Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hongjin Liang and Xinyu Feng

Published byAbdiel Swarbrick Modified over 9 years ago

Similar presentations

Presentation on theme: "Hongjin Liang and Xinyu Feng"— Presentation transcript:

1 Modular Verification of Linearizability with Non-Fixed Linearization Points
Hongjin Liang and Xinyu Feng Univ. of Science and Technology of China (USTC)

2 This talk: correctness of concurrent objects
Modern languages provide concurrent objects (libraries) to help program for multicore systems. void push(int v) { } int pop() { push(7); x = pop(); push(6); Concurrent objects Client code java.util.concurrent This talk: correctness of concurrent objects

3 Example: Treiber’s Non-Blocking Stack
Top v1 next vk next How to specify/prove correctness? t next v x 4 while(!b){ t := Top; x.next := t; b := cas(&Top, t, x); 8 } push(int v): 1 local b:=false, x, t; 2 x := new Node(); 3 x.data := v;

4 Linearizability Standard correctness criterion for objects O
[Herlihy & Wing’90] Standard correctness criterion for objects O All concurrent executions of O are “equivalent” to some sequential ones

5 Linearization point (LP)
Linearizability of Object O A concurrent execution of O: Thread 1: Thread 2: ret push(7) push(6) ret (7) pop() Linearization point (LP) Sequential execution time push(6), ret, push(7), ret, pop(), ret(7)

6 Is Treiber’s stack linearizable?
v1 next vk Top push(v): 1 local b:=false, x, t; 2 x := new Node(v); 3 while (!b) { 4 t := top; 5 x.next = t; 6 b = cas(&top, t, x); 7 } Not update the shared list “Fixed”: statically located in impl code Line 6: the only command that changes the list LP

7 Challenges in Verifying Linearizability
Non-fixed LPs Future-dependent LPs (e.g. lazy set, pair snapshot) LP is at a prior access, but only if a later validation succeeds  Need info from unpredictable future ? Helping (e.g. HSY elimination-backoff stack) t1 finishes t2’s opr  t2’s LP is in the code of t1  Break thread-modularity ? No program logic with formal soundness

8 Our Contributions A program logic for linearizability
Support non-fixed LPs Formal meta-theory: a new simulation A light instrumentation mechanism to help verification Verified 12 well-known algorithms Some are used in java.util.concurrent

9 lin LP Treiber’s stack O Abstract stack S Stk = v1 :: v2 :: … :: vk …
next vk Top Stk = v1 :: v2 :: … :: vk push(v): 1 local b:=false, x, t; 2 x := new Node(v); 3 while (!b) { 4 t := top; 5 x.next = t; 6 b = cas(&top, t, x); 7 } PUSH(v): Stk := v::Stk; LP

10 ? lin LP Treiber’s stack O Abstract stack S … Stk = v ::
Top next next Stk = v :: v1 :: v2 :: … :: vk v1 vk v Abstract opr PUSH(v) not done Proved it’s LP LP b := cas(&Top, t, x); if (b) linself; > 7 } < push(v): Execute abstract opr simultaneously 1 local b:=false, x, t; 2 x := new Node(v); 3 while (!b) { 4 t := Top; 5 x.next := t; Atomic block - { [PUSH(v)]  … } { []  … } Abstract opr is done

11 Basic Approach to Verify O lin S
Inspired by [Vafeiadis’ Thesis] Instrument(O) = C with linself at LPs Verify C in program logic with rules for linself New assertions [S] and [] Ensure O’s LP step corresp. to S’s single step  Not support non-fixed LPs Future-dependent LPs Helping

12 Challenge 1: Future-Dependent LP
Example: Pair Snapshot [Qadeer et al. MSR-TR ] t2: write(i, d) t1: readPair(i, j) m 1 k write(i, d) updates m[i] to a new value d readPair(i, j) intends to return snapshot of m[i] and m[j]

13 know: m[i] = (a,v) at line 4
Pair Snapshot [Qadeer et al. MSR-TR ] readPair(int i, j){ 1 local s:=false, a, b, v, w; 2 while (!s) { 3 <a := m[i].d; v := m[i].v>; 4 <b := m[j].d; w := m[j].v>; 5 <if (v = m[i].v) s := true>; 6 } 7 return (a, b); } write(int i, d){ 8 <m[i].d := d; m[i].v++>; } LP if line 5 succeeds m 1 k  Future-dependent LP Not supported by linself d know: m[i] = (a,v) at line 4 v version number Where is the LP ? Line 4? But line 5 may fail, m[i] and m[j] may be re-read

