sequential veriﬁcation formaon/talks/popl10-seqser.pdf•goal verify concurrent data structures...

sequential verificationfor serializability

H. Attiya

Queen Mary

POPL’10 Madrid, Spain 20-January-2010

G. Ramalingam N. Rinetzky

Technion MSR India

Monday, 12 April 2010

• goal verify concurrent data structures

• problem interleaving

• solution ignore problem


• goal verify concurrent data structures

• problem interleaving

• solution ignore problem

1. verify assuming single-threaded contexts

2. conclude results hold in multithread contexts


main idea

• sequential verification for serializability

• use serilizability for sequential verification

• memory safety, assertions, data invariants, ...

⇒data structure “behaves well”

when used by a single thread

any concurrent execution of the data structure operations is

serializable


this talk

• sequential verification for serializability

⇒data structure “behaves well”

when used by a single thread

any concurrent execution of the data structure operations is

serializable


preliminaries

• executions

• concurrent, sequential, non-interleaved

• completability

• conflict-serializability (CS)

• CS-locking protocols


executions

complete operation operation

operation

|| ||(concurrent) execution

complete operation operation complete operation

; ;sequential execution

add s and e


non-interleaved executions

• a thread is given only one chance to run

• several operations may not complete

• total order between operations complete operation operation operation

|; |;non-interleaved execution


non-interleaved executions

• a thread is given only one chance to run

• several operations may not complete

• total order between operations complete operation operation operation



; ;sequential execution


completability

• termination => completability


conflict-serializability (CS)


