Citation Context

...980s. This section briefly reviews the specific methods that Gadara employs; see Cassandras & Lafortune for a comprehensive graduatelevel introduction to DCT [5]. Finite-state automata and Petri nets =-=[32]-=- are two common modeling formalisms used in DCT, and they are well suited for studying deadlock and other logical correctness properties of discrete event dynamic systems. Given a model of a system in...

Citation Context

...s body of theory developed since the mid-1980s. This section briefly reviews the specific methods that Gadara employs; see Cassandras & Lafortune for a comprehensive graduatelevel introduction to DCT =-=[5]-=-. Finite-state automata and Petri nets [32] are two common modeling formalisms used in DCT, and they are well suited for studying deadlock and other logical correctness properties of discrete event dy...

Citation Context

...bout. In our experience, a person with little or no knowledge of a large real program such as OpenLDAP can correctly annotate a function in a few minutes. A first pass of Gadara uses lockset analysis =-=[40]-=- to identify ambiguous functions, which are not numerous even in large programs. After the programmer annotates these, Gadara’s second pass exploits the annotations to reduce false positives. We have ...

Citation Context

...k-acquisition ordering is straightforward in principle but can be remarkably difficult to apply in practice. Static deadlock detection via program analysis has made impressive strides in recent years =-=[9,11]-=-, but spurious warnings can be numerous and the cost of manually repairing genuine deadlock bugs remains high. Dynamic deadlock detection may identify the problem too late, when recovery is awkward or...

Citation Context

...’s “Banker’s Algorithm” dynamically avoids resource deadlocks by postponing requests, thereby constraining a set of processes to a safe region from which it is possible for all processes to terminate =-=[7, 13, 22]-=- (mutex deadlocks call for different treatment because, unlike units of resources, mutexes are not fungible). Holt [16,17] improved the efficiency of the original algorithm and introduced a graphical ...

Citation Context

...k-acquisition ordering is straightforward in principle but can be remarkably difficult to apply in practice. Static deadlock detection via program analysis has made impressive strides in recent years =-=[9,11]-=-, but spurious warnings can be numerous and the cost of manually repairing genuine deadlock bugs remains high. Dynamic deadlock detection may identify the problem too late, when recovery is awkward or...

Citation Context

...ed response times under light load. The STM results in the last row of the table seem baffling. The optimistic concurrency of TM seems wellsuited to the PUBSUB server’s data structures and algorithms =-=[25]-=-. PUBSUB-STM should match the performance of the deadlock-free mutex variant under heavy load, and should achieve faster response times under light load. The Gadarized variant should (hopefully) perfo...

Citation Context

...lication, PUBSUB, to facilitate fault-injection experiments and comparisons with STM. At a high level, the main logic of the server resembles the “listener pattern” popularized by Miller [29] and Lee =-=[26]-=- to exemplify a simple, useful, and widespread programming pattern that is remarkably troublesome under concurrency. Our PUBSUB server supports three operations: clients may subscribe to channels, pub...

Citation Context

... the details of Gadara’s phases, we review elements of DCT crucial to Gadara’s operation. 3 Discrete Control Theory Prior research has applied feedback control techniques to computer systems problems =-=[14]-=-. However, this research applied classical control to time-driven systems modeled with continuous variables evolving according to differential or difference equations. Classical control cannot model l...

Citation Context

...me is permitted to execute the code above. This approach guarantees deadlock avoidance, but may be deemed unnecessary by programmers: In practice, most real deadlock bugs involve different lock types =-=[9, 28]-=-, since it is relatively easy to ensure correct lock ordering within the same lock type. The programmer may therefore choose to disable Gadara’s deadlock avoidance for deadlocks involving a single loc...

Citation Context

...ks, e.g., due to repeatedly locking a nonrecursive mutex; Gadara issues warnings about such deadlocks. Another limitation inherent to the domain involves the undecidability of general static analysis =-=[23]-=-. It is well known that no method exists for statically determining with certainty any non-trivial dynamic/behavioral property of a program, including deadlock susceptibility. However, most real-world...

Citation Context

...e-grained locking. Deadlock in lockbased programs is difficult to reason about because locks are not composable: Deadlock-free lock-based software components may interact to deadlock a larger program =-=[44]-=-. Deadlock-freedom is a global program property that is difficult to reason about and difficult to coordinate across independently developed software modules. Non-composability therefore undermines th...

