In earlier work, we developed a variant of permission-based separation logic that is particularly suited to reason about multithreaded Java programs with dynamic thread creation and termination, and reentrant locks. This talk discusses how within the context of the VerCors project, we extend this approach to make it suitable to specify and verify concurrent data structures.
In particular, we will discuss the following topics:. Finally, we will also present how permission-based separation logic is also suitable to reason about programs in a different concurrency setting, such as GPU kernels written in OpenCL. Download the presentation Verification of Concurrent Datastructures. Safety-Critical Java SCJ is a novel version of Java that addresses issues related to real-time programming and certification of safety-critical applications. We cater for the specification of timing requirements and their decomposition towards the structure of missions and event handlers of SCJ.
We also consider the integrated refinement of value-based specifications into class-based designs using SCJ scoped memory areas. Download the presentation Safety-Critical Java in Circus.
Verifying real-world software with contracts for concurrency — Universidade NOVA de Lisboa
Henri Poincare recognised the importance of two tools of human intellect: science and intuition. View other publications. Software Engineering Institute Blogs. Concurrency Concurrency exists in three major forms, each of which has its own impact on testing: External concurrency a. This SUT-external concurrency leads to a large number of ways that inputs from the actors and outputs to the actors can be interleaved with the behavior of the SUT.
Actual concurrency a. For example, multiple systems within a system of systems SoS operate concurrently and relatively independently. Similarly, multiple subsystems within the same system typically operate concurrently. Individual subsystems might contain multiple computers running concurrently, and individual computers may have multiple processors or use multicore processors, adding even more levels of actual concurrency. Virtual concurrency a. Virtual concurrency is common due to the use of programming language-level concurrency i.
Concurrency has four significant consequences that greatly increase the complexity and difficulty of both system and software engineering and testing: Communication. Because concurrently executing components are part of the same software application, system, or system of systems, there is communication between these components. This communication may either be direct and intentional e.
Unfortunately, the existence of such interference paths can result in the violation of the intended spatial and temporal isolation of these components, even when technologies such as virtualization and containerization are used to enforce that isolation. Communication between concurrently executing components typically requires the synchronization of their behavior.
However, the number of test cases increases rapidly with the number of concurrent components because the timing and order of the resulting interleaving of their execution can occur in many ways. Concurrency can almost always cause nondeterministic behavior in which the execution with the same inputs may lead to different outcomes, so that behavior becomes probabilistic, and the same test may produce different results.
This lack of determinism can produce Heisenbugs that are hard to uncover and reproduce. It also makes it hard to determine the underlying concurrency defect. Concurrency Defects. Systems and software typically have concurrency-related architecture, design, and implementation defects that result in concurrency-related faults and failures. Many developers and testers often have only a minimal understanding and appreciation for the following types of concurrency defects, as well as the associated failure conditions and events: Deadlock is the failure condition that exists when a concurrent component cannot proceed because it needs to obtain a resource e.
Thus, each deadlocked component is forced to wait for the other one to release the resource it needs. Occasionally, more than two concurrent components can form a deadlocked ring.
An introduction to compositional methods for concurrency and their application to real-time
Livelock is the failure condition that exists when a concurrent component repeatedly obtains a needed resource but never completes its execution before losing that resource e. Starvation is the failure condition that exists when a concurrent component is ready to execute, but is indefinitely delayed because other components have the necessary resources.
Suspension is the failure condition that exists when a concurrent component is forced to wait too long before it can access a shared resource i. Race Condition a. A race condition can occur if the correct ordering of the operations is not enforced or if shared resources are not protected from simultaneous access.
For example, one thread or process writes to an unprotected memory location, while another simultaneously accesses it, thereby corrupting the stored data. Priority Inversion is the failure condition that exists when a higher priority operation of one concurrent component is forced to wait on the execution of a lower priority operation of another concurrent operation.
Atomicity Violation is the failure event that occurs when the execution of one concurrent component interrupts another concurrent component's execution that must run to completion without disruption. The interruption could be caused by a higher-priority task or an unexpected message, exception, timeout, hardware interrupt, crash, or reboot.
The following three additional types of concurrency-related defects may overlap with the previous ones or each other: Isolation Failure is any failure event during which two concurrently executing components unexpectedly access a shared resource simultaneously via an interference path, thereby violating the components' spatial or temporal isolation.
These shared resources can be processor-internal e. Note that a temporal isolation failure can lead to the failure of hard-real-time requirements e. Synchronization Failure is any failure event involving the synchronization of two or more concurrently executing components. Examples include 1 unexpected message, 2 expected message that fails to arrive, arrives too early, arrives too late, or 3 multiple messages that arrive in an incorrect order. Lack of Tolerance is any concurrency-related fault or failure condition that is not mitigated by an appropriate fault or failure tolerance mechanism such as exception handling or redundancy with voting.
In practice, concurrency defects typically share the following properties: Concurrency defects tend to cause intermittent faults or failures that only occur rarely, often after prolonged execution.
- Free for All: Joe Papp, The Public, and the Greatest Theater Story Ever Told?
- Concurrency and Protocol Verification | TS | Data61.
- Numerical partial differential equations for environmental scientists and engineers : a first practical course!
- The Night and The Music.
Concurrency defects cause faults and failures that are hard to both reproduce and analyze to identify their root causes. The same test inputs may produce different test results due to the nondeterministic nature of concurrent systems and software. The fault or failure may not reoccur when the software under test executes in debug mode. Concurrency defects can cause violations of both functional requirements and quality e. For example, accidental violations of temporal isolation in real-time systems may cause a violation of response time, jitter, and latency requirements.
Concurrency defects are often not explicitly addressed during test planning e. The different types of concurrency defects are only rarely used to drive the selection of test cases specifically designed to uncover them. Correcting concurrency defects often require specialized rearchitecting or redesign rather than simple, software code changes. August This lack of awareness and use has many reasons: Many concurrency testing techniques do not scale well to match the size and complexity of current systems.
Because complexity increases exponentially as the number of concurrently-executing components increases, it is not practical to exhaustively test all possible interleavings and synchronization orders.
- SETTA - Keynotes;
- Chemical Kinetics and Inorganic Reaction Mechanisms.
- Automated Deduction - CADE-25: 25th International Conference on Automated Deduction, Berlin, Germany, August 1-7, 2015, Proceedings!
- Other VU-programmes for you?
This complexity could lead to enormous test suites, and some of the proposed approaches concentrate on minimizing test suite size without unduly decreasing test effectiveness. Still, most of the proposed approaches do not necessarily scale well to address today's large and complex software applications, systems, and systems of systems.
Most developers and testers are relatively unfamiliar with explicitly dealing with concurrency. They lack adequate training in concurrency, concurrency-related defects, and concurrency-related testing. Developers and testers tend to be comfortable using the testing techniques they are familiar with, even though these techniques were not designed for testing concurrent systems and software. For example, Junit is a popular Java testing unit testing framework and tool that does not support concurrency testing out-of-the-box.
Most of the concurrency testing techniques have been developed for testing software. There has been relatively little research into addressing concurrency at the subsystem, system, and system of systems levels.
According to literature surveys, the majority of concurrency testing techniques are academic proposals rather than mature methods that have been demonstrated to be effective under real-world circumstances.