1 / 38

Comparison Under Abstraction for Verifying Linearizability

Comparison Under Abstraction for Verifying Linearizability. Daphna Amit Noam Rinetzky Mooly Sagiv. Tom Reps. Eran Yahav. Tel Aviv University. University of Wisconsin. IBM T.J. Watson Research Center. Verification Challenge. T 2. T n. T 1.

reuben
Télécharger la présentation

Comparison Under Abstraction for Verifying Linearizability

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Comparison Under Abstractionfor Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom Reps Eran Yahav Tel Aviv University University of Wisconsin IBM T.J. Watson Research Center

  2. Verification Challenge T2 Tn T1 • Unbounded dynamically-allocated concurrent data structure • Non blocking stack [Treiber, '86] • Non blocking queue [Michael and Scott, PODC’96] • … • Challenge: automatically prove linearizability ... concurrent data structure

  3. push(4) pop():4 push(7) push(4) pop():4 push(7) concurrent LIFO stack T1 time T2 Linearizability [Herlihy and Wing, TOPLAS'90] • Linearizable data structure • Sequential specification defines legal sequential executions • Concurrent operations allowed to be interleaved • Operations appear to execute atomically • External observer gets the illusion that each operation takes effectinstantaneouslyat some point between its invocation and its response First Out Last In

  4. Main Contributions • A conservative automatic algorithm for verifying linearizability • Unbounded linked concurrent data structures • Fixed (arbitrary) number of threads • Implementation and experimental results • A novel shape abstraction that allows comparison between mutable linked data structures

  5. concurrent stack T1 T2 sequential stack T1 T2 Our Approach • Construct for every concurrent execution an “equivalent” sequential execution • Simultaneously manipulate 2 data structures • Concurrent data structure (manipulated by interleaved operations) • Sequential data structure (manipulated by atomic operations) • Executable sequential specification

  6. push(4) pop():4 push(7) push(4) pop():4 push(7) concurrent stack T1 T2 time sequential stack T1 T2 Our Approach • Construct for every concurrent execution an “equivalent” sequential execution • Compare results of matching operations

  7. Comparison under abstraction of unbounded state systems may be possible when the difference between the systems is bounded Comparison between two unbounded heaps over an unbounded number of traces of unbounded length Comparison under abstraction Why Is It Challenging? Main Observation Show that the observable behavior along every concurrent execution trace is equivalent to that of a corresponding sequential execution trace

  8. Outline • How to construct the sequential executions? • How to compare unbounded heaps under abstraction?

  9. Outline • How to construct the sequential execution? Inspired by Flanagan, SPIN’04 • How to compare unbounded heaps under abstraction?

  10. Fixed Linearization Points • Every operation has a (user-specified) fixed linearization point • A statement at which the operation appears to take effect • Show that these linearization points are correct for every concurrent execution • User may specify • Several (alternative) linearization points • Certain types of conditional linearization points

  11. operation Verification of Fixed Linearization Points • Compare each concurrent execution to a specific sequential execution • Show that every (terminating) concurrent operation returns the same result as its sequential counterpart linearizationpoint Concurrent Execution ... linearizationpoint compare results Conjoined Execution compare results Sequential Execution

  12. Treiber's Non-Blocking Stack 3 1 4 Top

  13. Top t 7 Top x Push Operation void push(Stack S, data_type v){ Node x = alloc(sizeof(Node)); xd = v; do { Node t = STop; xn = t; } while (! CAS(&STop, t, x) ); } 3 1 4 if (STop == t) STop = x; evaluate to true;else evaluate to false;

  14. Top s Top t Pop Operation data_type pop (Stack S) { do { Node t = STop; if (t == NULL) return EMPTY; Node s = tn; } while ( ! CAS(&STop, t, s) ); data_type r = td; return r; } 3 1 4 7 return 7

  15. Example: Conjoined Execution (1) T1 T2 3 3 B: push(7) A: push(4) t Top Top 1 1 t 4 7 4 Top Top x x x Linearization Point ConcurrentStack SequentialStack

  16. Example: Conjoined Execution (2) T1 T2 3 3 B: push(7) A: push(4) 1 1 t 4 7 4 Top Top failed CAS t x 7 7 Top Top x x Linearization Point ConcurrentStack SequentialStack

  17. Example: Conjoined Execution (3) T1 T2 3 3 B: push(7) A: push(4) A: pop() 1 1 4 4 Top Top s s 7 7 Top Top t t Linearization Point matching return values ConcurrentStack SequentialStack

