Comparison Under Abstraction for Verifying Linearizability
Daphna Amit, Noam Rinetzky, Mooly Sagiv (Tel Aviv University); Tom Reps (University of Wisconsin); Eran Yahav (IBM T.J. Watson Research Center)
Verification Challenge
[Figure: threads T1, T2, ..., Tn operating on a shared concurrent data structure]
• Unbounded dynamically-allocated concurrent data structure
  • Non-blocking stack [Treiber, '86]
  • Non-blocking queue [Michael and Scott, PODC'96]
  • ...
• Challenge: automatically prove linearizability
Linearizability [Herlihy and Wing, TOPLAS'90]
[Figure: concurrent LIFO (Last In, First Out) stack; T1 and T2 interleave push(4), pop():4 and push(7) over time, shown next to an equivalent sequential ordering of the same operations]
• Linearizable data structure
  • Sequential specification defines legal sequential executions
  • Concurrent operations allowed to be interleaved
  • Operations appear to execute atomically
• External observer gets the illusion that each operation takes effect instantaneously at some point between its invocation and its response
Main Contributions
• A conservative automatic algorithm for verifying linearizability
  • Unbounded linked concurrent data structures
  • Fixed (arbitrary) number of threads
  • Implementation and experimental results
• A novel shape abstraction that allows comparison between mutable linked data structures
Our Approach
[Figure: a concurrent stack manipulated by T1 and T2 side by side with a sequential stack]
• Construct for every concurrent execution an "equivalent" sequential execution
• Simultaneously manipulate 2 data structures
  • Concurrent data structure (manipulated by interleaved operations)
  • Sequential data structure (manipulated by atomic operations)
  • Executable sequential specification
Our Approach
[Figure: T1 and T2 run push(4), pop():4 and push(7) on the concurrent stack over time; the same operations are applied to the sequential stack]
• Construct for every concurrent execution an "equivalent" sequential execution
• Compare results of matching operations
Why Is It Challenging?
• Show that the observable behavior along every concurrent execution trace is equivalent to that of a corresponding sequential execution trace
• Comparison between two unbounded heaps over an unbounded number of traces of unbounded length
Main Observation
• Comparison under abstraction of unbounded state systems may be possible when the difference between the systems is bounded
Outline
• How to construct the sequential executions?
• How to compare unbounded heaps under abstraction?
Outline
• How to construct the sequential execution? Inspired by Flanagan, SPIN'04
• How to compare unbounded heaps under abstraction?
Fixed Linearization Points
• Every operation has a (user-specified) fixed linearization point
  • A statement at which the operation appears to take effect
• Show that these linearization points are correct for every concurrent execution
• User may specify
  • Several (alternative) linearization points
  • Certain types of conditional linearization points
Verification of Fixed Linearization Points
[Figure: a concurrent execution, the conjoined execution and the sequential execution; each operation's linearization point is marked, and the results of matching operations are compared]
• Compare each concurrent execution to a specific sequential execution
• Show that every (terminating) concurrent operation returns the same result as its sequential counterpart
Treiber's Non-Blocking Stack
[Figure: linked stack holding 3, 1, 4, with Top pointing at the most recently pushed node]
Push Operation
[Figure: stack 3, 1, 4; t is a copy of S->Top, the new node x holds 7 and x->n = t; a successful CAS swings Top to x]

    void push(Stack S, data_type v) {
        Node x = alloc(sizeof(Node));   /* Node is a pointer to a heap node */
        Node t;
        x->d = v;
        do {
            t = S->Top;                 /* snapshot the current top */
            x->n = t;                   /* link the new node in front of it */
        } while (!CAS(&S->Top, t, x));  /* retry if Top changed in between */
    }

CAS(&S->Top, t, x) atomically does: if (S->Top == t) { S->Top = x; evaluate to true; } else evaluate to false;
Pop Operation
[Figure: stack 3, 1, 4, 7; t is a copy of S->Top (the node holding 7), s = t->n; a successful CAS swings Top to s and the operation returns 7]

    data_type pop(Stack S) {
        Node t, s;
        do {
            t = S->Top;                 /* snapshot the current top */
            if (t == NULL)
                return EMPTY;           /* linearizes at this read of Top */
            s = t->n;
        } while (!CAS(&S->Top, t, s));  /* linearizes at the successful CAS */
        data_type r = t->d;
        return r;
    }
Example: Conjoined Execution (1)
[Figure: concurrent stack and sequential stack both hold 3, 1. T1 runs A: push(4), T2 runs B: push(7); both threads read t = Top and allocate their node x. A reaches its linearization point, so push(4) is also applied atomically to the sequential stack]
Example: Conjoined Execution (2)
[Figure: B's CAS fails because Top has moved to 4; B re-reads t and retries. At B's linearization point push(7) is applied to the sequential stack; both stacks now hold 3, 1, 4, 7]
Example: Conjoined Execution (3)
[Figure: T1 runs A: pop(); t = Top points at 7 and s = t->n at 4 on both stacks. At the linearization point both pops return 7: matching return values]
Conjoined Execution
[Figure: a sequence of conjoined states; each concurrent operation's linearization point is mirrored by an atomic operation on the sequential stack]
• Throughout the conjoined execution, the two stacks remain almost isomorphic
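As an added example (not the slides' own code), a deterministic Python model of a conjoined execution for Treiber's stack: each thread's push and pop is a generator that yields where the scheduler may switch threads, the successful CAS (or the read of an empty Top) is the fixed linearization point at which the sequential stack, here a Python list, is updated atomically, and every schedule of a fixed set of threads is enumerated so the results of matching operations can be compared. The `lin_at_read` flag is an assumption added to show how a wrongly guessed linearization point is caught.

```python
from itertools import product

class Node:
    def __init__(self, d, n=None): self.d, self.n = d, n

class Shared:                                  # the concurrent stack: just its Top pointer
    def __init__(self): self.top = None
    def cas(self, old, new):                   # atomic compare-and-swap on Top
        if self.top is old: self.top = new; return True
        return False

def push(S, seq, v, lin_at_read=False):
    """Treiber push; `yield` marks a point where other threads may run.
    lin_at_read=True deliberately mis-places the linearization point (for contrast)."""
    x = Node(v)
    while True:
        t = S.top
        if lin_at_read: seq.append(v)          # wrong guess: effect taken before the CAS
        yield
        x.n = t
        if S.cas(t, x):                        # correct linearization point
            if not lin_at_read: seq.append(v)
            return (None, None)                # push has no return value on either side

def pop(S, seq):
    while True:
        t = S.top
        if t is None:                          # EMPTY linearizes at this read of Top
            return ("EMPTY", seq.pop() if seq else "EMPTY")
        yield
        if S.cas(t, t.n):                      # non-empty pop linearizes at its CAS
            return (t.d, seq.pop() if seq else "EMPTY")

def thread(S, seq, results, prog):
    for op, *args in prog:                     # run this thread's operations in order
        results.append((yield from op(S, seq, *args)))

def conjoined_run(schedule, progs):
    """Interleave threads as `schedule` dictates; return (concurrent, sequential) result pairs."""
    S, seq, results = Shared(), [], []
    gens = [thread(S, seq, results, p) for p in progs]
    for tid in schedule:
        if gens[tid] is None: continue
        try: next(gens[tid])
        except StopIteration: gens[tid] = None
    return results

def linearizable(progs, steps=12):
    """Exhaustive check over every `steps`-step schedule of a fixed set of threads:
    True iff each completed operation returned what its sequential counterpart did."""
    return all(c == s for sched in product(range(len(progs)), repeat=steps)
               for c, s in conjoined_run(sched, progs))
```

With `progs = [[(push, 4), (pop,)], [(push, 7)]]` every schedule agrees; replacing `(push, 7)` by `(push, 7, True)` makes `linearizable` return False, because a schedule exists in which the concurrent pop returns 4 while the sequential stack returns 7.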
Outline
• How to construct the sequential execution?
• How to compare unbounded heaps under abstraction? Delta Abstraction
Starting Point: Canonical Abstraction [SRW'02]
[Figure: concrete list x -> 7 -> 4 -> 1 -> 3 linked by n fields is abstracted to x -> node -> summary node, where the summary node stands for all nodes not pointed to by a variable]
Concretization
[Figure: the abstract shape x -> node -> summary node concretizes to many concrete lists, e.g. x -> 7 -> 4 -> 1 -> 3, x -> 5 -> 8 and x -> 3 -> 2 -> 3 -> 9 -> 7]
Comparison of Responses Under Abstraction
[Figure: Concrete Domain: pairs of concrete concurrent and sequential stacks (e.g. 3, 1, 4 on both sides; 9, 3, 6, 5, 7, 11 on both sides). Abstract Domain: each stack abstracted separately to Top -> node -> summary node, so whether the two responses are equal ("?=") can no longer be determined]
• Separate abstractions will not do
Main Idea
• Maintain a mapping between memory layouts of concurrent and sequential data structures
[Figure: the isomorphic sub-graphs (3, 1, 4 on both stacks) are abstracted away; the difference (the new node x holding 7, Top and t) is tracked precisely]
Recording Isomorphism Using Correlation Relation
[Figure: concurrent and sequential stacks 3, 1, 4, 7 with each node correlated to its counterpart]
• All nodes are correlated
• Correlated nodes are similar (successors also correlated or both null)
• Nodes pointed-to by Top are correlated
Isomorphism Under Delta Abstraction
[Figure: each correlated pair (3, 3), (1, 1), (4, 4), (7, 7) is represented as one "similar" duo-object]
Isomorphism Under Bounded Delta Abstraction
[Figure: the similar duo-objects of the delta abstraction are merged into a summary duo-object, keeping the Top-pointed duo-object explicit; the result is a bounded abstract state]
Constructing the Correlation Relation
• Incrementally constructed during execution
• Nodes allocated by matching push operations are correlated
• Correlated nodes have equal data values
• Show that matching pops return data values of correlated nodes
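As an added example (not the slides' own code), the correlation relation of the previous slides kept as a Python dict from concurrent nodes to sequential nodes: pairs are created only when matching pushes allocate, and `delta` returns the nodes that break the isomorphism, the bounded difference that delta abstraction tracks precisely while the correlated, similar part is summarised. The function names and the dict representation are assumptions of this example.

```python
class Node:
    def __init__(self, d, n=None): self.d, self.n = d, n

def reachable(top):
    """Nodes reachable from Top along the n field, top first."""
    out = []
    while top is not None:
        out.append(top); top = top.n
    return out

def similar(corr, a, b):
    """Correlated nodes are similar: equal data, successors correlated or both null."""
    return a.d == b.d and ((a.n is None and b.n is None) or corr.get(a.n) is b.n)

def delta(corr, top_c, top_s):
    """Nodes violating the three slide conditions (all nodes correlated, correlated nodes
    similar, Top-pointed nodes correlated). An empty set means the stacks are isomorphic."""
    bad = {a for a in reachable(top_c) if a not in corr or not similar(corr, a, corr[a])}
    image = set(corr.values())
    bad |= {b for b in reachable(top_s) if b not in image}
    if (top_c is None) != (top_s is None) or (top_c is not None and corr.get(top_c) is not top_s):
        bad |= {top_c, top_s} - {None}      # both Top-pointed nodes are part of the difference
    return bad

def matched_push(corr, top_c, top_s, v):
    """Both stacks push v; the two freshly allocated nodes become a correlated pair.
    Returns the new Top of each stack."""
    xc, xs = Node(v, top_c), Node(v, top_s)
    corr[xc] = xs
    return xc, xs

def matched_pop(corr, top_c, top_s):
    """Both stacks pop; returns (new Top_c, new Top_s, data_c, data_s). The popped nodes
    are correlated, so the two data values agree."""
    assert top_c is not None and top_s is not None and corr[top_c] is top_s
    return top_c.n, top_s.n, top_c.d, top_s.d
```

A concurrent push that has linearized while its sequential counterpart has not yet been applied leaves a delta of exactly the new node (plus the sequential Top node, whose correlate is no longer pointed to by Top); once the matching sequential push runs, the delta is empty again regardless of how long the stacks are.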
Conjoined Execution Under Abstraction (1)
[Figure: the correlated, similar part of the two stacks is summarised; T1 runs A: push(4), T2 runs B: push(7), both read t = Top and allocate x; A reaches its linearization point]
Conjoined Execution Under Abstraction (2)
[Figure: B's CAS fails and is retried; at B's linearization point the new nodes become a similar pair and the stacks are again isomorphic under the abstraction]
Conjoined Execution Under Abstraction (3)
[Figure: T1 runs A: pop(); at its linearization point both pops return the data of correlated nodes: matching return values]
• Partial isomorphism can be maintained under abstraction since the difference between the memory layouts is bounded
• Bounded difference may be at an unbounded distance from the root
Experimental Results
[Table: results per benchmark [1]-[4]; the column structure did not survive extraction. Values as extracted: 250,000 16,000 2 2 2 4 3 2 2 4 3 2 20,000 250]
[1] Treiber, '86
[2] Michael and Scott, PODC'96
[3] Doherty et al., FORTE'04
[4] Vafeiadis et al., PPoPP'06
Related Methods (ordered from more general to more automatic)
• Manual
  • Rely-guarantee reasoning [Vafeiadis et al., PPoPP'06]
• Semi-automatic
  • Proving simulation relation between I/O Automata using PVS [Doherty et al., FORTE'04]
• Automatic
  • Proving atomicity of procedures [Wang and Stoller, PPoPP'05]
Future Work / Limitations
• User-specified guess of fixed linearization points
• User-specified fixed correlation rule
• Fixed number of threads
  • Arbitrary in theory
  • Small in practice (scalability)
• Assuming memory is garbage collected
Summary
• A conservative automatic algorithm for verifying linearizability of unbounded linked concurrent data structures
  • Sequential specification
  • Conjoined executions
• Delta abstraction: a novel heap abstraction
  • Maintains an isomorphism between mutable linked data structures under abstraction
• Implementation and experimental results
  • Non-blocking stack [Treiber, '86]
  • Non-blocking queue [Michael and Scott, PODC'96] [Doherty et al., FORTE'04]
  • 2-lock queue [Michael and Scott, PODC'96]
  • Set with fine-grained locking [Vafeiadis et al., PPoPP'06]
Main Observation
• Comparison under abstraction of unbounded state systems may be possible when the difference between the systems is bounded
The End MSc Thesis: www.cs.tau.ac.il/~amitdaph
Stack's Most-General Client

    void client(Stack S) {
        do {
            if (?)                      /* nondeterministic choice */
                push(S, rand());
            else
                pop(S);
        } while (1);
    }