verifying commit-atomicity using model checking
Post on 07-Jan-2016
44 Views
Preview:
DESCRIPTION
TRANSCRIPT
Verifying Commit-Atomicity Using Model Checking
Cormac FlanaganUniversity of California,Santa Cruz
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 2
Model Checking of Software Models
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
Specificationfor
filesystem.c
Specificationfor
filesystem.c
Model
Checker
filesystemmodel
filesystemmodel
ModelConstruction
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 3
Model Checking of Software
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
Specificationfor
filesystem.c
Specificationfor
filesystem.c
Model
Checker
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 4
Experience with Calvin Software Checker
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
Specificationfor
filesystem.c
Specificationfor
filesystem.c
expr
esse
d in
term
s of
concretestate
Calvin
theoremproving
x
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 5
Experience with Calvin Software Checker
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
Specificationfor
filesystem.c
Specificationfor
filesystem.c
concretestate
Calvin
theoremproving
abstractstate
AbstractionInvariant
?x
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 6
The Need for Atomicity
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
Sequential case:code inspection &testing mostly ok
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 7
The Need for Atomicity
// filesystem.c
atomic void create(..) { ...}atomic void unlink(..) { ... }
// filesystem.c
atomic void create(..) { ...}atomic void unlink(..) { ... }
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
// filesystem.c
void create(..) { ...}void unlink(..) { ... }
Sequential case:code inspection &testing ok
Atomicity
Checker
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 8
Atomicity
Serialized execution of inc()X
oY
oacq(L)
ot=x
ox=t+1
orel(L)
oZ
o o
atomic void inc() { acq(L); int t = x; x = t+1; rel(L);}
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 9
Atomicity
Serialized execution of inc()
Non-serialized executions of inc()
inc() is atomic if, for every non-serialized execution, there is a serialized execution with the same overall behavior
X o
Y o
acq(L) o
t=x o
x=t+1 o
rel(L) o
Z o o
acq(L) o
X o
t=x o
Y o
x=t+1 o
Z o
rel(L) o o
acq(L) o
t=x o
X o
Y o
x=t+1 o
rel(L) o
Z o o
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 10
Verifying Atomicity via Reduction [Lipton 75]acq(L)
S1
X S2
t=x S3
Y S4
x=t+1 S5
Z S6
rel(L) S7
S0
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 11
Verifying Atomicity via Reduction
acq(L) S1
X S2
t=x S3
Y S4
x=t+1 S5
Z S6
rel(L) S7
S0
acq(L) S1
X S2
Y T3
t=x S4
x=t+1 S5
Z S6
rel(L) S7
S0
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 12
Verifying Atomicity via Reduction
acq(L) S1
X S2
t=x S3
Y S4
x=t+1 S5
Z S6
rel(L) S7
S0
acq(L) S1
X S2
Y T3
t=x S4
x=t+1 S5
Z S6
rel(L) S7
S0
X T1
acq(L) S2
Y T3
t=x S4
x=t+1 S5
Z S6
rel(L) S7
S0
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 13
Verifying Atomicity via Reduction
acq(L) S1
X S2
t=x S3
Y S4
x=t+1 S5
Z S6
rel(L) S7
S0
acq(L) S1
X S2
Y T3
t=x S4
x=t+1 S5
Z S6
rel(L) S7
S0
X T1
acq(L) S2
Y T3
t=x S4
x=t+1 S5
Z S6
rel(L) S7
S0
X T1
Y T2
acq(L) T3
t=x S4
x=t+1 S5
Z S6
rel(L) S7
S0
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 14
Verifying Atomicity via Reduction
X T1
Y T2
acq(L) T3
t=x S4
x=t+1 S5
rel(L) T6
Z S7
S0
acq(L) S1
X S2
t=x S3
Y S4
x=t+1 S5
Z S6
rel(L) S7
S0
acq(L) S1
X S2
Y T3
t=x S4
x=t+1 S5
Z S6
rel(L) S7
S0
X T1
acq(L) S2
Y T3
t=x S4
x=t+1 S5
Z S6
rel(L) S7
S0
X T1
Y T2
acq(L) T3
t=x S4
x=t+1 S5
Z S6
rel(L) S7
S0
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 15
Applications of Reduction for Atomicity
Type systems for concurrency– extended Java’s type system to verify atomicity– atomicity violations in standard libraries
Dynamic checkers– atomicity widespread in Java programs
Model checking– Bogor
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 16
public class StringBuffer { private int count;
public synchronized int length() { return count; } public synchronized void getChars(...) { ... }
atomic public synchronized void append(StringBuffer sb){
int len = sb.length(); ... ... ... sb.getChars(...,len,...); ... }}
Example Violation: java.lang.StringBuffer
sb.length() acquires lock on sb, gets length, and releases lock
use of stale len may yield StringIndexOutOfBoundsExceptioninside getChars(...)
