Ji-liang LUO,Hui SHAO,Wei-min WU,Hong-ye SU

DOI: https://doi.org/10.7641/CTA.2017.60929

2018-01-01

Abstract:More and more control elements are incorporated into a single system by the information technology such as internet of things.Consequently,the scale of a control system increases quickly,and the control specification becomes more and more complicated.Any logic mistake that violates a given control specification may lead to a serious industrial failure and even security issue.Besides,there is a"state space explosion"for discrete event systems.These make a challenge for designing and debugging programs running in programmable logic controllers(PLCs)or field programmable gate arrays (FPGAs).The supervisory control theory of discrete event systems is to implement a given complicated logic specification by formal methods. The specification such as interlock,sequence,mutual exclusion,and language is expressed by a Petri net or automata.It is in turn translated into codes that can be executed by a PLC or FPGA.This paper surveys these formal methods for synthesis of logical controller,which are to shorten the costed time for control programs,to ease the reuse of them,and to increase the safety and reliability of them.

Jiliang Luo,Weimin Wu,Hongye Su,Jian Chu

2006-01-01

Abstract:This paper addresses supervisor synthesis for discrete event systems modeled by controlled Petri nets. The considered control problem is to enforce a conjunction of generalized mutual exclusion constraint-, on a controlled Petri net where the influence uncontrollable subnets are joint-free nets. The properties of jointfree nets are proposed. The necessary and sufficient condition of the existence of the maximally permissive (optimal) supervisor is then obtained utilizing these properties. Furthermore, an algorithm is proposed to design the optimal supervisor with a complexity of polynomial times. The theoretic results are illustrated by an example of synthesizing the optimal supervisor for a manufacturing system.

Feihua Lu,Weimin Wu,Hongye Su,Jian Chu

DOI: https://doi.org/10.1002/asjc.194

IF: 2.4

2010-01-01

Asian Journal of Control

Abstract:The non-blocking property of discrete event systems can formulate many practical and important properties of manufacturing systems, such as deadlock freeness, liveness and reversibility. But it is difficult to guarantee non-blocking control. This paper presents a hybrid approach to decentralized control of discrete event systems. More generalized constraints are considered in this approach, which gives a graphical way of designing coordinators to keep the non-blocking property of the closed-loop system with decentralized supervisors. This approach also guarantees that the closed-loop system is maximally permissive.

Yu Ru,Weimin Wu,Hongye Su,Jian Chu

DOI: https://doi.org/10.1109/wcica.2004.1340774

2004-01-01

Abstract:Due to the introduction of uncontrollable transitions in the supervisory control of discrete event systems modeled by controlled Petri nets, a disjunction of several linear inequalities is needed to express the admissible markings. In this paper, we propose a two level hierarchical control synthesis method to deal with this kind of OR logic constraints. In the method, the constraint function plays an important role not only in the construction of the low level monitor but also in the determination of the control policy. The obtained supervisor is maximally permissive and the online computation has the complexity of polynomial times. An example is used to illustrate the proposed synthesis algorithm.

s u hongye,weimin,wu jian chu

2005-01-01

ACTA AUTOMATICA SINICA

Abstract:A quite great progress of the supervisory control theory for discrete event systems (DES) has been made in the past nearly twenty years, and now, automata, formal language and Petri nets become the main research tools. This paper focus on the Petri nets based supervisory control theory of DES. Firstly, we review the research results in this field, and claim that there generally exists a problem in Petri nets based supervisory control theory of DES, that is, the deadlock caused by the controller introduced to enforce the given specification occurs in the closed-loop systems, especially the deadlock occurs in the closed-loop system in which the original plant is live. Finally, a possible research direction is presented for the solution of this problem.

