1 / 25

ICFEM 2008

Model Checking Linearizability via Refinement. Yang LIU , Wei CHEN, Yanhong A. LIU, and Jun SUN. ICFEM 2008. 1. PAT: Process Analysis Toolkit. PAT is a self-contained environment for system specification, visualized simulation and automated verification. http://www.patroot.com. 2.

hanzila
Download Presentation

ICFEM 2008

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model Checking Linearizability via Refinement Yang LIU, Wei CHEN, Yanhong A. LIU, and Jun SUN ICFEM 2008 1

  2. PAT: Process Analysis Toolkit PAT is a self-contained environment for system specification, visualized simulation and automated verification. http://www.patroot.com 2

  3. Summary about PAT • Main Features • MC fairness enhanced systems (vs Spin) • Process Counter Abstraction • Refinement checking (vs FDR) • MC Real-time systems (vs Uppaal) • Applications • MC Self-stablizing population protocol model • Verification of linearizability (this talk) • Web service conformance checking • June 2007 to Nov 2009 • C#, 1 million LOC • Visual Studio like GUI • 500+ downloads, 100+ organization, 29 countries/regions • 3 Modules: CSP, RTS and WS • 50+ build-in examples 3

  4. On-going and future Works • New modules • UML, security, sensor network and privacy?? • Symbolic representation techniques, e.g. BDD • Reduction and abstraction techniques • Probabilistic model checking techniques

  5. Outline Motivations and Overview Background Shared Memory Model Linearizability Definitions Linearizability as Refinement Relations Verification of Linearizability Experiments Related Work Conclusion and Future Work FM 2009 5

  6. Motivations Concurrent objects (shared queue, stacks) are hard to design correctly Exclusive access (correctness) vs. Maximum interleaving (performance) Esp. lock-free & wait-free ones Linearizability [HW90] is an accepted correctness criterion for shared objects. A shared object is linearizable if each operation on the object can be understood as occurring instantaneously at some point, (a.k.a. linearization point) Automatic verification of linearizability is challenging Rely on the knowledge of linearization points Linearization points are hard to be statically determined FM 2009 6

  7. Overview of Our Approach • Define linearizability based on refinement relations • An event-based modeling language • Semantics based on LTS • Verify linearizability using refinement checking algorithms • Create linearizable specifications • Refinement between abstract specification and concrete implementation models • Tool: Process Analysis Toolkit (PAT) • A toolkit for automatically analyzing event-based concurrent systems including refinement checking • Substantial Experiments: Stack, Queue, K-valued Register Mailbox[DISC’08], SNZI[PODC’07]. FM 2009 7

  8. Outline Motivations and Overview Background Shared Memory Model Linearizability Definitions Linearizability as Refinement Relations Verification of Linearizability Experiments Related Work Conclusion and Future Work FM 2009 8

  9. Shared Memory Model • A shared memory model M, • O = (o1,…,ok) denotes the set of k shared objects, • P = (p1,…,pn) denotes the set of n processes accessing the objects. • O support a set of operations: pairs of invocations and matching responses. • The behaviour of M • the set of all possible sequences (trace) of invocations and responses together with the initial states of the objects. p0: Winv(x,1) Wres(x) Rinv(y) Rres(y,2) p1: Winv(y,2) Wres(y) Rinv(x) Rres(x,1) FM 2009 9

  10. Linearizability • σ is linearizable if there exists a sequential permutation πof σsuch that • 1) for each object oi, π|oiis a legal sequential history (i.e. πrespects the sequential specification of the objects), and • 2) if op1 <σ op2, then op1 <π op2 (i.e., πrespects the run-time ordering of operations). • Examples p0: Winv(x,1) Wres(x) Rinv(y) Rres(y,2) p1: Winv(y,2) Wres(y) Rinv(x) Rres(x,1) p0: Winv(x,1) Wres(x) Rinv(y) Rres(y,2) p1: Winv(y,2) Wres(y) Rinv(x) Rres(x,1) p0: Winv(x,1) Wres(x) Rinv(y) Rres(y,0) p1: Winv(y,2) Wres(y) Rinv(x) Rres(x,1) FM 2009 10

  11. Stack Example High-level Linearizability vs. Low-Level Linearizability

  12. Outline Motivations and Overview Background Shared Memory Model Linearizability Definitions Linearizability as Refinement Relations Verification of Linearizability Experiments Related Work Conclusion and Future Work FM 2009 12

  13. Create Specification Model • Event-base formalism (e.g. CSP) • Specify each operation op of a shared object o on a process piusing three atomic steps: • the invocation action inv(op)i, • the linearization action lin(op)i, and (Invisible event) • the response action res(op, resp)i. • Is linearizable! FM 2009 13

  14. Create Implementation • Consider the implementment of object o. • The visible events of impl are also those inv(op)i's and res(op, resp)i's. • Is linearizable? FM 2009 14

  15. Linearizability as Refinement FM 2009 15

  16. Refinement Checking Algorithm • On-the-fly verification algorithm (DFS) • Optimizations: • Partial Order Reduction • ||| is the main source of state space explosion • Explore only a subset of enabled transitions and yet preserve soundness. • Symmetry Reduction • Ignore the orders of similar processes • E.g. reader ||| writer1 ||| writer2 == reader ||| writer2 ||| writer1 • Process Counter Abstraction 16

  17. Experiments TASE 2009 17

  18. Related Works • Manual proving • Herlihy and Wing ACM Transaction 90 • Vafeiadis et. al. use rely-guarantee PPoPP’06 • Using theorem provers • Doherty et. al. use simulation between I/O automata modeling the specification and implementation. FORTE'04 • Static analysis • Wang and Stoller present a static analysis that verifies linearizability for an unbounded number of threads. PPoPP’05 • Model checking • Amit et al. presented a shape difference abstraction that tracks the difference between two heaps. CAV’07 • Manevich et al. SAS’08 and Berdine et al. CAV’08 extended it to handle larger number and unbounded number of threads, respectively. • Vafeiadis further improved this solution to allow linearization points in different threads. VMCAI’09 • Vechev and Yahav use trace analysis. PLDI'08 FM 2009 18

  19. Conclusion Specify and verify linearizability using refinement relation Show that refinement checking algorithm behind PAT allows verifying concurrent algorithms without the knowledge of linearization points fully automatically effective reduction technique Formally verify Mailbox and SNZI algorithms for the first time FM 2009 19

  20. On-going and future works Deal with infamous state explosion problem Combine different state space reduction techniques and parameterized refinement checking for infinite number of processes FM 2009 20

  21. Thank You ICFEM 2008 21

  22. Modeling Language • Shared Variables and Arrays • Synchronization primitives in nonblocking algorithms • compare and swap (CAS) and • load linked (LL)/store-conditional (SC). FM 2009 22

  23. Semantics • System State : a pair (P,V) • P is the current process expression, and • V is the current valuation of the shared variables represented as a mapping from names to values. FM 2009 23

  24. Refinement • Lim= (Sim, initim,Tim) be a LTS for an implementation. • Lsp= (Ssp, initsp,Tsp) be a LTS for a specification. • Lim refines Lsp, iff traces(Lim) ⊆ traces(Lsp). FM 2009 24

  25. Back up • Support Synchronization Primitives • Compare and Swap • Load-linked/ Store-Conditional

More Related