other threads can change sb
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 17
Limitations of Reduction
r:=1
T1
assumer=1
T2
L=0
T3 S4
assumer!=1
S5 S6 S7 S0
beginatomic
CAS(L,0,r)succeeds
endatomic
L=0
S4
r:=1
S1 S2 S3 S0
assumer==1
beginatomic
assumer!=1
S6 S7
endatomic
S5
CAS(L,0,r)succeeds
boolean L; // lock, 0 if not held
atomic void acquire() { boolean r := 1; while (r==1) { CAS(L,0,r); }}
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 18
Limitations of Reduction
boolean L; // lock, 0 if not held
atomic void acquire() { boolean r := 1; while (r==1) { CAS(L,0,r); }}
r:=1
T1
assumer=1
T2
L=0
T3
CAS(L,0,r)succeeds
T4
assumer!=1
T5 T6 S9 S0
beginatomic
endatomic
L=0r:=1
S1 S2 S3
CAS(L,0,r)fails
S4 S0
assumer==1
beginatomic
S5
assumer==1
S6
assumer!=1
S8 S9
endatomic
CAS(L,0,r)succeeds
S7
9 instructions
7 instructions
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 19
Commit-Atomic
Run normal and serial executions of program concurrently, on separate stores
Normal execution runs as normal– threads execute atomic blocks– each atomic block has commit point
Serial execution– runs on separate shadow store– when normal execution commits an atomic block,
serial execution runs entire atomic block serially Check two executions yield same behavior
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 20
Commit-Atomic
commitatomic block
...
...
Normal execution
Serial execution
comparestates
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 21
Preliminary Evaluation
Some small benchmarks– Bluetooth device driver• atomicity violation due to error
– Busy-waiting lock acquire• acquire1: 1 line of code in critical section• acquire100: 100 lines of code in critical
section
Hand translated to PROMELA code– Two versions, with and without commit-
atomic
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 22
Performance: Bluetooth device driver
Bluetooth driver benchmark
10
100
1000
10000
100000
1000000
2 3 4 5 6
Number of Threads
Siz
e o
f s
tate
sp
ac
e
Normal
Commit-Atomic
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 23
Performance: acquire1 and acquire100
Busy-waiting lock acquire
100
1000
10000
100000
1000000
2 3 4 5 6 7
Number of threads
Siz
e o
f sta
te s
pace
acquire1: normal
acquire1: commit-atomic
acquire100: normal
acquire100: commit-atomic
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 24
Related Work
Reduction – [Lipton 75, Lamport-Schneider 89, ...]
– type systems [Flanagan-Qadeer 03]
– model checking [Stoller-Cohen 03, Flanagan-Qadeer 03, Hatcliff et al 04]
– dynamic checking [Flanagan-Freund 04]
– procedure summaries [Qadeer et al 04]
Atomicity a canonical concept– Strict serializability in databases
– Linearizability for concurrent objects
– Languages: Monitors, Argus [Liskov et al 87], Avalon [Eppinger et al 91]
View consistency– [Artho-Biere-Havelund 03, von Praun-Gross 03]
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 25
Summary
Atomicity– concise, semantically deep partial specification
Reduction– lightweight technique for verifying atomicity
Commit-Atomicity– more general technique
Future work– combine reduction and commit-atomic– generalizing atomicity• temporal logics for determinism?
Cormac Flanagan
Verifying Commit-Atomicity Using Model Checking 26
Future Work: Logics for Determinism?
Software checking: exploits redundancy– between program and types– between program and specification– between different traces of the same program
Do we need temporal logics for determinism?– that is, a logic where we could specify that
some traces behave like other traces– express many properties like “atomic”
Verifying Commit-Atomicity Using Model Checking
Cormac FlanaganUniversity of California,Santa Cruz
top related