Comparison Under Abstraction for Verifying Linearizability (slide transcript, posted 22-Dec-2015)
Comparison Under Abstraction for Verifying Linearizability
Daphna Amit, Noam Rinetzky, Mooly Sagiv (Tel Aviv University); Tom Reps (University of Wisconsin); Eran Yahav (IBM T.J. Watson Research Center)
Verification Challenge
• Unbounded dynamically-allocated concurrent data structures
  – Non-blocking stack [Treiber, '86]
  – Non-blocking queue [Michael and Scott, PODC'96]
  – …
• Challenge: automatically prove linearizability
[Figure: threads T1, T2, …, Tn operating on one concurrent data structure]
Linearizability [Herlihy and Wing, TOPLAS'90]
• Linearizable data structure
  – Sequential specification defines legal sequential executions
  – Concurrent operations allowed to be interleaved
  – Operations appear to execute atomically
    • External observer gets the illusion that each operation takes effect instantaneously at some point between its invocation and its response
[Figure: timeline of a concurrent LIFO (last in, first out) stack shared by threads T1 and T2; the operations push(4), pop():4 and push(7) overlap in time, and the same operations are shown again in the sequential order they appear to take effect]
Main Contributions
• A conservative automatic algorithm for verifying linearizability
  – Unbounded linked concurrent data structures
  – Fixed (arbitrary) number of threads
  – Implementation and experimental results
• A novel shape abstraction that allows comparison between mutable linked data structures
Our Approach
• Construct for every concurrent execution an “equivalent” sequential execution
  – Simultaneously manipulate 2 data structures
    • Concurrent data structure (manipulated by interleaved operations)
    • Sequential data structure (manipulated by atomic operations)
  – Executable sequential specification
[Figure: threads T1 and T2 acting on a concurrent stack and, alongside it, on a sequential stack]
Our Approach
• Construct for every concurrent execution an “equivalent” sequential execution
  – Compare results of matching operations
[Figure: the push(4), pop():4 and push(7) timelines of T1 and T2 on the concurrent stack, beside the sequential stack; the results of matching operations are compared]
![Page 7: Comparison Under Abstraction for Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom RepsEran Yahav Tel Aviv UniversityUniversity of Wisconsin.](https://reader030.fdocuments.in/reader030/viewer/2022032523/56649d785503460f94a5b654/html5/thumbnails/7.jpg)
Comparison under abstraction of unbounded state systems may be
possible when the difference between the systems is bounded
Why Is It Challenging?Main Observation
Show that the observable behavior along every concurrent execution trace is equivalent to that of
a corresponding sequential execution trace
Comparison between two unbounded heaps over an unbounded number of traces
of unbounded length
Comparison under abstraction
Outline
• How to construct the sequential execution? (Inspired by Flanagan, SPIN'04)
• How to compare unbounded heaps under abstraction?
Fixed Linearization Points
• Every operation has a (user-specified) fixed linearization point
  – A statement at which the operation appears to take effect
• Show that these linearization points are correct for every concurrent execution
• User may specify
  – Several (alternative) linearization points
  – Certain types of conditional linearization points
Verification of Fixed Linearization Points
• Compare each concurrent execution to a specific sequential execution
• Show that every (terminating) concurrent operation returns the same result as its sequential counterpart
[Figure: a concurrent execution and a sequential execution side by side; each concurrent operation is linked at its linearization point to its sequential counterpart and the results are compared. The two are then merged into a single conjoined execution, with the same comparison of results at each linearization point]
Treiber's Non-Blocking Stack
[Figure: a linked stack of nodes 1, 3, 4 reached from the Top pointer]
Push Operation
[Figure: push of a new node x holding 7 onto the stack 1, 3, 4; t points to the old Top node, x->n is set to t, and Top is swung to x]
The CAS in the loop is an atomic compare-and-swap: if (S->Top == t) { S->Top = x; evaluate to true; } else evaluate to false.
```c
void push(Stack S, data_type v) {
    Node x = alloc(sizeof(Node));     /* new node, not yet reachable from Top */
    x->d = v;
    Node t;
    do {
        t = S->Top;                   /* snapshot the current top */
        x->n = t;                     /* link the new node above it */
    } while (!CAS(&S->Top, t, x));    /* retry if Top moved; the successful CAS is the linearization point */
}
```
Pop Operation
[Figure: pop from the stack 1, 3, 4, 7 with Top at 7; t points to the Top node and s to its successor, Top is swung to s, and the operation returns 7]
```c
data_type pop(Stack S) {
    Node t, s;
    do {
        t = S->Top;                   /* snapshot the current top */
        if (t == NULL) return EMPTY;  /* nothing to pop */
        s = t->n;                     /* the node that will become the new top */
    } while (!CAS(&S->Top, t, s));    /* retry if Top moved; the successful CAS is the linearization point */
    data_type r = t->d;
    return r;
}
```
Example: Conjoined Execution (1)
[Figure: concurrent stack and sequential stack, both holding 1, 3. Thread T1 runs A: push(4) and thread T2 runs B: push(7); each has allocated its node x and read t = Top. A passes its linearization point, so 4 becomes the top of the concurrent stack and, atomically, of the sequential stack]
Example: Conjoined Execution (2)
1
3
1
3
7 4
x
t
Top 4 Topfailed CAS
t
7
x
7 TopTop
x
ConcurrentStack
SequentialStack
Linearization Point
B: push(7)
A: push(4)
T1 T2
Example: Conjoined Execution (3)
[Figure: A: pop() on both stacks; t points to the Top node (7) and s to its successor (4), Top is swung to s, and the concurrent and sequential pops return matching values]
Conjoined Execution
[Figure: a sequence of conjoined states, concurrent stack beside sequential stack, both starting at 1, 3; the concurrent push of 4 proceeds step by step, and at its linearization point the corresponding atomic operation is applied to the sequential stack]
Throughout conjoined execution, the two stacks remain almost isomorphic.
Outline
• How to construct the sequential execution?
• How to compare unbounded heaps under abstraction? (Delta Abstraction)
Starting Point: Canonical Abstraction [SRW'02]
[Figure: a concrete list 1, 3, 4, 7 pointed to by x and linked by n-edges is abstracted to x pointing to one node whose n-edge leads to a summary node (with a self n-edge) standing for the rest of the list]
Concretization
[Figure: the abstract structure (x, one node, a summary node) concretizes to lists of any length, for example 1, 3, 4, 7; 8, 5; and 3, 9, 2, 3, 7]
Comparison of Responses Under Abstraction
• Separate abstractions will not do
[Figure: Concrete domain: a concurrent stack 1, 3, 4, 7 and a sequential stack 1, 3, 4, 7, each with its Top. Abstract domain: abstracting each stack separately yields Top pointing to a summary node on both sides, so whether the two Top nodes hold equal values (“?=”) cannot be decided; the same abstract pair also represents concrete stacks with different contents, such as 9, 5, 3 versus 3, 3, 6, 11]
Main Idea
[Figure: concurrent stack 1, 3, 4 with a pending push of node x = 7 (t = Top) beside the sequential stack 1, 3, 4]
• Maintain a mapping between the memory layouts of the concurrent and sequential data structures
• Track precisely the part where the two layouts differ
• Abstract away the isomorphic sub-graphs
Recording Isomorphism Using Correlation Relation
[Figure: concurrent and sequential stacks 1, 3, 4, 7, with each node joined to its counterpart by the correlation relation]
• All nodes are correlated
• Correlated nodes are similar (successors also correlated or both null)
• Nodes pointed-to by Top are correlated
Isomorphism Under Delta Abstraction
[Figure: each pair of correlated, similar nodes (1,1), (3,3), (4,4), (7,7) is represented by one duo-object; both Top pointers point to the duo-object for 7]
Isomorphism Under Bounded Delta Abstraction
[Figure: the chain of similar duo-objects below the one pointed-to by Top is collapsed into a single summary duo-object]
Constructing the Correlation Relation
• Incrementally constructed during execution
• Nodes allocated by matching push operations are correlated
• Correlated nodes have equal data values
  – Show that matching pops return data values of correlated nodes
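As an added illustration, not code from the slides or the authors' tool, the conjoined execution (Verification of Fixed Linearization Points, Example: Conjoined Execution) and the correlation relation (Recording Isomorphism Using Correlation Relation, Constructing the Correlation Relation) modelled in Python: each Treiber operation is a generator that yields before its CAS, a scheduler steps threads in a chosen interleaving, the successful CAS is the fixed linearization point at which the matching atomic operation runs on the sequential stack, the results are compared, and the correlation relation built from matching pushes is checked for similarity after every step. The names `program`, `conjoined_run`, `correlated` and `seq_op` are my own.

```python
EMPTY = None                               # pop's result on an empty stack
class Node:
    def __init__(self, d, n=None):
        self.d, self.n = d, n

class Stack:
    top = None
    def cas(self, old, new):               # atomic compare-and-swap on Top
        ok = self.top is old
        self.top = new if ok else self.top
        return ok

def push(S, v):                            # Treiber push; yields before each CAS
    x = Node(v)
    while True:
        t = x.n = S.top
        yield                              # other threads may run here
        if S.cas(t, x):                    # linearization point
            return "push", v, None, x

def pop(S):                                # Treiber pop
    while True:
        t = S.top
        if t is None:
            return "pop", None, EMPTY, None
        s = t.n
        yield
        if S.cas(t, s):                    # linearization point
            return "pop", None, t.d, t

def program(S, *calls):                    # one thread: its operations in order
    for op, arg in calls:
        yield (yield from (push(S, arg) if op == "push" else pop(S)))

def seq_op(Q, op, arg):                    # executable sequential spec, atomic
    if op == "push":
        Q.top = Node(arg, Q.top)
        return None, Q.top
    t = Q.top
    Q.top = t and t.n
    return (t.d, t) if t else (EMPTY, None)

def correlated(S, Q, corr):                # reachable nodes pairwise correlated
    a, b = S.top, Q.top
    while a and b and corr.get(a) is b and a.d == b.d:
        a, b = a.n, b.n
    return a is None and b is None

def conjoined_run(S, Q, threads, schedule):
    corr, agree, invariant = {}, True, True
    for tid in schedule:                   # step one thread per schedule entry
        done = next(threads[tid], None)    # None: mid-operation or finished
        if done:                           # a linearization point was passed
            op, arg, res, node = done
            sres, snode = seq_op(Q, op, arg)
            if op == "push":
                corr[node] = snode         # matching pushes -> correlated nodes
            agree &= res == sres           # compare results of matching ops
        invariant &= correlated(S, Q, corr)
    return agree, invariant
```

The schedule ["T1", "T2", "T1", "T2", "T2", "T1", "T1"] with T1 = push(4), pop() and T2 = push(7) reproduces the slides' example, including B's failed CAS and retry.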
Conjoined Execution Under Abstraction (1)
[Figure: the abstract conjoined state: concurrent stack and sequential stack represented by similar duo-objects pointed-to by Top; T1 runs A: push(4) and T2 runs B: push(7), each with its node x and snapshot t; A passes its linearization point]
Conjoined Execution Under Abstraction (2)
[Figure: B's CAS fails (failed CAS) and B retries; after B's linearization point the new nodes are correlated and all reachable duo-objects are similar]
Conjoined Execution Under Abstraction (3)
[Figure: A: pop() on both stacks yields matching return values; the abstract state again consists of similar duo-objects]
Partial isomorphism can be maintained under abstraction, since the difference between the memory layouts is bounded.
The bounded difference may be at an unbounded distance from the root.
Experimental Results
[Figure: four bar charts per benchmark: Verification (Time, in seconds), Verification (Space, # of states), Falsification (Time, in seconds), Falsification (Space, # of states)]
Benchmarks: [1] Treiber, '86; [2] Michael and Scott, PODC'96 (NBQ: non-blocking queue; 2LQ: two-lock queue); [3] Doherty et al., FORTE'04; [4] Vafeiadis et al., PPoPP'06
Related Methods
• Manual
  – Rely-guarantee reasoning [Vafeiadis et al., PPoPP'06]
• Semi-automatic
  – Proving simulation relation between I/O Automata using PVS [Doherty et al., FORTE'04]
• Automatic
  – Proving atomicity of procedures [Wang and Stoller, PPoPP'05]
[Arrow on the slide alongside the list: “More general”]
Limitations
• User-specified guess of fixed linearization points
• User-specified fixed correlation rule
• Fixed number of threads
  – Arbitrary in theory
  – Small in practice (scalability)
• Assuming memory is garbage collected
Future Work
Summary
• A conservative automatic algorithm for verifying linearizability of unbounded linked concurrent data structures
  – Sequential specification
  – Conjoined executions
• Delta abstraction: a novel heap abstraction
  – Maintains an isomorphism between mutable linked data structures under abstraction
• Implementation and experimental results
  – Non-blocking stack [Treiber, '86]
  – Non-blocking queue [Michael and Scott, PODC'96] [Doherty et al., FORTE'04]
  – 2-lock queue [Michael and Scott, PODC'96]
  – Set with fine-grained locking [Vafeiadis et al., PPoPP'06]
Main Observation
Comparison under abstraction of unbounded state systems may be possible when the difference between the systems is bounded.
The End
MSc Thesis: www.cs.tau.ac.il/~amitdaph
Stack's Most-General Client
```c
void client(Stack S) {
    do {
        if (?) push(S, rand());   /* "?" is the slide's notation for a nondeterministic choice */
        else pop(S);
    } while (1);
}
```