Comparison Under Abstractionfor Verifying Linearizability

Daphna Amit

Noam Rinetzky

Mooly Sagiv

Tom Reps Eran Yahav

Tel Aviv University University of Wisconsin IBM T.J. Watson Research Center

Verification Challenge

• Unbounded dynamically-allocated concurrent data structure• Non blocking stack [Treiber, '86]• Non blocking queue [Michael and Scott, PODC’96]• …

• Challenge: automatically prove linearizability

concurrentdata structure

T1 T2 Tn

...

Linearizability [Herlihy and Wing, TOPLAS'90]

• Linearizable data structure – Sequential specification defines legal sequential executions

– Concurrent operations allowed to be interleaved

– Operations appear to execute atomically• External observer gets the illusion that each operation takes effect

instantaneously at some point between its invocation and its response

time

push(4)

pop():4push(7)

push(4)

pop():4push(7)

Last In First Out

concurrent LIFO stack

T1

T2

Main Contributions

• A conservative automatic algorithm for verifying linearizability – Unbounded linked concurrent data structures– Fixed (arbitrary) number of threads– Implementation and experimental results

• A novel shape abstraction that allows comparison between mutable linked data structures

Our Approach

• Construct for every concurrent execution an “equivalent” sequential execution– Simultaneously manipulate 2 data structures

• Concurrent data structure (manipulated by interleaved operations)• Sequential data structure (manipulated by atomic operations)

– Executable sequential specification

concurrentstack

T1

T2

sequentialstack

T1

T2

Our Approach

• Construct for every concurrent execution an “equivalent” sequential execution– Compare results of matching operations

time

push(4)

pop():4push(7)

push(4) pop():4push(7)

concurrentstack

T1

T2

sequentialstack

T1

T2

Comparison under abstraction of unbounded state systems may be

possible when the difference between the systems is bounded

Why Is It Challenging?Main Observation

Show that the observable behavior along every concurrent execution trace is equivalent to that of

a corresponding sequential execution trace

Comparison between two unbounded heaps over an unbounded number of traces

of unbounded length

Comparison under abstraction

Outline

• How to construct the sequential executions?

• How to compare unbounded heaps under abstraction?

Outline

• How to construct the sequential execution?

Inspired by Flanagan, SPIN’04

• How to compare unbounded heaps under abstraction?

Fixed Linearization Points

• Every operation has a (user-specified) fixed linearization point– A statement at which the operation appears to take effect

• Show that these linearization points are correct for every concurrent execution

• User may specify– Several (alternative) linearization points

– Certain types of conditional linearization points

Verification of Fixed Linearization Points

• Compare each concurrent execution to a specific sequential execution

• Show that every (terminating) concurrent operation returns the same result as its sequential counterpart

linearizationpoint

operationConcurrent

Execution

Sequential

Execution

compare results

...

linearizationpoint

Conjoined

Execution

compare results

Treiber's Non-Blocking Stack

1

3

4Top

Push Operation

if (STop == t) STop = x; evaluate to true;else evaluate to false;

1

3

4Top

t

7

x

Top

void push (Stack S, data_type v) { Node x = alloc(sizeof(Node)); xd = v; do { Node t = STop; xn = t; } while ( ! CAS(&STop, t, x) );}

Pop Operation

1

3

4Top

s

7Top

t

return 7

data_type pop (Stack S) { do { Node t = STop; if (t == NULL) return EMPTY; Node s = tn; } while ( ! CAS(&STop, t, s) ); data_type r = td; return r;}

Example: Conjoined Execution (1)

1

3

Top 1

3

Top

7 4

x x

t

t

Top 4

x

Top

B: push(7)

A: push(4)

ConcurrentStack

SequentialStack

Linearization Point

T1 T2

Example: Conjoined Execution (2)

1

3

1

3

7 4

x

t

Top 4 Topfailed CAS

t

7

x

7 TopTop

x

ConcurrentStack

SequentialStack

Linearization Point

B: push(7)

A: push(4)

T1 T2

Example: Conjoined Execution (3)

1

3

1

3

4Top 4 Top

s

7 7 TopTop

t

s

t

matching return values

A: pop()

ConcurrentStack

SequentialStack

Linearization Point

B: push(7)

A: push(4)

T1 T2

Conjoined Execution

ConcurrentStack

SequentialStack

1

3

1

3

4

linearization

point

Top 1

3

1

3

4

Top

1

3

1

3

4Top

1

3

1

3

4Top 4

1

3

1

3

4Top 4

Top Top

Top Top

Top

Throughout conjoined execution,

two stacks remain almost isomorphic

Atomic Operation

Outline

• How to construct the sequential execution?

• How to compare unbounded heaps under abstraction?