14 speculate at potential LP, keep both result and original
Solution: Try-Commit readPair(int i, j){ 1 local s:=false, a, b, v, w; 2 while (!s) { 3 <a := m[i].d; v := m[i].v;> 4 <b := m[j].d; w := m[j].v; 5 <if (v = m[i].v) { s:= true; 6 } 7 return (a, b); } speculate at potential LP, keep both result and original - { m[i] = (a, v)  [RP, (i,j)]  … } [RP, (i,j)] > trylinself; - { m[i] = (a, v)  ( [, (a,b)] )  … } } > commit( [, (a,b)] ); - { s  [, (a,b)]  s  … }

15 Challenge 2: Helping A push and a pop cancel each other
Example: Elimination Stack [Hendler et al. SPAA’04] Elimination Array L t1: push(v) v1 next vk Top t2 POP t2: pop() Find t2 is doing pop! Thread descriptor A push and a pop cancel each other

16 Challenge 2: Helping A push and a pop cancel each other
Example: Elimination Stack [Hendler et al. SPAA’04] Elimination Array L t1: push(v) v1 next vk Top t2 ret v t2: pop() When t2 comes, its job is done (helped by t1!). A push and a pop cancel each other

17 Challenge 2: Helping t1 & t2’s LPs: t1 updates L[t2]
Example: Elimination Stack [Hendler et al. SPAA’04] Elimination Array L t1: push(v) t1 & t2’s LPs: t1 updates L[t2] t2 ret v t2: pop() Need to linearize a thread other than self A push and a pop cancel each other

18 set L[t2] from “POP” to “ret v”
Solution: lin(t) t1: push(v) Elimination Array L t2: pop() t2 POP push(v): set L[t2] from “POP” to “ret v” < if (b) { lin(t1); lin(t2); } > b := cas(&L[t2], q, p); t1 & t2’s LPs

19 Solution: lin(t) ret v Elimination Array L t1: push(v) push(v):
Abstraction of L. t2 ret v POP t2: pop() - { …  (L(t2) = POP)  t1 (PUSH, v)  t2 POP  … } < if (b) { lin(t1); lin(t2); } > b := cas(&L[t2], q, p); - { b  …  (L(t2) = ret v)  …  b  … } t1   t2 (, v)

20 Our Approach to Verify O lin S
Instrument(O) = C with auxiliary cmds at LPs linself for fixed LPs try-commit for future-dependent LPs lin(t) for helping Assertions to describe abstract code & states p, q ::= … | t  S | t   | p  q | p  q Verify C in our program logic Extend an existing logic with rules for aux cmds

21 Our Logic for O lin S More rules and soundness are in the paper …
┝ {p  (t  S)} lin(t) {q * (t  )} ┝ {p} S {q} ┝ {p  (cid  S)} trylinself {( p * (cid  S) )  ( q * (cid  ) )} ┝ {p} S {q} ┝ {p  q} commit(p) {p} More rules and soundness are in the paper

22 Verified Algorithms Objects Fut. LP Helping Java Pkg (JUC)
Treiber stack HSY stack MS two-lock queue MS lock-free queue DGLM queue Lock-coupling list Optimistic list Heller et al lazy list Harris-Michael lock-free list Pair snapshot CCAS RDCSS

23 Conclusion A program logic for linearizability
A light instrumentation mechanism to help verification linself for fixed LPs lin(t) for helping try-commit for future-dependent LPs Verified 12 well-known algorithms

24 Backup Slides

25 Prophecy Variables Our Try-Commit
readPair(int i, j){ 1 local s:=false, a, b, v, w; 2 while (!s) { 3 <a := m[i].d; v := m[i].v;> 4 <b := m[j].d; w := m[j].v; 4’ if (o) linself; > 5 <if (v = m[i].v) { s := true; 6’ o =: true; } > 7 } 8 return (a, b); } No semantics for Hoare-style reasoning readPair(int i, j){ 1 local s:=false, a, b, v, w; 2 while (!s) { 3 <a := m[i].d; v := m[i].v;> 4 <b := m[j].d; w := m[j].v; 4’ trylinself; > 5 <if (v = m[i].v) { s:= true; 6’ commit(cid  (, (a,b))); } > 7 } 8 return (a, b); } Formal semantics based on set of speculations