Citation Context

...subscribe application, PUBSUB, to facilitate fault-injection experiments and comparisons with STM. At a high level, the main logic of the server resembles the “listener pattern” popularized by Miller =-=[29]-=- and Lee [26] to exemplify a simple, useful, and widespread programming pattern that is remarkably troublesome under concurrency. Our PUBSUB server supports three operations: clients may subscribe to ...

Citation Context

...to a safe region from which it is possible for all processes to terminate [7, 13, 22] (mutex deadlocks call for different treatment because, unlike units of resources, mutexes are not fungible). Holt =-=[16,17]-=- improved the efficiency of the original algorithm and introduced a graphical understanding of its operation. While the classic Banker’s Algorithm is sometimes used in real-time computing, its usefuln...

Citation Context

... enumeration of the state space (the C1 U1 C2 U2 284 8th USENIX Symposium on Operating Systems Design and Implementation USENIX Associationset of all markings reachable from a given initial marking) =-=[15]-=-. This is a key advantage of Petri nets over automata, which by construction enumerate the entire state space and thus do not scale to large systems. In a Petri net, state information is distributed a...

Citation Context

...hot replies (the latter are supposed to be atomic); we saw no suspicious replies in our tests. The client emulator generates open-arrival requests, which allows us to control server load more readily =-=[41]-=-, by using separate threads to issue requests and read replies. We test three variants of the PUBSUB server under two conditions: in heavy-load tests, clients issue requests as rapidly as possible; li...

Citation Context

...t employ linear algebraic manipulations of matrix representations [32]. In turn, these techniques underlie the control synthesis methodology known as Supervision Based on Place Invariants (SBPI); see =-=[19,31]-=- and references therein. Gadara uses SBPI for control logic synthesis. In SBPI, the control synthesis problem is posed in terms of a set of linear inequalities on the marking of the Petri net. SBPI st...

Citation Context

...’s “Banker’s Algorithm” dynamically avoids resource deadlocks by postponing requests, thereby constraining a set of processes to a safe region from which it is possible for all processes to terminate =-=[7, 13, 22]-=- (mutex deadlocks call for different treatment because, unlike units of resources, mutexes are not fungible). Holt [16,17] improved the efficiency of the original algorithm and introduced a graphical ...

Citation Context

...formance problem lies in the interaction between I/O and the semantics of atomic { } blocks. At best, it is very difficult for a TM system to permit concurrency among atomic sections that perform I/O =-=[42, 49]-=-. The Intel STM prototype permits I/O within atomic blocks, but it marks such blocks as “irrevocable” and serializes their execution [18]. Like many modern server and client applications [3], PUBSUB p...

Citation Context

... it is straightforward to inject deadlock faults by perturbing this order. We replaced locks with atomic { } blocks to obtain a variant suitable for the Intel C/C++ compiler’s prototype STM extension =-=[18, 34]-=-. We ran our benchmark tests in the test environment depicted Server at right. The server is an HP Compaq dc7800 CMT with 8 GB RAM and a dual-core Intel 2.66 GHz CPU running 64bit SMP Linux kernel 2.6...

Citation Context

...’s “Banker’s Algorithm” dynamically avoids resource deadlocks by postponing requests, thereby constraining a set of processes to a safe region from which it is possible for all processes to terminate =-=[7, 13, 22]-=- (mutex deadlocks call for different treatment because, unlike units of resources, mutexes are not fungible). Holt [16,17] improved the efficiency of the original algorithm and introduced a graphical ...

Citation Context

... conditions [38], but irrevocable actions such as I/O may preclude rollback. Dynamic detection of potential deadlocks (inconsistent lock acquisition ordering) can complement static deadlock detection =-=[1, 2]-=-. Dijkstra’s “Banker’s Algorithm” dynamically avoids resource deadlocks by postponing requests, thereby constraining a set of processes to a safe region from which it is possible for all processes to ...

Citation Context

...nential in the number of distinct lock types held by any thread at any instant; better worstcase performance is unlikely because MPC logic synthesis is NP-hard even in our special class of Petri nets =-=[39]-=-. In practice, however, Gadara’s entire control logic synthesis phase typically terminates after a single iteration. For a real program like OpenLDAP slapd, it is more than an order of magnitude faste...

Citation Context

...nappropriate for our domain [39, 45]. Generalizations of the Banker’s Algorithm address mutex deadlocks, and some can exploit (but do not provide) models of program behavior of varying sophistication =-=[10, 12, 24, 30, 33, 50]-=-. Gadara differs in several respects. First, it both generates and exploits models of real programs with greater generality and fidelity. More importantly, Gadara’s online computations are much more e...

