1 lecture 09 – synthesis of synchronization eran yahav
Post on 20-Dec-2015
221 views
TRANSCRIPT
![Page 1: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/1.jpg)
PROGRAM ANALYSIS & SYNTHESIS
Lecture 09 – Synthesis of Synchronization
Eran Yahav
![Page 2: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/2.jpg)
Previously
Predicate abstraction Abstraction refinement
at a high level
2
![Page 3: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/3.jpg)
Today
Synthesis of Synchronization
![Page 4: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/4.jpg)
Verification Challenge
4
P S?
![Page 5: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/5.jpg)
With abstraction
5
P S?
![Page 6: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/6.jpg)
Now what?
6
P S
P ’ Sabstraction refinement
![Page 7: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/7.jpg)
7Change the abstraction to match the program
A Standard Approach: Abstraction Refinement
program
specification
Abstractcounterexample
abstraction
AbstractionRefinement
Abstractcounterexample
Verify
Valid
![Page 8: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/8.jpg)
Alternatively…
8
P’ Sprogram modification
P S
![Page 9: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/9.jpg)
9
program
specification
Abstractcounterexample
abstraction
AbstractionRefinement
Change the program to match the abstraction
Verify
Abstraction-Guided Synthesis [VYY-POPL’10]
ProgramRestriction
Implement
P’
Abstractcounterexample
![Page 10: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/10.jpg)
Alternatively…
10
P S’change specification (but to what?)
P S
![Page 11: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/11.jpg)
Focus on Program Modification Given a program P, specification S, and an
abstraction such that P S
find a modified program P’ such that P’ S
how do you find such a program? very hard in general there is some hope when considering equivalent
programs or restricted programs changing a program to add new legal behaviors is
hard program restriction natural in concurrent programs
reducing permitted schedules 11
![Page 12: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/12.jpg)
Example
int x, y, sign;
x = ?;
if (x<0) {
sign = -1;
} else {
sign = 1;
}
y = x/sign;
12Example from “The Trace Partitioning Abstract Domain” Rival&Mauborgne
x [-, ], sign
x [-, -1], sign [-1, -1]
x [0, ], sign [1, 1]
x [-, ], sign [-1, 1]
Specification S: no division by zero.
Abstract domain : intervals
0 [-1,1]division by zero seems
possible
P S
![Page 13: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/13.jpg)
Now what? Can use a more refined abstract domain Disjunctive completion abstract value = set (disjunction) of intervals
13
int x, y, sign;
x = ?;
if (x<0) {
sign = -1;
} else {
sign = 1;
}
y = x/sign;
x {[-, ]}, sign
x {[-, -1]}, sign {[-1, -1]}
x {[0, ]}, sign {[1, 1]}
x {[-, -1],[0, ]}, sign {[-1, -1],[1,1]}
Specification S: no division by zero.
Abstract domain ’: set of intervals
0 [-1, -1] and 0 [1,1]
division by zero impossible
P ’ S
![Page 14: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/14.jpg)
Are we done?
Exponential cost ! Can we do better?
Idea: track relationship between x and sign
14
x < 0 sign = -1x >= 0 sign = 1
Problem: again, expensive Which relationships should I track? Domains such as polyhedra won’t help
(convex)
![Page 15: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/15.jpg)
Trace partitioning abstract domain
refine abstraction by adding some control history
won’t get into that further reading
Rival and Mauborgne. The trace partitioning abstract domain. TOPLAS’07.
Holley and Rosen. Qualified data flow problems. POPL'80
15
![Page 16: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/16.jpg)
We can also change the program
16
int x, y, sign;
x = ?;
if (x<0) {
sign = -1;
} else {
sign = 1;
}
y = x/sign;
int x, y, sign;
x = ?;
if (x<0) {
sign = -1;
y = x/sign;
} else {
sign = 1;
y = x/sign;
}P P’
![Page 17: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/17.jpg)
Modified Program
17
int x, y, sign;
x = ?;
if (x<0) {
sign = -1;
y = x/sign;
} else {
sign = 1;
y = x/sign;
}
x [-, ], sign
x [-, -1], sign [-1, -1]
x [0, ], sign [1, 1]
x [-, ], sign [-1, 1]
Specification S: no division by zero.
