PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson...

PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS

Martin Vechev Eran Yahav Greta Yorsh

IBM T.J. Watson Research Center

Motivation

Case Study: Concurrent Data Structures

Hoare’s CCR Finite State

Abstract Interpretation Based Synthesis

Memory Fences

(Optional)

Concurrency is Important

Concurrency is Hard

“…I develop Mozilla full time all day, and i get this lockup maybe once a day…”

Concurrency is Hard

“…For nearly two weeks I thought the above solution was correct, until I started to try to prove its correctness...it turned out to be wrong…

So there I was. Fooled again.”

-- Edsger W. Dijkstra

Problem

Manually Finding Correct and Efficient Synchronization

Our Approach

Automatically InferCorrect and Efficient Synchronization

• Believable starting point– Intuitive to a programmer, e.g. sequential program

• Specification should be easy to write– Reusability: e.g. sequential consistency

• Some quantitative notion of efficiency– E.g. Fewer locks

• Output should be a program– Synchronization implemented in the language

• Output program(s) should be correct– With respect to the specification (checked or verified)

• Output program(s) should be optimal– With respect to efficiency

Output

Motivation

Memory Fences

(Optional)

Concurrent Data Structures

• Applications (typically) have to share data• Need to synchronize• Concurrent data structures are critical for performance

– Used in various language runtimes, kernels, etc

• Coarse Locks are often a bad idea– Single thread holding lock can stop global system progress– Coarse-grained locking leads to contention– Fine-grained locking tricky to get right (deadlocks)

val popRight() { while (true) { rh = RightHat; lh = LeftHat; if (rh->R == rh) return "empty"; if (rh == lh) { if (DCAS(&RightHat, &LeftHat, rh, lh, Dummy, Dummy)) return rh->V; } else { rhL = rh->L; if (DCAS(&RightHat, &rh->L, rh, rhL, rhL, rh)) { result = rh->V; rh->R = Dummy; return result;}}}

“Even better DCAS-based concurrent deques”, DISC 2000

2 errors in < 20 lines of code !

Concurrent Data Structures

Existing Approaches for Concurrent Object Construction

Performance

ManualEffort

Sequential

NaïveSTM

Fine-grained STM

Expert Design

This Work

bool add(int key) { Entry *pred,*curr,*entry restart: locate(pred,curr,key) k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr

val=CAS(&pred->next,curr,0,entry,0) if (val) goto restart return true}

bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key ≠ key) if (k) return false <r,m> = curr->next

lval=CAS(&curr->next, r,m,r,1) if (lval) goto restart

pval=CAS(&pred->next,curr,0,r,0) if (pval) goto restart return true}

Sequential to Highly Concurrent Setsbool add(int key){ atomic Entry *pred,*curr,*entry locate(pred,curr,key); k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr pred->next = entry return true}

bool remove(int key){ atomic Entry *pred,*curr,*r locate(pred,curr,key) k = (curr->key ≠ key) if (k) return false r = curr->next pred->next = r return true}

Generate - Verify

Generator Verifier

Schema Specification Abstraction

Program

Yes/No,Counterexample

Set Of Optimal Programs

Generator: Domain Specific Search

lessatomic

moreatomic

Generate-Verify

Atomicity Reduction: Steps

Removing redundant atomicity

Reordering

statements

Optimistic concurrency

Add synchronization

meta-data18

If (validate) updateelse restart

readupdate

s1If (t > 0) s2

Concurrent Sets: Generate-Check

Schema

Correct Algorithm

Sequential

DCAS CAS CASwith LOCKS

Priority Queue

CAS/DCAS

… …

Michael (PODC’02)

Heller et al.(OPODIS’05)

Trieber Stack

Existing Algorithm

New Algorithm

locate(pred,curr,key)

Step 1: Optimistic Concurrency[Kung & Robinson’81]

bool remove(int key){ Entry *pred,*curr,*r atomic locate(pred,curr,key) k = (curr->key ≠ key) if (k) return false r = curr->next pred->next = r return true }

bool remove(int key){ Entry *pred,*curr,*r restart:

Read atomic

if (validate) {

Update

} goto restart }

k = (curr->key ≠ key) if (k) return false r = curr->next pred->next = r return true

