E ff ect Summaries for Thread-Modular Analysis [ Dagstuhl, 9-Nov-17 - PowerPoint PPT Presentation

E ff ect Summaries for Thread-Modular Analysis [ Dagstuhl, 9-Nov-17 ] Luká š Holík 1 , Roland Meyer 2 , Tomá š Vojnar 1 , and Sebastian Wol ff 2 1 Brno University of Technology 2 TU Braunschweig Paper TechReport

Goal Automated verification of: • lock-free data structures ➡ linearizability • libraries ➡ arbitrarily many most general client threads • manual memory management (MM) ➡ memory can be freed and reallocated

Thread-Modular Verification [ Flanagan et al. SPIN'03 ] • View abstraction splits states into set of views ➡ capturing the system as seen by a single thread ➡ abstracting away correlation among threads • State space exploration as fixed point X = X ∪ sequential ( X ) ∪ interference ( X ) Lets every view in perform Applies to views in possible X X a step of its own thread. influence by other threads.

Thread-Modular Interference Learning approach [ Vafeiadis VMCAI'10 ] successful, but mainly for GC • Update patterns ➡ symbolic representation of modifications performed by the threads ➡ collected from sequential steps • Interference ➡ apply update patterns to the views from X ➡ requires matching to check applicability of update pattern

Thread-Modular Interference cont. successful, 
 Merge-and-project approach [ Abdulla et al. TACAS'13 ] but scales poorly for every pair of views and from X v 1 v 2 1. a merged view is created For manual memory ➡ requires matching to check compatibility management requires: ➡ relates thread-local state • two threads per view [ Abdulla et al. TACAS'13 ] 2. the thread from executes a step v 2 • tailored ownership 3. the result is projected to the thread of v 1 [ Haziza et al. VMCAI'16 ]

Approach 1. Identify programming pattern/rule ➡ generally applicable (for target domain) 2. Exploit pattern/rule to ease verification 3. Check pattern/rule usage

Lock-Free Programming Pattern Copy-and-check blocks Typical implementation ➡ updates a shared value do { 1. copy the shared value copy = SVar; 2. perform computation over it new = ...; if (CAS(SVar, copy, new)) 3. update the shared value 
 break; if unchanged, retry otherwise } while (true); ➡ appears stateless

Statelessness • Effect = update of the shared heap • Effect summary of P Q ➡ stateless sequential program ➡ over-approximation of the effects of program P • Stateless program: • executes atomically • without local state (at the start/end of execution)

Exploiting Statelessness • Guarantee: Given: an effect summary of we have P Q Then: ∞ Y e ff ects ( P ) = e ff ects ( T ) ∞ Y ⊆ e ff ects ( Q ) = e ff ects ( Q ∗ )

Checking Candidate Summaries • Considering copy-and-check blocks atomic gives summary candidates ➡ potentially unsound ➡ a good heuristic (the programmers intent) • Check candidate summary: e ff ects ( T k Q ∗ ) ✓ e ff ects ( Q ∗ ) = ) e ff ects ( P ) ✓ e ff ects ( Q ∗ )

Checking Candidate Summaries P T 1 T 1 s 0 s T 2 T 2

Checking Candidate Summaries Q ∗ P T 1 T 1 s 0 s T 2 T 2

Checking Candidate Summaries Q ∗ P T 1 T 1 s 0 s Q Q

Checking Candidate Summaries Q ∗ P T 1 T 1 s 0 s Q Q T 1 k Q ∗

Checking Candidate Summaries Q ∗ P T 1 T 1 s 0 s Q Q T 1 k Q ∗

Adapt Thread-Modular Framework: Interference • Thread-modular X = X ∪ sequential ( X ) ∪ interference ( X ) • Interference by summary linear in X ‣ on every view in execute the summary X ➡ corresponds to analyzing T k Q ∗ ‣ no matching/merging required ➡ summary has no state which needs to be related

Adapt Thread-Modular Framework: Soundness Check • For every view in linear in X X v (a) perform a sequential step → v v s (b) apply the summary → v v i Check works on top of potentially 
 unsound fixed point solution X • Check that ➡ effects from (a) are included in the effects from (b) ➡ in the summary disposed its local state v i

Experiments: GC classical summaries :10 Coarse Stack 0.29s 0.03s :10 Coarse Queue 0.49s 0.05s :33 Treiber’s stack 1.99s 0.06s :28 Michael&Scott’s queue 11.0s 0.39s DGLM queue 9.56s 0.37s :25

Experiments: MM classical summaries :10 Coarse Stack 1.89s 0.19s :2 Coarse Queue 2.34s 0.98s :15 Treiber’s stack 25.5s 1.64s :114 Michael&Scott’s queue 11700s 102s DGLM queue false-positive violation

Note on Manual Memory Management • Problem: explicit frees ➡ target memory unreachable from shared variables ➡ cannot be mimicked by stateless summary • Solution: ownership transfer ➡ breaking reachability from shared variables grants ownership ➡ stateless summary can free immediately after gaining ownership • Future work: relax statelessness

Approach 1. Identify programming pattern/rule ➡ generally applicable (for target domain) 2. Exploit pattern/rule to ease verification 3. Check pattern/rule usage

Thanks.

Example: Treiber's Stack push(val): pop(): node = new Node(val); while (true) { while (true) { top = ToS; top = ToS; if (top == NULL) node.next = top; return EMPTY; if (CAS(ToS, top, node)) next = top.next; return; if (CAS(ToS, top, next)) } return top.data; } Summary: atomic: atomic: node = new Node(*); assume(ToS != NULL); M node.next = ToS; ToS = ToS.next; ToS = node;