Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Introduction Transactions Dynamic Experiments Conclusion
Dynamic Reductions for Model CheckingConcurrent Software
Alfons [email protected]
Henning Gunther, Ana Sokolova and Georg Weissenbacher
Formal Methods in Systems EngineeringVienna University of Technology
March 21, 2017
Alfons Laarman (TU Wien) 1/14
Introduction Transactions Dynamic Experiments Conclusion
Reductions
Model Checking of Concurrent Software1 Explosion of interleavings2 Partial-order reduction vs Lipton reduction3 Symbolic is a challenge4 Global commutativity is needed, but a severe bottleneck
a = 1;
b = 2;
‖ x = 1;
x += 2;
x += 3;
Alfons Laarman (TU Wien) 2/14
Introduction Transactions Dynamic Experiments Conclusion
Reductions
Model Checking of Concurrent Software1 Explosion of interleavings2 Partial-order reduction vs Lipton reduction3 Symbolic is a challenge4 Global commutativity is needed, but a severe bottleneck
a = 1;
b = 2;
‖ x = 1;
x += 2;
x += 3;
Alfons Laarman (TU Wien) 2/14
Introduction Transactions Dynamic Experiments Conclusion
Reductions
Model Checking of Concurrent Software1 Explosion of interleavings2 Partial-order reduction vs Lipton reduction3 Symbolic is a challenge4 Global commutativity is needed, but a severe bottleneck
x = 1;
a = 1;
b = 2;
‖ x = 1;
x += 2;
x += 3;
Alfons Laarman (TU Wien) 2/14
Introduction Transactions Dynamic Experiments Conclusion
Lipton vs Partial-Order Reduction (POR)
l1
l2
l3
la
lb
lc
a=0;
b=2;
x=1;
y=2;
a=0;
x=1;
b=2;
x=1; a=0;
y=2;
b=2;
y=2;
x=1; a=0;
b=2;
y=2;
a=0;
x=1;
b=2;
y=2;
a,b=0,2;
x,y=1,2;
a,b=0,2;
x,y=1,2;
Alfons Laarman (TU Wien) 3/14
Introduction Transactions Dynamic Experiments Conclusion
Lipton vs Partial-Order Reduction (POR)
l1
l2
l3
la
lb
lc
a=0;
b=2;
x=1;
y=2;
a=0;
x=1;
b=2;
x=1; a=0;
y=2;
b=2;
y=2;
x=1; a=0;
b=2;
y=2;
a=0;
x=1;
b=2;
y=2;
a,b=0,2;
x,y=1,2;
a,b=0,2;
x,y=1,2;
Alfons Laarman (TU Wien) 3/14
Introduction Transactions Dynamic Experiments Conclusion
Lipton vs Partial-Order Reduction (POR)
l1
l2
l3
la
lb
lc
a=0;
b=2;
x=1;
y=2;
a=0;
x=1;
b=2;
x=1; a=0;
y=2;
b=2;
y=2;
x=1; a=0;
b=2;
y=2;
a=0;
x=1;
b=2;
y=2;
a,b=0,2;
x,y=1,2;
a,b=0,2;
x,y=1,2;
Alfons Laarman (TU Wien) 3/14
Introduction Transactions Dynamic Experiments Conclusion
Lipton vs Partial-Order Reduction (POR)
l1
l2
l3
la
lb
lc
a=0;
b=2;
x=1;
y=2;
a=0;
x=1;
b=2;
x=1; a=0;
y=2;
b=2;
y=2;
x=1; a=0;
b=2;
y=2;
a=0;
x=1;
b=2;
y=2;
a,b=0,2;
x,y=1,2;
a,b=0,2;
x,y=1,2;
Alfons Laarman (TU Wien) 3/14
Introduction Transactions Dynamic Experiments Conclusion
Transactions in databases
lock A lock B lock C UPDATE unlock C unlock B unlock A
internal
pre-phase commit post-phase
Alfons Laarman (TU Wien) 4/14
Introduction Transactions Dynamic Experiments Conclusion
Transactions in databases
lock A lock B lock C UPDATE unlock C unlock B unlock A
internal
pre-phase commit post-phase
Alfons Laarman (TU Wien) 4/14
Introduction Transactions Dynamic Experiments Conclusion
Transactions in databases
lock A lock B lock C UPDATE unlock C unlock B unlock A
internal
pre-phase commit post-phase
Alfons Laarman (TU Wien) 4/14
Introduction Transactions Dynamic Experiments Conclusion
Commutativity
Action α right commutes with β, iff α can always be delayed after β:α β ; β α
Definition (Right commutativity (→./))
σ1
α→./ β iff
σ2 σ3
α→
β→
∀σ1,σ2,σ3 :
σ1 σ4
σ3
α→β→
σ2
α→β→
⇒∃σ4 :
Example
An action both-commutes with all actions that access a disjoint set ofvariables.
