Atomizer - University of California, Santa Cruz

Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz Model Checking of Software Models Specification for filesystem.c Model Checker filesystem model // filesystem.c void create(..) { ... } void unlink(..) { ... } Cormac Flanagan   Model Construction Verifying Commit-Atomicity Using Model Checking 2 Model Checking of Software Specification for filesystem.c Model Checker // filesystem.c   void create(..) { ... } void unlink(..) { ... } Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 3 Experience with Calvin Software Checker x Specification for filesystem.c theorem proving // filesystem.c concrete state Cormac Flanagan Calvin   void create(..) { ... } void unlink(..) { ... } Verifying Commit-Atomicity Using Model Checking 4 Experience with Calvin Software Checker abstract state x Abstraction Invariant ? Specification for filesystem.c theorem proving // filesystem.c concrete state Cormac Flanagan Calvin   void create(..) { ... } void unlink(..) { ... } Verifying Commit-Atomicity Using Model Checking 5 The Need for Atomicity Sequential case: code inspection & testing mostly ok // filesystem.c void create(..) { ... } void unlink(..) { ... } // filesystem.c void create(..) { ... } void unlink(..) { ... } Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 6 The Need for Atomicity Sequential case: code inspection & testing ok // filesystem.c void create(..) { ... } void unlink(..) { ... } // filesystem.c atomic void create(..) { ... } atomic void unlink(..) { ... } Cormac Flanagan Verifying Commit-Atomicity Using Model Checking Atomicity Checker   7 Atomicity  Serialized execution of inc() o X o Y o acq(L) o t=x o x=t+1 o rel(L) o Z o atomic void inc() { acq(L); int t = x; x = t+1; rel(L); } Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 8 Atomicity  Serialized execution of inc() X o o Y o acq(L) o t=x o x=t+1 o rel(L) o Z o o rel(L) o o Z o  Non-serialized executions of inc() o acq(L) o acq(L) o X o t=x o t=x o X o Y o Y o x=t+1 o x=t+1 o Z o rel(L)  inc() is atomic if, for every non-serialized execution, there is a serialized execution with the same overall behavior Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 9 Verifying Atomicity via Reduction [Lipton 75] S0 acq(L) S1 Cormac Flanagan X S2 t=x S3 Y S4 x=t+1 S5 Verifying Commit-Atomicity Using Model Checking Z S6 rel(L) 10 S7 Verifying Atomicity via Reduction S0 S0 acq(L) acq(L) S1 S1 Cormac Flanagan X X S2 S2 t=x Y S3 T3 Y t=x S4 S4 x=t+1 x=t+1 S5 S5 Verifying Commit-Atomicity Using Model Checking Z Z S6 S6 rel(L) rel(L) 11 S7 S7 Verifying Atomicity via Reduction S0 S0 S0 acq(L) acq(L) X S1 S1 T1 Cormac Flanagan X X acq(L) S2 S2 S2 t=x Y Y S3 T3 T3 Y t=x t=x S4 S4 S4 x=t+1 x=t+1 x=t+1 S5 S5 S5 Verifying Commit-Atomicity Using Model Checking Z Z Z S6 S6 S6 rel(L) rel(L) rel(L) 12 S7 S7 S7 Verifying Atomicity via Reduction S0 S0 S0 S0 acq(L) acq(L) X X S1 S1 T1 T1 Cormac Flanagan X X acq(L) Y S2 S2 S2 T2 t=x Y Y acq(L) S3 T3 T3 T3 Y t=x t=x t=x S4 S4 S4 S4 x=t+1 x=t+1 x=t+1 x=t+1 S5 S5 S5 S5 Verifying Commit-Atomicity Using Model Checking Z Z Z Z S6 S6 S6 S6 rel(L) rel(L) rel(L) rel(L) 13 S7 S7 S7 S7 Verifying Atomicity via Reduction S0 S0 S0 S0 S0 acq(L) acq(L) X X X S1 S1 T1 T1 T1 Cormac Flanagan X X acq(L) Y Y S2 S2 S2 T2 T2 t=x Y Y acq(L) acq(L) S3 T3 T3 T3 T3 Y t=x t=x t=x t=x S4 S4 S4 S4 S4 x=t+1 x=t+1 x=t+1 x=t+1 x=t+1 S5 S5 S5 S5 S5 Verifying Commit-Atomicity Using Model Checking Z Z Z Z rel(L) S6 S6 S6 S6 T6 rel(L) rel(L) rel(L) rel(L) Z S7 S7 S7 S7 S7 14 Applications of Reduction for Atomicity  Type systems for concurrency – extended Java’s type system to verify atomicity – atomicity violations in standard libraries  Dynamic checkers – atomicity widespread in Java programs  Model checking – Bogor Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 15 Example Violation: java.lang.StringBuffer public class StringBuffer { private int count; public synchronized int length() { return count; } public synchronized void getChars(...) { ... } atomic public synchronized void append(StringBuffer sb){ int len = sb.length(); ... ... ... sb.getChars(...,len,...); ... } } Cormac Flanagan sb.length() acquires lock on sb, gets length, and releases lock other threads can change sb use of stale len may yield StringIndexOutOfBoundsException inside getChars(...) Verifying Commit-Atomicity Using Model Checking 16 Limitations of Reduction S0 begin atomic r:=1 S1 L=0 S0 T1 S2 begin atomic boolean L; assume r==1 L=0 T2 assume r!