Presentation is loading. Please wait.

Presentation is loading. Please wait.

Joint work with Yong Li, Xinyu Feng, Zhong Shao and Yu Zhang

Published byEmerald Lane Modified over 5 years ago

Similar presentations

Presentation on theme: "Joint work with Yong Li, Xinyu Feng, Zhong Shao and Yu Zhang"— Presentation transcript:

1 Joint work with Yong Li, Xinyu Feng, Zhong Shao and Yu Zhang
Reasoning about Optimistic Concurrency Using a Program Logic for History Ming Fu USTC & Yale Joint work with Yong Li, Xinyu Feng, Zhong Shao and Yu Zhang

2 What is Optimistic Concurrency?
Increments the shared variable x atomically: Optimistic Concurrency Ensuring data consistency by conflict detection More efficient than coarse-grained lock-based synchronization Complex, error-prone and hard to verify Pessimistic Optimistic lock x; x++; unlock x; int t; do { t = x; }while (!CAS(&x, t, t+1))

3 An Optimistic Non-blocking Stack
Top n Next n Next pop( ){ local done, next, t; done = false; while (!done) { t = Top; if (t==null) return null; next = t.Next; done = CAS(&Top, t, next); } return t; push(x){ local done, t; done = false; while(!done) { x.Next = t; done = CAS(&Top, t, x); return true; Bug#1: t might be a dangling pointer Bug#2: ABA problem leads to corrupted stacks

4 ABA Problem T1 and T2 do pops and pushes, interleaved as follows: T2:
a = pop(); c = pop(); push(a); Top B C next (removed) Top Top T1: pop() { read t read next interrupt resume CAS succeeds stack corrupted t t A A next C B B next C (removed) Timeline

5 Fix Bugs with Hazard Pointers [Michael04]
pop( ){ local done, next, t, t1; done = false; while (!done) { t = Top; if (t==null) return null; HP[tid] = t; t1 := Top; if (t == t1){ next = t.Next; done = CAS(&Top, t, next); } retireNode(t); HP[tid] = null; return t; push(x) local done, t; done = false; while(!done) { x.Next := t; done = CAS(&Top, t, x); return true; retireNode(t): local i, t; i := 1; while(i<=th_num){ if (i != tid){ t’ := HP[i]; if (t’!= t) i:= i+1; }else i:= i+1; }

6 pop( ){ local done, next, t, t1; done = false; while (!done) { t = Top; if (t==null) return null; HP[tid] = t; t1 := Top; if (t == t1){ next = t.Next; done = CAS(&Top, t, next); } retireNode(t); HP[tid] = null; return t; nodes on stack removed nodes pointed by hazard pointers reclaimable nodes HP 1 2 Top removed by 3 hazard to 3 3 tid A A A hazard to 5 4 5 C hazard to 7 6 B 7

7 Verifying Stacks with Hazard Pointers using CSL [Matthew POPL07]
History variables HP’[tid] and auxiliary codes are used for representing some temporal properties pop(){ 03 while (!done){ . . . <HP[tid] = t; HP’[tid] = Req >; <if (Top != t) continue; else HP’[tid] = Tail(t.Next) >; <next = t.Next; if (HP’[tid] != Tail(next)) HP’[tid] = Left>; <done = CAS(&Top, t, next)>; 10 } 11 } } An indirect approach to specifying historical events

8 A Program Logic for History (HLRG)
Introduces past tense temporal operators into Rely-Guarantee Reasoning! HLRG gives us the following benefit: No history variables

9 Extensions in HLRG Program Traces Trace-based Operational Semantics
Trace assertions p, q, R, G::= P | Id | p q | …

10 p q p q q q q Time p holds over the historical trace
q holds ever since

11 p = (p true) \/ p Time s0 s1 s2 s3 s4 s5 s6 p p was once true in the history, including the current trace.