Stephane Lafortune,Yin Wang

2009-01-01

Abstract:Software reliability is an increasingly pressing concern as the multicore revolution forces parallel programming upon the average programmer. Many existing approaches to software failure are ad hoc, based on best-practice heuristics. Often these approaches impose onerous burdens on developers, entail high runtime performance overheads, or offer no help for unmodified legacy code. We demonstrate that discrete control theory can be applied to software failure avoidance problems. Discrete control theory is a branch of control engineering that addresses the control of systems with discrete state spaces and event-driven dynamics. Typical modeling formalisms used in discrete control theory include automata and Petri nets, which are well suited for modeling software systems. In order to use discrete control theory for software failure avoidance problems, formal models of computer programs must first be constructed. Next, control logic must be synthesized from the model and given behavioral specifications. Finally, the control logic must be embedded into the execution engine or the program itself. At runtime, the provably correct control logic guarantees that the given failure-avoidance specifications are enforced. This thesis employs the above methodology in two different application domains: failure avoidance in information technology automation workflows and deadlock avoidance in multithreaded C programs. In the first application, we model workflows using finite-state automata and synthesize controllers for safety and nonblocking specifications expressed as regular languages using an automata-based discrete control technique, called Supervisory Control. The second application addresses the problem of deadlock avoidance in multithreaded C programs that use lock primitives. We exploit compiler technology to model programs as Petri nets and establish a correspondence between deadlock avoidance in the program and the absence of reachable empty siphons in its Petri net model. The technique of Supervision Based on Place Invariants is then used to synthesize the desired control logic, which is implemented using source-to-source translation. Empirical evidence confirms that the algorithmic techniques of Discrete Control Theory employed scale to programs of practical size in both application domains. Furthermore, comprehensive experiments in the deadlock avoidance problem demonstrate tolerable runtime overhead, no more than 18%, for a benchmark and several real-world C programs.

Qingkai Shi,Jeff Huang,Zhenyu Chen,Baowen Xu

DOI: https://doi.org/10.1109/tse.2015.2477820

IF: 7.4

2016-01-01

IEEE Transactions on Software Engineering

Abstract:Atomicity is a fundamental property to guarantee the isolation of a work unit (i.e., a sequence of related events in a thread) from concurrent threads. However, ensuring atomicity is often very challenging due to complex thread interactions. We present an approach to help developers verify whether such work units, which have triggered bugs due to certain violations of atomicity, are sufficiently synchronized or not by locks introduced for fixing the bugs. A key feature of our approach is that it combines the fortes of both bug-driven and change-aware techniques, which enables it to effectively verify synchronizations by testing only a minimal set of suspicious atomicity violations without any knowledge on the to-be-isolated work units, thus being more efficient and practical than other approaches. Besides, unlike existing approaches, our approach effectively utilizes all the inferred execution traces even they may not be completely feasible, such that the verification algorithm can converge much faster. We demonstrate via extensive evaluation that our approach is much more effective and efficient than the state-of-the-arts. Besides, we show that although there have existed sound automatic fixing techniques for atomicity violations, our approach is still necessary and useful for quality assurance of concurrent programs, because the assumption behind our approach is much weaker. We have also investigated one of the largest bug databases and found that insufficient synchronizations are common and difficult to be found in software development.

Ruixue Li,Bin Yu,Xu Lu,Lei Ke,Jiawei Chen,Zixuan Yuan,Jingxian Wang,Cong Tian,Yansong Dong

DOI: https://doi.org/10.1145/3691620.3695325

2024-01-01

Abstract:Interrupt-driven programs are widely used in safety-critical fields like aerospace and embedded systems. However, the unpredictable interleaving of Interrupt Service Routines (ISRs) can lead to concurrency bugs, particularly atomicity violations when ISRs preempt atomic sequences of instructions. To address this, we propose a dynamic approach for detecting atomicity violations in interrupt-driven programs. Extensive experiments demonstrate that our method is more precise and efficient than related approaches.

Yin Wang,Terence Kelly,Manjunath Kudlur,Scott Mahlke,Stephane Lafortune

DOI: https://doi.org/10.1109/wodes.2008.4605961

2008-01-01

Abstract:Ensuring deadlock-free execution of concurrent programs is a notoriously difficult problem, but an increasingly important one as multicore processors compel performance-conscious software developers to parallelize applications. We propose and validate a novel methodology for dynamically controlling the execution of concurrent software in order to provably avoid deadlocks. The methodology is based on supervisory control of discrete event systems modeled by Petri nets. Specifically, we synthesize feedback controllers for concurrent programs based on the theory of supervision based on place invariants and implement the controllers online to guarantee deadlock avoidance. We describe a full implementation of this methodology and report initial experimental results demonstrating its effectiveness and scalability.

