix's run-time component provides testing customized for each patch. Our evaluation shows that patches automatically generated by AFix correctly eliminate six out of eight real-world bugs and significantly decrease the failure probability in the other two cases. AFix patches never introduce new bugs and usually have similar performance to manually-designed patches.

206 citations

Proceedings ArticleDOI
Guoliang Jin1, Wei Zhang1, Dongdong Deng1, Ben Liblit1, Shan Lu1 
08 Oct 2012
TL;DR: Evaluation using four different types of bug detectors and thirteen real-world concurrency-bug cases shows that CFix can successfully patch these cases without causing deadlocks or excessive performance degradation.
Abstract: Concurrency bugs are widespread in multithreaded programs. Fixing them is time-consuming and error-prone. We present CFix, a system that automates the repair of concurrency bugs. CFix works with a wide variety of concurrency-bug detectors. For each failure-inducing interleaving reported by a bug detector, CFix first determines a combination of mutual-exclusion and order relationships that, once enforced, can prevent the buggy interleaving. CFix then uses static analysis and testing to determine where to insert what synchronization operations to force the desired mutual-exclusion and order relationships, with a best effort to avoid deadlocks and excessive performance losses. CFix also simplifies its own patches by merging fixes for related bugs.Evaluation using four different types of bug detectors and thirteen real-world concurrency-bug cases shows that CFix can successfully patch these cases without causing deadlocks or excessive performance degradation. Patches automatically generated by CFix are of similar quality to those manually written by developers.

147 citations

Proceedings ArticleDOI
13 Jul 2015
TL;DR: A logical constraint based symbolic analysis method to aid in the diagnosis of concurrency bugs and to recommend repairs and it is demonstrated its effectiveness in di- agnosing bugs in multithreaded C programs.
Abstract: Programmers often have to spend a significant amount of time in- specting the software code and execution traces to identify the cause of a bug. For a multithreaded program, debugging is even more challenging due to the subtle interactions between threads and the often astronomical number of interleavings. In this work, we pro- pose a logical constraint based symbolic analysis method to aid in the diagnosis of concurrency bugs and to recommend repairs. Both diagnosis and repair are formulated as constraint solving prob- lems. Our method, by leveraging the power of satisfiability (SAT) solvers and a bounded model checker, performs a semantic analy- sis of the sequential computation as well as thread interactions. The constraint based analysis is designed for handling critical software with small to medium code size, but complex concurrency control, such as device drivers, implementations of synchronization proto- cols, and concurrent data structures. We have implemented our new method in a software tool and demonstrated its effectiveness in di- agnosing bugs in multithreaded C programs.

65 citations


Cites background from "Logical concurrency control from se..."

  • ...Our work is also related, at the high level, to the theoretical work on program synthesis [16, 46, 55, 15, 9] and controller synthesis [57, 58], where the focus is on automated construction of systems from their specifications....

    [...]

Journal ArticleDOI
TL;DR: This paper considers a sequential library annotated with assertions along with a proof that these assertions hold in a sequential execution and shows how it can be used to derive concurrency control that ensures that any execution of the library methods, when invoked by concurrent clients, satisfies the same assertions.
Abstract: We are interested in identifying and enforcing the isolation requirements of a concurrent program, i.e., concurrency control that ensures that the program meets its specification. The thesis of this paper is that this can be done systematically starting from a sequential proof, i.e., a proof of correctness of the program in the absence of concurrent interleavings. We illustrate our thesis by presenting a solution to the problem of making a sequential library thread-safe for concurrent clients. We consider a sequential library annotated with assertions along with a proof that these assertions hold in a sequential execution. We show how we can use the proof to derive concurrency control that ensures that any execution of the library methods, when invoked by concurrent clients, satisfies the same assertions. We also present an extension to guarantee that the library methods are linearizable or atomic.

17 citations


Cites background from "Logical concurrency control from se..."

  • ..., the point at which the procedure’appears to execute instantaneously) other than the procedure entry, subject to some constraints (see [5])....

    [...]

Book ChapterDOI
18 Jul 2015
TL;DR: A computer-aided programming approach to concurrency that allows programmers to program assuming a friendly, non-preemptive scheduler, and the synthesis procedure inserts synchronization to ensure that the final program works even with a preemptive Scheduler.
Abstract: We present a computer-aided programming approach to concurrency. The approach allows programmers to program assuming a friendly, non-preemptive scheduler, and our synthesis procedure inserts synchronization to ensure that the final program works even with a preemptive scheduler. The correctness specification is implicit, inferred from the non-preemptive behavior. Let us consider sequences of calls that the program makes to an external interface. The specification requires that any such sequence produced under a preemptive scheduler should be included in the set of such sequences produced under a non-preemptive scheduler. The solution is based on a finitary abstraction, an algorithm for bounded language inclusion modulo an independence relation, and rules for inserting synchronization. We apply the approach to device-driver programming, where the driver threads call the software interface of the device and the API provided by the operating system. Our experiments demonstrate that our synthesis method is precise and efficient, and, since it does not require explicit specifications, is more practical than the conventional approach based on user-provided assertions. Open image in new window