Update

Step 2: Generate-Check

Generate-Check

No correctcompletion found

Insufficient information to write a validation condition

bool remove(int key){ Entry *pred,*curr,*r locate(pred,curr,key)atomic if (validate) { k = (curr->key ≠ key) if (k) return false r = curr->next pred->next = r return true } goto restart}

truepred->next == currpred == curr

( (pred | curr) (->next)? == (pred | curr) (->next)? ) | true

Step 2: Counterexample

- 1 5 9

head tail

pred curr r

pred curr

T1: remove(5) T2: add(7)||

Step 2: Counterexample

head tail

How to deal with removed nodes?

Dealing with Removed Nodes?

Observability (Meta-Data)

Synchronization Time

Step 3: Apply Transformation

key next key next marked

REMOVE = { R1: k = (curr->key ≠ key) R2: if (k) return false R3: curr->marked = true R4: mp = pred->marked R5: mc = curr->marked R6: val= (pred->next == curr) ( mp)? ( mc)? R7: if (val) goto restart R8: r = curr->next R9: pred->next = r}

OBJECT OBJECT

Step 4: Run Generate-Verify

bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) REMOVE return true}REMOVE = { R1: k = (curr->key ≠ key) R2: if (k) return false R3: curr->marked = true R4: mp = pred->marked R5: mc = curr->marked R6: val= (pred->next == curr) ? ( mp) ? ( mc) R7: if (val) goto restart R8: r = curr->next R9: pred->next = r}

bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) REMOVE return true}

REMOVE = { k = (curr->key ≠ key) if (k) return false curr->marked = true r = curr->next atomic mp = pred->marked val=(pred->next==curr) mp if (val) goto restart pred->next = r }

Generate-Verify

head tail

pred curr r

pred curr

Fixed Previous Counterexample

add(7) observes pred “5” is marked and restarts

pred curr

bool add(int key) { Entry *pred,*curr,*entry restart: locate(pred,curr,key) k = (curr->key == key) if (k) return false entry = new Entry() entry->next = curr val=CAS(&pred->next,

curr,0,entry,0) if (val) goto restart return true}

bool remove(int key) { Entry *pred,*curr,*r restart: locate(pred,curr,key) k = (curr->key ≠ key) if (k) return false <r,m> = curr->next lval=CAS(&curr->next, r,m,r,1) if (lval) goto restart pval=CAS(&pred->next, curr,0,r,0) if (pval) goto restart return true}

Final Result

bool contains(int key) { Entry *pred,*curr locate(pred,curr,key) k = (curr->key == key) if (k) return false return true}

Lessons• Generate-Verify Shortcomings

– Generate can produce programs that cannot be verified– Verifier doing redundant work

• Expressing insights as syntactic templates is cumbersome

• Concurrency inherently tied to Space

– Enable automatic verification to do inference• Verification: no longer only a yes/no answer

– Input: A (possibly incorrect) concurrent program

– Output: A set of programs (possibly empty set)

Verification-Driven Synthesis

Motivation

Memory Fences

(Optional)

High Level Setting

Process 1 Process 2 Process 3

High Level Setting

Challenge

How to synchronize processes in order to achieve correctness and good performance ?

• Semaphores • Monitors • Conditional critical region (CCR)• Fine grained (e.g., CAS)• Atomics• ....

Synchronization Primitives

Conditional Critical Regions

• Syntax of CCR

• Synchronization code – guard can observe the program state – guard does not modify program state

guard stmt

High Level Setting

CCR Setting

s1;s2; s5; s7;

s6; s3;s4;

Specification:

• Permissiveness

• Cost as a language of CCR guards

• Given a language LG, specification S and program A, program B is maximally permissive, if:

– B satisfies S

– B is obtained from A by adding guards from LG

– Cannot obtain a program C that is correct and more permissive than B from A via LG:

Maximal Permissiveness

if B C then C does not satisfy S

• Two Algorithms to infer CCR guards– Greedy– Exhaustive

• Guarantee maximal permissiveness– Greedy: under some conditions– Exhaustive: always