Jingwen Zhao,Yanxia Wu,Yun Feng,Jibin Dong,Changting Shi

DOI: https://doi.org/10.1002/smr.2725

2024-01-01

Abstract:Atomicity violation bugs are a frequent problem in concurrency. Because of the unpredictable nature of thread interleaving, most current methods are unable to differentiate between harmful and benign atomicity violations. This makes it challenging to determine the existence of an actual bug. This paper presents a method for detecting atomicity violation bugs in programs based on user interaction. First, UserTrack matches access interleaving patterns to identify all potential violations. We then verify the programmer's atomicity intent between two logical access operations on the same thread and filter out some candidates. Finally, a user interaction mechanism checks the paths that do not produce atomicity violations when threads are interleaved. Our method focuses on a small number of interesting states and interleavings, while allowing the programmer to impose constraints on thread interleavings and explore all executions that satisfy these constraints. We continuously gather information through user feedback results and detect atomicity violation bugs that truly go against the programmer's intent. We evaluated the method using benchmark tests, which demonstrated the effectiveness of UserTrack in detecting atomicity violations. This method verifies the atomicity intent between nonserializable interleaving and logical access operations, allows programmers to impose constraints on thread interleaving, and explores all executions that satisfy these constraints and continuously gain information through user feedback to identify atomicity violation bugs that truly violate the programmer's intent. image

Yin Wang,Stephane Lafortune,Terence Kelly,Manjunath Kudlur,Scott Mahlke

DOI: https://doi.org/10.1145/1594834.1480913

2009-01-01

ACM SIGPLAN Notices

Abstract:Deadlock in multithreaded programs is an increasingly important problem as ubiquitous multicore architectures force parallelization upon an ever wider range of software. This paper presents a theoretical foundation for dynamic deadlock avoidance in concurrent programs that employ conventional mutual exclusion and synchronization primitives (e.g., multithreaded C/Pthreads programs). Beginning with control flow graphs extracted from program source code, we construct a formal model of the program and then apply Discrete Control Theory to automatically synthesize deadlock-avoidance control logic that is implemented by program instrumentation. At run time, the control logic avoids deadlocks by postponing lock acquisitions. Discrete Control Theory guarantees that the program instrumented with our synthesized control logic cannot deadlock. Our method furthermore guarantees that the control logic is maximally permissive: it postpones lock acquisitions only when necessary to prevent deadlocks, and therefore permits maximal runtime concurrency. Our prototype for C/Pthreads scales to real software including Apache, OpenLDAP, and two kinds of benchmarks, automatically avoiding both injected and naturally occurring deadlocks while imposing modest runtime overheads.

Bin Yu,Cong Tian,Hengrui Xing,Zuchao Yang,Jie Su,Xu Lu,Jiyu Yang,Liang Zhao,Xiaofeng Li,Zhenhua Duan

DOI: https://doi.org/10.1145/3611643.3616276

2023-01-01

Abstract:Interrupt-driven programs have been widely used in safety-critical areas such as aerospace and embedded systems. However, uncertain interleaving execution of interrupt service routines (ISRs) usually causes concurrency bugs. Specifically, when one or more ISRs attempt to preempt a sequence of instructions which are expected to be atomic, a kind of concurrency bugs namely atomicity violation may occur, and it is challenging to find this kind of bugs precisely and efficiently. In this paper, we propose a static approach for detecting atomicity violations in interrupt-driven programs. First, the program model is constructed with interruption points being selected to determine the possibly influenced ISRs. After that, reachability computation is conducted to build up a whole abstract reachability tree, and a delayed ISR-triggering strategy is employed to reduce the state space. Meanwhile, unserializable interleaving patterns are recognized to achieve the goal of atomicity violation detection. The approach has been implemented as a configurable tool namely CPA4AV. Extensive experiments show that CPA4AV is much more precise than the relative tools available with little extra time overhead. In addition, more complex situations can be dealt with CPA4AV.