=1 CAS(L,0,r) succeeds assume r!=1 S4 S3 assume r=1 r:=1 CAS(L,0,r) succeeds T3 S4 S5 S5 S6 end atomic end atomic S6 S7 // lock, 0 if not held atomic void acquire() { boolean r := 1; while (r==1) { CAS(L,0,r); } } Cormac Flanagan Verifying Commit-Atomicity Using Model Checking S7 17 Limitations of Reduction S0 begin atomic r:=1 S1 S2 assume r==1 CAS(L,0,r) fails S4 S3 assume r==1 L=0 S5 CAS(L,0,r) assume r!=1 succeeds S6 S7 end atomic S8 S9 9 instructions L=0 S0 T1 begin atomic r:=1 T2 T3 assume r=1 CAS(L,0,r) assume r!=1 succeeds T4 T5 T6 end atomic S9 7 instructions boolean L; // lock, 0 if not held atomic void acquire() { boolean r := 1; while (r==1) { CAS(L,0,r); } } Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 18 Commit-Atomic  Run normal and serial executions of program concurrently, on separate stores  Normal execution runs as normal – threads execute atomic blocks – each atomic block has commit point  Serial execution – runs on separate shadow store – when normal execution commits an atomic block, serial execution runs entire atomic block serially  Check two executions yield same behavior Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 19 Commit-Atomic Normal execution atomic block commit ... compare states ... Serial execution Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 20 Preliminary Evaluation  Some small benchmarks – Bluetooth device driver • atomicity violation due to error – Busy-waiting lock acquire • acquire1: 1 line of code in critical section • acquire100: 100 lines of code in critical section  Hand translated to PROMELA code – Two versions, with and without commit-atomic Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 21 Performance: Bluetooth device driver Bluetooth driver benchmark 1000000 Size of state space 100000 10000 Normal Commit-Atomic 1000 100 10 2 3 4 5 6 Number of Threads Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 22 Performance: acquire1 and acquire100 Busy-waiting lock acquire 1000000 Size of state space 100000 acquire1: normal acquire1: commit-atomic 10000 acquire100: normal acquire100: commit-atomic 1000 100 2 3 4 5 6 7 Number of threads Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 23 Related Work  Reduction – [Lipton 75, Lamport-Schneider 89, ...] – type systems [Flanagan-Qadeer 03] – model checking [Stoller-Cohen 03, Flanagan-Qadeer 03, Hatcliff et al 04] – dynamic checking [Flanagan-Freund 04] – procedure summaries [Qadeer et al 04]  Atomicity a canonical concept – Strict serializability in databases – Linearizability for concurrent objects – Languages: Monitors, Argus [Liskov et al 87], Avalon [Eppinger et al 91]  View consistency – [Artho-Biere-Havelund 03, von Praun-Gross 03] Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 24 Summary  Atomicity – concise, semantically deep partial specification  Reduction – lightweight technique for verifying atomicity  Commit-Atomicity – more general technique  Future work – combine reduction and commit-atomic – generalizing atomicity • temporal logics for determinism? Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 25 Future Work: Logics for Determinism?  Software checking: exploits redundancy – between program and types – between program and specification – between different traces of the same program  Do we need temporal logics for determinism? – that is, a logic where we could specify that some traces behave like other traces – express many properties like “atomic” Cormac Flanagan Verifying Commit-Atomicity Using Model Checking 26 Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz

Atomizer - University of California, Santa Cruz

Related documents

Products

Support

Atomizer - University of California, Santa Cruz

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib