Presentation is loading. Please wait.

Presentation is loading. Please wait.

Comparison Under Abstraction for Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom RepsEran Yahav Tel Aviv UniversityUniversity of Wisconsin.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Comparison Under Abstraction for Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom RepsEran Yahav Tel Aviv UniversityUniversity of Wisconsin."— Presentation transcript:

1 Comparison Under Abstraction for Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom RepsEran Yahav Tel Aviv UniversityUniversity of Wisconsin IBM T.J. Watson Research Center

2 Verification Challenge Unbounded dynamically-allocated concurrent data structure Non blocking stack [Treiber, '86] Non blocking queue [Michael and Scott, PODC’96] … Challenge: automatically prove linearizability concurrent data structure T1T1 T2T2 TnTn...

3 Linearizability [Herlihy and Wing, TOPLAS'90] Linearizable data structure –Sequential specification defines legal sequential executions –Concurrent operations allowed to be interleaved –Operations appear to execute atomically External observer gets the illusion that each operation takes effect instantaneously at some point between its invocation and its response time push(4) pop():4push(7) push(4) pop():4 push(7) Last In First Out concurrent LIFO stack T1T1 T2T2

4 Main Contributions A conservative automatic algorithm for verifying linearizability –Unbounded linked concurrent data structures –Fixed (arbitrary) number of threads –Implementation and experimental results A novel shape abstraction that allows comparison between mutable linked data structures

5 Our Approach Construct for every concurrent execution an “equivalent” sequential execution –Simultaneously manipulate 2 data structures Concurrent data structure (manipulated by interleaved operations) Sequential data structure (manipulated by atomic operations) –Executable sequential specification concurrent stack T1T1 T2T2 sequential stack T1T1 T2T2

6 Our Approach Construct for every concurrent execution an “equivalent” sequential execution –Compare results of matching operations time push(4) pop():4push(7) push(4)pop():4push(7) concurrent stack T1T1 T2T2 sequential stack T1T1 T2T2

7 Comparison under abstraction of unbounded state systems may be possible when the difference between the systems is bounded Why Is It Challenging?Main Observation Show that the observable behavior along every concurrent execution trace is equivalent to that of a corresponding sequential execution trace Comparison between two unbounded heaps over an unbounded number of traces of unbounded length Comparison under abstraction

8 Outline How to construct the sequential executions? How to compare unbounded heaps under abstraction?

9 Outline How to construct the sequential execution? Inspired by Flanagan, SPIN’04 How to compare unbounded heaps under abstraction?

10 Fixed Linearization Points Every operation has a (user-specified) fixed linearization point –A statement at which the operation appears to take effect Show that these linearization points are correct for every concurrent execution User may specify –Several (alternative) linearization points –Certain types of conditional linearization points

11 Verification of Fixed Linearization Points Compare each concurrent execution to a specific sequential execution Show that every (terminating) concurrent operation returns the same result as its sequential counterpart linearization point operation Concurrent Execution Sequential Execution compare results... linearization point Conjoined Execution compare results

12 Treiber's Non-Blocking Stack 1 3 4 Top

13 Push Operation if (S  Top == t) S  Top = x; evaluate to true; else evaluate to false; 1 3 4 Top t 7 x void push (Stack  S, data_type v) { Node  x = alloc(sizeof(Node)); x  d = v; do { Node  t = S  Top; x  n = t; } while ( ! CAS(&S  Top, t, x) ); }

14 Pop Operation 1 3 4 Top s 7 t return 7 data_type pop (Stack  S) { do { Node  t = S  Top; if (t == NULL) return EMPTY; Node  s = t  n; } while ( ! CAS(&S  Top, t, s) ); data_type r = t  d; return r; }

15 Example: Conjoined Execution (1) 1 3 Top 1 3 74 x x t t 4 x B: push(7) A: push(4) Concurrent Stack Sequential Stack Linearization Point T1T1 T2T2