A lock(/unlock) right(/right)-commutes with other lock and unlockoperations.
Definition (Right-Movability)
The action α of thread i is a right-mover, iff for all j , i :α→i→./→j
Alfons Laarman (TU Wien) 5/14
Introduction Transactions Dynamic Experiments Conclusion
Commutativity
Action α right commutes with β, iff α can always be delayed after β:α β ; β α
Definition (Right commutativity (→./))
σ1
α→./ β iff
σ2 σ3
α→
β→
∀σ1,σ2,σ3 :
σ1 σ4
σ3
α→β→
σ2
α→β→
⇒∃σ4 :
Example
An action both-commutes with all actions that access a disjoint set ofvariables.
A lock(/unlock) right(/right)-commutes with other lock and unlockoperations.
Definition (Right-Movability)
The action α of thread i is a right-mover, iff for all j , i :α→i→./→j
Alfons Laarman (TU Wien) 5/14
Introduction Transactions Dynamic Experiments Conclusion
Commutativity
Action α right commutes with β, iff α can always be delayed after β:α β ; β α
Definition (Right commutativity (→./))
σ1
α→./ β iff
σ2 σ3
α→
β→
∀σ1,σ2,σ3 :
σ1 σ4
σ3
α→β→
σ2
α→β→
⇒∃σ4 :
Example
An action both-commutes with all actions that access a disjoint set ofvariables.
A lock(/unlock) right(/right)-commutes with other lock and unlockoperations.
Definition (Right-Movability)
The action α of thread i is a right-mover, iff for all j , i :α→i→./→j
Alfons Laarman (TU Wien) 5/14
Introduction Transactions Dynamic Experiments Conclusion
Commutativity
Action α right commutes with β, iff α can always be delayed after β:α β ; β α
Definition (Right commutativity (→./))
σ1
α→./ β iff
σ2 σ3
α→
β→
∀σ1,σ2,σ3 :
σ1 σ4
σ3
α→β→
σ2
α→β→
⇒∃σ4 :
Example
An action both-commutes with all actions that access a disjoint set ofvariables.
A lock(/unlock) right(/right)-commutes with other lock and unlockoperations.
Definition (Right-Movability)
The action α of thread i is a right-mover, iff for all j , i :α→i→./→j
Alfons Laarman (TU Wien) 5/14
Introduction Transactions Dynamic Experiments Conclusion
Lipton Reduction[Lipton ’77, Lamport et al. ’89]
Lipton Reduction
A statement α1; . . . ;αn of thread i can be reduced to α1 ◦ · · · ◦αn , if for some1 ≤ k < n , and all j , i :
1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ
′ (statements after α1 do not block)
Example (A statement sequence, where x is the only global variable)
a = 1; x = 2; b = 3; c = 4;
; a, x, b, c = 1, 2, 3, 4;
x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9
Alfons Laarman (TU Wien) 6/14
Introduction Transactions Dynamic Experiments Conclusion
Lipton Reduction[Lipton ’77, Lamport et al. ’89]
Lipton Reduction
A statement α1; . . . ;αn of thread i can be reduced to α1 ◦ · · · ◦αn , if for some1 ≤ k < n , and all j , i :
1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ
′ (statements after α1 do not block)
Example (A statement sequence, where x is the only global variable)
a = 1; x = 2; b = 3; c = 4; ; a, x, b, c = 1, 2, 3, 4;
x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9
Alfons Laarman (TU Wien) 6/14
Introduction Transactions Dynamic Experiments Conclusion
Lipton Reduction[Lipton ’77, Lamport et al. ’89]
Lipton Reduction
A statement α1; . . . ;αn of thread i can be reduced to α1 ◦ · · · ◦αn , if for some1 ≤ k < n , and all j , i :
1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ
′ (statements after α1 do not block)
Example (A statement sequence, where x is the only global variable)
a = 1; x = 2; b = 3; c = 4; ; a, x, b, c = 1, 2, 3, 4;
x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9
Alfons Laarman (TU Wien) 6/14
Introduction Transactions Dynamic Experiments Conclusion
Lipton Reduction[Lipton ’77, Lamport et al. ’89]
Lipton Reduction
A statement α1; . . . ;αn of thread i can be reduced to α1 ◦ · · · ◦αn , if for some1 ≤ k < n , and all j , i :
1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ
′ (statements after α1 do not block)
Example (A statement sequence, where x is the only global variable)
a = 1; x = 2; b = 3; c = 4; ; a, x, b, c = 1, 2, 3, 4;
x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9
Alfons Laarman (TU Wien) 6/14
Introduction Transactions Dynamic Experiments Conclusion
Lipton Reduction[Lipton ’77, Lamport et al. ’89]
Lipton Reduction
A statement α1; . . . ;αn of thread i can be reduced to α1 ◦ · · · ◦αn , if for some1 ≤ k < n , and all j , i :
1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ
′ (statements after α1 do not block)
Example (A statement sequence, where x is the only global variable)
a = 1; x = 2; b = 3; c = 4; ; a, x, b, c = 1, 2, 3, 4;
x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9
Alfons Laarman (TU Wien) 6/14
Introduction Transactions Dynamic Experiments Conclusion
Lipton Reduction[Lipton ’77, Lamport et al. ’89]
Lipton Reduction
A statement α1; . . . ;αn of thread i can be reduced to α1 ◦ · · · ◦αn , if for some1 ≤ k < n , and all j , i :
1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ
′ (statements after α1 do not block)
Example (A statement sequence, where x is the only global variable)
a = 1; x = 2; b = 3; c = 4; ; a, x, b, c = 1, 2, 3, 4;
x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9
Alfons Laarman (TU Wien) 6/14
Introduction Transactions Dynamic Experiments Conclusion
Lipton Reduction[Lipton ’77, Lamport et al. ’89]
Lipton Reduction
A statement α1; . . . ;αn of thread i can be reduced to α1 ◦ · · · ◦αn , if for some1 ≤ k < n , and all j , i :
1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ
′ (statements after α1 do not block)
Example (A statement sequence, where x is the only global variable)
a = 1; x = 2; b = 3; c = 4; ; a, x, b, c = 1, 2, 3, 4;
x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4
x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9
Alfons Laarman (TU Wien) 6/14
Introduction Transactions Dynamic Experiments Conclusion
Movability is too strong a condition
1
2
3
a
b
c
a=0;
b=2;
x=1;
y=2;
0
x=y;
×
a=0;
x=1;
b=2;
x=1; a=0;
y=2;
b=2;
y=2;
x=1; a=0;
b=2;
y=2;
x,y=1,2;
x=y;
×
1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
Monotonicity is key!
Alfons Laarman (TU Wien) 7/14
Introduction Transactions Dynamic Experiments Conclusion
Movability is too strong a condition
1
2
3
a
b
c
a=0;
b=2;
x=1;
y=2;
0
x=y;
×
a=0;
x=1;
b=2;
x=1; a=0;
y=2;
b=2;
y=2;
x=1; a=0;
b=2;
y=2;
x,y=1,2;
x=y;
×
1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
Monotonicity is key!
Alfons Laarman (TU Wien) 7/14
Introduction Transactions Dynamic Experiments Conclusion
Movability is too strong a condition
1
2
3
a
b
c
a=0;
b=2;
x=1;
y=2;
0
x=y;
×
a=0;
x=1;
b=2;
x=1; a=0;
y=2;
b=2;
y=2;
x=1; a=0;
b=2;
y=2;
x,y=1,2;
x=y;
×
1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
Monotonicity is key!
Alfons Laarman (TU Wien) 7/14
Introduction Transactions Dynamic Experiments Conclusion
Movability is too strong a condition
1
2
3
a
b
c
a=0;
b=2;
x=1;
y=2;
0
x=y;
×
a=0;
x=1;
b=2;
x=1; a=0;
y=2;
b=2;
y=2;
x=1; a=0;
b=2;
y=2;
x,y=1,2;
x=y;
×
1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
Monotonicity is key!
Alfons Laarman (TU Wien) 7/14
Introduction Transactions Dynamic Experiments Conclusion
Movability is too strong a condition
1
2
3
a
b
c
a=0;
b=2;
x=1;
y=2;
0
x=y;
×
a=0;
x=1;
b=2;
x=1; a=0;
y=2;
b=2;
y=2;
x=1; a=0;
b=2;
y=2;
x,y=1,2;
x=y;
×
1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
Monotonicity is key!
Alfons Laarman (TU Wien) 7/14
Introduction Transactions Dynamic Experiments Conclusion
Movability is too strong a condition
1
2
3
a
b
c
a=0;
b=2;
x=1;
y=2;
0
x=y;
×
a=0;
x=1;
b=2;
x=1; a=0;
y=2;
b=2;
y=2;
x=1; a=0;
b=2;
y=2;
x,y=1,2;
x=y;
×1 α1, . . . ,αk−1
→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
Monotonicity is key!