• Implementation in SPIN– prototype, examples

Contributions

This Work

Safety, No Stuck States

Specification:

Language of Guards

Automatic Inference of Guards

s1;s2; s5; s7;

s6; s3;s4;

g1 s1;s2; s5; g2s7;

s6; s3;s4; Correct and Maximally Permissive

Inference Algorithm

• Construct transition system of input program and specification

• Remove a (minimal) set of transitions such that the result satisfies the specification

• Implement resulting transition system as program by strengthening guards of CCRs in the program

GREEDY(P : Program) : Program {

R = ∅while (true) {

ts = < States , Transitions \ R, Init >

if valid(ts) return implement(P,R)

B = cut-transitions(ts)

if B = abort “cannot find valid synchronization”∅ select a transition t B∈ R = R ∪ equiv(t)

Inference Algorithm

Example Language: Observability

• Obs: Variables that can be read by CCR guards

• LE(Obs): language of boolean combinations of equalities between variables in Obs and constants

• Example: Obs: {x, y, z} Guard Expression in LE(Obs): (x!=1 || y!=0 || z!=0)

Example: Full Observability

• ! (y = 2 && z = 1)• No Stuck States

Specification:

LE( { x, y, z } )

z=y+1;

Process 1

x=z+1; y=x+1;

Process 2 Process 3

What is in a state

s,s,s0,0,0

PC1PC2

Build Transition Systems,s,s0,0,0

e,s,s1,0,0

s,e,s0,1,0

s,s,e0,0,1

e,e,s1,2,0

e,s,e1,0,1

e,e,s1,1,0

s,e,e0,1,2

e,s,e2,0,1

s,e,e0,1,1

e,e,e1,2,3

e,e,e1,2,1

e,e,e1,1,2

e,e,e3,1,2

e,e,e,2,3,1

e,e,e2,1,1

x=z+1 y=x+1 z=y+1

y=x+1z=y+1

Select Transitions to Removes,s,s0,0,0

e,s,s1,0,0

s,e,s0,1,0

s,s,e0,0,1

e,e,s1,2,0

e,s,e1,0,1

e,e,s1,1,0

s,e,e0,1,2

e,s,e2,0,1

s,e,e0,1,1

e,e,e1,2,3

e,e,e1,2,1

e,e,e1,1,2

e,e,e3,1,2

e,e,e,2,3,1

e,e,e2,1,1

x=z+1 y=x+1 z=y+1

y=x+1z=y+1

s,s,s0,0,0

e,s,s1,0,0

s,e,s0,1,0

s,s,e0,0,1

e,e,s1,2,0

e,e,s1,1,0

s,e,e0,1,2

e,s,e2,0,1

s,e,e0,1,1

e,e,e1,2,3

e,e,e1,1,2

e,e,e3,1,2

e,e,e,2,3,1

e,e,e2,1,1

x=z+1 y=x+1 z=y+1

e,s,e1,0,1

e,e,e1,2,1

Build Transition System

x!=1 || y!=0 || z!=0

Correct and Maximally Permissive

Example: Full Observability

Specification:

LE( { x, y, z } )

z=y+1;

Process 1

x=z+1; y=x+1;

Process 2 Process 3

(x!=1 || y!=0 || z!=0)z=y+1;

Process 1

x=z+1; y=x+1;

Process 2 Process 3

Example: Limited Observability

Specification:

LE( { x, , z } )

z=y+1;

Process 1

x=z+1; y=x+1;

