Model Checking Linearizability via Refinement
Model Checking Linearizability
via Refinement
Yang LIU, Wei CHEN, Yanhong A. LIU, and Jun SUN
ICFEM 2008
1
PAT: Process Analysis Toolkit
PAT is a self-contained environment for system specification,
visualized simulation and automated verification.
http://www.patroot.com
2
Model Checking Linearizability via Refinement
Summary about PAT
• Main Features
–MC fairness enhanced systems (vs Spin)
• Process Counter Abstraction
–Refinement checking (vs FDR)
–MC Real-time systems (vs Uppaal)
• Applications
–MC Self-stablizing population protocol model
–Verification of linearizability (this talk)
–Web service conformance checking
• June 2007 to Nov 2009
–C#, 1 million LOC
–Visual Studio like GUI
–500+ downloads, 100+ organization, 29 countries/regions
–3 Modules: CSP, RTS and WS
–50+ build-in examples
3
Model Checking Linearizability via Refinement
On-going and future Works
• New modules
–UML, security, sensor network and privacy??
• Symbolic representation techniques, e.g. BDD
• Reduction and abstraction techniques
• Probabilistic model checking techniques
Model Checking Linearizability via Refinement
Outline
•Motivations and Overview
•Background
–Shared Memory Model
–Linearizability Definitions
•Linearizability as Refinement Relations
•Verification of Linearizability
•Experiments
•Related Work
•Conclusion and Future Work
FM 2009
5
Model Checking Linearizability via Refinement
Motivations
•Concurrent objects (shared queue, stacks) are hard to design
correctly
–Exclusive access (correctness) vs. Maximum interleaving (performance)
–Esp. lock-free & wait-free ones
•Linearizability [HW90] is an accepted correctness criterion for
shared objects.
–A shared object is linearizable if each operation on the object can be
understood as occurring instantaneously at some point, (a.k.a.
linearization point)
•Automatic verification of linearizability is challenging
–Rely on the knowledge of linearization points
–Linearization points are hard to be statically determined
FM 2009
6
Model Checking Linearizability via Refinement
Overview of Our Approach
• Define linearizability based on refinement relations
–An event-based modeling language
–Semantics based on LTS
• Verify linearizability using refinement checking algorithms
–Create linearizable specifications
–Refinement between abstract specification and concrete
implementation models
• Tool: Process Analysis Toolkit (PAT)
–A toolkit for automatically analyzing event-based concurrent systems
including refinement checking
–Substantial Experiments: Stack, Queue, K-valued Register
Mailbox[DISC’08], SNZI[PODC’07].
FM 2009
7
Model Checking Linearizability via Refinement
Outline
•Motivations and Overview
•Background
–Shared Memory Model
–Linearizability Definitions
•Linearizability as Refinement Relations
•Verification of Linearizability
•Experiments
•Related Work
•Conclusion and Future Work
FM 2009
8
Model Checking Linearizability via Refinement
Shared Memory Model
• A shared memory model M,
–O = (o1,…,ok) denotes the set of k shared objects,
–P = (p1,…,pn) denotes the set of n processes accessing the
objects.
–O support a set of operations: pairs of invocations and
matching responses.
• The behaviour of M
–the set of all possible sequences (trace) of invocations and
responses together with the initial states of the objects.
p0:
p1:
Winv(x,1)
Wres(x)
Rinv(y)
Rres(y,2)
Winv(y,2)
Wres(y)
Rinv(x)
Rres(x,1)
FM 2009
9
Model Checking Linearizability via Refinement
Linearizability
• σ is linearizable if there exists a sequential
permutation π of σ such that
–1) for each object oi, π|oi is a legal sequential history (i.e. π
respects the sequential specification of the objects), and
–2) if op1 <σ op2, then op1 <π op2 (i.e., π respects the run-time
ordering of operations).