Alfons Laarman (TU Wien) 7/14
Introduction Transactions Dynamic Experiments Conclusion
Movability is too strong a condition
1
2
3
a
b
c
a=0;
b=2;
x=1;
y=2;
0
x=y;
×
a=0;
x=1;
b=2;
x=1; a=0;
y=2;
b=2;
y=2;
x=1; a=0;
b=2;
y=2;
x,y=1,2;
x=y;
×1 α1, . . . ,αk−1
→./→j (pre-phase statements (before αk ) are right movers)
2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)
Monotonicity is key!
Alfons Laarman (TU Wien) 7/14
Introduction Transactions Dynamic Experiments Conclusion
Example
int *data = NULL;
void worker thread(int tid) {if (data == NULL) {int *tmp = read from disk(1024);
W: if (!CAS(&data, NULL, tmp)) free(tmp);
}for (int i = 0; i < 512; i++)
R: process(data[i + tid * 512]);
}int main () {pthread create(worker thread, 0); // T1pthread create(worker thread, 1); // T2}
Example
Other dynamic conditionsPointers / array indices that don’t change value.
Atomic Compare-And-Swap (CAS) operations to permanentlygrab resources.
Alfons Laarman (TU Wien) 8/14
Introduction Transactions Dynamic Experiments Conclusion
Example
int *data = NULL;
void worker thread(int tid) {if (data == NULL) {int *tmp = read from disk(1024);
W: if (!CAS(&data, NULL, tmp)) free(tmp);
}for (int i = 0; i < 512; i++)
R: process(data[i + tid * 512]);
}int main () {pthread create(worker thread, 0); // T1pthread create(worker thread, 1); // T2}
Example
Other dynamic conditionsPointers / array indices that don’t change value.
Atomic Compare-And-Swap (CAS) operations to permanentlygrab resources.
Alfons Laarman (TU Wien) 8/14
Introduction Transactions Dynamic Experiments Conclusion
Instrumentation with dynamic reduction
1
2
3
a=0;
b=2;
0
x=y;
a
b
c
x=1;
y=2;
pc1 , 0 pc1 = 0
x=1; x=1;
y=2; y=2;
(0,a)
(1,a) (0,al)
(1,al)(1,ar)
x=y;
pc1 =0
x=y;
pc1 ,0
�
�
�
�{2}
Definition (Dynamic both-moving conditions)
A state predicate cα is a dynamic both-moving condition for anaction α, if for all j , i :
1 (cα ‖ α→i ) ./ (cα ‖→j )
2 cα is never disabled
Example (Heuristics for other dynamic conditions)
int T[10] = {E,E,22,35,46,25,E,E,91,E};
int find-or-put(int v) {
int hash = v / 10;
for (int i = 0; i < 10; i++) {
int index = (i + hash) % 10;
if (CAS(&T[index], E, v)) {
return INSERTED;
} else if (T[index] == v)
return FOUND;
}
return TABLE_FULL;
}
int main() {
pthread_create(find-or-put, 25);
pthread_create(find-or-put, 42);
}
cα := T[index] != E
Alfons Laarman (TU Wien) 9/14
Introduction Transactions Dynamic Experiments Conclusion
Instrumentation with dynamic reduction
1
2
3
a=0;
b=2;
0
x=y;
a
al ar
bl br
cl cr
pc1 , 0 pc1 = 0
x=1; x=1;
y=2; y=2;
(0,a)
(1,a) (0,al)
(1,al)(1,ar)
x=y;
pc1 =0
x=y;
pc1 ,0
�
�
�
�{2}
Definition (Dynamic both-moving conditions)
A state predicate cα is a dynamic both-moving condition for anaction α, if for all j , i :
1 (cα ‖ α→i ) ./ (cα ‖→j )
2 cα is never disabled
Example (Heuristics for other dynamic conditions)
int T[10] = {E,E,22,35,46,25,E,E,91,E};
int find-or-put(int v) {
int hash = v / 10;
for (int i = 0; i < 10; i++) {
int index = (i + hash) % 10;
if (CAS(&T[index], E, v)) {
return INSERTED;
} else if (T[index] == v)
return FOUND;
}
return TABLE_FULL;
}
int main() {
pthread_create(find-or-put, 25);
pthread_create(find-or-put, 42);
}
cα := T[index] != E
Alfons Laarman (TU Wien) 9/14
Introduction Transactions Dynamic Experiments Conclusion
Instrumentation with dynamic reduction
1
2
3
a=0;
b=2;
0
x=y;
a
al ar
cl cr
cl cr
pc1 , 0 pc1 = 0
x=1; x=1;
y=2; y=2;
(0,a)
(1,a) (0,al)
(1,al)(1,ar)
x=y;