Process 2 Process 3

s,s,s0,0,0

e,s,s1,0,0

s,e,s0,1,0

s,s,e0,0,1

e,e,s1,2,0

e,s,e1,0,1

e,e,s1,1,0

s,e,e0,1,2

e,s,e2,0,1

s,e,e0,1,1

e,e,e1,2,3

e,e,e1,2,1

e,e,e1,1,2

e,e,e3,1,2

e,e,e,2,3,1

e,e,e2,1,1

x=z+1 y=x+1 z=y+1

y=x+1z=y+1

Build Transition Systems,s,s0,0,0

e,s,s1,0,0

s,e,s0,1,0

s,s,e0,0,1

e,e,s1,2,0

e,s,e1,0,1

e,e,s1,1,0

s,e,e0,1,2

e,s,e2,0,1

s,e,e0,1,1

e,e,e1,2,3

e,e,e1,2,1

e,e,e1,1,2

e,e,e3,1,2

e,e,e,2,3,1

e,e,e2,1,1

x=z+1 y=x+1 z=y+1

y=x+1z=y+1

Select transition to removes,s,s0,0,0

e,s,s1,0,0

s,e,s0,1,0

s,s,e0,0,1

e,e,s1,2,0

e,s,e1,0,1

e,e,s1,1,0

s,e,e0,1,2

e,s,e2,0,1

s,e,e0,1,1

e,e,e1,2,3

e,e,e1,2,1

e,e,e1,1,2

e,e,e3,1,2

e,e,e,2,3,1

e,e,e2,1,1

x=z+1 y=x+1 z=y+1

y=x+1z=y+1

s,s,s0,0,0

e,s,s1,0,0

s,e,s0,1,0

s,s,e0,0,1

e,e,s1,2,0

e,s,e1,0,1

e,e,s1,1,0

s,e,e0,1,2

e,s,e2,0,1

s,e,e0,1,1

e,e,e1,2,3

e,e,e1,2,1

e,e,e1,1,2

e,e,e3,1,2

e,e,e,2,3,1

e,e,e2,1,1

x=z+1 y=x+1 z=y+1

y=x+1z=y+1

Select All Equivalent Transitions

• Implementability

s,s,s0,0,0

e,s,s1,0,0

s,e,s0,1,0

s,s,e0,0,1

s,e,e0,1,2

e,s,e2,0,1

s,e,e0,1,1

e,e,e3,1,2

e,e,e,2,3,1

e,e,e2,1,1

x=z+1 y=x+1 z=y+1

58• Stuck states

e,e,s1,2,0

e,s,e1,0,1

e,e,s1,1,0

e,e,e1,2,3

e,e,e1,2,1

e,e,e1,1,2

y=x+1z=y+1 z=y+1x!=1 || z!=0

x!=1 || z!=0 z=y+1

x!=1 || z!=0

s,s,s0,0,0

e,s,s1,0,0

s,e,s0,1,0

s,s,e0,0,1

s,e,e0,1,2

e,s,e2,0,1

s,e,e0,1,1

e,e,e3,1,2

e,e,e,2,3,1

e,e,e2,1,1

x=z+1 y=x+1 z=y+1

e,e,s1,2,0

e,s,e1,0,1

e,e,s1,1,0

e,e,e1,2,3

e,e,e1,2,1

e,e,e1,1,2

y=x+1z=y+1 z=y+1x!=1 || z!=0

x!=1 || z!=0 z=y+1

x!=1 || z!=0

Select transitions to remove

s,s,s0,0,0

e,s,s1,0,0

s,e,s0,1,0

s,s,e0,0,1

e,e,31,2,0

e,2,e1,0,1

e,e,31,1,0

s,e,e0,1,2

e,s,e2,0,1

s,e,e0,1,1

e,e,e1,2,3

e,e,e1,2,1

e,e,e1,1,2

e,e,e3,1,2

e,e,e,2,3,1

e,e,e2,1,1

x=z+1 y=x+1 z=y+1

y=x+1z=y+1

x!=1 || z!=0

x!=0 || z!=0

x!=1 || z!=0

x!=0|| z!=0

Correct and Maximally Permissive

Example: Limited Observability

(x!=1 || z!=0)z=y+1;

Process 1

(x!=0 || z!=0)x=z+1; y=x+1;

Process 2 Process 3

z=y+1;

Process 1

x=z+1; y=x+1;

Process 2 Process 3

Specification:

LE( { x, , z } )

Inference Algorithms

• Greedy algorithm– Resulting program satisfies the specification– No side-effects guarantees maximal permissiveness– Experience: maximally permissive with side-effects– Polynomial

• Exhaustive algorithm– Resulting program satisfies the specification– Maximally permissive – Exponential

Implementation• Prototype

– Greedy algorithm– Using SPIN

• Examples – Dining philosophers – Asynchronous counters– Race correction

Summary• Algorithms for CCR guard inference

– Greedy (polynomial) and Exhaustive (exponential)