  18. Conjoined Execution 3 3 3 3 linearization point 1 Top 1 Top 1 1 Top Top Throughout conjoined execution, two stacks remain almost isomorphic 4 4 ConcurrentStack SequentialStack 3 3 3 3 3 3 Top Top 1 1 1 1 1 1 4 Top 4 4 4 4 Top Top Top Atomic Operation

  19. Outline • How to construct the sequential execution? • How to compare unbounded heaps under abstraction? Delta Abstraction

  20. n n summary node x Starting Point: Canonical Abstraction [ SRW'02 ] n n n 7 4 1 3 x

  21. n n n 7 4 1 3 x n 5 8 x n n n n 3 2 3 9 7 x n n summary node x Concretization

  22. 3 3 3 9 1 1 3 4 6 4 5 3 7 11 7 Top Top Top Top Comparison of Responses Under Abstraction Concrete Domain • Abstract Domain • Separate abstractions will not do ?= ? ? Top Top ConcurrentStack SequentialStack ConcurrentStack SequentialStack

  23. Maintain a mappingbetween memory layoutsof concurrent and sequential data structures Main Idea 3 3 Isomorphic Sub-graphs abstract away 1 1 4 4 Top t track precisely 7 Top x ConcurrentStack SequentialStack

  24. Recording Isomorphism Using Correlation Relation 3 3 1 1 4 4 7 7 Top Top • All nodes are correlated • Correlated nodes are similar (successors also correlated or both null) • Nodes pointed-to by Top are correlated

  25. Isomorphism Under Delta Abstraction similar 3 3 similar 1 1 duo-object similar 4 4 similar 7 7 Top Top

  26. similar 3 3 similar 1 1 summary duo-object duo-object similar similar 4 4 similar 7 7 Top Top similar Top Top Isomorphism Under Bounded Delta Abstraction Isomorphism Under Delta Abstraction

  27. Constructing the Correlation Relation • Incrementally constructed during execution • Nodes allocated by matching push operations are correlated • Correlated nodes have equal data values • Show that matching pops return data values of correlated nodes

  28. similar similar Conjoined Execution Under Abstraction(1) T1 T2 B: push(7) A: push(4) t Top Top t similar Top Top x x x Linearization Point ConcurrentStack SequentialStack

  29. similar similar Conjoined Execution Under Abstraction (2) T1 T2 B: push(7) A: push(4) t similar Top Top failed CAS t x similar Top Top x x Linearization Point ConcurrentStack SequentialStack

  30. similar similar Conjoined Execution Under Abstraction (3) T1 T2 Partial isomorphism can be maintained under abstraction since the difference between the memory layouts is bounded B: push(7) A: push(4) A: pop() Bounded difference may be at an unbounded distance from the root similar Top Top matching return values ConcurrentStack SequentialStack

  31. Experimental Results 250,000 16,000 2 2 2 4 3 2 2 4 3 2 20,000 250 [3] Doherty et al., FORTE'04 [4] Vafeiadis et al., PPoPP'06 [1] Treiber, '86 [2] Michael and Scott, PODC’96

  32. Related Methods • Manual • Rely-guarantee reasoning [Vafeiadis et al., PPoPP'06] • Semi-automatic • Proving simulation relation between I/O Automata using PVS[Doherty et al., FORTE'04] • Automatic • Proving atomicity of procedures [Wang and Stoller, PPoPP'05]  More general

  33. Future Work Limitations • User-specified guess of fixed linearization points • User-specified fixed correlation rule • Fixed number of threads • Arbitrary in theory • Small in practice (scalability) • Assuming memory is garbage collected

  34. Summary • A conservative automatic algorithm for verifying linearizability of unbounded linked concurrent data structures • Sequential specification • Conjoined executions • Delta abstraction: A novel heap abstraction • Maintains an isomorphism between mutable linked data structures under abstraction • Implementation and experimental results • Non blocking stack [Treiber, '86] • Non blocking queue [Michael and Scott, PODC’96] [Doherty et al., FORTE'04] • 2 lock queue [Michael and Scott, PODC’96 ] • Set with fine grained locking [Vafeiadis et al., PPoPP'06 ]

  35. Comparison under abstraction of unbounded state systems may be possible when the difference between the systems is bounded Main Observation

  36. The End MSc Thesis: www.cs.tau.ac.il/~amitdaph

  37. Stack's Most-General Client void client (Stack S) { do { if (?) push(S, rand()); else pop(S); } while ( 1 ); }

More Related