16 citations

References
More filters
Journal ArticleDOI
TL;DR: This paper defines linearizability, compares it to other correctness conditions, presents and demonstrates a method for proving the correctness of implementations, and shows how to reason about concurrent objects, given they are linearizable.
Abstract: A concurrent object is a data object shared by concurrent processes. Linearizability is a correctness condition for concurrent objects that exploits the semantics of abstract data types. It permits a high degree of concurrency, yet it permits programmers to specify and reason about concurrent objects using known techniques from the sequential domain. Linearizability provides the illusion that each operation applied by concurrent processes takes effect instantaneously at some point between its invocation and its response, implying that the meaning of a concurrent object's operations can be given by pre- and post-conditions. This paper defines linearizability, compares it to other correctness conditions, presents and demonstrates a method for proving the correctness of implementations, and shows how to reason about concurrent objects, given they are linearizable.

3,396 citations


"Logical concurrency control from se..." refers background in this paper

  • ...We can enable clients to reason about concurrent executions in a modular fashion by guaranteeing that the concurrent library is linearizable [11]....

    [...]

Proceedings ArticleDOI
01 Jan 2002
TL;DR: This work presents an algorithm for model checking safety properties using lazy abstraction and describes an implementation of the algorithm applied to C programs and provides sufficient conditions for the termination of the method.
Abstract: One approach to model checking software is based on the abstract-check-refine paradigm: build an abstract model, then check the desired property, and if the check fails, refine the model and start over. We introduce the concept of lazy abstraction to integrate and optimize the three phases of the abstract-check-refine loop. Lazy abstraction continuously builds and refines a single abstract model on demand, driven by the model checker, so that different parts of the model may exhibit different degrees of precision, namely just enough to verify the desired property. We present an algorithm for model checking safety properties using lazy abstraction and describe an implementation of the algorithm applied to C programs. We also provide sufficient conditions for the termination of the method.

1,238 citations


"Logical concurrency control from se..." refers background or methods in this paper

  • ...The vertex labelled u in the figure corresponds to the point before the execution of statement [10] (after the if-condition evaluates to true)....

    [...]

  • ..., predicate-abstraction based tools such as SLAM [3], BLAST [10] and Synergy [9]....

    [...]

Journal ArticleDOI
TL;DR: This paper shows how a resource-oriented logic, separation logic, can be used to reason about the usage of resources in concurrent programs.

560 citations


"Logical concurrency control from se..." refers background in this paper

  • ...Prior work on verifying concurrent programs [16] has also shown that attaching invariants to resources (such as locks and semaphores) can enable modular reasoning about concurrent programs....

    [...]

Journal ArticleDOI
01 Jan 2004
TL;DR: The model checker BLAST is extended with predicate discovery by Craig interpolation, and applied successfully to C programs with more than 130,000 lines of code, which was not possible with approaches that build less parsimonious abstractions.
Abstract: The success of model checking for large programs depends crucially on the ability to efficiently construct parsimonious abstractions. A predicate abstraction is parsimonious if at each control location, it specifies only relationships between current values of variables, and only those which are required for proving correctness. Previous methods for automatically refining predicate abstractions until sufficient precision is obtained do not systematically construct parsimonious abstractions: predicates usually contain symbolic variables, and are added heuristically and often uniformly to many or all control locations at once. We use Craig interpolation to efficiently construct, from a given abstract error trace which cannot be concretized, a parsominous abstraction that removes the trace. At each location of the trace, we infer the relevant predicates as an interpolant between the two formulas that define the past and the future segment of the trace. Each interpolant is a relationship between current values of program variables, and is relevant only at that particular program location. It can be found by a linear scan of the proof of infeasibility of the trace.We develop our method for programs with arithmetic and pointer expressions, and call-by-value function calls. For function calls, Craig interpolation offers a systematic way of generating relevant predicates that contain only the local variables of the function and the values of the formal parameters when the function was called. We have extended our model checker Blast with predicate discovery by Craig interpolation, and applied it successfully to C programs with more than 130,000 lines of code, which was not possible with approaches that build less parsimonious abstractions.

532 citations

Journal ArticleDOI
TL;DR: A more powerful deductive system which is in some sense complete for partial correctness is defined, which provides for the use of auxiliary variables, which are added to a parallel program as an aid to proving it correct.
Abstract: An axiomatic method for proving a number of properties of parallel programs is presented Hoare has given a set of axioms for partial correctness, but they are not strong enough in most cases This paper defines a more powerful deductive system which is in some sense complete for partial correctness A crucial axiom provides for the use of auxiliary variables, which are added to a parallel program as an aid to proving it correct The information in a partial correctness proof can be used to prove such properties as mutual exclusion, freedom from deadlock, and program termination Techniques for verifying these properties are presented and illustrated by application to the dining philosophers problem

519 citations


"Logical concurrency control from se..." refers methods in this paper

  • ...Verifying Concurrent Programs: Our proposed style of reasoning is closely related to the axiomatic approach for proving concurrent programs of Owicki & Gries [16]....

    [...]