Citation Context

...ne, ensuring that no such deadlocks can occur at run time. We have developed strategies for siphon analysis that exploit the special structure of our Petri net models and employ recent results in DCT =-=[27]-=-. These strategies accelerate convergence of Gadara’s iterative algorithm while preserving the MPC property. In summary, siphon analysis and SBPI augment the program’s Petri net model with control pla...

Citation Context

...isitions are not globally serialized. Nir-Buchbinder et al. describe a two-stage “exhibiting/healing” scheme that prevents previously observed lock discipline violations from causing future deadlocks =-=[35]-=-. The “exhibiting” phase attempts to trigger lock discipline violations during testing by altering lock acquisition timing. “Healing” then addresses the potential deadlocks thus found by adding gate l...

Citation Context

... I/O [42, 49]. The Intel STM prototype permits I/O within atomic blocks, but it marks such blocks as “irrevocable” and serializes their execution [18]. Like many modern server and client applications =-=[3]-=-, PUBSUB performs I/O in critical sections (to ensure that snapshot replies are atomic), and this leads to serialization in the STM variant of PUBSUB. TM is widely touted as more convenient for the pr...

Citation Context

... conditions [38], but irrevocable actions such as I/O may preclude rollback. Dynamic detection of potential deadlocks (inconsistent lock acquisition ordering) can complement static deadlock detection =-=[1, 2]-=-. Dijkstra’s “Banker’s Algorithm” dynamically avoids resource deadlocks by postponing requests, thereby constraining a set of processes to a safe region from which it is possible for all processes to ...

Citation Context

...ven specifications. For Gadara, an example of an uncontrollable program is one that repeatedly acquires a nonrecursive mutex. Gadara achieves deadlock avoidance by combining SBPI with siphon analysis =-=[4]-=-. A siphon is a set of places that never regains a token if it becomes empty. If a Petri net arrives at a marking with an empty siphon, no transition reached by the siphon’s places can ever fire. We c...

Citation Context

...formance problem lies in the interaction between I/O and the semantics of atomic { } blocks. At best, it is very difficult for a TM system to permit concurrency among atomic sections that perform I/O =-=[42, 49]-=-. The Intel STM prototype permits I/O within atomic blocks, but it marks such blocks as “irrevocable” and serializes their execution [18]. Like many modern server and client applications [3], PUBSUB p...

Citation Context

...t employ linear algebraic manipulations of matrix representations [32]. In turn, these techniques underlie the control synthesis methodology known as Supervision Based on Place Invariants (SBPI); see =-=[19,31]-=- and references therein. Gadara uses SBPI for control logic synthesis. In SBPI, the control synthesis problem is posed in terms of a set of linear inequalities on the marking of the Petri net. SBPI st...

Citation Context

... separate verification step. Wallace et al. [46] proposed the use of DCT in IT automation for scheduling actions in workflow management. We proposed a failure-avoidance system for workflows using DCT =-=[48]-=-. However, these prior efforts assume severely restricted programming paradigms. Gadara moves beyond these limitations and handles multithreaded C programs. DCT has not previously been applied in comp...

Citation Context

...to a safe region from which it is possible for all processes to terminate [7, 13, 22] (mutex deadlocks call for different treatment because, unlike units of resources, mutexes are not fungible). Holt =-=[16,17]-=- improved the efficiency of the original algorithm and introduced a graphical understanding of its operation. While the classic Banker’s Algorithm is sometimes used in real-time computing, its usefuln...

Citation Context

... with the lock type. Translation To Petri Nets Translating the CFG into a Petri net follows the methodology described in Section 3. A detailed discussion of modeling Pthread functions can be found in =-=[21]-=-. Here, we focus on practical issues related to modeling real-world programs. We translate each function’s CFG into a Petri net in which each transition has a single input place and a single output pl...

Citation Context

...nappropriate for our domain [39, 45]. Generalizations of the Banker’s Algorithm address mutex deadlocks, and some can exploit (but do not provide) models of program behavior of varying sophistication =-=[10, 12, 24, 30, 33, 50]-=-. Gadara differs in several respects. First, it both generates and exploits models of real programs with greater generality and fidelity. More importantly, Gadara’s online computations are much more e...

