Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination

DESCRIPTION
Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination. Xinyu Feng, Yale University. Joint work with Zhong Shao. Motivation: proof-carrying code (PCC). In principle: verify any property on any code; real binaries and no loss of efficiency.

TRANSCRIPT
Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination
Xinyu Feng, Yale University
Joint work with Zhong Shao
2005-9-16 NJPLS@Stevens
Motivation

Proof-carrying code (PCC)
  In principle: verify any property on any code
    Real binaries & no loss of efficiency
    Embedded OS, device drivers...
    All safety & liveness properties...
    Formal, machine-checkable proofs
  In reality: only works for sequential code

Can concurrent code ever be supported by the PCC framework?
Challenges for Proof-Carrying Concurrent Code

A general framework for concurrent assembly code verification
  Lack of structure (e.g. cobegin/coend blocks)
Specification/proof generation
  Spec inference, proof assistant, theorem prover
Concurrent assembly code verification
  No directly applicable logic
  Traditional Hoare logic: only sequential code
  Type systems: no Concurrent Typed Assembly Language (TAL)
Previous Work

Rely-Guarantee (R-G) method
  Shared memory concurrency
  Thread modular verification
  Only for higher-level code: cobegin/coend
CCAP [Yu & Shao, ICFP'04]
  The first PCC framework supporting concurrent assembly code
  R-G method
  Only supports static threads: P1 || ... || Pn
Concurrency Programming

cobegin/coend
  S ::= ... | cobegin P1 || P2 coend | ...
  Higher-level, well-structured
  Only supports properly nested concurrent code
fork/join
  S ::= ... | tid := fork f(a) | join tid | ...
  More flexible: improperly nested code
  OSes/Java/...
Our Contributions

A new PCC framework: CMAP
  Verification of general properties
  Dynamic thread creation/termination
Generalize the Rely-Guarantee method
Modular verification
Realistic features
  Multiple instantiations of thread code
  Thread argument passing, thread-local data
Outline of This Talk

Background: the Rely-Guarantee Method
Challenges for Dynamic Thread Creation/Termination
Our Approach
The CMAP Framework
Conclusion and Future Work
The Rely-Guarantee Method

Thread 1 with (A1, G1) and Thread 2 with (A2, G2) run over a shared memory whose state goes S1, S2, S3, S4, S5, ...
  A1: S2 → S3, S4 → S5, ...   (the transitions Thread 1 assumes its environment makes)
  G1: S1 → S2, S3 → S4, ...   (the transitions Thread 1 itself makes)
  A2: S1 → S2, S3 → S4, ...
  G2: S2 → S3, S4 → S5, ...
Non-interference: G1 ⇒ A2 and G2 ⇒ A1
The Rely-Guarantee Method

Thread + Thread Environment
Rely and Guarantee
  A, G : State → State → Prop
Thread modularity
  Non-interference (interface compatibility): ∀i, j. i ≠ j ⇒ Gi ⇒ Aj
  Safety of each thread Ti: (Ai, Gi)
GCD Example [Yu & Shao '04]

Thread 1:
  while (a <> b) {
    if (a > b)
      a := a - b;
  }

Thread 2:
  while (a <> b) {
    if (b > a)
      b := b - a;
  }
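The Rely-Guarantee discipline above applied to this GCD program, as an added example (not code from the talk or from CCAP): the guarantee relations G1, G2, the weaker assumptions A1, A2, the step functions and the small bounded domain used to verify G1 ⇒ A2 and G2 ⇒ A1 exhaustively are all my own choices.

```python
"""Rely-Guarantee checking for the two-thread GCD example.

Added example, not code from the talk or from CCAP.  Each thread's guarantee
Gi and assumption Ai are relations on (old, new) pairs of the shared state
(a, b).  The step functions, the concrete Ai/Gi relations and the bounded
domain used for the exhaustive non-interference check are my own choices."""
from itertools import product
from math import gcd
from random import Random

def step1(s):
    """One iteration of Thread 1: if a > b then a := a - b."""
    a, b = s
    return (a - b, b) if a > b else s

def step2(s):
    """One iteration of Thread 2: if b > a then b := b - a."""
    a, b = s
    return (a, b - a) if b > a else s

def G1(s, t):
    """Thread 1 leaves b alone and either leaves a alone or subtracts b from a larger a."""
    return t[1] == s[1] and (t[0] == s[0] or (s[0] > s[1] and t[0] == s[0] - s[1]))

def G2(s, t):
    """Mirror image of G1 for Thread 2."""
    return t[0] == s[0] and (t[1] == s[1] or (s[1] > s[0] and t[1] == s[1] - s[0]))

def A1(s, t):
    """What Thread 1 relies on: a untouched, b stays positive and never grows, gcd kept."""
    return t[0] == s[0] and 0 < t[1] <= s[1] and gcd(*t) == gcd(*s)

def A2(s, t):
    """Mirror image of A1 for Thread 2."""
    return t[1] == s[1] and 0 < t[0] <= s[0] and gcd(*t) == gcd(*s)

def non_interference(bound):
    """G1 => A2 and G2 => A1, checked over every transition with 1 <= a, b <= bound."""
    states = list(product(range(1, bound + 1), repeat=2))
    return all((not G1(s, t) or A2(s, t)) and (not G2(s, t) or A1(s, t))
               for s, t in product(states, repeat=2))

def run_interleaving(a, b, seed=0):
    """Run both threads under a random schedule until a == b, checking each step
    against the stepping thread's guarantee; returns (final state, all steps ok)."""
    rng, s, ok = Random(seed), (a, b), True
    while s[0] != s[1]:
        tid = rng.choice((1, 2))
        t = (step1 if tid == 1 else step2)(s)
        ok = ok and (G1 if tid == 1 else G2)(s, t)
        s = t
    return s, ok
```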
Outline of This Talk

Background: the Rely-Guarantee Method
Challenges for Dynamic Thread Creation/Termination
Our Approach
The CMAP Framework
Conclusion and Future Work
Static and Dynamic Threads

Thread code f(a) ... is instantiated repeatedly: fork f(a1), fork f(a2), ..., fork f(an)
  "Static threads": the thread code f(a) as written
  "Dynamic threads": the running instances created by each fork
Challenges: First Attempt

Check NI between all static threads: Ti: (Ai, Gi), ∀i, j. i ≠ j ⇒ Gi ⇒ Aj
Too rigid to handle a changing environment
Challenges: Changing Env. I

(Diagram: thread T1 passes through stages A, B, C, D; T2 runs alongside; T3 exists only between B and C.)
A–B: initialize data d
  No other thread will change d, so A: d = d'
B–C: collaborate with T3 to process d
  T3 may change d; still do not allow other threads to change d
C–D: T3 terminates
  No other thread can change d
Use pc to mark stages?
Challenges: Changing Env. I

Global data: int data[100]

main:
  int i := 0;
  while (i < 100) {
    data[i] := f(i);
    fork child(i);
    i++;
  }

(Same T1/T2/T3 stage diagram, with stages A, B, C, D, as on the previous slide.)
Challenges: Changing Env. II

(Diagram: lifetimes of T1, T2, T3.)
T2 and T3 have no overlap in their lifetime
  Non-interference between all threads?
  Only check those that overlap?
  How to specify the overlapping?
Challenges: Multiple Instantiations

Thread code f(a) ... with specification (Aa, Ga) is instantiated by fork f(a1), fork f(a2), ..., fork f(an), giving (Aa1, Ga1), (Aa2, Ga2), ..., (Aan, Gan)
  Gai ⇒ Aaj ?
  Ga ⇒ Aa ?
Challenges: Modularity

T1: (A1, G1)        T2: (A2, G2)
  ...                  ...
  jmp f                jmp f

f:
  ...
  exit

Certify once, use everywhere?
Outline of This Talk

Background: the Rely-Guarantee Method
Challenges for Dynamic Thread Creation/Termination
Our Approach
The CMAP Framework
Conclusion and Future Work
Our Approach (1)

Problems for checking NI of static threads
  Changing environment
  Multiple instantiations
  Modularity issues
CMAP: "lazy checking"
  At each step, all live (dynamic) threads do not interfere
Our Approach (2)

Dynamic thread queue Q = t0, ..., tn with specifications (A0, G0), ..., (An, Gn) (the set of specifications is written Θ below)
How to track the changing thread queue?
WF(Q, Θ): ∀ti, tj ∈ Q. ti ≠ tj ⇒ Gi ⇒ Aj, and each ti satisfies (Ai, Gi)
Our Approach (3)

Borrow ideas from typechecking data heaps (as in TAL):
  WF(Q, Θ)  --ι-->  WF(Q', Θ')   (well-formedness is preserved by every instruction ι)
  Initial condition: ∃Θ0. WF(Q0, Θ0)
  ι ::= add | sub | jd f | ... | exit | fork | yield
Our Approach (4) Thread Termination: exit

Before: ti ∈ Q with (Ai, Gi) ∈ Θ, and WF(Q, Θ)
After exit: Q \ {ti} with Θ \ {(Ai, Gi)}, still WF (trivially!)
Our Approach (5) Thread Creation: fork f(a)

Before: t ∈ Q with (A, G), and WF(Q, Θ)
After fork: a new thread t' joins Q with a specification still to be chosen (?); is WF preserved?
  (1) t' does not interfere with Q
  (2) t does not interfere with the new environment Q ∪ {t'}
Our Approach (6)

Before the fork (WF): t with (A, G), and for every other thread ti ∈ Q with (Ai, Gi):
  G ⇒ Ai and Gi ⇒ A
After the fork: t' gets (A'', G''), t continues with some (A', G') (?); WF now requires:
  G'' ⇒ Ai and Gi ⇒ A''        for every i   (t' against the old queue)
  G' ⇒ Ai and G' ⇒ A''         for every i   (t against the new environment)
  Gi ⇒ A' and G'' ⇒ A'         for every i
Our Approach (7) Queue Extension

  WF(Q ∪ {t}, Θ ∪ {(A, G)})
  ----------------------------------------------------------  fork f(a), with A ⇒ A'' and G'' ⇒ G
  WF(Q ∪ {t', t}, Θ ∪ {(A'', G''), (A ∨ G'', G ∧ A'')})
Our Approach (8) Queue Update

  WF(Q ∪ {t}, Θ ∪ {(A, G)})
  ----------------------------------------------------------  A ⇒ A', G' ⇒ G, and t satisfies (A', G')
  WF(Q ∪ {t}, Θ ∪ {(A', G')})
Our Approach (9)

T1: (A1, G1)        T2: (A2, G2)
  ...                  ...
  jmp f                jmp f

f: (A, G)
  ...
  exit

Certify once, use everywhere: f is certified once under (A, G); Ti may jump to f when Ai ⇒ A and G ⇒ Gi
Our Approach (10)

  Check static threads      →  Lazy check
  Changing env.             →  Changing (A, G)
  Multiple instantiation    →  Not a concern
  Modularity                →  Certify only once
General enough
  Language (higher-level/assembly)
  Thread model (preemptive/non-preemptive)
Example – Unbounded Thread Creation

Global data: int data[100]

main:
  int i := 0;
  while (i < 100) {
    data[i] := f(i);
    fork child(i);
    i++;
  }

void child(x: int) {
  data[x] = g(x, data[x])
}
Example – Unbounded Thread Creation

Specification of child:
  Ax:
  Gx:
Non-interference between children:
Example – Unbounded Thread Creation

How to specify the main thread?

main:
  int i := 0;
  while (i < 100) {
    data[i] := 0;
    fork(child, i);
    i++
  }

Do we need a G such that:
But main cannot satisfy such a G!
main:
  int i := 0;
  while (i < 100) {
    data[i] := 0;
    fork(child, i);
    i++
  }

(Diagram annotations on main's changing specification: (A', G'), (A, G), (A, G), (A, G), (A, G))
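The queue-extension and queue-update rules above, replayed on this unbounded-thread-creation example over a tiny finite state space, as an added example (not code from the CMAP paper or its Coq development): the number of cells N, the 0/1 cell values and all helper names are my own assumptions, and the relations are checked exhaustively rather than proved.

```python
"""Lazy non-interference checking of a dynamic thread queue (fork and exit).
Added example, not code from the CMAP paper or its Coq development.  It replays
the unbounded-thread-creation example (main writes data[i], then forks child(i))
over a tiny finite state space so every A/G implication is checked exhaustively;
N, the 0/1 cell values and all helper names are my own choices."""
from itertools import product

N = 3                                         # number of data[] cells
STATES = list(product((0, 1), repeat=N))      # every possible data[] content

def implies(p, q):
    """p => q over every state transition (s, t)."""
    return all(q(s, t) for s in STATES for t in STATES if p(s, t))

def unchanged(cells):
    """Relation: data[j] keeps its value for every j in cells (a re-iterable sequence)."""
    return lambda s, t: all(s[j] == t[j] for j in cells)

def child_spec(x):
    """child(x) assumes data[x] is untouched by others and guarantees to touch only data[x]."""
    return unchanged([x]), unchanged([j for j in range(N) if j != x])

def main_spec(i):
    """main at loop index i: cells >= i are still private, cells < i belong to children."""
    return unchanged(range(i, N)), unchanged(range(i))

def wf(specs):
    """WF(Q, Theta): no live thread interferes with another, i.e. Gi => Aj for i != j."""
    return all(implies(specs[i][1], specs[j][0]) for i in specs for j in specs if i != j)

def fork_specs(parent, child):
    """Queue Extension: (A, G) forks (A'', G'') if A => A'' and G'' => G; the parent continues with (A or G'', G and A'')."""
    (A, G), (A2, G2) = parent, child
    if not (implies(A, A2) and implies(G2, G)):
        raise ValueError("fork side condition violated")
    return (lambda s, t: A(s, t) or G2(s, t)), (lambda s, t: G(s, t) and A2(s, t))

def update_spec(old, new):
    """Queue Update: a thread may switch to (A', G') when A => A' and G' => G."""
    if not (implies(old[0], new[0]) and implies(new[1], old[1])):
        raise ValueError("queue update side condition violated")
    return new

def run_main():
    """Replay main's loop, recording the WF check after every fork, update and exit."""
    specs, trace = {"main": main_spec(0)}, []
    for i in range(N):
        specs["main"] = fork_specs(specs["main"], child_spec(i))
        specs[f"child{i}"] = child_spec(i)
        trace.append(wf(specs))                   # after the queue extension
        specs["main"] = update_spec(specs["main"], main_spec(i + 1))
        trace.append(wf(specs))                   # after the queue update
    del specs["child0"]                           # exit: dropping a thread keeps WF
    trace.append(wf(specs))
    return trace
```

A main thread that keeps one fixed (A, G) for the whole loop fails the check, which is exactly the point of the slide above: its specification has to change at each fork.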
Outline of This Talk

Background: the Rely-Guarantee Method
Challenges for Dynamic Thread Creation/Termination
Our Approach
The CMAP Framework
Conclusion and Future Work
The CMAP Framework

The abstract machine
The verification logic
  Specification language
  Inference rules
  Soundness proof
Example programs
  Unbounded dynamic thread creation
  Readers/Writers problem
  Lock-free program
All implemented in Coq!
The CMAP Framework - Machine

(program)         P ::= (C, T, S, Q, I)
(code heap)       C: f1 ↦ I1, f2 ↦ I2, ...
(thread entries)  T: h1 ↦ I1, h2 ↦ I2, ...
(state)           S ::= (H, R)
(data heap)       H: addresses 0, 1, 2, ...
(register file)   R: r1, r2, r3, ..., rn
(instr. seq.)     I: add ... | fork h | yield | exit
(dyn. queue)      Q: (I, R), (I, R), (I, R), ... (suspended threads, each with its saved register file)
The CMAP Framework
The paper on CMAP (Feng&Shao ICFP’05):
http://flint.cs.yale.edu/publications/cmap.html
Conclusion

Problems for unbounded dynamic thread creation
  Changing environment (fork/exit)
  Multiple instantiation of thread code
  No previously known modular verification method
Our approach
  INV: active threads in the system do not interfere
  Combine the type-based proof technique with the R-G method
  Unify a thread's assumption/guarantee with the environment's guarantee/assumption
  Thread modularity + code/proof reuse
The CMAP framework and its Coq implementation
Future Work

Certified thread libraries
  fork, yield, exit
  join, lock, monitors
Surface language
  Higher-level specifications
  Partially infer A and G
  Certifying compilation to CMAP
Where are the threads? User-level threads + thread library
Thank you!