1 / 28

Principal Investigators

Automatic Derivation, Integration, and Verification of Synchronization Aspects in Object-Oriented Design Methods. Principal Investigators. Matt Dwyer John Hatcliff Masaaki Mizuno Mitch Nielsen Gurdip Singh. Department of Computing and Information Sciences Kansas State University.

lbryant
Télécharger la présentation

Principal Investigators

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Automatic Derivation, Integration, and Verification of Synchronization Aspects in Object-Oriented Design Methods Principal Investigators Matt Dwyer John Hatcliff Masaaki Mizuno Mitch Nielsen Gurdip Singh Department of Computing and Information Sciences Kansas State University http://www.cis.ksu.edu/santos

  2. Collaborative Research at K-State • SANTOS Group • Programming Languages/Semantics • Software Specifications • Software Model Checking (Bandera) • Systems Group • Distributed/Operating Systems, Networking, Synchronization • Object Orientation • Embedded Systems (CAN systems)

  3. Problem Statement :Trans Manager :Card Reader :Client Manager :Cash Counter :Display :Key Pad Insert Card Card inserted (ID) Ask for PIN code Show request Specify PIN code PIN Code (PIN) Request PIN validation Ask for amount to withdraw Show request Rational Unified Process (RUP) in the Unified Modeling Language (UML) is the de facto standard for OO development process. • …an effective way to develop a set of sequential codes which are executed by threads. • …DOES NOT provide a standard methodology to develop synchronization among such threads.

  4. Our Theme …Focus on building core functional code (minus synchronization) …Give formal high-level spec of synchronization behavior …Correct synchronization code is synthesized andlinked in automatically

  5. I.Provide high-level, modular specification of global synchronization aspects … powerful, yet easy to use … formal specification via global invariants … language of composable invariant patterns … integrated with UML/RUP II.Automatic derivation and weaving of synchronization code … multiple language and synchronization targets (Java, C++, monitors, semaphores, etc.) … weaving & optimization via abstract interpretation and program specialization techniques III. Automatic verification of critical safety and liveness properties of woven embedded code … built on previous DARPA work –Bandera environment … domain-specific model-checking engines Goals of the Project IV.Evaluation using military networking target vehicle electronics (CDA101)

  6. Readers Writer Implicit Implicit R_in++ W_in++ Buffer R_out++ W_out++ Invariant: (R_in – R_out == 0 || W_in – W_out == 0) Step 1 • Identify intended critical regions Global Invariant Approach && (W_in – W_out <= 1) • Assume each region has associated implicit in and out counters that are incremented as regions are entered and exited • State a global invariant constraining occupancy of the regions

  7. <await R_in–R_out == 0 && W_in-W_out == 0 -> W_in++> <await W_in–W_out == 0 -> R_in++> <W_out++> <R_out++> Invariant: (R_in – R_out == 0 || W_in – W_out == 0) Step 2 • Use invariant to guide formulation of guards for region enter/exit Global Invariant Approach Readers Writer Buffer && (W_in – W_out <= 1) <await B -> C>…wait until B then execute C atomically <C> …execute C atomically • Called the “coarse-grain” solution

  8. Call R_Enter; Call W_Enter; Call R_Exit; Call W_Exit; Monitor Proc R_Enter() … …; Proc R_Exit() … …; Proc W_Enter() … …; Proc W_Exit() … …; Monitor Step 3 • Translate await and atomic statements to chosen synchronization mechanism …monitors, rendezvous, semaphores, etc… Global Invariant Approach Readers Writer Buffer • Called the “fine-grain” solution

  9. Advantages of OurGlobal Invariant Approach • “Aspect-oriented” • Synchronization aspect is cleanly factored out • Formal approach • Enables rigorous reasoning about synchronization aspects • Synchronization coding lies at a high level • Namely, the specification of invariants • Global invariants are independent of platform, language and synchronization primitive

  10. Our Approach--- Invariant Patterns Users never write formulas but instead build invariants using a collection of global invariant patterns… • Bound(R,n) … at most n threads can be in region R • Exclusion(R1,R2) … occupancy of region R1 and R2 should be mutually exclusive • Resource(R1, R2, n) … region R1 is a producer, region R2 is a consumer of some resource with n initial resource values. • Barrier(R1,R2) … the kth thread to enter R1 and the kth thread to enter R2 meet and leave their respective regions together • Barrier with information interchange… • Complex Barrier…

  11. Our Approach--- Invariant Patterns Users never write formulas but instead build invariants using a collection of global invariant patterns… • Bound(R,n) …at most n threads can be in region R • Exclusion(R1,R2) … occupancy of region R1 and R2 should be mutually exclusive Example: Readers/Writers Exclusion(R,W) + Bound(W,1)

  12. Intermediate Representation Generator Fine-grain Java Representation Generator .java + guarded commands .java .java PVS .java .java + .java .java Core code Synchronization aspect Our Approach--- Automatic Synthesis Both coarse-grain and fine-grain solutions are synthesized automatically + Invariant

  13. UML Tools Functional Core Code Functional Core Code Templates Template Instantiation Solver/ Prover (Java, C++, …) (Java, C++, …) Traditional Development Environment Synchronization Aspect Specification Tool Intermediate Representation Generator Synchronization Aspect Back-end Fine-grain solution Course-grain solution Invariant & Region tags Bandera Analysis & Transformation Code Weaver Safety Properties Specialization Engine Liveness Properties Bandera Optimized Woven Code Finite State Models Tool Architecture