12 ... p = ( p) p p p Time p holds at every step in the history s0 s1 s2

13 Rely-Guarantee Reasoning [Jones'83]
Basic judgment: R,G┝ {p} C {q} R: invariant of environment’s transitions G: invariant of the thread’s transitions p: precondition q: postcondition R/G cannot express directly the temporal properties about the subtle interaction between threads !

14 Frame Time & Invariants Rules
Basic judgment: R,G┝ {p} C {q} R/G, p, q are trace assertions (R, G)┝ {p r} C {q r} (FrameT) (R, G)┝ {p} C {q} Knowledge about history can be added when necessary! (R, G)┝ {p} C {q I’} (Inv) (R, G)┝ {p I} C {q} (R G) (I I’) Derived invariants I and I’ can be used for free!

15 point to A and CAS succeeds
Verification of pop nodes on stack removed nodes pointed by hazard pointers reclaimable nodes Shared Resources Shared = Top * Stack * RN*HP HP 1 Temporal property for each node In RN 2 removed by 3 remove(A, tid) : 3 A A HP[tid] & Top point to A and CAS succeeds Top Ishazard to 5 4 HP[tid] points to A 5 C Ishazard to 7 6 Removed by a thread t in the history and pointed by the hazard pointer of thread tid ever since B 7

16 For all other tid’ , Ishazard(A, tid’)
Verification of pop nodes on stack removed nodes pointed by hazard pointers reclaimable nodes Shared Resources Ishazard(A, tid) : HP HP[tid] & Top point to A (HP[tid] points to A) and not (tid updates Top) 1 2 removed by 3 3 retireNode(A) A A Top Ishazard to 5 4 hazardfree(A, tid) : 5 C Ishazard to 7 For all other tid’ , Ishazard(A, tid’) 6 remove(A, tid) B 7

17 Applying Inv Rule in the proof
pop( ){ if (t == t1){ {Ishazard(t,tid)} {Ishazard(t,tid) * t |-> _, _} next = t.Next; done = CAS(&Top, t, next); } retireNode(t); HP[tid] = null; return t; (R \/ G) Apply Inv rule with Invariants INV1 for avoiding Bug#1: for all t, tid, ishazard(t, tid) /\ t ≠ null => t Є Stack \/ t Є RN see CONCUR’10 paper for details!

18 Conclusion A Program Logic for History (HLRG)
R-G reasoning + past tense temporal assertions Specifying historical events directly without using history variables modular verification (frame rules over space and time) Verifying the correctness of Michael’s non-blocking stacks

19 Thank you! Questions?

Download ppt "Joint work with Yong Li, Xinyu Feng, Zhong Shao and Yu Zhang"

Similar presentations

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.

Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.
Hongjin Liang and Xinyu Feng

Hongjin Liang and Xinyu Feng
TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.

TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
An Case for an Interleaving Constrained Shared-Memory Multi-Processor Jie Yu and Satish Narayanasamy University of Michigan.

An Case for an Interleaving Constrained Shared-Memory Multi-Processor Jie Yu and Satish Narayanasamy University of Michigan.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.
Maged M. Michael, “Hazard Pointers: Safe Memory Reclamation for Lock- Free Objects” Presentation Robert T. Bauer.

Maged M. Michael, “Hazard Pointers: Safe Memory Reclamation for Lock- Free Objects” Presentation Robert T. Bauer.
Scalable Synchronous Queues By William N. Scherer III, Doug Lea, and Michael L. Scott Presented by Ran Isenberg.

Scalable Synchronous Queues By William N. Scherer III, Doug Lea, and Michael L. Scott Presented by Ran Isenberg.
Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong.

Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong.
© 2004 Goodrich, Tamassia Linked Lists1. © 2004 Goodrich, Tamassia Linked Lists2 Singly Linked List (§ 4.4.1) A singly linked list is a concrete data.

© 2004 Goodrich, Tamassia Linked Lists1. © 2004 Goodrich, Tamassia Linked Lists2 Singly Linked List (§ 4.4.1) A singly linked list is a concrete data.
An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.

An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.

Similar presentations

Ads by Google