pc1 =0
x=y;
pc1 ,0
�
�
�
�{2}
Definition (Dynamic both-moving conditions)
A state predicate cα is a dynamic both-moving condition for anaction α, if for all j , i :
1 (cα ‖ α→i ) ./ (cα ‖→j )
2 cα is never disabled
Example (Heuristics for other dynamic conditions)
int T[10] = {E,E,22,35,46,25,E,E,91,E};
int find-or-put(int v) {
int hash = v / 10;
for (int i = 0; i < 10; i++) {
int index = (i + hash) % 10;
if (CAS(&T[index], E, v)) {
return INSERTED;
} else if (T[index] == v)
return FOUND;
}
return TABLE_FULL;
}
int main() {
pthread_create(find-or-put, 25);
pthread_create(find-or-put, 42);
}
cα := T[index] != E
Alfons Laarman (TU Wien) 9/14
Introduction Transactions Dynamic Experiments Conclusion
Instrumentation with dynamic reduction
1
2
3
a=0;
b=2;
0
x=y;
a
al ar
cl cr
cl cr
pc1 , 0 pc1 = 0
x=1; x=1;
y=2; y=2;
(0,a)
(1,a) (0,al)
(1,al)(1,ar)
x=y;
pc1 =0
x=y;
pc1 ,0
�
�
�
�{2}
Definition (Dynamic both-moving conditions)
A state predicate cα is a dynamic both-moving condition for anaction α, if for all j , i :
1 (cα ‖ α→i ) ./ (cα ‖→j )
2 cα is never disabled
Example (Heuristics for other dynamic conditions)
int T[10] = {E,E,22,35,46,25,E,E,91,E};
int find-or-put(int v) {
int hash = v / 10;
for (int i = 0; i < 10; i++) {
int index = (i + hash) % 10;
if (CAS(&T[index], E, v)) {
return INSERTED;
} else if (T[index] == v)
return FOUND;
}
return TABLE_FULL;
}
int main() {
pthread_create(find-or-put, 25);
pthread_create(find-or-put, 42);
}
cα := T[index] != E
Alfons Laarman (TU Wien) 9/14
Introduction Transactions Dynamic Experiments Conclusion
Instrumentation with dynamic reduction
1
2
3
a=0;
b=2;
0
x=y;
a
al ar
cl cr
cl cr
pc1 , 0 pc1 = 0
x=1; x=1;
y=2; y=2;
(0,a)
(1,a) (0,al)
(1,al)(1,ar)
x=y;
pc1 =0
x=y;
pc1 ,0
�
�
�
�{2}
Definition (Dynamic both-moving conditions)
A state predicate cα is a dynamic both-moving condition for anaction α, if for all j , i :
1 (cα ‖ α→i ) ./ (cα ‖→j )
2 cα is never disabled
Example (Heuristics for other dynamic conditions)
int T[10] = {E,E,22,35,46,25,E,E,91,E};
int find-or-put(int v) {
int hash = v / 10;
for (int i = 0; i < 10; i++) {
int index = (i + hash) % 10;
if (CAS(&T[index], E, v)) {
return INSERTED;
} else if (T[index] == v)
return FOUND;
}
return TABLE_FULL;
}
int main() {
pthread_create(find-or-put, 25);
pthread_create(find-or-put, 42);
}
cα := T[index] != E
Alfons Laarman (TU Wien) 9/14
Introduction Transactions Dynamic Experiments Conclusion
Instrumentation with dynamic reduction
1
2
3
a=0;
b=2;
0
x=y;
a
al ar
cl cr
cl cr
pc1 , 0 pc1 = 0
x=1; x=1;
y=2; y=2;
(0,a)
(1,a) (0,al)
(1,al)(1,ar)
x=y;
pc1 =0
x=y;
pc1 ,0
�
�
�
�{2}
Definition (Dynamic both-moving conditions)
A state predicate cα is a dynamic both-moving condition for anaction α, if for all j , i :
1 (cα ‖ α→i ) ./ (cα ‖→j )
2 cα is never disabled
Example (Heuristics for other dynamic conditions)
int T[10] = {E,E,22,35,46,25,E,E,91,E};
int find-or-put(int v) {
int hash = v / 10;
for (int i = 0; i < 10; i++) {
int index = (i + hash) % 10;
if (CAS(&T[index], E, v)) {
return INSERTED;
} else if (T[index] == v)
return FOUND;
}
return TABLE_FULL;
}
int main() {
pthread_create(find-or-put, 25);
pthread_create(find-or-put, 42);
}
cα := T[index] != E
Alfons Laarman (TU Wien) 9/14
Introduction Transactions Dynamic Experiments Conclusion
Instrumentation with dynamic reduction
1
2
3
a=0;
b=2;
0
x=y;
a
al ar
cl cr
cl cr
pc1 , 0 pc1 = 0
x=1; x=1;
y=2; y=2;
(0,a)
(1,a) (0,al)
(1,al)(1,ar)
x=y;
pc1 =0
x=y;