26 Related Work Vafeiadis Turon et al. (concurrent work)
PhD Thesis : extensions of RGSep No soundness for linearizability Fut. LPs : prophecy variables without semantics [CAV’10] : automatic tool Non-fixed LPs for read-only methods only Turon et al. (concurrent work) [POPL’13] : Logical relation, no program logic [ICFP’13] : Logic, no instrumentation

27 State Model & Semantics
Concrete state:  Auxiliary state:  (set of speculations)  = {(U, ), (U’, ’), …} U = {t1  S or , …, tn  S or } : abstract state (trylinself, (, {(U, )}))  (, {(U, ), (U’, ’)}) (S, )  ’ U(cid) = S U’ = U{cid  } (commit(p), (, ))  (, ’) ’ sat p ’  

Download ppt "Hongjin Liang and Xinyu Feng"

Similar presentations

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Partially Disjunctive Shape Analysis Josh Berdine Byron Cook MSR Cambridge Tal Lev-Ami Roman Manevich Mooly Sagiv Ran Shaham Tel Aviv University Ganesan.

Partially Disjunctive Shape Analysis Josh Berdine Byron Cook MSR Cambridge Tal Lev-Ami Roman Manevich Mooly Sagiv Ran Shaham Tel Aviv University Ganesan.
Software Transactional Objects Guy Eddon Maurice Herlihy TRAMP 2007.

Software Transactional Objects Guy Eddon Maurice Herlihy TRAMP 2007.
The many faces of TM Tim Harris. Granularity Distributed, large-scale atomic actions Composable shared memory data structures Leaf shared memory data.

The many faces of TM Tim Harris. Granularity Distributed, large-scale atomic actions Composable shared memory data structures Leaf shared memory data.
Time-based Transactional Memory with Scalable Time Bases Torvald Riegel, Christof Fetzer, Pascal Felber Presented By: Michael Gendelman.

Time-based Transactional Memory with Scalable Time Bases Torvald Riegel, Christof Fetzer, Pascal Felber Presented By: Michael Gendelman.
Shape Analysis for Fine-Grained Concurrency using Thread Quantification Josh Berdine Microsoft Research Joint work with: Tal Lev-Ami, Roman Manevich, Mooly.

Shape Analysis for Fine-Grained Concurrency using Thread Quantification Josh Berdine Microsoft Research Joint work with: Tal Lev-Ami, Roman Manevich, Mooly.
Fast and Lock-Free Concurrent Priority Queues for Multi-Thread Systems Håkan Sundell Philippas Tsigas.

Fast and Lock-Free Concurrent Priority Queues for Multi-Thread Systems Håkan Sundell Philippas Tsigas.
Wait-Free Linked-Lists Shahar Timnat, Anastasia Braginsky, Alex Kogan, Erez Petrank Technion, Israel Presented by Shahar Timnat 469-+

Wait-Free Linked-Lists Shahar Timnat, Anastasia Braginsky, Alex Kogan, Erez Petrank Technion, Israel Presented by Shahar Timnat 469-+
IBM T. J. Watson Research Center Conditions for Strong Synchronization Maged Michael IBM T J Watson Research Center Joint work with: Martin Vechev, Hagit.

IBM T. J. Watson Research Center Conditions for Strong Synchronization Maged Michael IBM T J Watson Research Center Joint work with: Martin Vechev, Hagit.
Wait-Free Queues with Multiple Enqueuers and Dequeuers

Wait-Free Queues with Multiple Enqueuers and Dequeuers
QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.

QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.
Concurrent programming for dummies (and smart people too) Tim Harris & Keir Fraser.

Concurrent programming for dummies (and smart people too) Tim Harris & Keir Fraser.
Techniques for proving programs with pointers A. Tikhomirov.

Techniques for proving programs with pointers A. Tikhomirov.
Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.

Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.

TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.
Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?

Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?

Similar presentations

Ads by Google