Application of Deadlock Risk Evaluation of Architectural Models

Software architectural evaluation is a key discipline used to identify, at early stages of a real-time system (RTS) development, the problems that may arise during its operation. Typical mechanisms supporting concurrency, such as semaphores, mutexes or monitors, usually lead to concurrency problems in execution time that are difficult to be identified, reproduced and solved. For this reason, it is crucial to understand the root causes of these problems and to provide support to identify and mitigate them at early stages of the system lifecycle. This paper aims to present the results of a research work oriented to the development of the tool called ‘Deadlock Risk Evaluation of Architectural Models’ (DREAM) to assess deadlock risk in architectural models of an RTS. A particular architectural style, Pipelines of Processes in Object-Oriented Architectures–UML (PPOOA) was used to represent platform-independent models of an RTS architecture supported by the PPOOA –Visio tool. We validated the technique presented here by using several case studies related to RTS development and comparing our results with those from other deadlock detection approaches, supported by different tools. Here we present two of these case studies, one related to avionics and the other to planetary exploration robotics. Copyright © 2011 John Wiley & Sons, Ltd

A Reactive and Cycle-True IP Emulator for MPSoC Exploration

The design of MultiProcessor Systems-on-Chip (MPSoC) emphasizes intellectual-property (IP)-based communication-centric approaches. Therefore, for the optimization of the MPSoC interconnect, the designer must develop traffic models that realistically capture the application behavior as executing on the IP core. In this paper, we introduce a Reactive IP Emulator (RIPE) that enables an effective emulation of the IP-core behavior in multiple environments, including bitand cycle-true simulation. The RIPE is built as a multithreaded abstract instruction-set processor, and it can generate reactive traffic patterns. We compare the RIPE models with cycle-true functional simulation of complex application behavior (tasksynchronization, multitasking, and input/output operations). Our results demonstrate high-accuracy and significant speedups. Furthermore, via a case study, we show the potential use of the RIPE in a design-space-exploration context

Predicting Errors in Concurrent Systems

Die Verbreitung von Multikernprozessoren hat die parallele Programmierung allgegenwärtig gemacht. Parallele Programmierung ist schwierig, da sie die Entwicklung auf Grund vielfacher Kontrollflüsse und Nicht-Determinismus fehleranfällig macht. Zusätzlich gibt es neue Arten von Fehlern, wie z.B. Wettläufe, Verklemmungen oder Reihenfolgeverletzung. Diese Fehler sind wegen der großen Anzahl von möglichen Verschränkungen schwer zu finden. Dynamische Analyseansätze führen das Programm aus und untersuchen die beobachtete Ausführung. Dynamische Analyse ist präzise, da sie eine tatsächliche Ausführung mit realen Werten und Zuständen beobachtet. Diese Ansätze erzeugen falsch Negative, wegen nicht erforschter Wege und Verschränkungen. Die unterschiedlichen Verschränkungen treten mit unterschiedlicher Häufigkeit auf, wegen externer Faktoren, wie z.B. Compiler, Prozessor oder Arbeitslast. In dieser Arbeit präsentieren wir einen Ansatz, der Fehler aus einer einzigen Spur eines parallelen Programms vorhersagt. Wir berechnen off-line alternative Verschränkungen, um den Zeitmessungseffekt der beobachteten Ausführung zu reduzieren. Wir bauen ein Modell mit Hilfe einer Prozessalgebra, das die Reihenfolge der Spur verallgemeinert; es extrapoliert mögliche Verschränkungen. Im Modell wird nach verschiedenen Nebenläufigkeitsfehlern gesucht. Ein vorhergesagter Fehler wird von einer Verschränkung begleitet, die in dem Programm erzwungen wird, um den Fehler zu reproduzieren. Der Ansatz wurde für Verklemmungs- und Wettlauferkennung im Vergleich zu anderen dynamischen Ansätzen evaluiert. Die Verringerung von falschen Warnungen bewegt sich im Bereich von 50% bis 86%, mit gleicher oder höherer Präzision. Das vorgestellte Werkzeug und sein Modell sind anpassbar für andere Reihenfolgeverletzungen. Diese Fehler erfordern eine Spezifikation, die die relevanten Ereignisse im Programm definiert und die gültigen oder ungültigen Ordnungen beschreibt. Wir zeigen dieses Vorgehen an sieben Anwendungsbeispielen

A model-based approach for the specification and refinement of streaming applications