pc1 ,0
�
�
�
�{2}
Definition (Dynamic both-moving conditions)
A state predicate cα is a dynamic both-moving condition for anaction α, if for all j , i :
1 (cα ‖ α→i ) ./ (cα ‖→j )
2 cα is never disabled
Example (Heuristics for other dynamic conditions)
int T[10] = {E,E,22,35,46,25,E,E,91,E};
int find-or-put(int v) {
int hash = v / 10;
for (int i = 0; i < 10; i++) {
int index = (i + hash) % 10;
if (CAS(&T[index], E, v)) {
return INSERTED;
} else if (T[index] == v)
return FOUND;
}
return TABLE_FULL;
}
int main() {
pthread_create(find-or-put, 25);
pthread_create(find-or-put, 42);
}
cα := T[index] != E
Alfons Laarman (TU Wien) 9/14
Introduction Transactions Dynamic Experiments Conclusion
Instrumentation with dynamic reduction
1
2
3
a=0;
b=2;
0
x=y;
a
al ar
cl cr
cl cr
pc1 , 0 pc1 = 0
x=1; x=1;
y=2; y=2;
(0,a)
(1,a) (0,al)
(1,al)(1,ar)
x=y;
pc1 =0
x=y;
pc1 ,0
�
�
�
�{2}
Definition (Dynamic both-moving conditions)
A state predicate cα is a dynamic both-moving condition for anaction α, if for all j , i :
1 (cα ‖ α→i ) ./ (cα ‖→j )
2 cα is never disabled
Example (Heuristics for other dynamic conditions)
int T[10] = {E,E,22,35,46,25,E,E,91,E};
int find-or-put(int v) {
int hash = v / 10;
for (int i = 0; i < 10; i++) {
int index = (i + hash) % 10;
if (CAS(&T[index], E, v)) {
return INSERTED;
} else if (T[index] == v)
return FOUND;
}
return TABLE_FULL;
}
int main() {
pthread_create(find-or-put, 25);
pthread_create(find-or-put, 42);
}
cα := T[index] != E
Alfons Laarman (TU Wien) 9/14
Introduction Transactions Dynamic Experiments Conclusion
Instrumentation with dynamic reduction
1
2
3
a=0;
b=2;
0
x=y;
a
al ar
cl cr
cl cr
pc1 , 0 pc1 = 0
x=1; x=1;
y=2; y=2;
(0,a)
(1,a) (0,al)
(1,al)(1,ar)
x=y;
pc1 =0
x=y;
pc1 ,0
�
�
�
�{2}
Definition (Dynamic both-moving conditions)
A state predicate cα is a dynamic both-moving condition for anaction α, if for all j , i :
1 (cα ‖ α→i ) ./ (cα ‖→j )
2 cα is never disabled
Example (Heuristics for other dynamic conditions)
int T[10] = {E,E,22,35,46,25,E,E,91,E};
int find-or-put(int v) {
int hash = v / 10;
for (int i = 0; i < 10; i++) {
int index = (i + hash) % 10;
if (CAS(&T[index], E, v)) {
return INSERTED;
} else if (T[index] == v)
return FOUND;
}
return TABLE_FULL;
}
int main() {
pthread_create(find-or-put, 25);
pthread_create(find-or-put, 42);
}
cα := T[index] != E
Alfons Laarman (TU Wien) 9/14
Introduction Transactions Dynamic Experiments Conclusion
Movability up to bisimulation
Definition (Right-commutativity up to bisimulation (→./X ))
The transition relationα→i right-commutes with
β→j up to �X ,
notationα→i→./X
β→j , iff:
σ1
σ2 σ3β→j
α→i∀σ1,σ2,σ3 :
σ1
σ2 σ3β→j
α→i⇒∃σ ′3,σ4 :
σ4β→j
σ ′3α→
i�X
Definition (Right-movability up to bisimulation)
The action α of thread i is a right-mover up to �X , iff for all j , i :α→i→./X→j
Alfons Laarman (TU Wien) 10/14
Introduction Transactions Dynamic Experiments Conclusion
Dynamic
Transaction Reduction[Flanagan, Qadeer SoftMC’03]
Theorem (Reduction)
Let (→,S) be a transition system. For all i , j , i , let S = Ri ] Li ]Ni such that
For each thread i , there exists a thread bisimulation relation �i , and:
0 Li ‖→i ‖Ri = ∅ post does not reach pre
1 →i ‖Ri →./ →j →i into pre right commutes with→j
2 Li ‖→i←./ →j →i from post left commutes with→j
3 ∀σ ∈ Li : ∃σ ′ ∈ Ni : σ →∗i σ ′ post phases terminate
4 �i ⊆ L2j ∪R2
j ∪N2j (�i entails j -phase-equality)
Let ↪→i ,⋃
j,i Nj ‖→i (i can only transition when all j are in an externalstate).