16 Example: Conjoined Execution (2) 1 3 1 3 74 x t Top 4 failed CAS t 7 x 7 Top x Concurrent Stack Sequential Stack Linearization Point B: push(7) A: push(4) T1T1 T2T2

17 Example: Conjoined Execution (3) 1 3 1 3 4 Top 4 s 7 7 t s t matching return values A: pop() Concurrent Stack Sequential Stack Linearization Point B: push(7) A: push(4) T1T1 T2T2

18 Conjoined Execution Concurrent Stack Sequential Stack 1 3 1 3 4 linearization point Top 1 3 1 3 4 1 3 1 3 4 1 3 1 3 4 4 1 3 1 3 4 4 Throughout conjoined execution, two stacks remain almost isomorphic Atomic Operation

19 Outline How to construct the sequential execution? How to compare unbounded heaps under abstraction? Delta Abstraction

20 Starting Point: Canonical Abstraction [ SRW'02 ] 1 34 x 7 n n n x n n summary node

21 Concretization 1 34 x 7 n n n n 8 x 5 3 92 x 3 n n n 7 n x n n summary node

22 Comparison of Responses Under Abstraction 1 3 4 7 Top 1 3 4 7 ? ? ?=?= Abstract Domain Separate abstractions will not do Concrete Domain Concurrent Stack Sequential Stack Concurrent Stack Sequential Stack 9 5 3 Top 3 3 6 11 Top

23 Main Idea 1 3 1 3 4 4 Top t 7 x Concurrent Stack Sequential Stack track precisely abstract away Isomorphic Sub-graphs Maintain a mapping between memory layouts of concurrent and sequential data structures

24 Recording Isomorphism Using Correlation Relation 1 3 1 3 4 4 7 7 Top All nodes are correlated Correlated nodes are similar (successors also correlated or both null) Nodes pointed-to by Top are correlated

25 Isomorphism Under Delta Abstraction 1 3 1 3 4 4 7 7 Top similar duo-object

26 Isomorphism Under Delta Abstraction 7 7 Top similar 3 3 1 1 4 4 duo-object similar summary duo-object Top similar Isomorphism Under Bounded Delta Abstraction

27 Constructing the Correlation Relation Incrementally constructed during execution Nodes allocated by matching push operations are correlated Correlated nodes have equal data values –Show that matching pops return data values of correlated nodes

28 Conjoined Execution Under Abstraction (1) Top x x t t x B: push(7) A: push(4) Concurrent Stack Sequential Stack Linearization Point similar T1T1 T2T2

29 Conjoined Execution Under Abstraction (2) x t Top failed CAS t x Top x Concurrent Stack Sequential Stack Linearization Point similar B: push(7) A: push(4) T1T1 T2T2

30 Conjoined Execution Under Abstraction (3) Top matching return values Concurrent Stack Sequential Stack similar Partial isomorphism can be maintained under abstraction since the difference between the memory layouts is bounded A: pop() B: push(7) A: push(4) Bounded difference may be at an unbounded distance from the root T1T1 T2T2

31 Experimental Results [1] Treiber, '86 [2] Michael and Scott, PODC’96 [3] Doherty et al., FORTE'04 [4] Vafeiadis et al., PPoPP'06 3 2 2 4 2 3 2 2 4 2 20,000 250 16,000 250,000

32 Related Methods Manual –Rely-guarantee reasoning [Vafeiadis et al., PPoPP'06] Semi-automatic –Proving simulation relation between I/O Automata using PVS [Doherty et al., FORTE'04] Automatic –Proving atomicity of procedures [Wang and Stoller, PPoPP'05]  More general

33 Limitations User-specified guess of fixed linearization points User-specified fixed correlation rule Fixed number of threads –Arbitrary in theory –Small in practice (scalability) Assuming memory is garbage collected Future Work

34 Summary A conservative automatic algorithm for verifying linearizability of unbounded linked concurrent data structures –Sequential specification –Conjoined executions Delta abstraction: A novel heap abstraction –Maintains an isomorphism between mutable linked data structures under abstraction Implementation and experimental results –Non blocking stack [Treiber, '86] –Non blocking queue [Michael and Scott, PODC’96] [Doherty et al., FORTE'04] –2 lock queue [Michael and Scott, PODC’96 ] –Set with fine grained locking [Vafeiadis et al., PPoPP'06 ]

35 Main Observation Comparison under abstraction of unbounded state systems may be possible when the difference between the systems is bounded

36 The End MSc Thesis: www.cs.tau.ac.il/~amitdaph

37

38 Stack's Most-General Client void client (Stack  S) { do { if (?) push(S, rand()); else pop(S); } while ( 1 ); }

Download ppt "Comparison Under Abstraction for Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom RepsEran Yahav Tel Aviv UniversityUniversity of Wisconsin."

Similar presentations

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Partially Disjunctive Shape Analysis Josh Berdine Byron Cook MSR Cambridge Tal Lev-Ami Roman Manevich Mooly Sagiv Ran Shaham Tel Aviv University Ganesan.

Partially Disjunctive Shape Analysis Josh Berdine Byron Cook MSR Cambridge Tal Lev-Ami Roman Manevich Mooly Sagiv Ran Shaham Tel Aviv University Ganesan.
Shape Analysis for Fine-Grained Concurrency using Thread Quantification Josh Berdine Microsoft Research Joint work with: Tal Lev-Ami, Roman Manevich, Mooly.

Shape Analysis for Fine-Grained Concurrency using Thread Quantification Josh Berdine Microsoft Research Joint work with: Tal Lev-Ami, Roman Manevich, Mooly.
Hongjin Liang and Xinyu Feng

Hongjin Liang and Xinyu Feng
Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.

Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.
TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.

TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.

Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
Heap Decomposition for Concurrent Shape Analysis R. Manevich T. Lev-Ami M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine MSR Cambridge Dagstuhl.

Heap Decomposition for Concurrent Shape Analysis R. Manevich T. Lev-Ami M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine MSR Cambridge Dagstuhl.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
Abstract Transformers for Thread Correlation Analysis Michal Segalov, TAU Tal Lev-Ami, TAU Roman Manevich, TAU G. Ramalingam, MSR India Mooly Sagiv, TAU.

Abstract Transformers for Thread Correlation Analysis Michal Segalov, TAU Tal Lev-Ami, TAU Roman Manevich, TAU G. Ramalingam, MSR India Mooly Sagiv, TAU.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
Scalable and Lock-Free Concurrent Dictionaries

Scalable and Lock-Free Concurrent Dictionaries
PARTIAL-COHERENCE ABSTRACTIONS FOR RELAXED MEMORY MODELS Presented by Michael Kuperstein, Technion Joint work with Martin Vechev, IBM Research and Eran.

PARTIAL-COHERENCE ABSTRACTIONS FOR RELAXED MEMORY MODELS Presented by Michael Kuperstein, Technion Joint work with Martin Vechev, IBM Research and Eran.
Sequential reductions for verifying serializability Hagit Attiya Technion & EPFL G. RamalingamMSR India Noam Rinetzky University of London.

Sequential reductions for verifying serializability Hagit Attiya Technion & EPFL G. RamalingamMSR India Noam Rinetzky University of London.
A Mile-High View of Concurrent Algorithms Hagit Attiya Technion.

A Mile-High View of Concurrent Algorithms Hagit Attiya Technion.
1 Lecture 07 – Shape Analysis Eran Yahav. Previously  LFP computation and join-over-all-paths  Inter-procedural analysis  call-string approach  functional.

1 Lecture 07 – Shape Analysis Eran Yahav. Previously  LFP computation and join-over-all-paths  Inter-procedural analysis  call-string approach  functional.

Similar presentations

Ads by Google