Embedded systems can be found in a wide range of applications. Depending on the application, embedded systems must meet a wide range of constraints. Thus, designing and programming embedded systems is a challenging task. Here, model-based design flows can be a solution. This thesis proposes novel approaches for the specification and refinement of streaming applications. To this end, it focuses on dataflow models. As key result, the proposed dataflow model provides for a seamless model-based design flow from system level to the instruction/logic level for a wide range of streaming applications

Formal verification of concurrent programs

Interactive theorem proving provides a general approach to modeling and verification of both finite-state and infinite-state systems but requires significant human efforts to deal with many tedious proofs. On the other hand, model-checking is limited to some application domain with small finite-state space. A natural thought for this problem is to integrate these two approaches. To keep the consistency of the integration and ensure the correctness of verification, we suggest to use type theory based theorem provers (e.g. Lego) as the platform for the integration and build a model-checker to do parts of the verification automatically. We formalise a verification system of both CCS and an imperative language in the proof development system Lego which can be used to verify both finite-state and infinite-state problems. Then a model-checker, LegoMC, is implemented to generate Lego proof terras for finite-state problems automatically. Therefore people can use Lego to verify a general problem with some of its finite sub-problems verified by LegoMC. On the other hand, this integration extends the power of model-checking to verify more complicated and infinite-state models as well. The development of automatic techniques and the integration of different reasoning methods would directly benefit the verification community. It is expected that further extension and development of this verification environment would be able to handle real life systems. On the other hand, the research gives us some experiences about how to automate proofs in interactive theorem provers and therefore will improve the usability and applicability of the theorem proving technology

Causality-based verification

Program verification is one of the central research topics in computer science since its inception – we can consider the field to be initiated as early as in 1949, with Alan Turing’s pioneering paper “Checking a Large Routine.” Yet, we are still far from the dream of automatically proving every computer program correct. Two aspects make this problem particularly challenging: concurrent program execution on parallel processors, and large, or even infinite, state spaces of data-manipulating programs. Nowadays, with concurrency entering everywhere, from smartphones to aircrafts, proving the correctness of infinite-state concurrent programs becomes increasingly more important: we do want to be sure that the program that controls the airplane we are flying in is correct. In this thesis we propose a new approach to the verification of infinitestate concurrent programs. We call it causality-based, because it captures in an automatic proof system the “cause-effect” reasoning principles, which are often used informally in manual correctness proofs. While traditionally automatic methods are based on the state space exploration, our method is based on a new concurrency model, called concurrent traces, which are the abstractions of the history of a concurrent program to some key events and the relationships between them. Causality-based proof rules relate concurrent traces with each other, by formally tracking what are the necessary consequences (the “effects”) from a particular analysis situation (the “cause”). The full correctness proof is then a composition of such primitive proof steps. We study the syntactic and language-based properties of concurrent traces, and characterize the complexity of such operations as emptiness checking and language inclusion. Regarding the program correctness, we develop proof systems for the broad classes of safety and liveness properties, and provide algorithms for the automatic construction of correctness proofs. We demonstrate that for practically relevant classes of programs, such as multi-threaded programs with binary semaphores, the constructed proofs are of polynomial size, and can be also checked in polynomial time. The methods of the thesis have been implemented in Arctor, the first scalable termination prover for concurrent programs, which is able to handle programs with hundreds of non-trivial threads.Die Programmverifikation ist seit den Anfängen der Informatik eines ihrer zentralen Forschungsfelder. Als Beginn dieser Forschungsrichtung kann bereits das Jahr 1949 betrachtet werden, in dem Alan Turings bahnbrechende Arbeit “Checking a Large Routine” erschien. Der Traum, die Korrektheit von Programmen stets automatisch beweisen zu können, ist aber auch heute noch weit davon entfernt, Realität zu sein. Es gibt zwei Aspekte, die dieses Problem zu einer solch großen Herausforderung machen: die nebenläufige Ausführung von Programmen auf Parallelrechnern, und die großen, oder sogar unendlichen, Zustandsräume von datenverarbeitenden Programmen. Nebenläufige Programme werden in immer mehr Anwendungsbereichen, von Handys bis zur Luftfahrt, eingesetzt. Automatische Korrektheitsbeweise werden daher immer wichtiger: wenn wir mit dem Flugzeug reisen, möchten wir sicher sein, dass das Programm, das das Flugzeug steuert, auch tatsachlich korrekt ist. In dieser Arbeit schlagen wir einen neuen Ansatz für die Verifikation von nebenläufigen Programmen mit unendlichem Zustandsraum vor. Wir nennen den Ansatz “kausalitätsbasiert”, weil er im Rahmen eines automatischen Beweissystems die “Ursache-Wirkung”-Beziehungen erfasst, die sonst eher informell in manuellen Korrektheitsbeweisen benutzt werden. Anders als traditionelle automatische Methoden, die den Zustandsraums explorieren, baut unser Ansatz auf einem neuen nebenläufigen Berechnungsmodell, dem der “nebenläufigen Spuren”, auf. Eine nebenläufige Spur ist eine Abstraktion der Vergangenheit eines nebenläufigen Programms im Hinblick auf bestimmte Schlüsselereignisse und die Beziehungen zwischen diesen Ereignissen. Kausalitätsbasierte Beweis-regeln setzen nebenläufige Spuren zueinander in Bezug, indem die Konsequenzen (die “Wirkungen”) einer bestimmten analytischen Situation (der “Ursache”) auf eine formale Art und Weise verfolgt werden. Der vollständige Korrektheitsbeweis setzt sich dann aus solchen einfachen Beweisschritten zusammen. Wir untersuchen die syntaktischen und sprachtheoretischen Eigenschaften von nebenläufigen Spuren, und charakterisieren die Komplexität von Operationen wie den Tests auf leere Sprache und Sprachinklusion. Wir entwickeln Beweissysteme zum Nachweis der Programmkorrektheit für die allgemeinen Klassen der Sicherheits- und Lebendigkeitseigenschaften, und stellen Algorithmen vor, die solche Beweise automatisch konstruieren. Für aus praktischer Sicht relevante Klassen von Programmen, wie Multi-Thread Programme mit binären Semaphoren, zeigen wir, dass die konstruierten Beweise polynomiell groß sind und auch in polynomieller Zeit geprüft werden können. Die in der Arbeit vorgestellten Methoden wurden im Verifikationswerkzeug Arctor implementiert. Arctor is der erste skalierbare Terminierungsbeweiser für nebenläufige Programme. Arctor kann Programme mit Hunderten nicht-trivialer Threads verarbeiten

