verifying atomicity via data independence
DESCRIPTION
Verifying Atomicity via Data Independence. Ohad Shacham Yahoo Labs, Israel Eran Yahav Technion, Israel Guy Gueta Yahoo Labs, Israel Alex Aiken Stanford University, USA Nathan Bronson Stanford University, USA Mooly Sagiv Tel Aviv University, Israel Martin Vechev ETH, Zurich. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/1.jpg)
Verifying Atomicity via Data Independence
Ohad Shacham Yahoo Labs, Israel
Eran Yahav Technion, Israel
Guy Gueta Yahoo Labs, Israel
Alex Aiken Stanford University, USA
Nathan Bronson Stanford University, USA
Mooly Sagiv Tel Aviv University, Israel
Martin Vechev ETH, Zurich
![Page 2: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/2.jpg)
Concurrent Data Structures
• Writing highly concurrent data structures is complicated• Modern programming languages provide efficient
concurrent collections with atomic operations
.
.
…
……
…
…
………
![Page 3: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/3.jpg)
TOMCAT Motivating Example
attr = new HashMap();…
Attribute removeAttribute(String name){ Attribute val = null; synchronized(attr) { found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } } return val;}
TOMCAT 5*.TOMCAT 6*.
Invariant: removeAttribute(name) returns the value it removes from attr or null
attr = new ConcurrentHashMap();…
Attribute removeAttribute(String name){ Attribute val = null; /* synchronized(attr) { */ found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } /* } */ return val;}
![Page 4: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/4.jpg)
removeAttribute(“A”) {Attribute val = null;
found = attr.containsKey(“A”); if (found) {
val = attr.get(“A”);
attr.remove(“A”); } return val;
attr.put(“A”, o);
attr.remove(“A”);
o
![Page 5: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/5.jpg)
Violation Detection
• Testing Atomicity of Composed Concurrent Operation – OOPSLA’12
• Use library influence specification for POR• Many violations we found in real applications• Many were already fixed
![Page 6: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/6.jpg)
Challenge
Verifying the atomicity of composed operations
…
……
…
…
………
![Page 7: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/7.jpg)
Challenges in Verification
• What do we want to check?– Specifying software correctness
• Scalability of static checking– Large programs
• Many sources of unboundedness– Inputs– # threads– # operations
![Page 8: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/8.jpg)
Challenges in Verification
• What do we want to check?– Specifying software correctness
• Scalability of static checking– Large programs
• Many sources of unboundedness– Inputs– # threads– # operations
![Page 9: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/9.jpg)
Linearizability
• Check that composed operations are Linearizable [Herlihy & Wing, TOPLAS’90]– Returns the same result as some sequential run
![Page 10: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/10.jpg)
Linearizability removeAttribute(“A”) {
Attribute val = null;
found = attr.containsKey(“A”); if (found) {
val = attr.get(“A”);
attr.remove(“A”); } return val;
attr.put(“A”, o);
attr.remove(“A”);
attr.put(“A”, o);
attr.remove(“A”);
removeAttribute(“A”) {Attribute val = null;
found = attr.containsKey(“A”); if (found) { return val;
removeAttribute(“A”) {Attribute val = null;
found = attr.containsKey(“A”); if (found) { return val; attr.put(“A”, o);
attr.remove(“A”);
attr.put(“A”, o);
attr.remove(“A”);
removeAttribute(“A”) {Attribute val = null;
found = attr.containsKey(“A”) ; if (found) {
val = attr.get(“A”); attr.remove(“A”);
} return val;
o
o
null
null
o
null
null
o
null
null
o
null
![Page 11: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/11.jpg)
Challenges in Verification
• What do we want to check?– Specifying software correctness
• Scalability of static checking– Large programs
• Many sources of unboundedness– Inputs– # threads– # operations
![Page 12: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/12.jpg)
Modular Checking
ModularityGenerates simple traces
Base linearizability Restrict generated traces
Enables Env control
![Page 13: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/13.jpg)
removeAttribute(“A”) {Attribute val = null;
found = attr.containsKey(“A”); if (found) {
val = attr.get(“A”);
attr.remove(“A”); } return val;
attr.put(“A”, o);
attr.remove(“A”);
Modular Checking
![Page 14: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/14.jpg)
Challenges in Verification
• What do we want to check?– Specifying software correctness
• Scalability of static checking– Large programs
• Many sources of unboundedness– Inputs– # threads– # operations
![Page 15: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/15.jpg)
Modular Checking
RA(“A”)
RA(“F”)
p(“R”)
d(“R”)
d(“R”)
g(“B”)
…
![Page 16: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/16.jpg)
Modular Checking
RA(“A”)
p(“R”)
d(“R”)
d(“R”)
g(“B”)
…
![Page 17: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/17.jpg)
Modular Checking
RA(“A”)p(“A”)
d(“A”)
d(“A”)
![Page 18: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/18.jpg)
Data Independence [Wolper, POPL’86]
Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val;}
Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val;}
Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val;}
Attribute removeAttribute(String name) { Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val;}
Program behaves the same for all Inputs
![Page 19: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/19.jpg)
Data Independence for CCC
• Wolper’s definition is too restrictive for real life CCC
• We defined a data independence of linearizability for CCC
A CCC is linearizable for a single input iff it is linearizable for every input
![Page 20: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/20.jpg)
Data Independence Syntactic Rules
• Data Independence detection is in general undecidable• Syntactic rules that imply a program as data-independent
Attribute removeAttribute(String name){ Attribute val = null; found = attr.containsKey(name) ; if (found) { val = attr.get(name); attr.remove(name); } return val;}
![Page 21: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/21.jpg)
Verifying Data Independent Operations
Data independent Verified using single input
Influence CO adds one value
Map elements are bounded
Single Mutation
![Page 22: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/22.jpg)
Verifying data independent operations
• Small model reduction• Decidable when the local state is bounded• Explore all possible executions using:
– One input key and finite number of values– Influenced based environment uses single value
• Employ SPIN
![Page 23: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/23.jpg)
![Page 24: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/24.jpg)
![Page 25: Verifying Atomicity via Data Independence](https://reader036.vdocuments.net/reader036/viewer/2022070411/5681475f550346895db49ed7/html5/thumbnails/25.jpg)
Summary
• Writing concurrent data structures is hard• Employing atomic library operations is error prone• Modular linearizability checking• Leverage influence• Leverage data independence
• Prove the linearizability of several composed operations• Simple and efficient technique