Verification of obstruction-free algorithm with contention management Niloufar Shafiei.

Post on 05-Jan-2016


Verification of obstruction-free algorithm with contention management

Niloufar Shafiei

Agenda

The algorithm
Correctness condition for shared objects
Java PathFinder
Verification challenges
Verification
Summary

The algorithm

Obstruction-free deque algorithm with different contention management policies, built on AtomicLongArray and AtomicLong

How should the algorithm behave? (correctness)
The data structure represents the abstract deque at every point in time
All operations terminate
No livelock or deadlock

Obstruction-freedom by itself only guarantees that an operation completes when it runs without interference; termination and livelock-freedom under contention are what the contention management policy is supposed to provide, so the last two properties are checked against the algorithm together with its policy.

Correctness condition for shared object implementations

Find the linearization point

A linearization point is the single instant, between an operation's invocation and its response, at which the operation appears to take effect. The implementation is correct (linearizable) if every concurrent execution gives the same results as the sequential execution in which each operation is performed at its linearization point.

Correctness condition for shared object implementations

Find the linearization point

[Figure: a time line with three overlapping operations on a shared stack, push(v1), push(v2) and pop; the result of pop is first shown as "?". On the next slide each operation's linearization point is marked with an X on the time line, and the abstract stack at those points is shown as empty, v1 and v2, which fixes the value pop must return.]

Check the correctness of a shared object implementation

Find the linearization point of each operation
Define abstract variables (an abstract stack, an abstract deque, ...)
Change the abstract variables only at the linearization points
At every linearization point, check that the abstract variables are consistent with the concrete data structure
In Java, insert assert(expression) atomically at the linearization points, inside a synchronized block or an atomic block

The check has to be atomic with the instruction that takes effect: if another thread can run between that instruction and the assertion, the assertion sees a concrete state the abstract variable does not yet describe and reports a spurious violation.
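The checking recipe on this slide, as an added example that is not the slides' Java code and is not JPF: a miniature Python schedule explorer that enumerates thread interleavings depth-first with backtracking (the search the later slides describe), applied to a Treiber-style compare-and-swap stack. The ghost list `Shared.abstract` plays the role of the abstract variable: it is changed only at linearization points (a successful compare-and-swap, or the read of an empty top) and compared with the concrete linked list there. Every name in the block (`Node`, `Shared`, `cas_top`, `push`, `pop`, `replay`, `explore`) and the `atomic_check` flag are this example's own. The flag reproduces the mistake the slide warns about: with `atomic_check=False` a scheduling point is placed between the compare-and-swap and the assertion, which is what an assertion outside the synchronized or atomic block amounts to, and the explorer then reports violations that the correct version never produces.

```python
# Added example in the JPF style (not the slides' Java code and not JPF).
# Threads are generators; each `yield` is a scheduling point placed right
# before a shared-memory access, so the code between two yields is one
# transaction: local work plus at most one shared access.  `explore` is a
# DFS with backtracking over every interleaving of the given threads.

class Node:
    def __init__(self, value, nxt=None):
        self.value, self.next = value, nxt

class Shared:
    def __init__(self):
        self.top = None          # concrete Treiber stack: linked list from the top
        self.abstract = []       # ghost stack (the slides' abstract variable), bottom ... top
        self.violations = set()  # evidence that concrete and ghost disagreed

def cas_top(s, expected, new):
    # Compare-and-swap on s.top; atomic because no yield happens inside.
    if s.top is expected:
        s.top = new
        return True
    return False

def concrete_contents(s):
    out, n = [], s.top             # read the list top-down ...
    while n is not None:
        out.append(n.value)
        n = n.next
    return out[::-1]               # ... and report it bottom ... top like the ghost

def check(s):
    # The assertion the slides insert at every linearization point.
    if concrete_contents(s) != s.abstract:
        s.violations.add((tuple(concrete_contents(s)), tuple(s.abstract)))

def push(v, atomic_check=True):
    def body(s):
        node = Node(v)
        while True:                        # obstruction-free retry loop
            yield                          # shared read of top
            node.next = old = s.top
            yield                          # shared compare-and-swap
            if cas_top(s, old, node):      # success is the linearization point
                if not atomic_check:
                    yield                  # wrong: other threads run before the check
                s.abstract.append(v)       # ghost update ...
                check(s)                   # ... and assertion, same transaction
                return
    return body

def pop():
    def body(s):
        while True:
            yield                          # shared read of top
            old = s.top
            if old is None:                # empty pop linearizes at this read
                if s.abstract:
                    s.violations.add(("empty pop", tuple(s.abstract)))
                return
            yield                          # shared compare-and-swap
            if cas_top(s, old, old.next):  # success is the linearization point
                ghost = s.abstract.pop()
                if ghost != old.value:
                    s.violations.add(("pop returned", old.value, ghost))
                check(s)
                return
    return body

def replay(programs, schedule):
    # Re-run a schedule (list of thread ids) from the initial state; a real
    # model checker snapshots and restores states instead of replaying.
    s = Shared()
    gens = [p(s) for p in programs]
    alive = [True] * len(gens)
    for tid in schedule:
        try:
            next(gens[tid])
        except StopIteration:
            alive[tid] = False
    return s, alive

def explore(programs):
    # DFS with backtracking over all interleavings.  Returns the number of
    # complete paths, the set of final ghost stacks and the violations found.
    paths, finals, violations = 0, set(), set()
    worklist = [[]]
    while worklist:
        schedule = worklist.pop()
        s, alive = replay(programs, schedule)
        runnable = [tid for tid, a in enumerate(alive) if a]
        if not runnable:
            paths += 1
            finals.add(tuple(s.abstract))
            violations |= s.violations
        for tid in reversed(runnable):
            worklist.append(schedule + [tid])
    return paths, finals, violations

if __name__ == "__main__":
    for atomic in (True, False):
        n, finals, bad = explore([push("a", atomic), push("b", atomic), pop()])
        print(f"atomic_check={atomic}: {n} paths, {len(bad)} violation(s)")
```

With two pushes and one pop the explorer terminates because a compare-and-swap can only fail when another thread's compare-and-swap succeeded, so every retry loop is bounded by the number of other operations; the final ghost stacks it reports are exactly the four outcomes a sequential stack allows. Replaying each schedule from the start instead of snapshotting states keeps the example short but makes it quadratic in path length, which is one reason real model checkers such as JPF store states and run out of memory rather than time.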

Java PathFinder

JPF model checker: detects deadlocks, checks invariants and user-defined assertions

JPF versus Spin
JPF checks Java programs directly (in practice programs of no more than about 10,000 lines)
JPF's design goal is to be as modular and understandable as possible
Spin is faster than JPF

Verification challenges

JPF does not support AtomicLongArray and AtomicLong
They are replaced by volatile Long[] and Long fields, with synchronized methods implementing compare-and-swap (C&S)
JPF then warns: "unprotected field access of deque"

JPF employs partial order reduction to save space. For lock protection it determines whether a field access is scheduling relevant (a transaction boundary) by watching which lock the field is accessed under; the deque fields are read outside the synchronized C&S methods as well as written inside them, which trips that detection and produces the warning. The detection is switched off with vm.por.sync_detection=false.

A synchronized C&S is an adequate model of the atomic instruction for checking safety, because the lock is held only for the duration of the compare-and-swap itself.

State search

JPF's default search is DFS with backtracking, which is most appropriate for checking liveness properties
BFS is selected with search.heuristic.class = gov.nasa.jpf.search.heuristic.BFSHeuristic

Verification

Threads     Search      Result          Number of paths
1 thread    DFS - BFS   No error        4
2 threads   DFS - BFS   No error        135 - 120
3 threads               Out of memory   >1200

Verification

How to save memory?
More synchronized methods
Synchronized blocks and atomic blocks (JPF's Verify class)
Rules for an atomic block: only local instructions, with at most one shared memory instruction, and no instruction that can keep control from reaching endAtomic(): no return, break, join or if statement inside the block

Verification: atomic blocks

Sometimes a thread loops inside an atomic block, so the block is never left and no path completes
Why were the processes killed? They needed more memory than was available

Threads     Result             Number of paths
1 thread    Processes killed   0
2 threads   Processes killed   0
3 threads   Processes killed   0

Verification: synchronized blocks

Threads     Search      Result          Number of paths
1 thread    DFS - BFS   No error        4
2 threads   DFS - BFS   No error        135 - 120
3 threads               Out of memory   >1200

Why are the results not improved? Partial order reduction: JPF already treats only scheduling-relevant instructions (shared field accesses and synchronization) as transaction boundaries and merges everything in between, so wrapping the same shared accesses in synchronized blocks does not reduce the number of interleavings it has to explore.

Summary

Correctness conditions of shared objects
Java PathFinder
Verification of a shared deque implementation with JPF

Questions?