Specification and verification of synchronisation classes in Java:A practical approach

Digital services are becoming an essential part of our daily lives. To provide these services, efficient software plays an important role. Concurrent programming is a technique that developers can exploit to gain more performance. In a concurrent program several threads of execution simultaneously are being executed. Sometimes they have to compete to access shared resources, like memory. This race of accessing shared memories can cause unexpected errors. Programmers use synchronisation constructs to tame the concurrency and control the accesses. In order to develop reliable concurrent software, the correctness of these synchronisation constructs is crucial. In this thesis we use a program logic, called permission-based Separation Logic, to statically reason about the correctness of synchronisation constructs. The logic has the power to reason about correct ownership of threads regarding shared memory. A correctly functioning synchroniser is responsible for exchanging a correct permission when a thread requests access to the shared memory. We use our VERCORS verification tool-set to verify the correctness of various synchronisation constructs. In Chapter 1 we discuss the scope of the thesis. All the required technical background about permission-based Separation Logic and synchronisation classes is explained in Chapter 2. In Chapter 3 we discuss how threads' start and join as minimum synchronisation points can be verified. To verify correctness of the synchronisation classes we have to first specify expected behaviour of the classes. This is covered in Chapter 4. In this chapter we present a unified approach to abstractly describe the common behaviour of synchronisers. Using our specifications, one is able to reason about the correctness of the client programs that access the shared state through the synchronisers. The atomic classes of java.util.concurrent are the core element of every synchronisation construct implementation. In Chapter 5 and Chapter 6 we propose a specification for atomic classes. Using this contract, we verified the implementation of synchronisation constructs w.r.t to their specifications from Chapter 4. In our proposed contract the specification of the atomic classes is parameterized with the protocols and resource invariants. Based on the context, the parameters can be defined. In Chapter 7 we propose a verification stack where each layer of stack verifies one particular aspect of a specified concurrent program in which atomic operations are the main synchronisation constructs. We demonstrate how to verify that a non-blocking data structure is data-race free and well connected. Based on the result of the verification from the lower layers, upper layers can reason about the functional properties of the concurrent data structure. In Chapter 8 we present a sound specification and verification technique to reason about data race freedom and functional correctness of GPU kernels that use atomic operations as synchronisation mechanism. Finally, Chapter 9 concludes the thesis with future directions