1 / 21

Huayang Guo 1,2 , Ming Wu 1 , Lidong Zhou 1 , Gang Hu 1,2 , Junfeng Yang 2 , Lintao Zhang 1 1 Microsoft Research Asia 2

Practical Software Model Checking via Dynamic Interface Reduction. Huayang Guo 1,2 , Ming Wu 1 , Lidong Zhou 1 , Gang Hu 1,2 , Junfeng Yang 2 , Lintao Zhang 1 1 Microsoft Research Asia 2 Columbia University. Building reliable distributed systems is hard Machine failure Message lost

kiril
Download Presentation

Huayang Guo 1,2 , Ming Wu 1 , Lidong Zhou 1 , Gang Hu 1,2 , Junfeng Yang 2 , Lintao Zhang 1 1 Microsoft Research Asia 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Practical Software Model Checking via Dynamic Interface Reduction Huayang Guo1,2, Ming Wu1, Lidong Zhou1, Gang Hu1,2, Junfeng Yang2, Lintao Zhang1 1Microsoft Research Asia 2Columbia University

  2. Building reliable distributed systems is hard • Machine failure • Message lost • Message reorder • Thread interleaving • Non-determinism leads to tricky bugs Crash Async I/O Thr1 Thr2

  3. Implementation-level software model checkers • MaceMC (NSDI’07), MoDist (NSDI’09) • Directly check implementations • No need to construct abstract model beforehand State Space Explorer Crash Async I/O … Thr1 Thr2

  4. State space explosion • MPS: Product-level Paxos • Never fully explored 3 nodes • 34 years for MoDist …

  5. Dynamic Interface Reduction (DIR) • Effective • 34 years  18 hours (Fully explored MPS-3) • Exponential Reduction: • 100K : 1 states for MPS and Berkeley DB w/ replication • Automatic, no manual efforts required • Provably sound and complete • Easy to integrate with legacy MCs • DeMeter: DIR with MoDist and MaceMC • MC specific modifications: ≤ 1k loc

  6. Outline • Insight • Challenges • Dynamic Interface Reduction • Evaluation • Related work • Conclusion

  7. Insight • Distributed systems: componentized • Local non-determinism isolated • Empirically, 99.9% do not propagate (Berkeley DB) • Previous work: • Check components together • |m1|*|m2|*|m3| • DIR: • Check components separately • |m1|+|m2|+|m3| Async I/O m1 Interface behavior m2 Thr1 Thr3 Thr2 Thr4 m3

  8. Challenges and Solutions • How to discover/construct interface behavior of component? • Manually or statically construct interface process • Impractical for complex software system • How to guarantee • Completeness: find all bugs • Soundness: no false positives • Our solution: • Dynamically discover interface behaviors • Combine discovered interface behaviors • Track dependencies

  9. DIR Overview Global Explorer Explore global interface behaviors Interface behavior Interface behavior Interface behavior Interface behavior Interface behavior Interface behavior Local Explorers Component3 Component2 Component1 Explore local states Explore local states Explore local states

  10. Example Primary Secondary Client ClientPrimary/Secondary //Main thread //Checkpoint thread if (Choose(2)==0){ while (n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Send(P,2); total+=n; Unlock(); } else { Unlock(); Send(P,1); if (isPrimary) Send(P,3); Send(S,n); } } Ckpt Sum

  11. Produce initial global trace Client(Cli)Primary/Secondary(Pri/Sec) //Main thread//Checkpoint thread if (Choose(2)==0){ while(n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if(isPrimary) Send(P,3); Send(S,n); } } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum -- Produce initial global trace. Global explorer

  12. Construct message trace Client(Cli)Primary/Secondary(Pri/Sec) //Main thread//Checkpoint thread if (Choose(2)==0){ while(n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if(isPrimary) Send(P,3); Send(S,n); } } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum -- Bold statements form the message trace. Global explorer