Let ;i , Ni ‖(↪→i ‖Ni )∗ ↪→i ‖Ni (block steps skip internal states)
Suppose σ →∗ σ ′ , σ ∈ N and σ ′ ∈ N, then there is an σ ′′ ∈ N s.t. σ ↪→∗ σ ′′ .
Alfons Laarman (TU Wien) 11/14
Introduction Transactions Dynamic Experiments Conclusion
Dynamic Transaction Reduction[Gunther, Laarman, Sokolova, Weissenbacher VMCAI’17]
Theorem (Reduction)
Let (→,S) be a transition system. For all i , j , i , let S = Ri ] Li ]Ni such thatFor each thread i , there exists a thread bisimulation relation �i , and:
0 Li ‖→i ‖Ri = ∅ post does not reach pre
1 →i ‖Ri →./ {j }→j →i into pre right commutes with→j
2 Li ‖→i←./ {i ,j }→j →i from post left commutes with→j
3 ∀σ ∈ Li : ∃σ ′ ∈ Ni : σ →∗i σ ′ post phases terminate
4 �i ⊆ L2j ∪R2
j ∪N2j (�i entails j -phase-equality)
Let ↪→i ,⋃
j,i Nj ‖→i (i can only transition when all j are in an externalstate).Let ;i , Ni ‖(↪→i ‖Ni )
∗ ↪→i ‖Ni (block steps skip internal states)Suppose σ →∗ σ ′ , σ ∈ N and σ ′ ∈ N, then there is an σ ′′ ∈ N s.t. σ ;∗ σ ′′ .
Alfons Laarman (TU Wien) 11/14
Introduction Transactions Dynamic Experiments Conclusion
Complete instrumentation
Gi , (Vi ,δi ) V ′i ,δ′ in G ′i (pictured)
∀(la ,α, lb ) ∈ δi : lNalRblLb
cα ‖α¬cα ‖α
∀(la ,α, lb ) ∈ δi : lR′
a
lRblLb
cα ‖α¬cα ‖α
∀la ∈ Vi : lRa lR′
atrue
∀la ∈ Vi \ LFS i : lLalL′
a
lNa
c(la)
¬c(la )with c(la) ,∧
(la ,α,lb )∈δi cα
∀(la ,α, lb ) ∈ δi , la ∈ Vi \ LFS i : lL′
a lLbα
∀la ∈ LFS i : lLa lNatrue
l2
l1
α β lN2lN1 lL2lL1 lL′
2lL′
1 lR2lR1 lR′
2lR′
1
cα ‖ α
¬c α‖α
c α‖α
¬c α‖α
cβ ‖β
¬cβ ‖βcβ‖β
¬c β‖β
truetrue c(l2)¬c(l2)
αβ
true
Alfons Laarman (TU Wien) 12/14
Introduction Transactions Dynamic Experiments Conclusion
Complete instrumentation
Gi , (Vi ,δi ) V ′i ,δ′ in G ′i (pictured)
∀(la ,α, lb ) ∈ δi : lNalRblLb
cα ‖α¬cα ‖α
∀(la ,α, lb ) ∈ δi : lR′
a
lRblLb
cα ‖α¬cα ‖α
∀la ∈ Vi : lRa lR′
atrue
∀la ∈ Vi \ LFS i : lLalL′
a
lNa
c(la)
¬c(la )with c(la) ,∧
(la ,α,lb )∈δi cα
∀(la ,α, lb ) ∈ δi , la ∈ Vi \ LFS i : lL′
a lLbα
∀la ∈ LFS i : lLa lNatrue
l2
l1
α β lN2lN1 lL2lL1 lL′
2lL′
1 lR2lR1 lR′
2lR′
1
cα ‖ α
¬c α‖α
c α‖α
¬c α‖α
cβ ‖β
¬cβ ‖βcβ‖β
¬c β‖β
truetrue c(l2)¬c(l2)
αβ
true
Alfons Laarman (TU Wien) 12/14
Introduction Transactions Dynamic Experiments Conclusion
VVTVienna Verification Tool [Gunther, Laarman, Weissenbacher SVCOMP’16]
http://vvt.forsyte.at/ (open source)
BMC with all dynamic reductions (BMC-dyn in the graphs);
BMC with only static reductions (BMC-phase);
IC3 with all dynamic reductions (IC3-dyn); and
IC3 with only static reductions (IC3-phase).