Terence Kelly,Yin Wang,Stephane Lafortune,Scott Mahlke

DOI: https://doi.org/10.1109/mc.2009.391

2009-01-01

Computer

Abstract:In the multicore era, concurrency bugs threaten to reduce programmer productivity, impair software safety, and erode end-user value. Control engineering can eliminate concurrency bugs by constraining software behavior, preventing runtime failures, and offloading onerous burdens from human programmers onto automatically synthesized control logic.

Yin Wang,Terence Kelly,Stéphane Lafortune

2006-01-01

Abstract:Information technology (IT) administration is increasingly automated. Workflows—concurrent programs written in very-high-level languages—are an increasingly popular IT automation technology. Like multithreaded programming, workflow programming is notoriously difficult and error prone. Concurrency, resource contention, race conditions, and similar issues lead to subtle bugs that can survive testing undetected. Static workflow analysis provides a reliable offline way to validate IT administrative actions before they are performed [2], complementary to dynamic validation and post-mortem root cause localization. Static analysis, however, merely detects defects; repair remains manual, time-consuming, error-prone, and costly. Manuallycorrected workflows are less natural, less readable, and less efficient than the flawed originals. This paper shows how discrete control theory can allow safe execution of unmodified flawed workflows by dynamically avoiding undesirable execution states, e.g., states that violate dependability requirements. By externally enforcing compliance with some dependability requirements, our approach allows programmers to write straightforward workflows instead of perfect ones; by partially decoupling workflow software from dependability requirements, it reduces the need to alter the former when the latter change. Classical control theory has recently been applied to several performance-related IT problems [1]. Discrete control employs very different methods and modeling formalisms [3] and is better suited to safety and dependability problems. Discrete control has been applied in domains ranging from manufacturing to telecommunications. However it has never before been implemented for any IT automation or CS systems problem.

antoine butez,stephane lafortune,yin wang

DOI: https://doi.org/10.3182/20140824-6-za-1003.00646

2014-01-01

IFAC Proceedings Volumes

Abstract:Abstract We consider the solution of supervisory control problems for discrete event systems modeled by automata or bounded Petri nets where the specification is expressed as a regular sublanguage of the system language and where the supervisor is restricted to be state-partition-based with respect to original system state space, i.e., the state space of the automaton or the set of reachable markings of the Petri net. State-partition-based supervisors are completely characterized by a partition of the original system state space into legal and illegal states: transitions between legal states are always enabled while transitions from legal to illegal states are always disabled. We present a general algorithm that calculates all state-partition-based supervisors that result in safe and non-blocking controlled languages. The algorithm uses a vertex-cover-type algorithm on the representation of the supremal controllable sublanguage in order to obtain the desired partitions. This work is motivated by the application of discrete event control techniques to the avoidance of classes of concurrency bugs in multithreaded programs. State-partition-based supervisors are especially advantageous in that application as they allow more concurrency at run-time. More generally, this class of supervisors is required when the representation of the supervisor must be based on the system's original state space; this occurs for memoryless supervisors in automaton-based control or in supervision based on place invariants in Petri-net-based control, for instance.

Hongwei Liao,Yin Wang,Jason Stanley,Stéphane Lafortune,Spyros A. Reveliotis,Terence Kelly,Scott A. Mahlke

DOI: https://doi.org/10.1109/TCST.2012.2226034

2013-01-01

Abstract:Computer hardware is moving from uniprocessor to multicore architectures. One problem arising in this evolution is that only parallel software can exploit the full performance potential of multicore architectures, and parallel software is far harder to write than conventional serial software. One important class of failures arising in parallel software is circular-wait deadlock in multithreaded programs. In our ongoing Gadara project, we use a special class of Petri nets, called Gadara nets, to systematically model multithreaded programs with lock allocation and release operations. In this paper, we propose an efficient optimal control synthesis methodology for ordinary Gadara nets that exploits the structural properties of Gadara nets via siphon analysis. Optimality in this context refers to the elimination of deadlocks in the program with minimally restrictive control logic. We formally establish a set of important properties of the proposed control synthesis methodology, and show that our algorithms never synthesize redundant control logic. We conduct experiments to evaluate the efficiency and scalability of the proposed methodology, and discuss the application of our results to real-world concurrent software.

