Inferring Synchronization under Limited Observability - PowerPoint PPT Presentation

Slides: 58
Provided by: mtv1

Transcript and Presenter's Notes

1
Inferring Synchronization under Limited Observability
  • Martin Vechev, Eran Yahav, Greta Yorsh
  • IBM T.J. Watson Research Center

2
High Level Setting
[Diagram: Process 1, Process 2, Process 3; slides 3 to 5 repeat this diagram]
6
Challenge
[Diagram: Process 1, Process 2, Process 3]
How to synchronize processes in order to achieve correctness and good performance?
7
This Work
Assist the programmer by automatically inferring correct and efficient synchronization
8
Synchronization Primitives
  • Semaphores
  • Monitors
  • Conditional critical region (CCR)
  • Fine grained (e.g., CAS)
  • Locks
  • ....

9
Conditional Critical Regions
  • Syntax of CCR: guard → stmt
  • Synchronization code
    • guard can observe the program state
    • guard does not modify program state

10
High Level Setting
[Diagram: Process 1, Process 2, Process 3]
11
CCR Setting
[Diagram: Process 1, Process 2, Process 3 with statements s1 through s7; the CCR guards are left open]
Specification
  • Permissiveness
  • Cost as a language of CCR guards

12
Maximal Permissiveness
  • Given a language LG, specification S and program A, program B is maximally permissive if
    • B satisfies S
    • B is obtained from A by adding guards from LG
    • Cannot obtain a program C that is correct and more permissive than B from A via LG

if ⟦B⟧ ⊂ ⟦C⟧ then C does not satisfy S
13
Contributions
  • Two algorithms to infer CCR guards
    • Greedy
    • Exhaustive
  • Guarantee maximal permissiveness
    • Greedy under some conditions
    • Exhaustive always
  • Implementation in SPIN
    • prototype, examples

14
This Work
[Diagram: Process 1, Process 2, Process 3 with statements s1 through s7; inputs are Cost, Specification (Safety, No Stuck States) and Language of Guards; Automatic Inference of Guards yields a Correct and Maximally Permissive program in which s1 s2 is guarded by g1 and s7 by g2]
15
Inference Algorithm
  • Construct transition system of input program and
    specification
  • Remove a (minimal) set of transitions such that
    the result satisfies the specification
  • Implement resulting transition system as program
    by strengthening guards of CCRs in the program

16
Inference Algorithm
  GREEDY(P : Program) : Program
    R := ∅
    while (true)
      ts := <States, Transitions \ R, Init>
      if valid(ts) return implement(P, R)
      B := cut-transitions(ts)
      if B = ∅ abort "cannot find valid synchronization"
      select a transition t ∈ B
      R := R ∪ equiv(t)

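As an added example (not code from the talk or its SPIN prototype), the GREEDY loop above in Python, run on the three-process program used in the later slides (P1: x = z + 1, P2: y = x + 1, P3: z = y + 1, specification ¬(y = 2 ∧ z = 1) plus no stuck states, guards from LE(Obs)). Assumptions: cut-transitions(ts) returns the transitions from a good reachable state into a state that violates the spec, is stuck, or can only move into such states; equiv(t) means "same process, same values of the observable variables"; implement(P, R) turns each removed class into the guard conjunct ¬(observation). With Obs = {x, y, z} it infers the single guard of slide 22, and with Obs = {x, z} the two guards of slide 32.

```python
PROCS = {"P1": lambda x, y, z: (z + 1, y, z),   # P1: x = z + 1
         "P2": lambda x, y, z: (x, x + 1, z),   # P2: y = x + 1
         "P3": lambda x, y, z: (x, y, y + 1)}   # P3: z = y + 1
VARS = ("x", "y", "z")
INIT = (frozenset(), 0, 0, 0)   # state: (processes that have run, x, y, z)

def observe(s, obs):            # the part of state s that a guard in LE(obs) can see
    return tuple((v, s[1 + VARS.index(v)]) for v in obs)

def step(s, p):                 # run process p once from state s
    return (s[0] | {p},) + PROCS[p](*s[1:])

def enabled(s, removed, obs):   # pending processes whose strengthened guard holds in s
    return [p for p in PROCS if p not in s[0] and (p, observe(s, obs)) not in removed]

def reachable(removed, obs):    # states of <States, Transitions \ R, Init>
    seen, todo = {INIT}, [INIT]
    while todo:
        s = todo.pop()
        new = {step(s, p) for p in enabled(s, removed, obs)} - seen
        seen |= new; todo.extend(new)
    return seen

def doomed(states, removed, obs):
    # spec violations !(y == 2 && z == 1), stuck states, and states all of whose moves lead there
    dead = {s for s in states if s[2] == 2 and s[3] == 1}
    while True:
        more = {s for s in states - dead if len(s[0]) < len(PROCS) and
                all(step(s, p) in dead for p in enabled(s, removed, obs))}
        if not more:
            return dead
        dead |= more

def greedy(obs):
    """GREEDY from the slide: returns R as a set of (process, observation) classes."""
    removed = set()
    while True:
        states = reachable(removed, obs)
        dead = doomed(states, removed, obs)
        if not dead:                                      # valid(ts)
            return removed                                # implement(P, R) is guards()
        cut = sorted((p, observe(s, obs)) for s in states - dead   # cut-transitions(ts)
                     for p in enabled(s, removed, obs) if step(s, p) in dead)
        if not cut:
            raise RuntimeError("cannot find valid synchronization")
        removed.add(cut[0])   # R := R ∪ equiv(t): every move of that process with that view

def guards(removed):            # render each strengthened guard, e.g. "(x!=1 || z!=0)"
    return {p: " && ".join("(" + " || ".join(f"{v}!={c}" for v, c in o) + ")"
                           for q, o in sorted(removed) if q == p) for p in PROCS}
```

Removing the equivalence class for Obs = {x, z} leaves two states stuck (the side-effect of slide 29), which is why a second iteration adds the guard on x = z + 1.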
17
Example Language Observability
  • Obs: variables that can be read by CCR guards
  • LE(Obs): language of boolean combinations of equalities between variables in Obs and constants
  • Example
    • Obs = {x, y, z}
    • Guard expression in LE(Obs): (x ≠ 1 ∨ y ≠ 0 ∨ z ≠ 0)

18
Example: Full Observability
[Diagram: Process 1: x = z + 1, Process 2: y = x + 1, Process 3: z = y + 1; inputs Cost = LE({x, y, z}) and Specification; Automatic Inference of Guards]
Specification
  • ¬(y = 2 ∧ z = 1)
  • No Stuck States

19
What is in a state
[Diagram: a state records the program counters PC1, PC2, PC3 and the variables X, Y, Z; the initial state is (s,s,s,0,0,0)]
20
Build Transition System
[Diagram: the transition system from (s,s,s,0,0,0) over the transitions x = z + 1, y = x + 1, z = y + 1; the six terminal states (e,e,e) have (x,y,z) = (1,2,3), (1,2,1), (1,1,2), (3,1,2), (2,3,1), (2,1,1)]
21
Select Transitions to Remove
[Diagram: the same transition system; the transitions leading to the state (e,e,e,1,2,1), which violates ¬(y = 2 ∧ z = 1), are selected for removal]
22
Build Transition System
[Diagram: the transition system with the inferred guard (x ≠ 1 ∨ y ≠ 0 ∨ z ≠ 0) on the transitions z = y + 1; the result is Correct and Maximally Permissive]
24
Example: Limited Observability
[Diagram: Process 1: x = z + 1, Process 2: y = x + 1, Process 3: z = y + 1; inputs Cost = LE({x, z}) (y is not observable) and Specification; Automatic Inference of Guards]
Specification
  • ¬(y = 2 ∧ z = 1)
  • No Stuck States

25
Build Transition System
[Diagram: the unguarded transition system of slide 20]
27
Select transition to remove
[Diagram: the transition leading to the violating state (e,e,e,1,2,1) is selected]
28
Select All Equivalent Transitions
[Diagram: all transitions that a guard over x and z alone cannot distinguish from the selected one are selected as well]
  • Implementability
29
Build Transition System
[Diagram: the transition system with the guard (x ≠ 1 ∨ z ≠ 0) on the transitions z = y + 1]
  • Side-effects
30
Select transitions to remove
[Diagram: the transition system of slide 29 with a further set of transitions selected for removal]
31
Build Transition System
[Diagram: the transition system with the guards (x ≠ 1 ∨ z ≠ 0) on z = y + 1 and (x ≠ 0 ∨ z ≠ 0) on x = z + 1; the result is Correct and Maximally Permissive]
32
Example: Limited Observability
[Diagram: inputs Cost = LE({x, z}) and Specification; Automatic Inference of Guards produces the program below]
Specification
  • ¬(y = 2 ∧ z = 1)
  • No Stuck States

Result:
  Process 1: (x ≠ 0 ∨ z ≠ 0) → x = z + 1
  Process 2: y = x + 1
  Process 3: (x ≠ 1 ∨ z ≠ 0) → z = y + 1
33
Inference Algorithms
  • Greedy algorithm
    • Resulting program satisfies the specification
    • No side-effects guarantees maximal permissiveness
    • Experience: maximally permissive with side-effects
    • Polynomial
  • Exhaustive algorithm
    • Resulting program satisfies the specification
    • Maximally permissive
    • Exponential

34
Implementation
  • Prototype
    • Greedy algorithm
    • Using SPIN
  • Examples
    • Dining philosophers
    • Asynchronous counters
    • Race correction

35
Infinite Transition System
  • Preliminary Work
    • Finite state abstraction
    • Same algorithm
    • Conservatively eliminate potentially stuck states
    • Cannot guarantee maximal permissiveness
  • Future Work
    • Refine when a state becomes potentially stuck
    • Specialized abstractions for stuckness
    • Related to abstractions for termination

36
Summary
  • Algorithms for CCR guard inference
    • Greedy (polynomial) and Exhaustive (exponential)
    • Produce maximally permissive programs
  • Parametric on user-specified cost
  • Deals with side effects and implementability

37
Related Work
  • Recovery and predication mechanisms
    • STM, Isolator, Tolerace
  • Synthesis from temporal specification
  • Game theory
    • Memoryless winning strategy for Büchi games

38
Ongoing and Future Work
  • Conditions for maximal permissiveness of greedy
  • Infer other synchronization mechanisms
    • meta-data, atomic sections, non-blocking
  • Abstraction for stuck states

39
QUESTIONS?
40
Questions
  • Why can't I enumerate all the expressions of the language and call the checker externally?
  • How come the complexity is exponential, when we know it's double-exponential?
  • You say it's NP-hard and then you say it's polynomial, how come?
  • Greedy is linear, not polynomial
  • Can you always give the strongest guard for a given language and a state?

41
BACKUP
42
Problem on Graphs
  • Input
    • graph G = (V, E)
    • initial nodes Init ⊆ V
    • equivalence relation ≡ ⊆ E × E
  • E' is admissible iff
    • E' is closed under ≡
    • every node reachable from Init using only edges in E' has at least one outgoing edge in E'
  • Search problem: find admissible E' such that for every E'', if E' ⊂ E'' then E'' is not admissible
  • Decision problem: given k, is there a solution E' to the search problem and E k
  • Complexity: NP-hard, coNP-hard, in Σ2

43
Reduction from 3SAT
lij ∈ {x1, ..., xn, ¬x1, ..., ¬xn}
44
Construction
  • Example: φ = (x1 ∨ x2 ∨ x3) ∧ (x1 ∨ x4 ∨ x3)

[Diagram: gadget graph with literal nodes l11, l21, l12, l22, l13, l23, variable nodes x1, x2, x3, x4 (x1 and x3 each appear twice) and nodes a, b, c]
45
Reduction from 3SAT
  • Build the decision problem instance from gadgets
  • (G = (V, E), Init, ≡, k)
  • NP-hard
  • k 2n 2m m 2
  • φ is sat iff (G, Init, ≡, k) is YES
  • coNP-hard
  • k 2n 2m 2
  • φ is not sat iff (G, Init, ≡, k) is YES

46
Efficiency Dimensions
  • Permissiveness
    • P1 is more permissive than P2 when ⟦P2⟧ ⊂ ⟦P1⟧
  • Synchronization Cost
    • P1 has lower cost than P2 when the running time of synchronization code in P1 is smaller than that of P2
  • Maximize permissiveness and minimize cost

47
Parameters in the Space
48
Permissiveness vs. Cost
[Plot: permissiveness against cost, marking the maximal permissiveness for a bounded cost]
  • User input: upper bound on synchronization cost
  • Limits the observations about program state that can be made by the synchronization code

49
Synchronization under Limited Observability
  • Input
    • program P
    • specification S
    • cost function and cost bound C
  • Output: a program P'
    • P' satisfies S
    • P' obtained from P by adding synchronization restricted to C

Is it always possible to find P s.t. ? P ? ?
? P ? ?
NO!
50
Our Goal
  • Input
    • program P
    • specification S
    • cost function and cost bound C
  • Output: a concurrent program P'
    • P' satisfies S
    • P' obtained from P by adding synchronization restricted to C
    • P' is maximally permissive with respect to C
    • synchronization code in P' must not block indefinitely

51
Limited Observability
  • Bounded cost of synchronization code means a restricted language of guards
    • LG = { guard | cost(guard) < bound }
  • Limits the observations about program state that can be made by the guards

52
Example Languages of Guards
  • EQ(V)
    • boolean combination of equalities between a variable from V and an integer constant
    • (x ≠ 1 ∨ z ≠ 0)
  • EvenOdd(V)
    • boolean combinations of the predicates even and odd applied to program expressions over V
    • even(x) ∧ odd(y)

53
Example
  • Program

    main: x = 0, y = 0; op1 ∥ op2
    op1:  1: x = x + 1;  2: y = y + 1;  3: goto 1
    op2:  4: x = x - 1;  5: y = y - 1;  6: goto 4

  • Specification

    pc2 = 6 → even(x + y)

  • Limited observability

    EvenOdd(x, y)
54
Example
  • Program

    op2:  4: x = x - 1;  5: odd(x + y) → y = y - 1;  6: goto 4
    op1:  1: odd(x + y) → x = x + 1;  2: y = y + 1;  3: goto 1

  Result satisfies the spec but might block

  • Specification

    pc2 = 6 → even(x + y)

  • Limited observability

    EvenOdd(x, y)
55
Typical Development Process
56
Example: This Work
Specification: ¬(y = 2 ∧ z = 1)
Program:
    P1:   1: x = z + 1
    P2:   2: y = x + 1
    P3:   3: z = y + 1
    main: 4: x = 0; y = 0; z = 0;  5: P1 ∥ P2 ∥ P3;  6:
Correct Program:
    P1:   1: x = z + 1
    P2:   2: y = x + 1
    P3:   3: (x ≠ 1 ∨ y ≠ 0 ∨ z ≠ 0) → z = y + 1
    main: 4: x = 0; y = 0; z = 0;  5: P1 ∥ P2 ∥ P3;  6:
Automatic Inference
Synchronization Primitives: CCRs
57
This Work
[Diagram: Specification (Safety, No Deadlock) and Program are the inputs; Automatic Inference over a Set of Building blocks (Synchronization Primitives: CCRs) yields a Program that is Correct, Most Permissive in LG, Min. synch cost]
Input S1, S2, S3. Output G->S1. In pictures.
58
Permissiveness vs. Synchronization Cost
[Plot: permissiveness against cost, marking the maximal permissiveness for a bounded cost]
  • Program A is more permissive than B when ⟦B⟧ ⊂ ⟦A⟧
  • Cost bound specified as a language LG for CCR guards

59
High Level Setting
  • Manually using synchronization

60
Guard Inference: align them
[Diagram: Correct and Performance]
61
Permissiveness and Synchronization Cost
  • Program A is more permissive than B when ⟦B⟧ ⊂ ⟦A⟧
  • Cost bound specified as a language LG for CCR guards