Abstract domain : intervals
0 [-1, -1] division by zero impossible
0 [1, 1] division by zero impossible
![Page 18: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/18.jpg)
Another Example
18
while(e) {
s;
}
…
if (e) {
s;
while(e) {
s;
}
}
…P P’
![Page 19: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/19.jpg)
19
Process 1 Process 2 Process 3
Shared memory concurrent program No synchronization: often incorrect (but “efficient”) Coarse-grained synchronization: easy to reason about, often inefficient Fine-grained synchronization: hard to reason about, programmer often
gets this wrong
Challenge: Correct and Efficient Synchronization
![Page 20: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/20.jpg)
20
Process 1 Process 2 Process 3
Shared memory concurrent program No synchronization: often incorrect (but “efficient”) Coarse-grained synchronization: easy to reason about, often inefficient Fine-grained synchronization: hard to reason about, programmer often
gets this wrong
Challenge: Correct and Efficient Synchronization
![Page 21: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/21.jpg)
21
Process 1 Process 2 Process 3
Shared memory concurrent program No synchronization: often incorrect (but “efficient”) Coarse-grained synchronization: easy to reason about, often inefficient Fine-grained synchronization: hard to reason about, programmer often
gets this wrong
Challenge: Correct and Efficient Synchronization
![Page 22: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/22.jpg)
22
ChallengeProcess 1 Process 2 Process 3
How to synchronize processes to achieve correctness and efficiency?
![Page 23: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/23.jpg)
23
Atomic sections Conditional critical region (CCR) Memory barriers (fences) CAS Semaphores Monitors Locks ....
Synchronization Primitives
![Page 24: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/24.jpg)
24
{ ……………… …… …………………. …………………….…………………………}
P1()
Example: Correct and Efficient Synchronization with Atomic Sections
{ …………………………… ……………………. …}
P2()
ato
mic
ato
mic
{ ………………….. …… ……………………. ……………… ……………………}
P3()
ato
mic
Safety Specification: S
![Page 25: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/25.jpg)
25
{ ……………… …… …………………. …………………….…………………………}
P1()
{ …………………………… ……………………. …}
P2()
{ ………………….. …… ……………………. ……………… ……………………}
P3()
Safety Specification: S
Assist the programmer by automatically inferring correct and efficient synchronization
Example: Correct and Efficient Synchronization with Atomic Sections
![Page 26: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/26.jpg)
26
Challenge
Find minimal synchronization that makes the program satisfy the specification Avoid all bad interleavings while permitting as
many good interleavings as possible
Assumption: we can prove that serial executions satisfy the specification Interested in bad behaviors due to concurrency
Handle infinite-state programs
![Page 27: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/27.jpg)
27
Abstraction-Guided Synthesis of Synchronization
Synthesis of synchronization via abstract interpretation Compute over-approximation of all possible
program executions Add minimal synchronization to avoid
(over-approximation of) bad interleavings
Interplay between abstraction and synchronization Finer abstraction may enable finer
synchronization Coarse synchronization may enable coarser
abstraction
![Page 28: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/28.jpg)
28
program
specification
Abstractcounterexample
abstraction
AbstractionRefinement
Change the program to match the abstraction
Verify
Abstraction-Guided Synthesis
ProgramRestriction
Implement
P’
Abstractcounterexample
![Page 29: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/29.jpg)
29
AGS Algorithm – High Level
= true
while(true) {
BadTraces = { | (P ) and S }
if (BadTraces is empty) return implement(P,)
select BadTraces
if (?) {
= avoid()
if ( false) =
else abort
} else {
’ = refine(, )
if (’ ) = ’
else abort
}
}
Input: Program P, Specification S, Abstraction
Output: Program P’ satisfying S under
![Page 30: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/30.jpg)
30
Avoid and Implement
Desired output – program satisfying the spec
Implementability guides the choice of constraint language
Examples Atomic sections [POPL’10] Conditional critical regions (CCRs) [TACAS’09] Memory fences (for weak memory models)
[FMCAD’10 + abstractions in progress] …
![Page 31: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/31.jpg)
31
Avoiding an interleavingwith atomic sections
Adding atomicity constraints Atomicity predicate [l1,l2] – no context
