Symbolic Abstract Data Types (ADTs) Constantin Enea University - - PowerPoint PPT Presentation


SLIDE 1

Symbolic Abstract Data Types (ADTs)

Constantin Enea

University Paris Diderot - Paris 7 joint work with Michael Emmi, IMDEA Madrid

SLIDE 2

Modular Reasoning

Figure: your program uses complex objects; abstracting those objects as Abstract Data Types leaves a smaller & simpler program, easier to reason about.

Compositional Proof Rule: the program together with the ADT ⊧ its property, and the objects ⊧ the ADT, a fact that could be checked once for all programs.

SLIDE 3

Concurrent objects

  • methods are called from different threads
  • behaviors = sequences of method calls and returns, e.g.
    call_t1 push(1), ret_t1 OK, call_t2 pop(), call_t1 pop(), ret_t1 1, …, ret_t2 3
  • more abstractly, as histories (posets of invocations) ordered by the happens-before partial order

Figure: the history push(1), pop⇒1, push(2), push(3), pop⇒2, pop⇒3 drawn as a happens-before partial order; operations without an arrow between them are concurrent.

SLIDE 4

ADTs, Linearizability

  • ADT = set of sequential histories (total orders)
  • O |= ADT iff ∀ h ∈ Histories(O). ∃ linearization of h ∈ ADT

Figure: ∃ linearization ∈ SeqStack for the history of slide 3? Candidate total orders of push(1), pop⇒1, push(2), push(3), pop⇒2, pop⇒3 consistent with the happens-before order are tried; for instance push(1) pop⇒1 pop⇒3 push(2) pop⇒2 push(3) ∉ SeqStack (pop⇒3 precedes push(3)), while the slide marks one candidate ∈ SeqStack.

SLIDE 5

Challenges:

  • a history has exponentially-many linearizations
    (checking linearizability is more complex than checking reachability)
  • infinite sets of linearizations

Approach: symbolic representations of sequential histories (linearizations) in first-order logic

Modular Reasoning

  • 1. Is there a valid linearization for each history?
  • 2. Does every valid linearization preserve client invariants?
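
The check of slides 4 and 5 as an added example, not code from the presentation: every linear extension of a happens-before order is enumerated and run against a reference sequential stack, which is exactly the exponential enumeration the slides set out to avoid. The two histories, the operation ids o1…o6 and the function names are assumptions made for the example.

```python
"""Added example: brute-force linearizability check of a concurrent stack
history (slides 4 and 5), not code from the presentation."""
EMPTY = "EMPTY"


def linearizations(ops, hb):
    """Yield every total order of the operation ids in ops that respects hb.

    hb is a set of (a, b) pairs meaning "a happens-before b"; pairs implied
    by transitivity need not be listed.  The number of results is the number
    of linear extensions of the partial order: exponential in general."""
    preds = {o: {a for a, b in hb if b == o} for o in ops}

    def extend(path, remaining):
        if not remaining:
            yield tuple(path)
            return
        placed = set(path)
        for o in sorted(remaining):            # sorted: deterministic output
            if preds[o] <= placed:             # all predecessors already placed
                yield from extend(path + [o], remaining - {o})

    yield from extend([], frozenset(ops))


def seq_stack_ok(seq):
    """Reference SeqStack: does this sequential history execute?"""
    stack = []
    for kind, val in seq:
        if kind == "push":
            stack.append(val)
        elif val == EMPTY:                      # pop=>EMPTY needs an empty stack
            if stack:
                return False
        elif not stack or stack[-1] != val:     # pop=>v needs v on top
            return False
        else:
            stack.pop()
    return True


def find_linearization(ops, hb):
    """O |= SeqStack for this history iff some linearization is accepted.
    Returns the first accepted one, or None when the history is a violation."""
    for order in linearizations(ops, hb):
        if seq_stack_ok([ops[o] for o in order]):
            return order
    return None


# Constructed history (an assumption, not the slide's figure): thread 1 runs
# push(1), pop=>1, push(2), pop=>2; thread 2 runs push(3), pop=>3, starting
# after pop=>1 returned and concurrently with push(2)/pop=>2.
OPS = {"o1": ("push", 1), "o2": ("pop", 1), "o3": ("push", 2),
       "o4": ("pop", 2), "o5": ("push", 3), "o6": ("pop", 3)}
HB_CONCURRENT = {("o1", "o2"), ("o2", "o3"), ("o2", "o5"),
                 ("o3", "o4"), ("o5", "o6")}
# The same six operations totally ordered as push(1) pop=>1 push(2) push(3)
# pop=>2 pop=>3: pop=>2 returns 2 while 3 is on top, so no linearization exists.
HB_SEQUENTIAL = {("o1", "o2"), ("o2", "o3"), ("o3", "o5"),
                 ("o5", "o4"), ("o4", "o6")}

if __name__ == "__main__":
    print(find_linearization(OPS, HB_CONCURRENT))   # ('o1', 'o2', 'o3', 'o4', 'o5', 'o6')
    print(find_linearization(OPS, HB_SEQUENTIAL))   # None
    print(sum(1 for _ in linearizations(OPS, HB_CONCURRENT)))  # 6 candidates, 4 accepted
```

The concurrent history has six linear extensions, four of which SeqStack accepts; adding more concurrent operations multiplies that count, which is the blow-up that motivates the symbolic representation on the following slides.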

SLIDE 6

Describing ADTs

  • declarative specifications rather than state-based
  • specifying a register: every read returns the value written by the most recent write (distinct writes carry distinct values)

∀ o1, o2, o3. "o1 is a write(a)" ∧ "o2 is a write(b)" ∧ "o3 is a read⇒a" ∧ o1 < o2 ⇒ o3 < o2

SLIDE 7

Inferring Symbolic ADTs

GOAL: inferring FO descriptions of ADTs

HYPOTHESIS:
  • violations can be decomposed in a small set of patterns
  • patterns manifest with few operations

[Emmi, E, POPL'16]

SLIDE 8

Challenges

  • infinite sets of method invocations and input/output values
  • characterizing infinite sets of violations with a finite set of patterns:
    adding ops. to violations may lead to correct hist.

Figure: pop⇒1 on its own is a violation; push(1) pop⇒1 is correct.

SLIDE 9

Abstracting Data: Matchings

  • Group operations in matchings (operations referring to the same instances of values)
  • Describing histories in first-order logic:
    • Empty: an unmatched push cannot precede a pop⇒EMPTY
    • Fifo order: for every two ordered enqueues, the matching dequeues cannot be in the reverse order

Figure: push(1) push(2) pop⇒EMPTY pop⇒2 pop⇒1 with matchings push(1)/pop⇒1 and push(2)/pop⇒2; enq(1) deq⇒1 enq(2) deq⇒2 with matchings enq(1)/deq⇒1 and enq(2)/deq⇒2.

SLIDE 10

Abstract Algorithm

Input: a reference implementation Impl
Output: FO formula representing Histories(Impl)

  patterns = ∅;
  for each seq. hist. h do
    if * then break;
    else if h is executable with Impl then continue;
    else if h is redundant with patterns then continue;
    else add h to patterns
  return exclusion of patterns

SLIDE 11

Example: atomic queue

Figure: the patterns inferred for the atomic queue, grouped on the slide as "one deq per enq", "dequeuing empty" and "fifo order"; the pattern histories as extracted, with the grouping lost: deq⇒1 deq⇒1 enq(1) deq⇒1 enq(1) deq⇒1 enq(1) deq⇒EMPTY enq(1) deq⇒1 deq⇒EMPTY enq(2) enq(1) deq⇒2 enq(2) enq(1) deq⇒2 deq⇒1

SLIDE 12

Abstract Algorithm

Input: a reference implementation Impl
Output: FO formula representing Histories(Impl)

  patterns = ∅;
  for each seq. hist. h do
    if * then break;
    else if h is executable with Impl then continue;
    else if h is redundant with patterns then continue;   (i.e. some pattern ⪯ h)
    else add h to patterns
  return exclusion of patterns

SLIDE 13

History Weakening

LEMMA: Libraries closed under weakening

  • "weaker than" = linearizability: h is weaker than h' when h' carries all of h's happens-before constraints, so every linearization of h' is also a linearization of h

Figure: the history push(1) pop⇒1 push(2) pop⇒EMPTY pop⇒2 under progressively weaker orders (fewer happens-before edges, down to all operations concurrent); dropping order keeps it in the library.

SLIDE 14

Closure properties

  • LEMMA. Libraries closed under weakening
  • Closure under removing matches
    Figure: push(1) pop⇒1 pop⇒EMPTY push(2) pop⇒2 with one matching push/pop pair removed
  • Closure under removing duplicates
    Figure: write(1) read⇒1 read⇒1 read⇒1 with one of the read⇒1 removed


SLIDE 15

Weaker than ++

  • h ⪯ h' iff h is weaker than h', or h' is h with additional matches or duplicates

PROPOSITION: Typical concurrent libraries are closed under ⪰ (everything below a library history is a library history)
  • the set of violations is closed under ⪯ (everything above a violation is a violation)

THEOREM: ⪯ is a well quasi-order on bounded-width histories (bounded number of threads)
SLIDE 16

Inference Algorithm

  • enumerate histories according to their size
  • patterns = minimal elements w.r.t. ⪯
  • closure properties ⇒ all histories greater than patterns are violations
  • ⪯ is a wqo ⇒ there are only finitely-many patterns
  • stop when increasing the size doesn't add new patterns
  • typically, at most 4 ops. suffice to infer complete specifications
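
The inference loop of this slide (the pseudocode of slides 10, 12 and 24) as an added example that is not the authors' tool: it is restricted to sequential histories of an atomic FIFO queue, uses a reference queue as Impl, and implements "some pattern ⪯ h" as "the pattern is h, up to renaming of values, with whole matchings and/or deq⇒EMPTY operations deleted". That restriction to total orders, the canonical naming of values, the one-enqueue-per-value convention and all function names are assumptions of the example.

```python
"""Added example: pattern inference for an atomic FIFO queue over sequential
histories (slides 10, 12, 16 and 24); not the presentation's tool.

A history is a tuple of ("enq", v) / ("deq", v) / ("deq", EMPTY); each value
is enqueued at most once, so a value names one matching.  Executable
histories are closed under deleting whole matchings and deq=>EMPTY
operations, hence every history above a violation is a violation, and the
minimal violations are the patterns."""
from collections import deque
from itertools import permutations

EMPTY = "EMPTY"


def executable(h):
    """Reference implementation Impl: run h on a FIFO queue."""
    q = deque()
    for kind, val in h:
        if kind == "enq":
            q.append(val)
        elif val == EMPTY:                       # deq=>EMPTY needs an empty queue
            if q:
                return False
        elif not q or q[0] != val:               # deq=>v needs v at the front
            return False
        else:
            q.popleft()
    return True


def histories(k):
    """All sequential histories with k operations, values numbered in order
    of first appearance so that renamed copies are never enumerated."""
    def extend(seq, fresh, enqueued):            # fresh = next unseen value
        if len(seq) == k:
            yield tuple(seq)
            return
        for v in range(1, fresh + 1):
            nxt = max(fresh, v + 1)
            if v not in enqueued:                # one enqueue per value
                yield from extend(seq + [("enq", v)], nxt, enqueued | {v})
            yield from extend(seq + [("deq", v)], nxt, enqueued)
        yield from extend(seq + [("deq", EMPTY)], fresh, enqueued)
    yield from extend([], 1, frozenset())


def values(h):
    return sorted({v for _, v in h if v != EMPTY})


def embeds(p, h):
    """p <= h: is p obtained from h by renaming values and deleting whole
    matchings and/or deq=>EMPTY operations?"""
    pv, hv = values(p), values(h)
    if len(pv) > len(hv):
        return False
    for image in permutations(hv, len(pv)):      # injective renaming of p's values
        rename = dict(zip(pv, image))
        target = [(k, rename.get(v, v)) for k, v in p]
        kept = set(image)
        j = 0
        for op in h:
            if op[1] != EMPTY and op[1] not in kept:
                continue                         # a deleted matching
            if j < len(target) and op == target[j]:
                j += 1                           # next operation of p found
            elif op[1] != EMPTY:
                break                            # kept value with an op missing from p
        else:
            if j == len(target):
                return True
    return False


def infer_patterns(max_size):
    """Slide 24's loop: enumerate by size, keep the minimal violations, stop
    when a size adds no new pattern (or at max_size)."""
    patterns = []
    for k in range(1, max_size + 1):
        found = False
        for h in histories(k):
            if executable(h):
                continue
            if any(embeds(p, h) for p in patterns):
                continue                         # redundant: a smaller pattern explains it
            patterns.append(h)
            found = True
        if not found:
            break
    return patterns


def is_violation(h, patterns):
    """The 'exclusion of patterns': h is rejected iff some pattern embeds in it."""
    return any(embeds(p, h) for p in patterns)


if __name__ == "__main__":
    for p in infer_patterns(3):
        print(" ".join(f"{k}({v})" if k == "enq" else f"{k}=>{v}" for k, v in p))
```

With three operations the loop already recovers the three groups of slide 11: an unmatched or doubly dequeued value (deq⇒1; deq⇒1 enq(1); enq(1) deq⇒1 deq⇒1), dequeuing empty (enq(1) deq⇒EMPTY, and enq(1) deq⇒EMPTY deq⇒1 for a matched enqueue) and fifo order (enq(1) enq(2) deq⇒2). Each pattern is the existential formula of slide 17 read off the tuple, and the test below checks that the patterns classify every history of size at most 3 exactly as the reference queue does.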

SLIDE 17

Excluding Patterns

Pattern: deq⇒1 ordered before its matching enq(1)

  ∃ o, o'. lab(o) = deq⇒1 ⋀ lab(o') = enq(1) ⋀ o < o' ⋀ match(o) = o'

  • formulas describing patterns where operations are existentially-quantified
  • the formula holds exactly on the histories greater than the pattern; its negation excludes them

SLIDE 18

Runtime Monitoring

GOAL
  • online history checking
  • complete per sample
  • constant space (without it: exhaust memory)
  • linear time (without it: progressive slowdown)

HYPOTHESIS: w/o sacrificing practical completeness
  • avoid linearizations: NP → PTIME
  • forget operations: PTIME → linear time + constant space

[Emmi, E, Hamza, PLDI'15]

SLIDE 19

Symbolic checking

THEORY(AtomicStack):
  transitive      ∀o1,o2,o3. o1 < o2 ⋀ o2 < o3 ⟹ o1 < o3
  antisymmetric   ∀o1,o2. o1 < o2 ⟹ o2 ≮ o1
  empty           ∀o1,o2. pop(o1,empty) ⋀ push(o2,_) ⋀ unmatched(o2) ⟹ o1 < o2
  …

FORMULA(h), for h = push(1) pop⇒1 push(2) push(3) pop⇒EMPTY pop⇒3 with o4 = push(2), o5 = push(3), o6 = pop⇒EMPTY:
  … ⋀ push(o4,2) ⋀ … ⋀ pop(o6,empty) ⋀ … ⋀ o4 < o5 ⋀ o5 < o6

THEOREM: h ∈ Hist(L) iff FORMULA(h) ⋀ THEORY(L) is SAT

Figure: transitive derives o4 < o6 from o4 < o5 ⋀ o5 < o6; empty derives o6 < o4 (push(2) is unmatched); together they contradict antisymmetric, so FORMULA(h) ⋀ THEORY(AtomicStack) is UNSAT and h ∉ Hist(AtomicStack).

SLIDE 20

Saturation Algorithm

Figure: the history push(1) pop⇒1 push(2) push(3) pop⇒EMP pop⇒3 is checked by propagation only: the transitive and empty axioms add order edges until a contradiction appears. No decisions, hence no branch and no backtrack.

NP → PTIME
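
The propagation-only check of this slide as an added example, not the authors' implementation: a history's happens-before order is closed under the transitive and empty axioms of THEORY(AtomicStack) as listed on slide 19, plus one axiom assumed here (a push precedes the pop returning its value), and a violation is reported when antisymmetry fails. It never case-splits, so "no contradiction" is not a proof that h ∈ Hist(L). The operation ids other than o4, o5, o6 and the happens-before edges other than o4 < o5 < o6 are assumptions.

```python
"""Added example: saturation (propagation only, no decisions) for a stack
history, slide 20; not the presentation's implementation."""
EMPTY = "EMPTY"


def saturate(ops, order):
    """ops: {id: (kind, value)}; order: set of (a, b) pairs meaning a < b.
    Returns (closure, conflict): conflict is a pair (a, b) with both a < b
    and b < a derived, or None when no contradiction was found."""
    lt = set(order)
    popped = {v for k, v in ops.values() if k == "pop" and v != EMPTY}

    def unmatched(o):                            # a push whose value is never popped
        kind, val = ops[o]
        return kind == "push" and val not in popped

    # match axiom (assumed here, not on the slide): push(v) < pop=>v
    for o1, (k1, v1) in ops.items():
        for o2, (k2, v2) in ops.items():
            if k1 == "push" and k2 == "pop" and v1 == v2:
                lt.add((o1, o2))
    # empty axiom: pop=>EMPTY precedes every unmatched push
    for o1, (k1, v1) in ops.items():
        if k1 == "pop" and v1 == EMPTY:
            for o2 in ops:
                if unmatched(o2):
                    lt.add((o1, o2))
    # transitivity, propagated to a fixpoint
    changed = True
    while changed:
        changed = False
        for a, b in list(lt):
            for c, d in list(lt):
                if b == c and (a, d) not in lt:
                    lt.add((a, d))
                    changed = True
    # antisymmetry: a two-way ordering means no linearization can exist
    for a, b in lt:
        if (b, a) in lt:
            return lt, (a, b)
    return lt, None


# The slide's history push(1) pop=>1 push(2) push(3) pop=>EMPTY pop=>3 with
# the slide's names o4 = push(2), o5 = push(3), o6 = pop=>EMPTY; the other
# ids and the edges besides o4 < o5 < o6 are assumed.
SLIDE_OPS = {"o1": ("push", 1), "o2": ("pop", 1), "o3": ("pop", 3),
             "o4": ("push", 2), "o5": ("push", 3), "o6": ("pop", EMPTY)}
SLIDE_ORDER = {("o1", "o2"), ("o2", "o4"), ("o4", "o5"), ("o5", "o6")}

# Executable history: the only push is matched, so "empty" adds no edge.
OK_OPS = {"o1": ("push", 1), "o2": ("pop", 1), "o3": ("pop", EMPTY)}
OK_ORDER = {("o1", "o2"), ("o2", "o3")}

if __name__ == "__main__":
    print(saturate(SLIDE_OPS, SLIDE_ORDER)[1])   # a contradicting pair, not None
    print(saturate(OK_OPS, OK_ORDER)[1])         # None
```

On the slide's history the closure contains both o4 < o6 (transitivity) and o6 < o4 (empty), which is the contradiction slide 19 derives by hand; the whole run is a polynomial fixpoint over pairs rather than a search over linearizations.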

SLIDE 21

Operation Removal

THEOREM: Always sound to remove matches

IDEA: identify obsolete matches and remove the match: PTIME → linear time + constant space

Figure: push(1) pop⇒1 push(2) push(3) pop⇒EMPTY pop⇒3; after removing the matching push(1)/pop⇒1, the remaining history push(2) push(3) pop⇒EMPTY pop⇒3 is still a violation.

SLIDE 22

Empirically

Figure: violations discovered by E, SYM, SAT, C(4), C(2) on Bounded-Size k-FIFO, Distributed Queue, Random-Dequeue Queue and Unbounded-Size k-FIFO, as extracted: 47/47/47/44/27, 32/33/33/25/11, 18/18/18/15/12, 49/49/49/49/25; plots of steps (10 to 1000) and seconds (5 to 100) against violations discovered for Enumerate, Symbolic, Symbolic+R, Saturate and Saturate+R, w/o and w/ removal.

Exponentially more efficient; complete in practice.

SLIDE 23

Conclusion

  • monitoring scheme for checking h ∈ Hist(L)
  • first-order theories for describing atomic objects
  • incomplete solver (only boolean propagation)
  • inferring logical characterizations of sets of histories

Future work:

  • Complete verification: leverage insights on violations?
  • Weaker abstractions: e.g., causal consistency in place of atomicity?

SLIDE 24

Inference Algorithm

Input: a reference implementation Impl
Output: FO formula representing Seq(Impl)

  patterns = ∅; k = 1;
  repeat
    none-found = true;
    for each seq. hist. h of size k do
      if h is executable with Impl then continue;
      else if some pattern ⪯ h then continue;
      else add h to patterns; none-found = false;
    k++;
  until none-found
  return exclusion of patterns