  14. Sensors Actuators Rudder Sensor Rudder Pump Throttle Engine Controller Rudder Controller Throttle Controller CAN Bus Other Sensors and Actuators Fiber/TP Hub GPS Example: Vessel Control …from Navy SEABORNE target vehicle documentation

  15. Buffer Gyroscope/Rudder Sub-system Rudder Controller Gyroscope Controller • Gyroscope produces position values which are placed in a single entry buffer • Rudder controller reads position values from buffer and uses them to actuate the rudder

  16. Critical Region: RR Read a value from the gyroscope Wait until gyroscope value is in buffer Wait until the buffer becomes empty Read value from buffer Write a new value in the buffer Actuate rudder based on value Critical Region: RG Use Cases and Critical Regions Gyroscope Controller Rudder Controller Identify segments (a) that must wait for some even to occur (b) segments that cause events waited for in (a)

  17. Resource(RG,RR ,0) Produce Consume Consume Produce Invariant: Resource(RG,RR ,0) + Resource(RR,RG ,1) + Exclusion(RG,RR) Resource(RR,RG ,1) Exclusion(RG,RR) Gyroscope/Rudder Synchronization Gyroscope Value RG RR Buffer Empty Buffer Slot Rudder Controller Gyroscope Controller

  18. …consumer in …producer out Resource(RR,RG ,1) G_in <= R_out + 1 Exclusion(RG,RR) (G_in == G_out) || (R_in == R_out) Invariant: Resource(RG,RR ,0) + Resource(RR,RG ,1) + Exclusion(RG,RR) Desugared Invariant: (R_in <= G_out) && (G_in <= R_out + 1) && ((G_in == G_out) || (R_in == R_out)) Generating Coarse-grain Solution Resource(RG,RR ,0) R_in <= G_out

  19. <await B -> G_in++> Step 1: generate weakest-precondition(G_in++,I) Substitute G_in+1 for G_in Generating Coarse-grain Solution …invariantI holdshere G_in++ …want I to hold here Task: generate a condition B that ensures that I holds after counter increment. (R_in <= G_out) && (G_in <= R_out + 1) && ((G_in == G_out) || (R_in == R_out)) (R_in <= G_out) && (G_in+1 <= R_out + 1) && ((G_in+1 == G_out) || (R_in == R_out))

  20. Example: 1. (R_in <= G_out) && (G_in+1 <= R_out+1) && (G_in+1 == G_out) || (R_in <= G_out) && (G_in+1 <= R_out+1) && (R_in == R_out) 2. (R_in <= G_out) && (G_in+1 <= R_out+1) && (R_in == R_out) 3. (G_in+1 <= R_out+1) && (R_in == R_out) Generating Coarse-grain Solution Step 2: simplify using decision procedures • Convert to disjunctive normal form • Eliminate disjuncts that are can never be satisfied using decision procedures • Minimize remaining conjuncts using decision procedures

  21. Coarse-Grain Solution (skeleton) Gyroscope controller critical region: <await (G_in+1 <= R_out+1) && (R_in == R_out) -> G_in++> /* insert gyroscope value into buffer */ <G_out++> Rudder controller critical region: <await (R_in < G_out) && (G_in == G_out) -> R_in++> /* insert gyroscope value into buffer */ <R_out++>

  22. Traditional Monitor Solution …counter variables int C1, C2, …, Cn; …condition variables with an associated queue for each await int cv1, cv2, …, cvn; …procedure to implement each await Procedure Await1 () … Procedure Await2 () … …… Procedure Awaitn () … Generating Fine-Grain Solution <await B1 -> C1++> <await B2 -> C2++> <await B3 -> C3++> <await B4 -> C4++> <await Bn -> Cn++>

  23. Generating Fine-grain Solution • Use a single lock to protect access to counters • Use a pattern called “specification notification” to implement await’s • One lock for each await statement • Ensures that separate waiting queues are maintained for each await

  24. Compilation of <await B -> S> public static void <aname>() { synchronized (condition$<name>) { while (!check$<aname>()) { try { condition$<aname>.wait(); } catch (InterruptedException e) {} } /* add relevant notify calls */ } } …grab lock for this await …if guard B is false …go to sleep …notify awaits whose conditions may become true because of the current counter increment public static boolean check$<aname>() { synchronized (clusterCounterLock) { if (<B>) { <S> return true; } else return false; } } …grab lock protecting counters …if guard is true …do increment …return true …else return false

  25. UML Tools Functional Core Code Functional Core Code Templates Template Instantiation Solver/ Prover (Java, C++, …) (Java, C++, …) Traditional Development Environment Synchronization Aspect Specification Tool Intermediate Representation Generator Synchronization Aspect Back-end Fine-grain solution Course-grain solution Invariant & Region tags Bandera Analysis & Transformation Code Weaver Safety Properties Specialization Engine Liveness Properties Bandera Optimized Woven Code Finite State Models Summarizing…

  26. Short-term goals (3-4 months) • Add GUI to current prototype • Generate solutions to a large collection of standard synchronization problems • Hook in Bandera to check safety/liveness properties • Examine SEABORNE target code to assess how much of synchronization can be expressed in terms of our patterns • Generate CAN-based message passing fine-grain solutions (C with CAN library)

  27. Medium-term goals (6-12 months) • Extend global invariant approach to include real-time properties • Integrate UML tools into front-end • Use specialization to compress verification models

  28. Long-term goals (1-2 years) • Generate fine-grain solutions for other languages (C++, AspectJ, etc.) • Consider other synchronization related aspects (distribution, coordinated error-handling, debugging) • Extensions to the language of global invariants

More Related