switch allowed between execution of statements at l1 and l2
avoid() A disjunction of all possible atomicity
predicates that would prevent Thread A A1 A2
Thread B B1 B2
= A1 B1 A2 B2
avoid() = [A1,A2] [B1,B2]
![Page 32: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/32.jpg)
32
Avoid and abstraction
= avoid() Enforcing avoids any abstract trace ’
such that ’ Potentially avoiding “good traces” Abstraction may affect our ability to avoid
a smaller set of traces
![Page 33: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/33.jpg)
33
Example
T1
1: x += z 2: x += z
T2
1: z++ 2: z++
T3
1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)
f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5}
![Page 34: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/34.jpg)
34
Example: Concrete Values
0 2 3
12345
4
6
y2
y1
1
Concrete values
T1
1: x += z 2: x += z
T2
1: z++ 2: z++
T3
1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)
f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5}
x += z; x += z; z++;z++;y1=f(x);y2=x;assert y1=5,y2=0
z++; x+=z; y1=f(x); z++; x+=z; y2=x;assert y1=3,y2=3
…
![Page 35: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/35.jpg)
35
Example: Parity Abstraction
0 2 3
12345
4
6
y2
y1
1
Concrete values
T1
1: x += z 2: x += z
T2
1: z++ 2: z++
T3
1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)
f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5}
x += z; x += z; z++;z++;y1=f(x);y2=x;assert y1=Odd,y2=Even
0 2 3
12345
4
6
y2
y1
1
Parity abstraction (even/odd)
![Page 36: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/36.jpg)
36
Example: Avoiding Bad Interleavings
avoid(1) = [z++,z++]
= [z++,z++] = true
= true while(true) {
BadTraces={|(P ) and S }
if (BadTraces is empty)
return implement(P,)
select BadTraces if (?) {
= avoid() } else {
= refine(, ) }
}
![Page 37: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/37.jpg)
37
Example: Avoiding Bad Interleavings
avoid(2) =[x+=z,x+=z]
= [z++,z++] = [z++,z++][x+=z,x+=z]
= true while(true) {
BadTraces={|(P ) and S }
if (BadTraces is empty)
return implement(P,) select BadTraces if (?) {
= avoid() } else {
= refine(, ) }
}
![Page 38: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/38.jpg)
38
Example: Avoiding Bad Interleavings
T1
1: x += z 2: x += z
T2
1: z++ 2: z++
T3
1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)
= [z++,z++][x+=z,x+=z]
= true while(true) {
BadTraces={|(P ) and S }
if (BadTraces is empty)
return implement(P,) select BadTraces if (?) {
= avoid() } else {
= refine(, ) }
}
![Page 39: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/39.jpg)
39
0 2 3
12345
4
6
y2
y1
1
parity
0 1 2 3
12345
4
6
0 1 2 3
12345
4
6 parity parity
x+=z;
x+=z z++; z++;
y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;
y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;
y1=f(x)y2=xassert y1!= y2
T1
T2
T3
Example: Avoiding Bad Interleavings
But we can also refine the abstraction…
![Page 40: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/40.jpg)
40
0 2 3
12345
4
6
y2
y1
1
0 1 2 3
12345
4
6
0 1 2 3
12345
4
6
parity
interval
octagon
0 1 2 3
12345
4
6
0 1 2 3
12345
4
6
0 1 2 3
12345
4
6
0 1 2 3
12345
4
6
(a) (b) (c)
(d) (e)
(f) (g)
parity parity
interval
octagon
x+=z;
x+=z z++; z++;
y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;
y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;
y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;
y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;
y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;
y1=f(x)y2=xassert y1!= y2
T1
T2
T3
x+=z;
x+=z z++; z++;
y1=f(x)y2=xassert y1!= y2
T1
T2
T3
![Page 41: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/41.jpg)
41
Multiple Solutions
Performance: smallest atomic sections
Interval abstraction for our example produces the atomicity constraint:
([x+=z,x+=z] ∨ [z++,z++]) ∧ ([y1=f(x),y2=x] ∨ [x+=z,x+=z] ∨ [z++,z++])
Minimal satisfying assignments 1 = [z++,z++] 2 = [x+=z,x+=z]
![Page 42: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/42.jpg)
42
Input: Program P, Specification S, Abstraction
Output: Program P’ satisfying S under = true
while(true) {
BadTraces = { | (P ) and S }
if (BadTraces is empty) return implement(P,)
select BadTraces
if (?) {
= avoid()
if ( false) =
else abort
} else {
’ = refine(, )
if (’ ) = ’
else abort
}
}
Choosing between abstraction refinement and program restriction- not always possible to refine/avoid- may try and backtrack
AGS Algorithm – More Details
Forward Abstract Interpretation, taking
into account for pruning infeasible
interleavings
Backward exploration of invalid Interleavings using to prune infeasible interleavings.