– Produce maximally permissive programs

– Parametric on User-specified Cost

– Deals with side effects and implementability

Future Work

• Conditions for maximal permissiveness of greedy

• Infer other synchronization mechanisms– meta-data, atomic sections, non-blocking

• Abstraction for stuck states

Motivation

Memory Fences

(Optional)

Crash Course on Abstract Interpretation

• Verify that property holds on all executions

• Challenge: programs with unbounded state

bad news: problem is undecidablegood news: can use over-approximation

– Consider a superset of possible executions– sound: a yes is a yes!– incomplete: a no is a maybe …

Verification Challenge

main(int i) { int x=3,y=1;

do { y = y + 1; } while(--i > 0) assert 0 < x + y}

Determine what states can arise during any execution

Challenge: set of states is unbounded

Abstract Interpretation

Recipe1) Abstraction2) Transformers3) Exploration

Challenge: set of states is unbounded

Solution: compute a bounded representation of (a superset) of program states

Determine what states can arise during any execution

1) Abstraction

• concrete state

• abstract state

: Var Z

#: Var{+, 0, -, ?}

3 1 7 x y i

… 70

2) Transformers

• concrete transformer

• abstract transformer

3 1 0y = y + 1

y = y + 1

+ - 0 + ? 0

+ 0 0 + + 0

+ ? 0 + ? 071

3) Exploration

+ + ? + + ?

Incompleteness

do { y = y - 2; y = y + 3; } while(--i > 0) assert 0 < x + y}

ConcurrentProgram

Specification Abstraction

Abstract Interpreter

Refine

Counter Example

Change the abstraction to match the program

Automatic Verification with Abstraction

ConcurrentProgram

Specification Abstraction

Abstract Interpreter

Refine

Counter Example

Restrict the program to match the abstraction

Counter Example

Program

Automatic Construction with Abstraction

AGS Algorithm – High Level

= true while(true) { Traces = { | (P ) and S} if (Traces is empty) return implement(P,) select Traces if (?) { = avoid() } else { = refine(, ) } }

Input: Program P, Specification S, Abstraction

Output: Program P’ satisfying S under

Trace Avoidance: avoid()

Thread A A1 A2

Thread B B1 B2

• Atomicity predicate [ st1 , st2 ] disables a context switch

• avoid() – disjunction of all possible atomicity predicates that would prevent

avoid() = [A1,A2] [B1,B2]

Example

1: x += z 2: x += z

1: z++ 2: z++

1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)

f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5}

How to place synchronization to achieve correctness and performance?

Example: Parity Abstraction

Concrete values

Parity abstraction (even/odd)

avoid(1) = [z++,z++]

= [z++,z++] = true

= true while(true) {

Traces={|(P ) and S }

if (Traces is empty) return implement(P,)

select Traces if (?) { = avoid() } else { = refine(, ) } }

Example: Avoiding Bad Traces

avoid(2) =[x+=z,x+=z]

= [z++,z++] = [z++,z++][x+=z,x+=z]

1: x += z 2: x += z

1: z++ 2: z++

1: y1 = f(x) 2: y2 = x 3: assert(y1 != y2)

= [z++,z++][x+=z,x+=z]

parity

0 1 2 3

6 parity

x+=z z++; z++;

y1=f(x)y2=xassert y1!= y2

x+=z z++; z++;

0 1 2 3

6 parity

x+=z z++; z++;

But we can also refine the abstraction…

0 1 2 3

parity

interval

octagon

0 1 2 3

(a) (b) (c)

(d) (e)

(f) (g)

parity parity

interval

octagon

x+=z z++; z++;

Choosing a solution

• Interval abstraction for our example:

([x+=z,x+=z] [z++,z++])∨ ([y1=f(x),y2=x] [x+=z,x+=z] [z++,z++])∧ ∨ ∨

• Minimal satisfying assignments– 1 = [z++, z++]– 2 = [x+=z, x+=z]