operation

read Ywrite Y|| ||

write Xwrite X

conflict conflict




operation

read Ywrite Y|| ||

write Xwrite X

conflict conflict

complete operation operation operation





operation

read Ywrite Y|| ||

write Xwrite X

conflict conflict


non-interleaved execution

~~~ conflict

|; |;


• CS-locking protocols

• common programming discipline to obtain conflict-serializability

• lock-protected accesses

• special locking patterns

• ...

CS in practice


CS-locking protocols• common programming discipline to obtain

conflict-serializability

• two-phase locking [Papadimitiriou ’79]

• tree (hand-over-hand) locking [Kedem et al. ’81]

• dag locking [Chaudhri et al. ’95]

⊨concurrent execution

locking protocol

concurrent execution:

⇒ ⊨ CSconcurrent execution

∀


our contributions


sequential reductions for CS-locking protocols

• two-phase locking

• tree (hand-over-hand) locking

• dag locking

• progressive local CS-locking protocols

⇒∀⊨sequential execution∀ ⊨concurrent

executionlocking

protocol

locking protocol

completable∧


sequential verificationfor conflict-serializability

⇒∀⊨sequential execution∀ ⊨concurrent

executionlocking

protocol

⊨concurrent execution

locking protocol

concurrent execution:

⇒ ⊨ CSconcurrent execution

∀

locking protocol

completable∧


sequential verificationfor conflict-serializability

∀ ⊨concurrent execution

locking protocol

⇒∀⊨concurrent execution

locking protocol∀ ⊨concurrent

execution CS

⇒⇒⊨sequential execution∀

locking protocol

completable∧


⇒sequential verificationfor conflict-serializability


locking protocol

∀ ⊨concurrent execution CS

⇒⊨sequential execution∀

locking protocol

completable∧


⇒ ⇒sequential verificationfor conflict-serializability


locking protocol

∀ ⊨concurrent execution CS

⇒⊨sequential

execution∀ locking protocol

finite sequence of operations terminates

∧

⊨sequential execution∀

locking protocol

completable∧

∀


example

• dynamic tree (hand-over-hand) locking

• heap-allocated tree-like data structures

• hand-over-hand traversal

• lock object before using its fields

• lock child before unlock parent

• never lock object twice

• ...


1. verify hand-over-hand list implementation using the most general single-thread client

1. correctly follows the protocol

2. every call terminates ⇒ completability

2. apply sequential reduction theorem

3. conclude hand-over-hand list correctly follows the protocol

verification outline


bool find(int v){ ACQUIRE H; if (H != null){ Node p = H; acquire(p); RELEASE H; Node c = p.n; if (c != null){ acquire(c);

while (c & c.d<v){ release(p); p = c; c = p.n; acquire(c); }

hand-over-hand locking

if (c & c.d==v){ Node y = c.n; c.n = null; p.n = y; }

release(p); if (c) release(c); } else { ...

bool b = false; if (c & c.d==v) b = true;

release(p); if (c) release(c); return b; } else { ...

insert(int v){ ACQUIRE H; if (H != null){ Node p = H; acquire(p); RELEASE H; Node c = p.n; if (c != null){ acquire(c);


if (c & c.d<v){ Node x = alloc Node; p.n = x; x.d = v; x.n = c; }


Type Node { int d; Node n;}Node H = null;

remove(int v){ ACQUIRE H; if (H != null){ Node p = H; acquire(p); RELEASE H; Node c = p.n; if (c != null){ acquire(c);




-4 7 18 25 33-9Hn n n n n



remove(int v) { ACQUIRE H; if (H != null) { Node p = H; acquire(p); RELEASE H; Node c = p.n; if (c != null) { acquire(c);


: remove(18)



-4 7 18 25 33-9Hn n n n n

: remove(18)







-4 7 18 25 33-9Hn n n n n

p





: remove(18)



-4 7 18 25 33-9Hn n n n n

p c





: remove(18)



-4 7 18 25 33-9Hn n n n n

p c y





: remove(18)



-4 7 18 25 33-9Hn n n n

p c y





: remove(18)



-4 7 18 25 33-9Hn n n

p c y

n





: remove(18)


insert(int v) { ACQUIRE H; if (H != null) { Node p = H; acquire(p); RELEASE H; Node c = p.n; if (c != null) { acquire(c); ...

remove(int v) { ACQUIRE H; if (H != null) { Node p = H; acquire(p); RELEASE H; Node c = p.n; if (c != null) { acquire(c); ...

find(int v) { ACQUIRE H; if (H != null) { Node p = H; acquire(p); RELEASE H; Node c = p.n; if (c != null) { acquire(c); ...

sequential verificationof hand-over-hand-locking


sequential shape reasoning





-4 7 18 25 33-9Hn n n n n

p c


✓ ✓✓insert(int v) { ACQUIRE H; if (H != null) { Node p = H; acquire(p); RELEASE H; Node c = p.n; if (c != null) { acquire(c); ...



∀ sequential execution ⊨hand-over-hand locking





sequential termination

-4 7 18 25 33-9Hn n n

p c y

nMonday, 12 April 2010

ACNI-reduction

⇒⇒

⊨LP∀ complete operation operation operation

sequential reductionfor hand-over-hand locking

⊨∀ complete operation operation complete operation

NI-reduction


operation

∀ ⊨

|; |;

; ;

|| || LP

LPsequential

termination+





∀ concurrent execution ⊨hand-over-hand-locking


“ignoring interleavings”

-4 7 18 25 33-9Hn n

p c y

n

p cp

|| || ||...


sequential reductionfor CS-locking protocols

• NI-reduction

• ACNI-reduction

⇒∀⊨sequential execution

locking protocol∀ ⊨concurrent

executionlocking

protocolcompletable

∧


NI-reduction

LP∀ complete operation operation operation


operation

∀ ⊨LP

|; |;

|| ||

⊨⇒


complete operation

ACNI-reduction


|; |;

; ;


LP∀

∀ ⊨LP

⊨⇒


non-interleaved execution ⊭ LP

int Y = 0;

setY(){ ACQUIRE Y; Y = 1; RELEASE Y; while (true) skip;}

|; ACQUIRE Y; Y=1; RELEASE Y; ACQUIRE Y; y=Y; RELEASE Y; violate LP

getY(){ ACQUIRE Y; int y = Y; RELEASE Y; if (y == 1)

violate LP}


∀ sequential execution ⊨ LP

int Y = 0;



violate LP}

ACQUIRE Y; y=Y; RELEASE Y; violate LP|; ACQUIRE Y; Y=1; RELEASE Y; skip; skip; skip; ...


execution not completable

int Y = 0;



violate LP}

ACQUIRE Y; Y=1; RELEASE Y; skip; skip; skip; ...


completability weaker than sequential termination

int Y = 0;

setY(){ ACQUIRE Y; Y = 1; RELEASE Y; while (*) skip;}


violate LP}



int Y = 0;

setY(){ ACQUIRE Y; Y = 1; RELEASE Y; while (*) skip;}


violate LP}


completability weaker than sequential termination

skip; skip

complete operation


complete operation

ACNI-reduction


|; |;

; ;


LP∀

∀ ⊨LP

⊨⇒completable

∧


ACNI-reduction

⇒⇒

⊨LP∀ complete operation operation operation

sequential reductionfor CS-locking protocols

⊨LP∀


NI-reduction


operation

∀ ⊨LP

|; |;

; ;

|| ||

completable∧


shape analysis

• TVLA [Sagiv et al., TOPLAS’02][Lev-Ami, Sagiv, SAS’00]

• hand-over-hand locking

• termination

singly linked list 4 sec. 4 MB

binary tree 125 sec. 91 MB


main results• sequential reductions for CS-locking

protocols

• local CS-locking protocols

• progressive local CS-locking protocols

• sequential analyses for serializability

• verifiable properties and techniques

• shape analysis adapting TVLA ‘s existing shape analyses of sequential lists & trees


thank you!

ignore your problemsand they (sometimes) go away ...


sequential veriﬁcation formaon/talks/popl10-seqser.pdf•goal verify concurrent data structures...

Documents

Transcript of sequential veriﬁcation formaon/talks/popl10-seqser.pdf•goal verify concurrent data structures...