Order of selection matters
Up to this point did not commit to a
synchronization mechanism
![Page 43: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/43.jpg)
43
T1
0: if (y==0) goto L1: x++2: L:
T2
0: y=21: x+=12: assert x !=y
Choosing a trace to avoid
pc1,pc2x,y
0,00,0
0,10,2 2,0
0,0
1,10,2 2,1
0,2
2,21,22,1
1,2
2,22,2
y=2
if (y==0)
x++
x+=1
if (y==0)
y=2
x+=1
legend
0,0E,E
0,1E,E 2,0
E,E
1,1E,E
2,1T,E
2,2T,E
y=2
if (y==0)
x++
x+=1
if (y==0)
y=2
x+=1
![Page 44: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/44.jpg)
44
Implementability
No program transformations (e.g., loop unrolling) Memoryless strategy
T1
1: while(*) { 2: x++ 3: x++ 4: }
T2
1: assert (x != 1)
Separation between schedule constraints and how they are realized Can realize in program: atomic sections,
locks,… Can realize in scheduler: benevolent
scheduler
![Page 45: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/45.jpg)
45
Atomic sections results
If we can show disjoint access we can avoid synchronization
Requires abstractions rich enough to capture access pattern to shared data
Parity
Intervals
Program Refine Steps Avoid Steps
Double buffering 1 2
Defragmentation 1 8
3D array update 2 23
Array Removal 1 17
Array Init 1 56
![Page 46: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/46.jpg)
46
AGS with guarded commands
Implementation mechanism: conditional critical region (CCR)
Constraint language: Boolean combinations of equalities over variables (x == c)
Abstraction: what variables a guard can observe
guard stmt
![Page 47: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/47.jpg)
47
Avoiding a transition using a guard
Add guard to z = y+1 to prevent execution from state s1
Guard for s1 : (x 1 y 1 z 0)
Can affect other transitions where z = y+1 is executed
x=1,
y=1,
z=0y=x+1 z=y+1
x=1,
y=1,
z=2
x=1,
y=2,
z=0
s1
s2 s3
![Page 48: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/48.jpg)
48
Example: full observability
• (y = 2 z = 1)• No Stuck States
Specification:
{ x, y, z }
Abstraction:
T1
1: x = z + 1
T2
1: y = x + 1
T3
1: z = y + 1
![Page 49: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/49.jpg)
49
Build Transition System
1,1,1
0,0,0
e,1,1
1,0,0
1,e,1
0,1,0
1,1,e
0,0,1
e,e,1
1,2,0
e,1,e
1,0,1
e,e,1
1,1,0
1,e,e
0,1,2
e,1,e
2,0,1
1,e,e
0,1,1
e,e,e1,2,3
e,e,e
1,2,1
e,e,e
1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
y=x+1z=y+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
1,1,1
0,0,0
X Y Z
PC1PC2
PC3
legend
![Page 50: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/50.jpg)
50
Avoid transition
1,1,1
0,0,0
e,1,1
1,0,0
1,e,1
0,1,0
1,1,e
0,0,1
e,e,1
1,2,0
e,1,e
1,0,1
e,e,1
1,1,0
1,e,e
0,1,2
e,1,e
2,0,1
1,e,e
0,1,1
e,e,e1,2,3
e,e,e
1,2,1
e,e,e
1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
y=x+1z=y+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
![Page 51: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/51.jpg)
51
1,1,1
0,0,0
e,1,1
1,0,0
1,e,1
0,1,0
1,1,e
0,0,1
e,e,1
1,2,0
e,e,1
1,1,0
1,e,e
0,1,2
e,1,e
2,0,1
1,e,e
0,1,1
e,e,e1,2,3
e,e,e
1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
e,1,e
1,0,1
e,e,e
1,2,1
y=x+1
x1 y0 z0
x1 y0 z0
x1 y0 z0
x1 y0 z0
Correct and Maximally PermissiveResult is valid
x1 y0 z0 z=y+1
![Page 52: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/52.jpg)
52
Resulting program
• (y = 2 z = 1)• No Stuck States
Specification:
{ x, y, z }
Abstraction:
T1
1: x = z + 1
T2
1: y = x + 1
T3
1: z = y + 1
T1
1: x = z + 1
T2
1: y = x + 1
T3
1: (x 1 y 0 z 0) z = y + 1