Xiao-Hong SU,Zhen YU,Tian-Tian WANG,Pei-Jun MA

DOI: https://doi.org/10.11897/SP.J.1016.2015.02215

2015-01-01

Abstract:The prevalent multi-core architecture today makes real concurrency come true.In order to benefit from the concurrency power of hardware,concurrent programming is becoming more and more popular.However,out of inherent concurrency and non-determinism,concurrent programs are more likely to suffer from concurrency bugs,which are hard to detect,debug and repair.In this paper,we point out the trend that software development is turning toward concurrent model from sequential model.We reveal three characteristics respectively for concurrent programs and concurrency bugs and explore three challenges confronted by concurrency bug analysis.We then divide concurrency bugs into four categories,i.e.deadlock,data race,atomicity violation and order violation and investigate relations among them.For each category of concurrency bugs, we make analyses,comparisons and summarizations on previous researches about how to quickly expose,in time detect and efficiently avoid them.At last,we look into the research priorities in future from the following five aspects:smart and quick concurrency bugs exposure,common and accurate concurrency bug detection,deterministic replay support,collaborative design involving software and hardware and new concurrent programming model.

LY WANG,ZP JIANG,ZM WU

DOI: https://doi.org/10.1109/acc.1994.751920

1994-01-01

Abstract:We introduce a controlled Petri net to model the concurrent discrete event system. In the context of languages, the control problem of forbidden concurrent event string of discrete event systems is analyzed. Then the specification of a supervisor for a discrete event system is discussed in terms of a legal language and its supremal controllable sublanguage, which leads to a practical realization, i.e., dynamical supervision.

Pengfei Wang,Jens Krinke,Xu Zhou,Kai Lu

DOI: https://doi.org/10.1002/cpe.5160

2019-01-01

Abstract:SummaryConcurrency bugs, such as atomicity‐violation bugs, are difficult to detect due to the uncertainty of thread‐scheduling. It is particularly difficult to conduct a thorough bug fix when an atomicity‐violation bug can be triggered by different buggy interleavings. This paper proposes a prediction‐based approach to comprehensively detect atomicity‐violation bugs. A bug fix can be incomplete when the developer cannot have all the buggy interleavings. Based on the candidate interleavings, this approach can predict unmanifested atomicity‐violation bugs from a non‐buggy execution and comprehensively display all the buggy interleavings for the same bug to assist a thorough fix. We use a monitored execution to record execution traces and predict potential buggy interleavings based on the candidate interleavings identified from the trace. Then, we use controlled executions to verify the predicted buggy interleavings by controlling the thread‐scheduling. We implemented a prototype tool called AVPredictor and evaluated it with real‐world tests. Experiments show that AVPredictor can effectively find all the known atomicity‐violation bugs as well as a previously unknown bug together with all the buggy interleavings for each bug. The runtime overhead is 13x for the monitored execution and 18x for the controlled execution.

DongDong Deng,GuoLiang Jin,Marc de Kruijf,Ang Li,Ben Liblit,Shan Lu,ShanXiang Qi,JingLei Ren,Karthikeyan Sankaralingam,LinHai Song,YongWei Wu,MingXing Zhang,Wei Zhang,WeiMin Zheng

DOI: https://doi.org/10.1007/s11432-015-5315-9

2015-01-01

Science China Information Sciences

Abstract:Concurrency bugs are becoming widespread with the emerging ubiquity of multicore processors and multithreaded software. They manifest during production runs and lead to severe losses. Many effective concurrency-bug detection tools have been built. However, the dependability of multi-threaded software does not improve until these bugs are handled statically or dynamically. This article discusses our recent progresses on fixing, preventing, and recovering from concurrency bugs.