Effect Summaries for Thread-Modular Analysis [Dagstuhl, 9-Nov-17] - PowerPoint PPT Presentation



SLIDE 1

Effect Summaries for Thread-Modular Analysis

Lukáš Holík 1, Roland Meyer 2, Tomáš Vojnar 1, and Sebastian Wolff 2

1 Brno University of Technology, 2 TU Braunschweig

Paper TechReport

[Dagstuhl, 9-Nov-17]

SLIDE 2

Goal

Automated verification of:

  • lock-free data structures

➡ linearizability

  • libraries

➡ arbitrarily many most general client threads

  • manual memory management (MM)

➡ memory can be freed and reallocated

SLIDE 3

Thread-Modular Verification [Flanagan et al. SPIN'03]

  • View abstraction splits states into a set of views

➡ capturing the system as seen by a single thread
➡ abstracting away correlation among threads

  • State space exploration as a fixed point

X = X ∪ sequential(X) ∪ interference(X)

sequential(X): lets every view in X perform a step of its own thread.
interference(X): applies to the views in X the possible influence by other threads.

SLIDE 4

Thread-Modular Interference

Learning approach [Vafeiadis VMCAI'10]

  • Update patterns

➡ symbolic representation of the modifications performed by the threads
➡ collected from sequential steps

  • Interference

➡ apply the update patterns to the views from X
➡ requires matching to check applicability of an update pattern

successful, but mainly for GC

SLIDE 5

Thread-Modular Interference cont.

Merge-and-project approach [Abdulla et al. TACAS'13]: for every pair of views v1 and v2 from X

  • 1. a merged view is created

➡ requires matching to check compatibility
➡ relates thread-local state

  • 2. the thread from v2 executes a step
  • 3. the result is projected to the thread of v1

successful, but scales poorly

For manual memory management requires:

  • two threads per view [Abdulla et al. TACAS'13]
  • tailored ownership [Haziza et al. VMCAI'16]

SLIDE 6

Approach

  • 1. Identify programming pattern/rule

➡ generally applicable (for target domain)

  • 2. Exploit pattern/rule to ease verification
  • 3. Check pattern/rule usage

SLIDE 7

Lock-Free Programming Pattern

Copy-and-check blocks

➡ updates a shared value

  • 1. copy the shared value
  • 2. perform computation over it
  • 3. update the shared value if unchanged, retry otherwise

➡ appears stateless

Typical implementation:

    do {
        copy = SVar;
        new = ...;
        if (CAS(SVar, copy, new)) break;
    } while (true);

SLIDE 8

Statelessness

  • Effect = update of the shared heap
  • Effect summary Q of P

➡ stateless sequential program Q
➡ over-approximation of the effects of program P

  • Stateless program:
  • executes atomically
  • without local state (at the start/end of execution)

SLIDE 9

Exploiting Statelessness

  • Guarantee:

Given: an effect summary Q of P. Then we have:

effects(P) = effects(∥ T) ⊆ effects(∥ Q) = effects(Q∗)

SLIDE 10

Checking Candidate Summaries

  • Considering copy-and-check blocks atomic gives summary candidates

➡ potentially unsound
➡ a good heuristic (the programmer's intent)

  • Check candidate summary:

effects(T ∥ Q∗) ⊆ effects(Q∗)  ⟹  effects(P) ⊆ effects(Q∗)

SLIDES 11-15

Checking Candidate Summaries

[Figure, built up over five animation slides: two threads T1 and T2 take program P from state s to state s'; T2 is then replaced by the summary Q, so the check compares the run of T1 ∥ Q∗ against Q∗ alone]

SLIDE 16

Adapt Thread-Modular Framework: Interference

  • Thread-modular
  • Interference by summary
  • on every view in X execute the summary

➡ corresponds to analyzing T ∥ Q∗

  • no matching/merging required

➡ the summary has no state which needs to be related

X = X ∪ sequential(X) ∪ interference(X)

interference(X) is linear in X

SLIDE 17

Adapt Thread-Modular Framework: Soundness Check

  • For every view v in X

(a) perform a sequential step: v → vs
(b) apply the summary: v → vi

  • Check that

➡ the effects from (a) are included in the effects from (b)
➡ in the summary, the thread disposed of its local state

linear in X

The check works on top of the potentially unsound fixed-point solution X

SLIDE 18

Experiments: GC

Benchmark               classical   summaries   speedup
Coarse Stack            0.29s       0.03s       ×10
Coarse Queue            0.49s       0.05s       ×10
Treiber's stack         1.99s       0.06s       ×33
Michael&Scott's queue   11.0s       0.39s       ×28
DGLM queue              9.56s       0.37s       ×25

SLIDE 19

Experiments: MM

Benchmark               classical   summaries   speedup
Coarse Stack            1.89s       0.19s       ×10
Coarse Queue            2.34s       0.98s       ×2
Treiber's stack         25.5s       1.64s       ×15
Michael&Scott's queue   11700s      102s        ×114
DGLM queue              false-positive violation

SLIDE 20

Note on Manual Memory Management

  • Problem: explicit frees

➡ target memory unreachable from shared variables
➡ cannot be mimicked by a stateless summary

  • Solution: ownership transfer

➡ breaking reachability from shared variables grants ownership
➡ a stateless summary can free immediately after gaining ownership

  • Future work: relax statelessness

SLIDE 21

Approach

  • 1. Identify programming pattern/rule

➡ generally applicable (for target domain)

  • 2. Exploit pattern/rule to ease verification
  • 3. Check pattern/rule usage

SLIDE 22

Thanks.

SLIDE 23

Example: Treiber's Stack

    push(val):
        node = new Node(val);
        while (true) {
            top = ToS;
            node.next = top;
            if (CAS(ToS, top, node)) return;
        }

    pop():
        while (true) {
            top = ToS;
            if (top == NULL) return EMPTY;
            next = top.next;
            if (CAS(ToS, top, next)) return top.data;
        }

Summary:

    atomic: node = new Node(*); node.next = ToS; ToS = node;
    atomic: assume(ToS != NULL); ToS = ToS.next;
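The summary-based interference and the soundness check of slides 16 and 17, run on the Treiber's stack of slide 23, as an added example (not code from the talk or the authors' tool): views are (shared, local) pairs, interference executes the candidate summary on every view, and the check rejects a candidate summary that omits pop. The shared heap is abstracted to a bounded tuple of pushed values (VALS, CAP and push_abs are constructed assumptions of this example), and a CAS is modelled as equality of the current stack with the snapshot taken at the copy step.

```python
# Added example (not from the talk): thread-modular exploration of a toy Treiber's stack
# with summary-based interference and the summary soundness check of slides 16/17/23.
VALS, CAP = (1, 2), 2   # constructed abstraction: pushed values and a bounded stack depth

def push_abs(v, s):
    """Abstract push: keep at most CAP elements (drops the bottom to keep the state space finite)."""
    return ((v,) + s)[:CAP]

IDLE = ('idle',)        # a thread with no local state (between operations)

def sequential(view):
    """Successor views when the view's own thread takes one step (copy ToS, compute, CAS)."""
    shared, loc = view
    if loc == IDLE:     # start push(v) or pop(): copy the shared top
        return {(shared, ('push', v, shared)) for v in VALS} | {(shared, ('pop', shared))}
    if loc[0] == 'push':
        _, v, snap = loc
        return {(push_abs(v, shared), IDLE)} if shared == snap else {(shared, ('push', v, shared))}
    _, snap = loc       # pop
    if snap == ():
        return {(shared, IDLE)}   # return EMPTY
    return {(shared[1:], IDLE)} if shared == snap else {(shared, ('pop', shared))}

# candidate summaries: atomic, stateless updates of the shared stack (None = not applicable)
SUMMARY_OK = [lambda s, v=v: push_abs(v, s) for v in VALS] + [lambda s: s[1:] if s else None]
SUMMARY_BAD = [lambda s, v=v: push_abs(v, s) for v in VALS]   # forgot pop: should be rejected

def interference(X, summary):
    """Run the summary on the shared part of every view; no matching or merging needed."""
    return {(q(sh), loc) for sh, loc in X for q in summary if q(sh) is not None}

def explore(summary):
    """X = X ∪ sequential(X) ∪ interference(X), iterated to a fixed point."""
    X = {((), IDLE)}
    while True:
        new = X | {v2 for v in X for v2 in sequential(v)} | interference(X, summary)
        if new == X:
            return X
        X = new

def soundness_check(X, summary):
    """Every shared-heap effect of a sequential step must be an effect of some summary step,
    and the thread must finish that step without local state (statelessness)."""
    for sh, loc in X:
        for sh2, loc2 in sequential((sh, loc)):
            if sh2 != sh and not (loc2 == IDLE and any(q(sh) == sh2 for q in summary)):
                return False
    return True
```

The check runs over the fixed point computed with the candidate itself, so, as on slide 17, a wrong candidate is caught even though the exploration that used it was unsound.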