Delta Abstraction

Starting Point: Canonical Abstraction [ SRW'02 ]

1 34x 7 nnn

xn

n

summary node

Concretization

1 34x 7 nnn

n8x 5

3 92x 3 nnn

7n

xn

n

summary node

Comparison of Responses Under Abstraction

1

3

4

7 Top

1

3

4

7Top ? ? TopTop

?=

Abstract Domain

• Separate abstractions will not do

Concrete Domain

Concurrent

Stack

Sequential

Stack

Concurrent

Stack

Sequential

Stack

9

5

3Top

3

3

6

11 Top

Main Idea

1

3

1

3

4 4 Top

t

7

x

Top

ConcurrentStack

SequentialStack

track precisely

abstract awayIsomorphic Sub-graphsMaintain a mapping

between memory layouts of concurrent and

sequential data structures

Recording Isomorphism Using Correlation Relation

1

3

1

3

4 4

7 7 TopTop

• All nodes are correlated

• Correlated nodes are similar (successors also correlated or both null)

• Nodes pointed-to by Top are correlated

Isomorphism Under Delta Abstraction

1

3

1

3

4 4

7 7 TopTopsimilar

similar

similar

similar

duo-object

Isomorphism Under Delta Abstraction

7 7 TopTopsimilar

3 3similar

1 1similar

4 4similar

duo-object

similar

summary duo-object

TopTopsimilar

Isomorphism Under Bounded Delta Abstraction

Constructing the Correlation Relation

• Incrementally constructed during execution

• Nodes allocated by matching push operations are correlated

• Correlated nodes have equal data values

– Show that matching pops return data values of correlated nodes

Conjoined Execution Under Abstraction (1)

Top Top

x x

t

t

Top

x

Top

B: push(7)

A: push(4)

ConcurrentStack

SequentialStack

Linearization Point

similar

similar

similarT1 T2

Conjoined Execution Under Abstraction (2)

x

t

Top Topfailed CAS

t

x

TopTop

x

ConcurrentStack

SequentialStack

Linearization Point

similar

similar

similar

similarB: push(7)

A: push(4)

T1 T2

Conjoined Execution Under Abstraction (3)

TopTop

matching return values

ConcurrentStack

SequentialStack

similar

similar

similar

Partial isomorphism

can be maintained under abstraction

since the difference

between the memory layouts

is bounded

A: pop()

B: push(7)

A: push(4)

Bounded difference may be at an unbounded

distance from the root

T1 T2

Experimental Results

[1] Treiber, '86

[2] Michael and Scott, PODC’96

Verification (Time)

0

2000

4000

6000

8000

10000

12000

14000

16000

[1] [2] NBQ [3] [2] 2LQ [4]

Benchmark

Sec

on

ds

Verification (Space)

0

50000

100000

150000

200000

250000

[1] [2] NBQ [3] [2] 2LQ [4]

Benchmark

# o

f S

tate

s

Falsification (Time)

0

50

100

150

200

250

[1] [1] [2]NBQ

[2]NBQ

[2]2LQ

[2]2LQ

[4]

Benchmark

Sec

on

ds

Falsification (Space)

02000400060008000

100001200014000160001800020000

[1] [1] [2]NBQ

[2]NBQ

[2]2LQ

[2]2LQ

[4]

Benchmark

# o

f S

tate

s

[3] Doherty et al., FORTE'04

[4] Vafeiadis et al., PPoPP'06

32

2 4

2

3

2

2

4

2

20,000250

16,000 250,000

Related Methods

• Manual – Rely-guarantee reasoning [Vafeiadis et al., PPoPP'06]

• Semi-automatic

– Proving simulation relation between I/O Automata using PVS[Doherty et al., FORTE'04]

• Automatic– Proving atomicity of procedures [Wang and Stoller, PPoPP'05]

More general

Limitations

• User-specified guess of fixed linearization points

• User-specified fixed correlation rule

• Fixed number of threads– Arbitrary in theory

– Small in practice (scalability)

• Assuming memory is garbage collected

Future Work

Summary

• A conservative automatic algorithm for verifying linearizability of unbounded linked concurrent data structures– Sequential specification

– Conjoined executions

• Delta abstraction: A novel heap abstraction – Maintains an isomorphism between mutable linked data structures under

abstraction

• Implementation and experimental results– Non blocking stack [Treiber, '86]

– Non blocking queue [Michael and Scott, PODC’96] [Doherty et al., FORTE'04]

– 2 lock queue [Michael and Scott, PODC’96 ]

– Set with fine grained locking [Vafeiadis et al., PPoPP'06 ]

Main Observation

Comparison under abstraction of unbounded state systems

may be possible when the difference between the systems

is bounded

The EndMSc Thesis: www.cs.tau.ac.il/~amitdaph

Stack's Most-General Client

void client (Stack S) { do {

if (?) push(S, rand());else pop(S);

} while ( 1 );}