Citation Context

...ntroller (possibly obtained in an ad hoc or heuristic manner) satisfies the specifications. DCT control is correct by construction, obviating the need for a separate verification step. Wallace et al. =-=[46]-=- proposed the use of DCT in IT automation for scheduling actions in workflow management. We proposed a failure-avoidance system for workflows using DCT [48]. However, these prior efforts assume severe...

Citation Context

...nappropriate for our domain [39, 45]. Generalizations of the Banker’s Algorithm address mutex deadlocks, and some can exploit (but do not provide) models of program behavior of varying sophistication =-=[10, 12, 24, 30, 33, 50]-=-. Gadara differs in several respects. First, it both generates and exploits models of real programs with greater generality and fidelity. More importantly, Gadara’s online computations are much more e...

Citation Context

...immunization” scheme that dynamically detects specific deadlocks, records the contexts in which they occur, and dynamically attempts to avoid recurrences of the same contexts in subsequent executions =-=[20]-=-. This approach dynamically performs lock-acquisition safety checks on an allocation graph; the computational complexity of these checks is linear, polynomial, and exponential in various problem size ...

Citation Context

...al application, the OpenLDAP directory server. Additional technical details on the Discrete Control Theory techniques underlying Gadara and experiments on randomly generated programs are available in =-=[47]-=-. The remainder of this paper is organized as follows: Section 2 provides an overview of our approach and Section 3 introduces elements of Discrete Control Theory central to Gadara. Section 4 describe...

Citation Context

...nappropriate for our domain [39, 45]. Generalizations of the Banker’s Algorithm address mutex deadlocks, and some can exploit (but do not provide) models of program behavior of varying sophistication =-=[10, 12, 24, 30, 33, 50]-=-. Gadara differs in several respects. First, it both generates and exploits models of real programs with greater generality and fidelity. More importantly, Gadara’s online computations are much more e...

Citation Context

... program’s dynamic resource consumption that is difficult to specify. The Banker’s Algorithm has been applied to manufacturing systems under assumptions and system models inappropriate for our domain =-=[39, 45]-=-. Generalizations of the Banker’s Algorithm address mutex deadlocks, and some can exploit (but do not provide) models of program behavior of varying sophistication [10, 12, 24, 30, 33, 50]. Gadara dif...

Citation Context

...nappropriate for our domain [39, 45]. Generalizations of the Banker’s Algorithm address mutex deadlocks, and some can exploit (but do not provide) models of program behavior of varying sophistication =-=[10, 12, 24, 30, 33, 50]-=-. Gadara differs in several respects. First, it both generates and exploits models of real programs with greater generality and fidelity. More importantly, Gadara’s online computations are much more e...

Citation Context

...blem too late, when recovery is awkward or impossible; automated rollback and re-execution can help [38], but irrevocable actions such as I/O can preclude rollback. Variants of the Banker’s Algorithm =-=[8]-=- provide dynamic deadlock avoidance, but require more resource demand information than is often available and involve expensive runtime calculations. Fear of deadlock distorts software development and...

Citation Context

...s body of theory developed since the mid-1980s. This section briefly reviews the specific methods that Gadara employs; see Cassandras & Lafortune for a comprehensive graduatelevel introduction to DCT =-=[5]-=-. Finite-state automata and Petri nets [32] are two common modeling formalisms used in DCT, and they are well suited for studying deadlock and other logical correctness properties of discrete event dy...

Citation Context

...nappropriate for our domain [39, 45]. Generalizations of the Banker’s Algorithm address mutex deadlocks, and some can exploit (but do not provide) models of program behavior of varying sophistication =-=[10, 12, 24, 30, 33, 50]-=-. Gadara differs in several respects. First, it both generates and exploits models of real programs with greater generality and fidelity. More importantly, Gadara’s online computations are much more e...

Citation Context

...nually repairing genuine deadlock bugs remains high. Dynamic deadlock detection may identify the problem too late, when recovery is awkward or impossible; automated rollback and re-execution can help =-=[38]-=-, but irrevocable actions such as I/O can preclude rollback. Variants of the Banker’s Algorithm [8] provide dynamic deadlock avoidance, but require more resource demand information than is often avail...

Citation Context

...s program analysis techniques to identify potential deadlocks. Examples from the research literature include the Extended Static Checker (ESC) [11] and RacerX [9]; commercial tools are also available =-=[43]-=-. Adoption, however, is far from universal because spurious bug reports are common for real-world programs, and it can be difficult to separate the wheat from the chaff. Repair of real defects identif...