verifying commit-atomicity using model checking

Verifying Commit-Atomicity Using Model Checking

Cormac FlanaganUniversity of California,Santa Cruz

Cormac Flanagan

Verifying Commit-Atomicity Using Model Checking 2

Model Checking of Software Models

// filesystem.c

void create(..) { ...}void unlink(..) { ... }

// filesystem.c


Specificationfor

filesystem.c

Specificationfor

filesystem.c

Model

Checker

filesystemmodel

filesystemmodel

ModelConstruction

Cormac Flanagan


Model Checking of Software

// filesystem.c


// filesystem.c


Specificationfor

filesystem.c

Specificationfor

filesystem.c

Model

Checker

Cormac Flanagan


Experience with Calvin Software Checker

// filesystem.c


// filesystem.c


Specificationfor

filesystem.c

Specificationfor

filesystem.c

expr

esse

d in

term

s of

concretestate

Calvin

theoremproving

x

Cormac Flanagan


Experience with Calvin Software Checker

// filesystem.c


// filesystem.c


Specificationfor

filesystem.c

Specificationfor

filesystem.c

concretestate

Calvin

theoremproving

abstractstate

AbstractionInvariant

?x

Cormac Flanagan


The Need for Atomicity

// filesystem.c


// filesystem.c


// filesystem.c


// filesystem.c


Sequential case:code inspection &testing mostly ok

Cormac Flanagan


The Need for Atomicity

// filesystem.c

atomic void create(..) { ...}atomic void unlink(..) { ... }

// filesystem.c

atomic void create(..) { ...}atomic void unlink(..) { ... }

// filesystem.c


// filesystem.c


Sequential case:code inspection &testing ok

Atomicity

Checker

Cormac Flanagan


Atomicity

Serialized execution of inc()X

oY

oacq(L)

ot=x

ox=t+1

orel(L)

oZ

o o

atomic void inc() { acq(L); int t = x; x = t+1; rel(L);}

Cormac Flanagan


Atomicity

Serialized execution of inc()

Non-serialized executions of inc()

inc() is atomic if, for every non-serialized execution, there is a serialized execution with the same overall behavior

X o

Y o

acq(L) o

t=x o

x=t+1 o

rel(L) o

Z o o

acq(L) o

X o

t=x o

Y o

x=t+1 o

Z o

rel(L) o o

acq(L) o

t=x o

X o

Y o

x=t+1 o

rel(L) o

Z o o

Cormac Flanagan


Verifying Atomicity via Reduction [Lipton 75]acq(L)

S1

X S2

t=x S3

Y S4

x=t+1 S5

Z S6

rel(L) S7

S0

Cormac Flanagan


Verifying Atomicity via Reduction

acq(L) S1

X S2

t=x S3

Y S4

x=t+1 S5

Z S6

rel(L) S7

S0

acq(L) S1

X S2

Y T3

t=x S4

x=t+1 S5

Z S6

rel(L) S7

S0

Cormac Flanagan



acq(L) S1

X S2

t=x S3

Y S4

x=t+1 S5

Z S6

rel(L) S7

S0

acq(L) S1

X S2

Y T3

t=x S4

x=t+1 S5

Z S6

rel(L) S7

S0

X T1

acq(L) S2

Y T3

t=x S4

x=t+1 S5

Z S6

rel(L) S7

S0

Cormac Flanagan



acq(L) S1

X S2

t=x S3

Y S4

x=t+1 S5

Z S6

rel(L) S7

S0

acq(L) S1

X S2

Y T3

t=x S4

x=t+1 S5

Z S6

rel(L) S7

S0

X T1

acq(L) S2

Y T3

t=x S4

x=t+1 S5

Z S6

rel(L) S7

S0

X T1

Y T2

acq(L) T3

t=x S4

x=t+1 S5

Z S6

rel(L) S7

S0

Cormac Flanagan



X T1

Y T2

acq(L) T3

t=x S4

x=t+1 S5

rel(L) T6

Z S7

S0

acq(L) S1

X S2

t=x S3

Y S4

x=t+1 S5

Z S6

rel(L) S7

S0

acq(L) S1

X S2

Y T3

t=x S4

x=t+1 S5

Z S6

rel(L) S7

S0

X T1

acq(L) S2

Y T3

t=x S4

x=t+1 S5

Z S6

rel(L) S7

S0

X T1

Y T2

acq(L) T3

t=x S4

x=t+1 S5

Z S6

rel(L) S7

S0

Cormac Flanagan


Applications of Reduction for Atomicity

Type systems for concurrency– extended Java’s type system to verify atomicity– atomicity violations in standard libraries

Dynamic checkers– atomicity widespread in Java programs

Model checking– Bogor

Cormac Flanagan


public class StringBuffer { private int count;

public synchronized int length() { return count; } public synchronized void getChars(...) { ... }

atomic public synchronized void append(StringBuffer sb){

int len = sb.length(); ... ... ... sb.getChars(...,len,...); ... }}

Example Violation: java.lang.StringBuffer

sb.length() acquires lock on sb, gets length, and releases lock

use of stale len may yield StringIndexOutOfBoundsExceptioninside getChars(...)

other threads can change sb

Cormac Flanagan


Limitations of Reduction

r:=1

T1

assumer=1

T2

L=0

T3 S4

assumer!=1

S5 S6 S7 S0

beginatomic

CAS(L,0,r)succeeds

endatomic

L=0

S4

r:=1

S1 S2 S3 S0

assumer==1

beginatomic

assumer!=1

S6 S7

endatomic

S5

CAS(L,0,r)succeeds

boolean L; // lock, 0 if not held

atomic void acquire() { boolean r := 1; while (r==1) { CAS(L,0,r); }}

Cormac Flanagan


Limitations of Reduction

boolean L; // lock, 0 if not held

atomic void acquire() { boolean r := 1; while (r==1) { CAS(L,0,r); }}

r:=1

T1

assumer=1

T2

L=0

T3

CAS(L,0,r)succeeds

T4

assumer!=1

T5 T6 S9 S0

beginatomic

endatomic

L=0r:=1

S1 S2 S3

CAS(L,0,r)fails

S4 S0

assumer==1

beginatomic

S5

assumer==1

S6

assumer!=1

S8 S9

endatomic

CAS(L,0,r)succeeds

S7

9 instructions

7 instructions

Cormac Flanagan


Commit-Atomic

Run normal and serial executions of program concurrently, on separate stores

Normal execution runs as normal– threads execute atomic blocks– each atomic block has commit point

Serial execution– runs on separate shadow store– when normal execution commits an atomic block,

serial execution runs entire atomic block serially Check two executions yield same behavior

Cormac Flanagan


Commit-Atomic

commitatomic block

...

...

Normal execution

Serial execution

comparestates

Cormac Flanagan


Preliminary Evaluation

Some small benchmarks– Bluetooth device driver• atomicity violation due to error

– Busy-waiting lock acquire• acquire1: 1 line of code in critical section• acquire100: 100 lines of code in critical

section

Hand translated to PROMELA code– Two versions, with and without commit-

atomic

Cormac Flanagan


Performance: Bluetooth device driver

Bluetooth driver benchmark

10

100

1000

10000

100000

1000000

2 3 4 5 6

Number of Threads

Siz

e o

f s

tate

sp

ac

e

Normal

Commit-Atomic

Cormac Flanagan


Performance: acquire1 and acquire100

Busy-waiting lock acquire

100

1000

10000

100000

1000000

2 3 4 5 6 7

Number of threads

Siz

e o

f sta

te s

pace

acquire1: normal

acquire1: commit-atomic

acquire100: normal

acquire100: commit-atomic

Cormac Flanagan


Related Work

Reduction – [Lipton 75, Lamport-Schneider 89, ...]

– type systems [Flanagan-Qadeer 03]

– model checking [Stoller-Cohen 03, Flanagan-Qadeer 03, Hatcliff et al 04]

– dynamic checking [Flanagan-Freund 04]

– procedure summaries [Qadeer et al 04]

Atomicity a canonical concept– Strict serializability in databases

– Linearizability for concurrent objects

– Languages: Monitors, Argus [Liskov et al 87], Avalon [Eppinger et al 91]

View consistency– [Artho-Biere-Havelund 03, von Praun-Gross 03]

Cormac Flanagan


Summary

Atomicity– concise, semantically deep partial specification

Reduction– lightweight technique for verifying atomicity

Commit-Atomicity– more general technique

Future work– combine reduction and commit-atomic– generalizing atomicity• temporal logics for determinism?

Cormac Flanagan


Future Work: Logics for Determinism?

Software checking: exploits redundancy– between program and types– between program and specification– between different traces of the same program

Do we need temporal logics for determinism?– that is, a logic where we could specify that

some traces behave like other traces– express many properties like “atomic”

Verifying Commit-Atomicity Using Model Checking

Cormac FlanaganUniversity of California,Santa Cruz

verifying commit-atomicity using model checking

Documents