Comparison Under Abstraction for Verifying Linearizability - PowerPoint PPT Presentation

1
Comparison Under Abstraction for Verifying Linearizability
Daphna Amit Noam Rinetzky Mooly Sagiv
Tom Reps
Eran Yahav
Tel Aviv University
University of Wisconsin
IBM T.J. Watson Research Center
2
Verification Challenge
[Figure: threads T1, T2, ..., Tn operating on a shared concurrent data structure]
  • Unbounded dynamically-allocated concurrent data
    structure
  • Non-blocking stack [Treiber, '86]
  • Non-blocking queue [Michael and Scott, PODC'96]
  • Challenge: automatically prove linearizability

3
Linearizability [Herlihy and Wing, TOPLAS'90]
  • Linearizable data structure
  • Sequential specification defines legal sequential
    executions
  • Concurrent operations allowed to be interleaved
  • Operations appear to execute atomically
  • External observer gets the illusion that each
    operation takes effect instantaneously at some
    point between its invocation and its response

[Figure: a last-in, first-out stack]
4
Main Contributions
  • A conservative automatic algorithm for verifying
    linearizability
  • Unbounded linked concurrent data structures
  • Fixed (arbitrary) number of threads
  • Implementation and experimental results
  • A novel shape abstraction that allows comparison
    between mutable linked data structures

5
Our Approach
  • Construct for every concurrent execution an
    equivalent sequential execution
  • Simultaneously manipulate 2 data structures
  • Concurrent data structure (manipulated by
    interleaved operations)
  • Sequential data structure (manipulated by atomic
    operations)
  • Executable sequential specification

6
Our Approach
  • Construct for every concurrent execution an
    equivalent sequential execution
  • Compare results of matching operations

7
Why Is It Challenging?
Main Observation
Show that the observable behavior along every
concurrent execution trace is equivalent to that
of a corresponding sequential execution trace
8
Outline
  • How to construct the sequential executions?
  • How to compare unbounded heaps under
    abstraction?

9
Outline
  • How to construct the sequential execution?
  • Inspired by [Flanagan, SPIN'04]
  • How to compare unbounded heaps under
    abstraction?

10
Fixed Linearization Points
  • Every operation has a (user-specified) fixed
    linearization point
  • A statement at which the operation appears to
    take effect
  • Show that these linearization points are correct
    for every concurrent execution
  • User may specify
  • Several (alternative) linearization points
  • Certain types of conditional linearization
    points

11
Verification of Fixed Linearization Points
  • Compare each concurrent execution to a specific
    sequential execution
  • Show that every (terminating) concurrent
    operation returns the same result as its
    sequential counterpart

[Figure: a Concurrent Execution and a Sequential Execution joined into a Conjoined Execution; at each operation's linearization point the sequential operation runs, and the results of the matching operations are compared]
12
Treiber's Non-Blocking Stack
[Figure: a stack whose nodes hold 3, 1 and 4, with the Top pointer]
13
Push Operation
    void push(Stack *S, data_type v) {
        Node *x = alloc(sizeof(Node));
        x->d = v;
        Node *t;
        do {
            t = S->Top;          /* read the current top */
            x->n = t;            /* link the new node in front of it */
        } while (!CAS(S->Top, t, x));   /* retry until Top is swung from t to x atomically */
    }

[Figure: the stack holding 3, 1, 4 while push runs]

CAS(S->Top, t, x) atomically does:
    if (S->Top == t) { S->Top = x; evaluate to true }
    else evaluate to false
14
Pop Operation
    data_type pop(Stack *S) {
        Node *t, *s;
        do {
            t = S->Top;          /* read the current top */
            if (t == NULL)
                return EMPTY;    /* empty stack: linearizes at this read */
            s = t->n;            /* candidate new top */
        } while (!CAS(S->Top, t, s));   /* retry until Top is swung from t to s atomically */
        data_type r = t->d;
        return r;
    }

[Figure: the stack holding 3, 1, 4, 7; pop returns 7]
15
Example Conjoined Execution (1)
[Figure: T1 executes A: push(4) and T2 executes B: push(7) on the ConcurrentStack and the SequentialStack (both initially holding 3, 1); the local pointers t and x are shown, and the Linearization Point of push(4) is marked]
16
Example Conjoined Execution (2)
[Figure (continued): B's CAS fails after A's push took effect; B retries and push(7) reaches its Linearization Point, after which both the ConcurrentStack and the SequentialStack hold 7 on top of 4, 3, 1]
17
Example Conjoined Execution (3)
[Figure (continued): A executes pop(); at its Linearization Point the ConcurrentStack and the SequentialStack produce matching return values]
18
Conjoined Execution
[Figure: successive snapshots of the ConcurrentStack and the SequentialStack along a conjoined execution; at each linearization point the corresponding Atomic Operation is applied to the sequential stack]

Throughout the conjoined execution, the two stacks remain almost isomorphic.
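The conjoined execution of slides 10 through 18, as an added example in Python that is not the authors' tool or code: every interleaving of two threads running the slides' scenario (A: push(4) then pop(); B: push(7), on a stack initially holding 3, 1) is explored, each Treiber operation is split into its steps, and at its fixed linearization point (the successful CAS, or the NULL read of Top for an empty pop) the matching atomic operation is run on the executable sequential specification. The results of matching operations are compared, as is the node-by-node data content of the two stacks. A deliberately defective push that stores Top without CAS is included, constructed here, so the check has something to reject.

```python
"""Conjoined-execution check of Treiber's stack against a sequential specification.
Added example, not the paper's tool: all interleavings of two threads are explored;
at each operation's linearization point (successful CAS, or the NULL read of Top
for an empty pop) the matching atomic spec operation runs and results are compared."""

EMPTY = None  # returned by pop on an empty stack


class Node:
    def __init__(self, d, n=None):
        self.d, self.n = d, n  # data field and next field


class ConcurrentStack:
    """Treiber's stack; cas() models an atomic compare-and-swap on Top."""
    def __init__(self):
        self.top = None

    def cas(self, expected, new):
        if self.top is not expected:  # CAS(S->Top, t, x): succeed only if Top is still t
            return False
        self.top = new
        return True

    def contents(self):  # data values, top first
        out, cur = [], self.top
        while cur is not None:
            out.append(cur.d)
            cur = cur.n
        return out


class SequentialStack:
    """Executable sequential specification: every operation is atomic."""
    def __init__(self):
        self.items = []

    def push(self, v):
        self.items.append(v)

    def pop(self):
        return self.items.pop() if self.items else EMPTY

    def contents(self):  # top first, comparable with ConcurrentStack.contents()
        return list(reversed(self.items))


def linearize(op, conc_result, spec_call, S, spec, log):
    """Linearization point: run the atomic spec operation, compare results,
    and record whether both heaps still hold the same data node by node."""
    spec_result = spec_call()
    log.append({"op": op, "results_match": conc_result == spec_result,
                "isomorphic": S.contents() == spec.contents()})


def push_steps(S, spec, v, log):
    """Treiber push as a generator; each yield is a point where another thread may run."""
    x = Node(v)
    while True:
        t = S.top
        yield
        x.n = t
        yield
        if S.cas(t, x):  # linearization point of push
            return linearize("push(%d)" % v, None, lambda: spec.push(v), S, spec, log)
        yield  # CAS failed because Top moved: retry


def racy_push_steps(S, spec, v, log):
    """Constructed defective push: a plain store instead of CAS (lost-update race)."""
    x = Node(v)
    t = S.top
    yield
    x.n = t
    yield
    S.top = x
    linearize("push(%d)" % v, None, lambda: spec.push(v), S, spec, log)


def pop_steps(S, spec, log):
    """Treiber pop as a generator, with the conditional linearization point for EMPTY."""
    while True:
        t = S.top
        if t is None:  # linearization point: Top read as NULL
            return linearize("pop()", EMPTY, spec.pop, S, spec, log)
        yield
        s = t.n
        yield
        if S.cas(t, s):  # linearization point: successful CAS
            return linearize("pop()", t.d, spec.pop, S, spec, log)
        yield


def make_threads(push_fn):
    """The slides' scenario: thread A does push(4) then pop(); thread B does push(7)."""
    def thread_a(S, spec, log):
        yield from push_fn(S, spec, 4, log)
        yield  # B may run between A's push and the first read of Top by A's pop
        yield from pop_steps(S, spec, log)

    def thread_b(S, spec, log):
        yield from push_fn(S, spec, 7, log)
    return [thread_a, thread_b]


def run(schedule, threads):
    """Replay one schedule (a sequence of thread ids) from the initial stack 3 -> 1."""
    S, spec, log = ConcurrentStack(), SequentialStack(), []
    for v in (1, 3):  # constructed initial contents, as in the slides' figures
        S.top = Node(v, S.top)
        spec.push(v)
    gens = [th(S, spec, log) for th in threads]
    alive = set(range(len(gens)))
    for i in schedule:
        try:
            next(gens[i])
        except StopIteration:
            alive.discard(i)
    return alive, log


def explore(threads):
    """DFS over every interleaving; returns (number of complete executions, violations)."""
    complete, violations, pending = 0, [], [()]
    while pending:
        sched = pending.pop()
        alive, log = run(sched, threads)
        if alive:
            pending.extend(sched + (i,) for i in sorted(alive))
            continue
        complete += 1
        violations += [(sched, e) for e in log if not (e["results_match"] and e["isomorphic"])]
    return complete, violations
```

`explore(make_threads(push_steps))` reports no violations for Treiber's stack, while `explore(make_threads(racy_push_steps))` reports interleavings in which one push is lost, which the content comparison catches even when the pop's return value happens to agree with the specification. Replaying each schedule from the initial state keeps the exploration simple; the talk's algorithm instead reasons over abstract states, which is what the delta abstraction of the later slides is for.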
19
Outline
  • How to construct the sequential execution?
  • How to compare unbounded heaps under
    abstraction?
  • Delta Abstraction

20
Starting Point: Canonical Abstraction [SRW'02]
[Figure: a linked list holding 1, 3, 4, 7, linked by n fields and pointed to by x, next to its canonical abstraction]
21
Concretization
22
Comparison of Responses Under Abstraction
  • Abstract domain
  • Separate abstractions will not do

[Figure: the ConcurrentStack and the SequentialStack in the concrete domain, and their abstractions taken separately in the abstract domain; the relation between the two abstract stacks is lost, marked '?']
23
Main Idea
[Figure: the ConcurrentStack and the SequentialStack; their isomorphic sub-graphs (nodes 3, 1, 4, pointed to by Top and t) are abstracted away, while the differing part (node 7, pointed to by x) is tracked precisely]
24
Recording Isomorphism Using Correlation Relation
[Figure: the correlation relation pairing the nodes 3, 1, 4, 7 of the ConcurrentStack with those of the SequentialStack, both pointed to by Top]
  • All nodes are correlated
  • Correlated nodes are similar (successors also
    correlated or both null)
  • Nodes pointed-to by Top are correlated

25
Isomorphism Under Delta Abstraction
[Figure: each correlated pair of nodes (3, 1, 4, 7) is marked similar and forms a duo-object; Top points to the first pair]
26
Isomorphism Under Bounded Delta Abstraction
27
Constructing the Correlation Relation
  • Incrementally constructed during execution
  • Nodes allocated by matching push operations are
    correlated
  • Correlated nodes have equal data values
  • Show that matching pops return data values of
    correlated nodes

28
Conjoined Execution Under Abstraction (1)
[Figure: the conjoined execution of T1 (A: push(4)) and T2 (B: push(7)) under abstraction; the correlated, similar part of the ConcurrentStack and the SequentialStack is summarized, and the pointers Top, t and x are kept precisely up to the Linearization Point of push(4)]
29
Conjoined Execution Under Abstraction (2)
[Figure (continued): B's failed CAS and retry under abstraction; the summarized similar part and the precise pointers Top, t and x are maintained through the Linearization Point of push(7)]
30
Conjoined Execution Under Abstraction (3)
[Figure (continued): A executes pop() under abstraction; the ConcurrentStack and the SequentialStack produce matching return values]

Partial isomorphism can be maintained under abstraction since the difference between the memory layouts is bounded.

The bounded difference may be at an unbounded distance from the root.
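The correlation relation and delta abstraction of slides 23 through 30, as an added example in Python that is a deliberate simplification of the talk's abstraction and not the authors' code: two stacks whose nodes were allocated by matching pushes are correlated node by node, a node is similar when its data equals its partner's and their successors are both null or again correlated, and maximal runs of similar nodes that no variable points to are folded into one summary entry while everything else is kept precisely. The constructed scenario is that of slide 23: thread B has read Top into t and allocated x (holding 7) with x->n = Top but has not yet performed its CAS. The size of the abstract state is the same whether the shared part holds 3 nodes or 1000, which is the point of the last two slides.

```python
"""Toy delta abstraction over a pair of correlated linked heaps.
Added example, a simplification of the talk's delta abstraction (which is built on
canonical abstraction): correlated nodes that are similar and not pointed to by any
variable are folded into one summary node 'similar*'; the bounded difference between
the two heaps is kept precisely, however far from the root it lies."""


class Node:
    def __init__(self, d, n=None):
        self.d, self.n = d, n  # data field and next field


def similar(u, corr):
    """Correlated node whose data equals its partner's and whose successors
    are either both null or correlated with each other."""
    v = corr.get(u)
    if v is None or u.d != v.d:
        return False
    if u.n is None and v.n is None:
        return True
    return u.n is not None and corr.get(u.n) is v.n


def delta_abstract(conc_vars, corr):
    """Abstract the concurrent heap relative to the sequential one: walk from every
    variable, keep non-similar or variable-pointed nodes precisely, and merge maximal
    runs of similar, unnamed nodes into a single summary entry."""
    pointed = {}
    for name, node in conc_vars.items():
        if node is not None:
            pointed.setdefault(node, []).append(name)
    out, seen = [], set()
    for name in sorted(conc_vars):
        cur = conc_vars[name]
        while cur is not None and cur not in seen:
            seen.add(cur)
            if similar(cur, corr) and cur not in pointed:
                if not out or out[-1] != "similar*":
                    out.append("similar*")  # summary node: any number of similar nodes
            else:
                out.append((cur.d, sorted(pointed.get(cur, [])), similar(cur, corr)))
            cur = cur.n
    return out


def scenario(n_shared):
    """Constructed state of slide 23: n_shared nodes pushed by matching push operations
    (hence correlated); thread B has read Top into t and allocated x holding 7 with
    x->n = Top, but has not yet performed its CAS. Requires n_shared >= 1."""
    values = [4] + [i % 10 for i in range(n_shared - 1)]  # top first; 4 stays on top
    conc_top = seq_top = None
    corr = {}
    for v in reversed(values):
        conc_top, seq_top = Node(v, conc_top), Node(v, seq_top)
        corr[conc_top] = seq_top  # nodes allocated by matching pushes are correlated
    x = Node(7, conc_top)  # allocated by push(7), not yet reachable from Top
    return {"Top": conc_top, "t": conc_top, "x": x}, corr
```

`delta_abstract(*scenario(1000))` yields `[(4, ['Top', 't'], True), 'similar*', (7, ['x'], False)]`, exactly the same three entries as for `scenario(3)`: the precise node under Top and t, one summary for the arbitrarily long similar tail, and the uncorrelated node 7 tracked precisely. Walking from every variable rather than only from Top is what keeps the node reachable through x, which is not yet part of the stack, in the abstract state.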
31
Experimental Results
[Table: experimental results for the benchmarks listed below; extracted cell values, in order: 16,000; 250,000; 2; 2; 2; 4; 3; 2; 2; 4; 3; 2; 20,000; 250]

[1] Treiber, '86   [2] Michael and Scott, PODC'96
[3] Doherty et al., FORTE'04   [4] Vafeiadis et al., PPoPP'06
32
Related Methods
  • Manual
  • Rely-guarantee reasoning [Vafeiadis et al.,
    PPoPP'06]
  • Semi-automatic
  • Proving simulation relation between I/O Automata
    using PVS [Doherty et al., FORTE'04]
  • Automatic
  • Proving atomicity of procedures [Wang and
    Stoller, PPoPP'05]
  • → More general

33
Limitations
Future Work
  • User-specified guess of fixed linearization
    points
  • User-specified fixed correlation rule
  • Fixed number of threads
  • Arbitrary in theory
  • Small in practice (scalability)
  • Assuming memory is garbage collected

34
Summary
  • A conservative automatic algorithm for verifying
    linearizability of unbounded linked concurrent
    data structures
  • Sequential specification
  • Conjoined executions
  • Delta abstraction: a novel heap abstraction
  • Maintains an isomorphism between mutable linked
    data structures under abstraction
  • Implementation and experimental results
  • Non-blocking stack [Treiber, '86]
  • Non-blocking queue [Michael and Scott, PODC'96;
    Doherty et al., FORTE'04]
  • Two-lock queue [Michael and Scott, PODC'96]
  • Set with fine-grained locking [Vafeiadis et al.,
    PPoPP'06]

35
Main Observation
36
The End
MSc Thesis www.cs.tau.ac.il/amitdaph
37
38
Stack's Most-General Client
    void client(Stack *S) {
        do {
            if (nondet())          /* nondeterministic choice; the slide shows it as '?' */
                push(S, rand());
            else
                pop(S);
        } while (1);
    }