![Page 53: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/53.jpg)
53
• (y = 2 z = 1)• No Stuck States
Specification:
{ x, z }
Abstraction:
Example: limited observability
T1
1: x = z + 1
T2
1: y = x + 1
T3
1: z = y + 1
![Page 54: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/54.jpg)
54
1,1,1
0,0,0
e,1,1
1,0,0
1,e,1
0,1,0
1,1,e
0,0,1
e,e,1
1,2,0
e,1,e
1,0,1
e,e,1
1,1,0
1,e,e
0,1,2
e,1,e
2,0,1
1,e,e
0,1,1
e,e,e1,2,3
e,e,e
1,2,1
e,e,e
1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
y=x+1z=y+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
Build transition system1,1,
10,0,
0
X Y Z
PC1PC2
PC3
legend
![Page 55: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/55.jpg)
55
Avoid bad state
1,1,1
0,0,0
e,1,1
1,0,0
1,e,1
0,1,0
1,1,e
0,0,1
e,e,1
1,2,0
e,1,e
1,0,1
e,e,1
1,1,0
1,e,e
0,1,2
e,1,e
2,0,1
1,e,e
0,1,1
e,e,e1,2,3
e,e,e
1,2,1
e,e,e1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
y=x+1z=y+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
![Page 56: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/56.jpg)
56
1,1,1
0,0,0
e,1,1
1,0,0
1,e,1
0,1,0
1,1,e
0,0,1
e,e,1
1,2,0
e,1,e
1,0,1
e,e,1
1,1,0
1,e,e
0,1,2
e,1,e
2,0,1
1,e,e
0,1,1
e,e,e1,2,3
e,e,e
1,2,1
e,e,e1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
y=x+1z=y+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
Implementability
Select all equivalent transitions
![Page 57: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/57.jpg)
57
1,1,1
0,0,0
e,1,1
1,0,0
1,e,1
0,1,0
1,1,e
0,0,1
1,e,e
0,1,2
e,1,e
2,0,1
1,e,e
0,1,1
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
x=z+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
side-effects
e,e,11,2,0
e,1,e
1,0,1
e,e,11,1,0
e,e,e1,2,3
e,e,e
1,2,1
e,e,e
1,1,2
y=x+1z=y+1 z=y+1x1 z0
x1 z0 z=y+1
x1 z0
x1 z0
Result has stuck states
![Page 58: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/58.jpg)
58
1,1,1
0,0,0
e,1,1
1,0,0
1,e,1
0,1,0
1,1,e
0,0,1
1,e,e
0,1,2
e,1,e
2,0,1
1,e,e
0,1,1
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
x=z+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
e,e,11,2,0
e,1,e
1,0,1
e,e,11,1,0
e,e,e1,2,3
e,e,e
1,2,1
e,e,e
1,1,2
y=x+1z=y+1 z=y+1x 1 z 0
x1 z0 z=y+1
x1 z0
x1 z0
Select transition to remove
![Page 59: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/59.jpg)
59
1,1,1
0,0,0
e,1,1
1,0,0
1,e,1
0,1,0
1,1,e
0,0,1
e,e,3
1,2,0
e,2,e
1,0,1
e,e,3
1,1,0
1,e,e
0,1,2
e,1,e
2,0,1
1,e,e
0,1,1
e,e,e1,2,3
e,e,e
1,2,1
e,e,e
1,1,2
e,e,e3,1,2
e,e,e,2,3,1
e,e,e2,1,1
x=z+1 y=x+1 z=y+1
y=x+1
y=x+1z=y+1
z=y+1
x=z+1
z=y+1
z=y+1
x=z+1
x=z+1
x=z+1
y=x+1
y=x+1
x 1 z 0
x 1 z 0
x1 z0
x1 z0
x0 z0
x 0 z 0
x0 z0
x0 z0
x1 z0
x 0 z 0
Result is validCorrect and Maximally Permissive
![Page 60: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/60.jpg)
60
Resulting program
• ! (y = 2 && z = 1)• No Stuck States
Specification:
{ x, z }
Abstraction:
T1
1: x = z + 1
T2
1: y = x + 1
T3
1: z = y + 1
T1
1: (x 0 z 0) x = z + 1
T2
1: y = x + 1
T3
1: (x 1 z 0) z = y + 1
![Page 61: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/61.jpg)
61
T1 x = z + 1T2 y = x + 1T3 z = y + 1
T1 x = z + 1T2 y = x + 1T3 (x 1 z 0) z = y + 1
T1 (x 0 z 0) x = z + 1T2 y = x + 1T3 (x 1 z 0) z = y + 1
T1 x = z + 1T2 y = x + 1T3 z = y + 1
T1 x = z + 1T2 y = x + 1T3 (x 1 y 0 z 0) z = y + 1
{ x }
{ x,z }
{ x,y,z }
T1 x = z + 1T2 y = x + 1T3 z = y + 1
T1 x = z + 1T2 y = x + 1T3 (x 1) z = y + 1
T1 (x 0) x = z + 1T2 y = x + 1T3 (x 1) z = y + 1
