© 2007 GrammaTech, Inc. All rights reserved
GrammaTech, Inc., 317 N Aurora St., Ithaca, NY 14850. Tel: 607-273-7340. E-mail: info@grammatech.com

Verifying Software for Multi-core Systems
Presented by: Michael

Motivation
• Old: software got faster as hardware improved
• New: must parallelize software to benefit
• Challenges:
  › Concurrency bugs subtle, hard to diagnose
  › Verification hard for concurrent systems
  › Multi-core less forgiving
    • Parallelization must be fine grained
    • Shared memory behaves in odd ways
• DARPA project:
  › Flag bugs in lock-free algorithms

GrammaTech, Inc.
• ~25 people, including 10 PhDs
• Founded by Tim Teitelbaum (Cornell) and Tom Reps (Wisconsin)
• Locations: Ithaca NY, San Jose CA, Madison WI, Rochester NY
• Expertise: software analysis (static & dynamic) of source and binary
• Applications:
  › Software assurance (correctness, bug finding, malware detection)
  › Software re-writing (legacy software, anti-reverse-engineering)
• Research projects: NASA, Army, AF, Navy, OSD, NSF
• Products:
  › CodeSonar: bug finding for C/C++/Ada
  › CodeSurfer: program understanding + analysis library
• Customers: 150+
  › Lockheed Martin, FDA, Qualcomm, LG Electronics, NASA

Focusing on Formal Verification
• This talk focuses on verification by automatic analysis of software
  › Ideally, exhaustive exploration of software behavior without running the software
  › In practice, partial exploration that complements other verification methods
• Not covering:
  › Traditional testing
  › System testing
  › Inspections/audits
  › ...though formal verification techniques can be applied there too

Software Analysis Overview
[Figure: analysis approaches placed on a spectrum from "Rigorous / Complete / Exhaustive" (requires special expertise) to "Easy to apply / Fast / Scalable" (can give to engineering team)]
• Model checkers: proof of correctness; DARPA project
• Bug finders: detect buffer overflows, NPD; false positives/negatives; product: CodeSonar
• Enforce best practices: NASA/JPL SBIR Phase II

Sequential Code
Want to consider all inputs
[Figure: one sequential execution (Step 1 → Step 2 → Step 3) per input value (4, 5, 6, ...), each producing its own result (144, 342, 452, ...)]

Why concurrency is hard
Concurrent code: want to consider all inputs + all interleavings
Extra burden for the writer & the verifier
[Figure: the same input (4) run through two threads, each executing Step 1 → Step 2 → Step 3; different interleavings of the two threads produce different results (144, 145, 143)]

Multi-core verification inherits a lot
• Verification community has long focused on concurrency problems
  › Classical problems: dining philosophers
  › Protocol verification
  › Cache-coherence
• Multi-core verification inherits a long list of tricks/techniques
  › Partial-order reduction
  › Exploiting symmetry
    • In state
    • In threads

What's new with multi-core?
• Urgency
  › Software developers have no choice now
  › Performance has to come from keeping more cores busy
• Focus on performance / ease of porting
  › Shared memory more important than message passing
• Game developers hitting this already
  › Sony PlayStation 3: 8 cores
  › Tom Leonard, Valve:
    • High-level concurrency primitives too slow (mutex, semaphores, etc.)
    • Extensive reliance on lock-free algorithms

Bridging the Gap
[Figure: path from "Single-core application" to "Multi-core application", labelled "Slow" and "Correct"; the gap is bridged by lock-free synchronization and model checking for multi-core]

Lock-Free Algorithms
[Figure: two layered stacks. Traditional concurrent queue: queue data structure on top of synchronization data structures (locks, semaphores) on top of compare-and-swap instructions. Lock-free concurrent queue: queue data structure directly on top of compare-and-swap instructions]

Relaxed Memory Models
• Multicore systems do not respect sequential consistency
[Figure: illustration of the same shared value seen as "4" at some points and as "??" at others]

Consequences
• Relaxed memory models
  › "Proven" algorithms fail on multi-core systems
  › Impact not well understood
• Generally
  › Multi-threaded code works on single core, but not multi-core
  › Multi-core parallelism much finer grain
  › Multi-threaded code works faster on quad core when you turn 3 cores off
• Safer (& sometimes faster) to turn cores off

GrammaTech's DARPA project
[Figure: pipeline. A lock-free data structure plus a harness is analysed under a serial model, giving all possible serial executions, and under a relaxed memory model, giving all possible relaxed executions. An SMT solver compares the two sets: equal means OK; not equal yields a counterexample]
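As an added illustration of the slide's compare-the-two-models idea (this is not GrammaTech's tool or code), the Python below enumerates every schedule of a two-thread store-buffering litmus test under a serial (sequentially consistent) model and under a relaxed model with per-core FIFO store buffers, then reports the outcomes only the relaxed model admits. The litmus test, the variable names and the TSO-style buffer model are constructed assumptions; a real SMT-based checker would encode the same two execution sets symbolically instead of enumerating them.

```python
# Constructed store-buffering litmus test: each thread stores one shared
# variable, then loads the other.  Ops: ("store", var, value) / ("load", var, reg).
THREADS = (
    (("store", "x", 1), ("load", "y", "r1")),
    (("store", "y", 1), ("load", "x", "r2")),
)

def outcomes(threads, relaxed):
    """Final (r1, r2) values reachable over every schedule.  relaxed=False: serial
    model, stores reach shared memory at once.  relaxed=True: TSO-style, a store
    waits in its core's FIFO buffer (visible only to that core) until flushed."""
    n = len(threads)
    start = ((0,) * n, ((),) * n, (("x", 0), ("y", 0)), ())  # pcs, buffers, memory, regs
    seen, work, results = {start}, [start], set()
    while work:
        pcs, bufs, mem, regs = work.pop()
        succ = []
        for i in range(n):
            if pcs[i] < len(threads[i]):            # thread i executes its next op
                op, var, arg = threads[i][pcs[i]]
                npc = pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:]
                if op == "store" and relaxed:
                    nb = bufs[:i] + (bufs[i] + ((var, arg),),) + bufs[i + 1:]
                    succ.append((npc, nb, mem, regs))
                elif op == "store":
                    m = dict(mem); m[var] = arg
                    succ.append((npc, bufs, tuple(sorted(m.items())), regs))
                else:   # load: newest store in own buffer wins, else memory
                    val = dict(mem)[var]
                    for v, x in bufs[i]:
                        if v == var:
                            val = x
                    r = dict(regs); r[arg] = val
                    succ.append((npc, bufs, mem, tuple(sorted(r.items()))))
            if bufs[i]:                             # flush oldest store of core i
                (var, val), rest = bufs[i][0], bufs[i][1:]
                m = dict(mem); m[var] = val
                succ.append((pcs, bufs[:i] + (rest,) + bufs[i + 1:],
                             tuple(sorted(m.items())), regs))
        if not succ:                                # threads done, buffers drained
            results.add((dict(regs)["r1"], dict(regs)["r2"]))
        for s in succ:
            if s not in seen:
                seen.add(s); work.append(s)
    return results

def counterexamples(threads):
    """Outcomes the relaxed model admits but the serial model rules out."""
    return outcomes(threads, relaxed=True) - outcomes(threads, relaxed=False)
```

The serial model never yields r1 == r2 == 0, while the buffered model does; that single extra outcome is exactly the kind of counterexample the slide's "not equal" branch would report, and it is why an algorithm proven under sequential consistency can still fail on multi-core hardware.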

Software Analysis: What is needed
[Figure: the same spectrum as in the overview, from "Rigorous / Complete / Exhaustive" to "Easy to apply / Fast / Scalable", annotated with what multi-core requires from each kind of tool]
• Model checkers: proof of correctness; DARPA project
• Bug finders: detect buffer overflows, NPD; false positives/negatives; product: CodeSonar
• Enforce best practices: NASA/JPL SBIR Phase II
What is needed:
• Make tools aware of concurrency, with minimal impact on scalability
• What are the best practices for multicore?
• New languages, abstractions, memory models that help verification
• Better understanding of multi-core-specific issues

Conclusion
• Verification for multi-core inherits from a long tradition of concurrent verification
• These techniques need to be adapted for the concrete problems of multi-core
  › Tight coupling of CPUs
  › High-performance use of shared memory
  › Discrepancy between source POV and memory-op POV not well understood

The End
• Acknowledgements:
  › Thomas Reps (GrammaTech + U Wisconsin)
  › Sebastian Burckhardt (Microsoft Research)
• Questions?