• Different Quantitative Notions:– Example: preference to solutions with fewer write

operations inside atomic sections

Separation between scheduling constraints in

and how they are realized

Can realize in program via atomic sections

Can realize in scheduler via benevolent scheduler

Implementation

Examples

Program Refine Steps Avoid Steps

Double buffering 1 2

Defragmentation 1 8

3D array update 2 23

Array Removal 1 17

Array Init 1 56

• Simplified versions of – Double buffering– Defragmentation – …

Future Work

• Add more powerful abstractions– E.g. Heap, Polyhedra

• Synthesize more complex synchronization– Infer practical concurrent algorithms

Motivation

Memory Fences

(Optional)

Results• Partial-Coherence Abstractions for Weak Memory Models

Kuperstein M., Vechev M., Yahav E.Submitted

• Automatic Inference of Memory Fences Kuperstein M., Vechev M., Yahav E.Submitted

• Verifying Linearizability with HindsightO'Hearn P., Rinetzky N., Vechev M., Yahav E., Yorsh G.PODC '10: Symposium on Principles of Distributed Computing

• Abstraction-Guided SynthesisVechev M., Yahav E., Yorsh G.POPL '10: 37th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages

• Experience with Model Checking LinearizabilityVechev M., Yahav E., Yorsh G. SPIN '09: 16th International SPIN Workshop on Model Checking of Software

• Inferring Synchronization Under Limited ObservabilityVechev M., Yahav E., Yorsh G. TACAS '09: 15th International Conference on Tools and Algorithms for the Construction and Analysis of Systems

• Deriving Linearizable Fine-Grained Concurrent ObjectsVechev M., Yahav EPLDI '08: ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation.

• CGCExplorer: A Semi-Automated Search Procedure for Provably Correct Concurrent CollectorsVechev M., Yahav E., Bacon D.F., and Rinetzky N. PLDI '07: ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation.

• Correctness-Preserving Derivation of Concurrent Garbage Collection AlgorithmsVechev M., Yahav E., and Bacon D.F. PLDI '06: ACM SIGPLAN 2006 Conference on Programming Language Design and Implementation.

http://www.research.ibm.com/paraglide/

Thanks

PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson...

Documents

Transcript of PRACTICAL SYNTHESIS OF CONCURRENT SYSTEMS Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson...

ETH Zurich Andreas Krause Martin Vechev Learning Programs ... · Martin Vechev Andreas Krause ETH Zurich. Why learn programs from examples? 2 Input/output examples often easier to

Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.

1 Lecture 08(b) – Typestate Verification Eran Yahav.

Lecture 04 – Syntax analysis: top-down and bottom-up parsing Eran Yahav 1.

At Home in England, Or Projecting Liberal Citizenship in Moll Flanders - Yahav-Brown

Bottom-Up Syntax Analysis Mooly Sagiv & Greta Yorsh msagiv/courses/wcc05.html Textbook:Modern Compiler Design Chapter 2.2.5 (modified)

Lecture 15 – Dataflow Analysis Eran Yahav 1 yahave/tocs2011/compilers-lec15.pptx.

Protective Order-Yahav 12112015

Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

IFM'17 keynote · IFM'17 keynote Author: Martin Vechev Created Date: 1/10/2018 2:11:04 AM ...

1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University gretay@post.tau.ac.il gretay Modern Compiler Design.

Correctness-Preserving Derivation of Concurrent Garbage Collection Algorithms Martin T. Vechev Eran Yahav David F. Bacon University of Cambridge IBM T.J.

Shiluvim Integration Yona Yahav

Yorsh & Morning

Hawkeye: Effective Discovery of Dataflow Impediments to Parallelization Omer Tripp John Field Greta Yorsh Mooly Sagiv.

Bottom-Up Syntax Analysis Mooly Sagiv & Greta Yorsh msagiv/courses/wcc04.html Textbook:Modern Compiler Design Chapter 2.2.5 (modified)

An Efficient Runtime for Detecting Defects in Deployed Systems Matt ArnoldMartin VechevEran Yahav.

1 Lecture 05 – Pointer Analyses & CSSV Eran Yahav.

Assume/Guarantee Reasoning using Abstract Interpretation Nurit Dor Tom Reps Greta Yorsh Mooly Sagiv.

1 Lecture 09 – Synthesis of Synchronization Eran Yahav.