![Page 62: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/62.jpg)
62
AGS with memory fences
Avoidable transition more tricky to define Operational semantics of weak memory
models
Special abstraction required to deal with potentially unbounded store-buffers Even for finite-state programs
Informally “finer abstraction = fewer fences”
![Page 63: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/63.jpg)
63
Synthesis Results
Mostly mutual exclusion primitives Different variations of the abstraction
Program FD k=0 FD k=1 PD k=0 PD k=1 PD k=2
Sense0
Pet0
Dek0
Lam0 T/O T/O T/O
Fast0 T/O T/O T/O T/O
Fast1a
Fast1b
Fast1c T/O T/O
![Page 64: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/64.jpg)
Chase-Lev Work-Stealing Queue1 int take() {2 long b = bottom – 1;3 item_t * q = wsq;4 bottom = b5 fence(“store-load”);6 long t = top7 if (b < t) {8 bottom = t;9 return EMPTY;10 }11 task = q->ap[b % q->size];12 if (b > t)13 return task14 if (!CAS(&top, t, t+1))15 return EMPTY;16 bottom = t + 1;17 return task;18 }
1 void push(int task) {2 long b = bottom;3 long t = top;4 item_t * q = wsq;5 if (b – t >= q->size – 1) {6 wsq = expand();7 q = wsq;8 }9 q->ap[b % q->size] = task;10 fence(“store-store”);11 bottom = b + 1;12 }
1 int steal() {2 long t = top;3 fence(“load-load”);4 long b = bottom;5 fence(“load-load”);6 item_t * q = wsq;7 if (t >= b)8 return EMPTY;9 task = q->ap[t % q->size];10 fence(“load-store”);11 if (!CAS(&top, t, t+1))12 return ABORT;13 return task;14 }
Specification: no lost items, no phantom items, memory safety
1 item_t* expand() {2 int newsize = wsq->size * 2;3 int* newitems = (int *) malloc(newsize*sizeof(int));4 item_t *newq = (item_t *)malloc(sizeof(item_t));5 for (long i = top; i < bottom; i++) {6 newitems[i % newsize] = wsq->ap[i % wsq->size];7 }8 newq->size = newsize;9 newq->ap = newitems; 10 fence("store-store");11 wsq = newq; 12 return newq;}
![Page 65: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/65.jpg)
Results
![Page 66: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/66.jpg)
Performance
![Page 67: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/67.jpg)
67
Some AGS instances
Avoid Implementation Mechanism
Abstraction Space(examples)
Reference
Context switch
Atomic sections Numerical abstractions
[POPL’10]
Transition Conditional critical regions (CCRs)
Observability [TACAS’09]
Reordering Memory fences Partial-Coherence abstractions for Store buffers
[FMCAD’10][PLDI’11]
…
![Page 68: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/68.jpg)
68
program
specification
Abstractcounterexample
abstraction
AbstractionRefinement
Change the specification to match the abstraction
Verify
General Setting Revisited
ProgramRestriction
Implement
P’
Abstractcounterexample
S’Spec
Weakening
![Page 69: 1 Lecture 09 – Synthesis of Synchronization Eran Yahav](https://reader035.vdocuments.net/reader035/viewer/2022062421/56649d485503460f94a22d63/html5/thumbnails/69.jpg)
69
Summary
Modifying the program to fit an abstraction examples inspired by the trace partitioning domain (trace partitioning domain can capture these effects,
and more, without changing the program) An algorithm for Abstraction-Guided Synthesis
Synthesize efficient and correct synchronization Handles infinite-state systems based on abstract
interpretation Refine the abstraction and/or restrict program behavior Interplay between abstraction and synchronization Separate characterization of solution from choosing
optimal solutions (e.g., smallest atomic sections)