1 2 3 4 5 6 7 8
050
015
0025
0035
00
#Threads
Tim
e(s)
● ●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
1 2 3 4 5 6 7 8
050
015
0025
0035
00
#Threads
Tim
e(s)
● ● ●
●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
Lazy initialization Dynamic locking
1 2 3 4 5
050
015
0025
0035
00
#Threads
Tim
e(s)
● ● ●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
1 2 3 4 5 6 7
#Threads
●
●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
1 2 3 4 5 6 7 8 9
#Threads
● ● ● ●
●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
Hash table reads/writes Hash table reads Hash table writes
Alfons Laarman (TU Wien) 13/14
Introduction Transactions Dynamic Experiments Conclusion
VVTVienna Verification Tool [Gunther, Laarman, Weissenbacher SVCOMP’16]
http://vvt.forsyte.at/ (open source)
BMC with all dynamic reductions (BMC-dyn in the graphs);
BMC with only static reductions (BMC-phase);
IC3 with all dynamic reductions (IC3-dyn); and
IC3 with only static reductions (IC3-phase).
1 2 3 4 5 6 7 8
050
015
0025
0035
00
#Threads
Tim
e(s)
● ●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
1 2 3 4 5 6 7 8
050
015
0025
0035
00
#Threads
Tim
e(s)
● ● ●
●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
Lazy initialization Dynamic locking
1 2 3 4 5
050
015
0025
0035
00
#Threads
Tim
e(s)
● ● ●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
1 2 3 4 5 6 7
#Threads
●
●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
1 2 3 4 5 6 7 8 9
#Threads
● ● ● ●
●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
Hash table reads/writes Hash table reads Hash table writes
Alfons Laarman (TU Wien) 13/14
Introduction Transactions Dynamic Experiments Conclusion
VVTVienna Verification Tool [Gunther, Laarman, Weissenbacher SVCOMP’16]
http://vvt.forsyte.at/ (open source)
BMC with all dynamic reductions (BMC-dyn in the graphs);
BMC with only static reductions (BMC-phase);
IC3 with all dynamic reductions (IC3-dyn); and
IC3 with only static reductions (IC3-phase).
1 2 3 4 5 6 7 8
050
015
0025
0035
00
#Threads
Tim
e(s)
● ●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
1 2 3 4 5 6 7 8
050
015
0025
0035
00
#Threads
Tim
e(s)
● ● ●
●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
Lazy initialization Dynamic locking
1 2 3 4 5
050
015
0025
0035
00
#Threads
Tim
e(s)
● ● ●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
1 2 3 4 5 6 7
#Threads
●
●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
1 2 3 4 5 6 7 8 9
#Threads
● ● ● ●
●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
Hash table reads/writes Hash table reads Hash table writes
Alfons Laarman (TU Wien) 13/14
Introduction Transactions Dynamic Experiments Conclusion
VVTVienna Verification Tool [Gunther, Laarman, Weissenbacher SVCOMP’16]
http://vvt.forsyte.at/ (open source)
BMC with all dynamic reductions (BMC-dyn in the graphs);
BMC with only static reductions (BMC-phase);
IC3 with all dynamic reductions (IC3-dyn); and
IC3 with only static reductions (IC3-phase).
1 2 3 4 5 6 7 8
050
015
0025
0035
00
#Threads
Tim
e(s)
● ●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
1 2 3 4 5 6 7 8
050
015
0025
0035
00
#Threads
Tim
e(s)
● ● ●
●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
Lazy initialization Dynamic locking
1 2 3 4 5
050
015
0025
0035
00
#Threads
Tim
e(s)
● ● ●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
1 2 3 4 5 6 7
#Threads
●
●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
1 2 3 4 5 6 7 8 9
#Threads
● ● ● ●
●
●
BMC−dynBMC−phaseIC3−dynIC3−phase
Hash table reads/writes Hash table reads Hash table writes
Alfons Laarman (TU Wien) 13/14
Introduction Transactions Dynamic Experiments Conclusion
Conclusions
ContributionsDynamic movers as in stubborn set POR
“Straight-forward” instrumentation and encoding
Dynamic mover conditions are suitable for symbolic modelchecking
Open Questions
Is a weaker reduction theorem possible?
How do transactions compare to POR?
Alfons Laarman (TU Wien) 14/14
Introduction Transactions Dynamic Experiments Conclusion
Conclusions
ContributionsDynamic movers as in stubborn set POR
“Straight-forward” instrumentation and encoding
Dynamic mover conditions are suitable for symbolic modelchecking
Open Questions
Is a weaker reduction theorem possible?
How do transactions compare to POR?
Alfons Laarman (TU Wien) 14/14