  13. Project message trace Client(Cli)Primary/Secondary(Pri/Sec) //Main thread//Checkpoint thread if (Choose(2)==0){ while(n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if(isPrimary) Send(P,3); Send(S,n); } } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum Secondary Primary Client Pri.Recv(Cli, 1) Sec.Recv(Pri, 1) Cli.Send(Pri, 1) Pri.Send(Sec, 1) Sec.Recv(Pri, 2) Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Send(Sec, 2) -- Project global message trace to components. Global explorer

  14. Local explorer for Primary Client(Cli)Primary/Secondary(Pri/Sec) //Main thread//Checkpoint thread if (Choose(2)==0){ while(n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if(isPrimary) Send(P,3); Send(S,n); } } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum Local explorer for Primary Pri.Recv(Cli, 1) Pri.Recv(Cli, 1) Pri.Recv(Cli, 1) Pri.Sum Pri.Sum Pri.Ckpt Pri.Sum Pri.Ckpt Pri.Send(Sec, 1) Pri.Send(Sec, 1) Pri.Send(Sec, 1) Pri.Recv(Cli, 2) Pri.Recv(Cli, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Sum Pri.Sum Pri.Ckpt Global explorer Pri.Send(Sec, 2) Pri.Send(Sec, 2) Pri.Send(Sec, 2)

  15. Local explorer for Client Client(Cli)Primary/Secondary(Pri/Sec) //Main thread//Checkpoint thread if (Choose(2)==0){ while(n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if(isPrimary) Send(P,3); Send(S,n); } } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum Local explorer for Client Cli.Choose(2) = 0 Cli.Choose(2) = 1 Cli.Send(Pri, 1) Cli.Send(Pri, 1) Cli.Send(Pri, 2) Cli.Send(Pri, 3) Branching Trace Global explorer

  16. Composition Client(Cli)Primary/Secondary(Pri/Sec) //Main thread//Checkpoint thread if (Choose(2)==0){ while(n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if(isPrimary) Send(P,3); Send(S,n); } } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum Existing global message trace: Branching local message trace: == Cli.Send(Pri, 1) Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Cli.Send(Pri, 3) Cli.Send(Pri, 2) Pri.Recv(Cli, 2) dependence Pri.Send(Sec, 2) Global explorer Sec.Recv(Pri, 2)

  17. Composition Client(Cli)Primary/Secondary(Pri/Sec) //Main thread//Checkpoint thread if (Choose(2)==0){ while(n=Recv()) { Lock(); Send(P,1); Lock(); Log(total); Ckpt Send(P,2); total+=n; Sum Unlock(); } else { Unlock(); Send(P,1); if(isPrimary) Send(P,3); Send(S,n); } } Cli.Choose(2) = 0 Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Ckpt Pri.Sum Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Sec.Ckpt Sec.Sum Cli.Send(Pri, 2) Pri.Recv(Cli, 2) Pri.Sum Pri.Send(Sec, 2) Sec.Recv(Pri, 2) Sec.Sum New global message trace: Cli.Send(Pri, 1) Pri.Recv(Cli, 1) Pri.Send(Sec, 1) Sec.Recv(Pri, 1) Cli.Send(Pri, 3) Global explorer

  18. Evaluation • Experiment Setup • DeMeter-MoDist: • MPS, an deployed product implementation of Paxos • Berkeley DB (BDB) • DeMeter-MaceMC: • Chord, peer-to-peer DHT implementation

  19. Evaluation • Effectiveness of Dynamic Interface Reduction • App-n : n is the number of distributed nodes • Reduction Ratio: |Mw/o DIR| / |Mw DIR| x1000 x1000 x100

  20. Related Work • Compositional model checking • E.M.Clarke et. al. (Symposium on Logic in Computer Science 1989) • Partial-order reduction • C.Flanagan and P.Godefroid (POPL’05) • Model checking network system • R.Guerraoui and M.Yabandeh (NSDI’11)

  21. Conclusion • Distributed systems  componentized • Local non-determinism does not propagate • Dynamic interface reduction • Effective, automatic, easy • Provably sound and complete • DeMeter– enable DIR for legacy MCs

More Related