• Examples
p0:
p1:
Winv(x,1)
Wres(x)
p0:
p1:
Winv(x,1) Wres(x)
p0:
p1:
Winv(x,1)
Winv(y,2)
Rinv(y)
Wres(y)
Rres(y,2)
Rinv(x)
Rres(x,1)
Rinv(y) Rres(y,2)
Winv(y,2) Wres(y)
Wres(x)
Winv(y,2)
Rinv(x) Rres(x,1)
Rinv(y)
Wres(y)
FM 2009
Rres(y,0)
Rinv(x)
Rres(x,1)
10
Model Checking Linearizability via Refinement
Stack Example
•High-level Linearizability vs. Low-Level Linearizability
Model Checking Linearizability via Refinement
Outline
•Motivations and Overview
•Background
–Shared Memory Model
–Linearizability Definitions
•Linearizability as Refinement Relations
•Verification of Linearizability
•Experiments
•Related Work
•Conclusion and Future Work
FM 2009
12
Model Checking Linearizability via Refinement
Create Specification Model
• Event-base formalism (e.g. CSP)
• Specify each operation op of a shared object o on a
process pi using three atomic steps:
–the invocation action inv(op)i,
–the linearization action lin(op)i, and (Invisible event)
–the response action res(op, resp)i .
• Is linearizable!
FM 2009
13
Model Checking Linearizability via Refinement
Create Implementation
• Consider the implementment of object o.
–The visible events of impl are also those inv(op)i 's and res(op,
resp)i 's.
• Is linearizable?
FM 2009
14
Model Checking Linearizability via Refinement
Linearizability as Refinement
FM 2009
15
Model Checking Linearizability via Refinement
Refinement Checking Algorithm
• On-the-fly verification algorithm (DFS)
•
Optimizations:
–Partial Order Reduction
• ||| is the main source of state space explosion
• Explore only a subset of enabled transitions and yet preserve soundness.
–Symmetry Reduction
• Ignore the orders of similar processes
• E.g. reader ||| writer1 ||| writer2 == reader ||| writer2 ||| writer1
–Process Counter Abstraction
16
Model Checking Linearizability via Refinement
Experiments
TASE 2009
17
Model Checking Linearizability via Refinement
Related Works
•
Manual proving
–Herlihy and Wing ACM Transaction 90
–Vafeiadis et. al. use rely-guarantee PPoPP’06
•
Using theorem provers
–Doherty et. al. use simulation between I/O automata modeling the specification
and implementation. FORTE'04
•
Static analysis
–Wang and Stoller present a static analysis that verifies linearizability for an
unbounded number of threads. PPoPP’05
•
Model checking
–Amit et al. presented a shape difference abstraction that tracks the difference
between two heaps. CAV’07
–Manevich et al. SAS’08 and Berdine et al. CAV’08 extended it to handle larger
number and unbounded number of threads, respectively.
–Vafeiadis further improved this solution to allow linearization points in different
threads. VMCAI’09
–Vechev and Yahav use trace analysis. PLDI'08
FM 2009
18
Model Checking Linearizability via Refinement
Conclusion
•Specify and verify linearizability using refinement
relation
•Show that refinement checking algorithm behind PAT
allows verifying concurrent algorithms
–without the knowledge of linearization points
–fully automatically
–effective reduction technique
•Formally verify Mailbox and SNZI algorithms for the
first time
FM 2009
19
Model Checking Linearizability via Refinement
On-going and future works
•Deal with infamous state explosion problem
•Combine different state space reduction techniques
and parameterized refinement checking for infinite
number of processes
FM 2009
20
Model Checking Linearizability via Refinement
Thank You
ICFEM 2008
21
Model Checking Linearizability via Refinement
Modeling Language
• Shared Variables and Arrays
• Synchronization primitives in nonblocking algorithms
–compare and swap (CAS) and
–load linked (LL)/store-conditional (SC).
FM 2009
22
Model Checking Linearizability via Refinement
Semantics
• System State : a pair (P,V)
–P is the current process expression, and
–V is the current valuation of the shared variables represented
as a mapping from names to values.
FM 2009
23
Model Checking Linearizability via Refinement
Refinement
• Lim = (Sim, initim,Tim) be a LTS for an implementation.
• Lsp = (Ssp, initsp,Tsp) be a LTS for a specification.
• Lim refines Lsp, iff traces(Lim) ⊆ traces(Lsp).
FM 2009
24
Model Checking Linearizability via Refinement
Back up
• Support Synchronization Primitives
–Compare and Swap
–Load-linked/ Store-Conditional