Verification of obstruction-free algorithm with contention management
Niloufar Shafiei
Agenda
- The algorithm
- Correctness condition for shared objects
- Java PathFinder
- Verification challenges
- Verification
- Summary
The algorithm
- Obstruction-free deque algorithm with different contention management policies
  - AtomicLongArray
  - AtomicLong
- How should the algorithm behave? (correctness)
  - Data structure represents the abstract deque at any time
  - All operations terminate
  - No livelock or deadlock
Correctness condition for shared object implementations
- Find the linearization point

[Diagram: a timeline of push(v1), push(v2) and pop on a stack; the question ("?") is where on the timeline each operation takes effect]

[Diagram, continued: each operation's linearization point is marked with an X on the timeline, and the abstract stack at those points reads: empty, v1, v2]
Check the correctness of shared object implementation
- Find the linearization point
- Define abstract variables (abstract stack, ...)
- Change the abstract variables at linearization points
- At all linearization points, check if the abstract variables are consistent with the data structures
- In Java, insert assert(expression) atomically at linearization points
  - Synchronized block
  - Atomic block
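The recipe above, applied to the stack from the linearization diagram, as an added example that is not code from the talk or from the deque implementation it verifies. It uses java.util.concurrent.atomic.AtomicReference for the Treiber-style stack (the talk's deque uses AtomicLongArray and AtomicLong instead) and the "synchronized block" option to make the abstract-state update and the check one atomic step; the class and member names (CheckedStack, abstractStack, consistent, checkLock) are my own.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Iterator;
import java.util.concurrent.atomic.AtomicReference;

// Added example, not from the slides: a lock-free (Treiber) stack whose
// linearization points are instrumented as the talk describes. The abstract
// variable is a sequential stack; it is updated and compared with the
// concrete structure inside a synchronized block so the check is atomic.
// Values are assumed non-null (ArrayDeque rejects null).
public class CheckedStack<T> {
    private static final class Node<E> {
        final E value;
        final Node<E> next;
        Node(E value, Node<E> next) { this.value = value; this.next = next; }
    }

    private final AtomicReference<Node<T>> top = new AtomicReference<>();
    // Abstract variable: what the implementation should represent at any time.
    private final Deque<T> abstractStack = new ArrayDeque<>();
    // Makes "linearization point + abstract update + check" one atomic step.
    // Under JPF the same region could be bracketed by Verify.beginAtomic()/endAtomic().
    private final Object checkLock = new Object();

    public void push(T v) {
        while (true) {
            Node<T> old = top.get();             // may be stale by the time we CAS
            Node<T> n = new Node<>(v, old);
            synchronized (checkLock) {
                if (top.compareAndSet(old, n)) { // linearization point of a successful push
                    abstractStack.push(v);
                    assert consistent() : "push: concrete stack differs from abstract stack";
                    return;
                }
            }
            // CAS failed: another operation linearized first, so retry
        }
    }

    /** Returns the popped value, or null when the stack is empty. */
    public T pop() {
        while (true) {
            Node<T> old = top.get();
            synchronized (checkLock) {
                if (old == null) {
                    if (top.get() == null) {     // linearization point of an empty pop
                        assert abstractStack.isEmpty() : "pop: empty, but abstract stack is not";
                        return null;
                    }
                } else if (top.compareAndSet(old, old.next)) { // linearization point
                    T expected = abstractStack.pop();
                    assert expected.equals(old.value)
                        : "pop: returned " + old.value + " but abstract stack says " + expected;
                    assert consistent() : "pop: concrete stack differs from abstract stack";
                    return old.value;
                }
            }
            // stale snapshot: retry
        }
    }

    // The concrete list (top first) must equal the abstract stack (top first).
    private boolean consistent() {
        Iterator<T> it = abstractStack.iterator();
        for (Node<T> n = top.get(); n != null; n = n.next) {
            if (!it.hasNext() || !it.next().equals(n.value)) return false;
        }
        return !it.hasNext();
    }

    // The scenario from the diagram: push(v1), push(v2) racing with a pop.
    // Run with java -ea so the assertions are active.
    public static void main(String[] args) throws InterruptedException {
        CheckedStack<String> s = new CheckedStack<>();
        Thread pusher = new Thread(() -> { s.push("v1"); s.push("v2"); });
        Thread popper = new Thread(() -> System.out.println("pop -> " + s.pop()));
        pusher.start(); popper.start();
        pusher.join(); popper.join();
    }
}
```

Only the reads that take a snapshot stay outside the lock, so the retry path of the lock-free operation is still exercised; the lock merely collapses the CAS, the abstract step and the comparison into one step, which is what makes the assertion meaningful under every interleaving a model checker explores.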
Java PathFinder
- JPF model checker
  - Deadlocks
  - Invariants
  - User-defined assertions
- JPF versus Spin
  - JPF covers the Java programming language (not more than 10000 lines)
  - JPF design goal is to make it as modular and understandable as possible
  - Spin is faster than JPF
Verification challenges
- JPF does not support AtomicLongArray and AtomicLong
  - Volatile long[] and long instead
  - Synchronized methods to implement C&S
  - Warning "unprotected field access of deque"
- JPF employs partial order reduction to save space
  - For lock protection, it determines whether a field access is scheduling relevant (a transaction boundary)
  - vm.por.sync_detection=false
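What the substitution on this slide looks like in code, as an added example (not the talk's own code): stand-ins for AtomicLong and AtomicLongArray built from a volatile field or a plain array plus synchronized methods, so a JPF without java.util.concurrent.atomic support can model check the C&S the deque relies on. The class names SyncAtomics, SyncLong and SyncLongArray and the small demo are my own.

```java
// Added example, not from the slides: replacements for AtomicLong and
// AtomicLongArray using only volatile fields and synchronized methods,
// which is what the talk does to get the deque through JPF.
public final class SyncAtomics {

    /** Stand-in for AtomicLong. volatile makes an unsynchronized get() see
     *  the latest write; the read-modify-write of C&S is made atomic by the monitor. */
    public static final class SyncLong {
        private volatile long value;

        public SyncLong(long initial) { value = initial; }
        public long get() { return value; }
        public synchronized void set(long v) { value = v; }

        public synchronized boolean compareAndSet(long expect, long update) {
            if (value != expect) return false;
            value = update;
            return true;
        }
    }

    /** Stand-in for AtomicLongArray. Marking the array reference volatile would
     *  not make element accesses atomic, so every element access is synchronized. */
    public static final class SyncLongArray {
        private final long[] values;

        public SyncLongArray(int length) { values = new long[length]; }
        public int length() { return values.length; }
        public synchronized long get(int i) { return values[i]; }
        public synchronized void set(int i, long v) { values[i] = v; }

        public synchronized boolean compareAndSet(int i, long expect, long update) {
            if (values[i] != expect) return false;
            values[i] = update;
            return true;
        }
    }

    // Demo: the C&S retry loop the deque uses, run from two threads. The
    // iteration count is kept tiny so the state space stays small under JPF.
    public static void main(String[] args) throws InterruptedException {
        SyncLongArray slots = new SyncLongArray(4);
        Runnable bump = () -> {
            for (int k = 0; k < 3; k++) {
                long old;
                do { old = slots.get(0); } while (!slots.compareAndSet(0, old, old + 1));
            }
        };
        Thread a = new Thread(bump), b = new Thread(bump);
        a.start(); b.start(); a.join(); b.join();
        System.out.println("slot 0 = " + slots.get(0) + " (expected 6)");
    }
}
```

Because the synchronized methods turn every element access into a lock-protected access, JPF's partial order reduction treats them as transaction boundaries and emits the "unprotected field access" warning quoted on the slide for the remaining plain field reads; the slide's answer is the configuration line vm.por.sync_detection=false.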
State search
- JPF searches DFS
  - DFS with backtracking is most appropriate for checking liveness properties
- BFS: Search.heuristic.class = gov.nasa.jpf.search.heuristic.BFSHeuristic
Verification

Threads   Result          Number of paths (DFS - BFS)
1         No error        4
2         No error        135 - 120
3         Out of memory   >1200
Verification
- How to save memory?
  - More synchronized methods
  - Synchronized blocks and atomic blocks (Verify class)
    - Local instructions
    - At most one shared memory instruction
    - No instruction that prevents the program from reaching endAtomic(): return, break, join, if statement
Verification: atomic blocks
- Sometimes threads loop inside an atomic block
- Why were the processes killed? They needed more memory than was available

Threads   Result             Number of paths
1         Processes killed   0
2         Processes killed   0
3         Processes killed   0
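The atomic-block rules from the previous slide and the failure mode on this one, side by side, as an added example (not the talk's code): a shared counter updated by C&S, written once with the retry loop inside the block, once with a return that skips endAtomic(), and once in the recommended shape. The import assumes jpf-core's gov.nasa.jpf.vm.Verify (older JPF releases ship it as gov.nasa.jpf.jvm.Verify), which has to be on the classpath; the class and method names are my own.

```java
import gov.nasa.jpf.vm.Verify;   // assumption: jpf-core package; older releases use gov.nasa.jpf.jvm.Verify

// Added example, not from the slides: the shapes of atomic block the talk
// warns about and the one it recommends, on a counter updated by C&S.
public class AtomicBlockShapes {
    private long value;                  // shared cell, accessed only via the synchronized methods
    private volatile boolean ready;      // flag that only another thread ever sets

    private synchronized long read() { return value; }
    private synchronized boolean cas(long expect, long update) {
        if (value != expect) return false;
        value = update;
        return true;
    }

    // WRONG: a loop that waits for another thread sits inside the block.
    // Between beginAtomic() and endAtomic() no other thread is scheduled,
    // so `ready` can never become true and the block never terminates.
    long waitThenIncrement() {
        Verify.beginAtomic();
        while (!ready) { /* spin: the thread that sets ready cannot run here */ }
        long old = read();
        cas(old, old + 1);
        Verify.endAtomic();
        return old + 1;
    }

    // WRONG: the return on the success path skips endAtomic(), so the VM
    // stays in atomic mode for the rest of this thread.
    long incrementReturnInside() {
        Verify.beginAtomic();
        long old = read();
        if (cas(old, old + 1)) {
            return old + 1;              // endAtomic() is never reached here
        }
        Verify.endAtomic();
        return -1;
    }

    // RIGHT: the retry loop stays outside; the block holds local instructions
    // plus at most one shared-memory instruction, and every path reaches
    // endAtomic(). JPF still explores the interleavings between the read and
    // the C&S, which is exactly where contention management matters.
    long increment() {
        while (true) {
            long old = read();           // shared read: its own scheduling point
            long next = old + 1;         // local computation
            boolean won;
            Verify.beginAtomic();
            won = cas(old, next);        // the single shared instruction in the block
            Verify.endAtomic();
            if (won) return next;
            // lost the race: another thread linearized first, retry outside the block
        }
    }

    public static void main(String[] args) throws InterruptedException {
        AtomicBlockShapes c = new AtomicBlockShapes();
        Runnable r = () -> { for (int k = 0; k < 3; k++) c.increment(); };
        Thread a = new Thread(r), b = new Thread(r);
        a.start(); b.start(); a.join(); b.join();
        System.out.println("value = " + c.read() + " (expected 6)");
    }
}
```

The first wrong shape is the one behind this slide's table: a thread that loops inside an atomic block waiting on progress that only another thread can make never leaves the block, and the run ends with the process killed rather than with a verdict. The recommended shape keeps the block to one shared instruction, so the reduction in states comes only from merging local steps, never from hiding an interleaving.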
Verification: synchronized blocks

Threads   Result          Number of paths (DFS - BFS)
1         No error        4
2         No error        135 - 120
3         Out of memory   >1200

- Why are the results not improved? Partial order reduction
Summary
- Correctness conditions of shared objects
- Java PathFinder
- Verification of shared deque implementation with JPF
Questions?