
Verifying Atomicity via Data Independence

Verifying Atomicity via Data Independence. Ohad Shacham (Yahoo Labs, Israel); Eran Yahav (Technion, Israel); Guy Gueta (Yahoo Labs, Israel); Alex Aiken (Stanford University, USA); Nathan Bronson (Stanford University, USA); Mooly Sagiv (Tel Aviv University, Israel); Martin Vechev (ETH Zurich).


Presentation Transcript


  1. Verifying Atomicity via Data Independence. Ohad Shacham (Yahoo Labs, Israel); Eran Yahav (Technion, Israel); Guy Gueta (Yahoo Labs, Israel); Alex Aiken (Stanford University, USA); Nathan Bronson (Stanford University, USA); Mooly Sagiv (Tel Aviv University, Israel); Martin Vechev (ETH Zurich)

  2. Concurrent Data Structures. Writing highly concurrent data structures is complicated. Modern programming languages provide efficient concurrent collections with atomic operations.

  3. TOMCAT Motivating Example

  TOMCAT 5.*:

      attr = new HashMap();
      ...
      Attribute removeAttribute(String name) {
          Attribute val = null;
          synchronized (attr) {
              boolean found = attr.containsKey(name);
              if (found) {
                  val = attr.get(name);
                  attr.remove(name);
              }
          }
          return val;
      }

  TOMCAT 6.*:

      attr = new ConcurrentHashMap();
      ...
      Attribute removeAttribute(String name) {
          Attribute val = null;
          /* synchronized (attr) { */
          boolean found = attr.containsKey(name);
          if (found) {
              val = attr.get(name);
              attr.remove(name);
          }
          /* } */
          return val;
      }

  Invariant: removeAttribute(name) returns the value it removes from attr, or null.

  4. removeAttribute("A") running concurrently with an environment thread:

      removeAttribute("A") {
          Attribute val = null;
          found = attr.containsKey("A");
          if (found) {
              val = attr.get("A");
              attr.remove("A");
          }
          return val;
      }

      Environment thread:  attr.put("A", o);  attr.remove("A");

      Result returned by removeAttribute("A"): o

  5. Violation Detection
     • Testing Atomicity of Composed Concurrent Operations (OOPSLA'12)
     • Use library influence specification for POR (partial order reduction)
     • Many violations we found in real applications
     • Many were already fixed

  6. Challenge: verifying the atomicity of composed operations.

  7. Challenges in Verification
     • What do we want to check?
       • Specifying software correctness
     • Scalability of static checking
       • Large programs
       • Many sources of unboundedness: inputs, # threads, # operations

  9. Linearizability
     • Check that composed operations are linearizable [Herlihy & Wing, TOPLAS'90]
     • A linearizable operation returns the same result as some sequential run

  10. Linearizability of removeAttribute("A") under different interleavings with the environment:

      removeAttribute("A") {
          Attribute val = null;
          found = attr.containsKey("A");
          if (found) {
              val = attr.get("A");
              attr.remove("A");
          }
          return val;
      }

      Environment thread:  attr.put("A", o);  attr.remove("A");

      The slide steps through several interleavings of these operations; the return values shown for them, in slide order, are: null, o, o, null, null, o, null, null, null, o, o, null.

  12. Modular Checking. Modularity enables:
      • Environment control
      • Base linearizability
      • Restricting the generated traces
      • Generating simple traces

  13. Modular Checking

      removeAttribute("A") {
          Attribute val = null;
          found = attr.containsKey("A");
          if (found) {
              val = attr.get("A");
              attr.remove("A");
          }
          return val;
      }

      Environment thread:  attr.put("A", o);  attr.remove("A");

  15. Modular Checking. Environment trace: RA("A") g("B") p("R") RA("F") d("R") d("R") ...

  16. Modular Checking. Environment trace: RA("A") g("B") p("R") d("R") d("R") ...

  17. Modular Checking. Environment trace: RA("A") p("A") d("A") d("A")

  18. Data Independence [Wolper, POPL'86]. The slide repeats the same method for four different inputs:

      Attribute removeAttribute(String name) {
          Attribute val = null;
          found = attr.containsKey(name);
          if (found) {
              val = attr.get(name);
              attr.remove(name);
          }
          return val;
      }

      The program behaves the same for all inputs.

  19. Data Independence for CCC
      • Wolper's definition is too restrictive for real-life CCC
      • We defined data independence of linearizability for CCC: a CCC is linearizable for a single input iff it is linearizable for every input

  20. Data Independence Syntactic Rules
      • Data independence detection is in general undecidable
      • Syntactic rules that imply a program is data-independent

      Attribute removeAttribute(String name) {
          Attribute val = null;
          found = attr.containsKey(name);
          if (found) {
              val = attr.get(name);
              attr.remove(name);
          }
          return val;
      }

  21. Verifying Data Independent Operations
      • Single mutation → data independent → verified using a single input
      • CO adds one value → influence map elements are bounded

  22. Verifying data independent operations
      • Small model reduction
      • Decidable when the local state is bounded
      • Explore all possible executions using:
        • One input key and a finite number of values
        • An influence-based environment that uses a single value
      • Employ SPIN
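The following is an added example, not the tool from the talk or Tomcat's code: a small Python model of the exhaustive exploration described on slides 18 to 22, applied to the removeAttribute example of slides 3, 4 and 10. The composed operation is modelled as three separate atomic map steps (containsKey, get, remove), the environment as the put/remove pair from slide 4 with their return values recorded, and every interleaving is run from a fresh map. An outcome is flagged as a linearizability violation when no execution in which the composed operation runs as one contiguous block produces it. The "fixed" variant that returns a single ConcurrentHashMap.remove(name) is an assumption of this example, as are the key "k" and value 42 used to illustrate that renaming the input does not change the set of violations.

```python
"""Exhaustive interleaving check for a composed map operation (added example)."""
from itertools import permutations
from typing import Callable, List

Step = Callable[[dict, dict], None]  # (shared map, thread-local variables) -> None


class Thread:
    """A sequence of atomic steps plus a function that reads the thread's result."""
    def __init__(self, name: str, steps: List[Step], result: Callable[[dict], object]):
        self.name, self.steps, self.result = name, steps, result


def composed_remove_attribute(key) -> Thread:
    """Tomcat 6 shape: containsKey / get / remove as three separate atomic steps."""
    def contains(m, loc):
        loc["found"] = key in m                 # attr.containsKey(name)
    def get(m, loc):
        if loc["found"]:
            loc["val"] = m.get(key)             # attr.get(name)
    def remove(m, loc):
        if loc["found"]:
            m.pop(key, None)                    # attr.remove(name)
    return Thread("removeAttribute", [contains, get, remove], lambda loc: loc.get("val"))


def atomic_remove_attribute(key) -> Thread:
    """Assumed fix (not from the slides): one ConcurrentHashMap.remove(name) call."""
    def remove(m, loc):
        loc["val"] = m.pop(key, None)           # remove() returns the removed value
    return Thread("removeAttribute", [remove], lambda loc: loc.get("val"))


def environment(key, value) -> Thread:
    """Environment from slide 4: put(key, value) then remove(key), return values kept."""
    def put(m, loc):
        loc["put"] = m.get(key)                 # previous mapping, if any
        m[key] = value
    def remove(m, loc):
        loc["rem"] = m.pop(key, None)
    return Thread("env", [put, remove], lambda loc: (loc.get("put"), loc.get("rem")))


def run(threads, initial, schedule):
    """Execute one interleaving (a sequence of thread ids) from a copy of `initial`."""
    m = dict(initial)
    locs = [dict() for _ in threads]
    pcs = [0] * len(threads)
    for t in schedule:
        threads[t].steps[pcs[t]](m, locs[t])
        pcs[t] += 1
    return tuple(th.result(loc) for th, loc in zip(threads, locs))


def schedules(threads):
    """Every distinct interleaving that respects each thread's program order."""
    ids = [i for i, t in enumerate(threads) for _ in t.steps]
    return set(permutations(ids))


def contiguous(schedule, t):
    """True when thread t's steps form one uninterrupted block in the schedule."""
    pos = [i for i, x in enumerate(schedule) if x == t]
    return pos[-1] - pos[0] + 1 == len(pos)


def outcomes(threads, initial=None, atomic_only=False):
    initial = initial or {}
    return {run(threads, initial, s) for s in schedules(threads)
            if not atomic_only or contiguous(s, 0)}


def violations(op, env, initial=None):
    """Outcomes reachable by interleaving that no run with `op` atomic can produce."""
    ts = [op, env]
    return outcomes(ts, initial) - outcomes(ts, initial, atomic_only=True)


def rename(outs, old, new):
    """Apply a value renaming to a set of outcomes (the data-independence argument)."""
    def r(x):
        if isinstance(x, tuple):
            return tuple(r(y) for y in x)
        return new if x == old else x
    return {r(o) for o in outs}


if __name__ == "__main__":
    # Outcome shape: (removeAttribute result, (put return, remove return)).
    print("composed:", violations(composed_remove_attribute("A"), environment("A", "o")))
    print("atomic:  ", violations(atomic_remove_attribute("A"), environment("A", "o")))
    # Constructed second input: same violation set up to renaming 42 -> "o".
    print("renamed: ", rename(violations(composed_remove_attribute("k"), environment("k", 42)), 42, "o"))
```

The composed version yields exactly one non-linearizable outcome: removeAttribute returns o while the environment's remove also returns o, which is the invariant violation from slide 3 (a value returned that the operation did not itself remove). The atomic variant has an empty violation set, and running the composed version with a different key and value gives the same violations after renaming, which is what the single-input check of slide 19 relies on.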

  23. Summary
      • Writing concurrent data structures is hard
      • Employing atomic library operations is error prone
      • Modular linearizability checking
      • Leverage influence
      • Leverage data independence
      • Proved the linearizability of several composed operations
      • Simple and efficient technique