Model Checking Linearizability via Refinement 1 ICFEM 2008 Model Checking Linearizability via Refinement Yang LIU, Wei CHEN, Yanhong A. LIU, and Jun SUN
PAT: Process Analysis Toolkit PAT is a self-contained environment for system specification, visualized simulation and automated verification. 2
Model Checking Linearizability via Refinement Summary about PAT Main Features –MC fairness enhanced systems (vs Spin) Process Counter Abstraction –Refinement checking (vs FDR) –MC Real-time systems (vs Uppaal) Applications –MC Self-stablizing population protocol model –Verification of linearizability (this talk) –Web service conformance checking June 2007 to Nov 2009 –C#, 1 million LOC –Visual Studio like GUI –500+ downloads, 100+ organization, 29 countries/regions –3 Modules: CSP, RTS and WS –50+ build-in examples 3
Model Checking Linearizability via Refinement On-going and future Works New modules –UML, security, sensor network and privacy?? Symbolic representation techniques, e.g. BDD Reduction and abstraction techniques Probabilistic model checking techniques
Model Checking Linearizability via Refinement 5 FM 2009 Outline Motivations and Overview Background –Shared Memory Model –Linearizability Definitions Linearizability as Refinement Relations Verification of Linearizability Experiments Related Work Conclusion and Future Work
Model Checking Linearizability via Refinement 6 FM 2009 Motivations Concurrent objects (shared queue, stacks) are hard to design correctly –Exclusive access (correctness) vs. Maximum interleaving (performance) –Esp. lock-free & wait-free ones Linearizability [HW90] is an accepted correctness criterion for shared objects. –A shared object is linearizable if each operation on the object can be understood as occurring instantaneously at some point, (a.k.a. linearization point) Automatic verification of linearizability is challenging –Rely on the knowledge of linearization points –Linearization points are hard to be statically determined
Model Checking Linearizability via Refinement Overview of Our Approach Define linearizability based on refinement relations –An event-based modeling language –Semantics based on LTS Verify linearizability using refinement checking algorithms –Create linearizable specifications –Refinement between abstract specification and concrete implementation models Tool: Process Analysis Toolkit (PAT) –A toolkit for automatically analyzing event-based concurrent systems including refinement checking –Substantial Experiments: Stack, Queue, K-valued Register Mailbox[DISC’08], SNZI[PODC’07]. FM
Model Checking Linearizability via Refinement 8 FM 2009 Outline Motivations and Overview Background –Shared Memory Model –Linearizability Definitions Linearizability as Refinement Relations Verification of Linearizability Experiments Related Work Conclusion and Future Work
Model Checking Linearizability via Refinement Shared Memory Model A shared memory model M, –O = (o 1,…,o k ) denotes the set of k shared objects, –P = (p 1,…,p n ) denotes the set of n processes accessing the objects. –O support a set of operations: pairs of invocations and matching responses. The behaviour of M –the set of all possible sequences (trace) of invocations and responses together with the initial states of the objects. FM p0: W inv (x,1) W res (x) R inv (y) R res (y,2) p1: W inv (y,2) W res (y) R inv (x) R res (x,1)
Model Checking Linearizability via Refinement Linearizability σ is linearizable if there exists a sequential permutation π of σ such that –1) for each object o i, π| oi is a legal sequential history (i.e. π respects the sequential specification of the objects), and –2) if op1 < σ op2, then op1 < π op2 (i.e., π respects the run-time ordering of operations). Examples FM p0: W inv (x,1) W res (x) R inv (y) R res (y,2) p1: W inv (y,2) W res (y) R inv (x) R res (x,1) p0: W inv (x,1) W res (x) R inv (y) R res (y,2) p1: W inv (y,2) W res (y) R inv (x) R res (x,1) p0: W inv (x,1) W res (x) R inv (y) R res (y,0) p1: W inv (y,2) W res (y) R inv (x) R res (x,1)
Model Checking Linearizability via Refinement Stack Example High-level Linearizability vs. Low-Level Linearizability
Model Checking Linearizability via Refinement 12 FM 2009 Outline Motivations and Overview Background –Shared Memory Model –Linearizability Definitions Linearizability as Refinement Relations Verification of Linearizability Experiments Related Work Conclusion and Future Work
Model Checking Linearizability via Refinement Create Specification Model Event-base formalism (e.g. CSP) Specify each operation op of a shared object o on a process p i using three atomic steps: –the invocation action inv(op) i, –the linearization action lin(op) i, and (Invisible event) –the response action res(op, resp) i. Is linearizable! FM
Model Checking Linearizability via Refinement Create Implementation Consider the implementment of object o. –The visible events of impl are also those inv(op) i 's and res(op, resp) i 's. Is linearizable? FM
Model Checking Linearizability via Refinement Linearizability as Refinement FM
Model Checking Linearizability via Refinement On-the-fly verification algorithm (DFS) Optimizations: –Partial Order Reduction ||| is the main source of state space explosion Explore only a subset of enabled transitions and yet preserve soundness. –Symmetry Reduction Ignore the orders of similar processes E.g. reader ||| writer1 ||| writer2 == reader ||| writer2 ||| writer1 –Process Counter Abstraction Refinement Checking Algorithm 16
Model Checking Linearizability via Refinement Experiments TASE
Model Checking Linearizability via Refinement Related Works Manual proving –Herlihy and Wing ACM Transaction 90 –Vafeiadis et. al. use rely-guarantee PPoPP’06 Using theorem provers –Doherty et. al. use simulation between I/O automata modeling the specification and implementation. FORTE'04 Static analysis –Wang and Stoller present a static analysis that verifies linearizability for an unbounded number of threads. PPoPP’05 Model checking –Amit et al. presented a shape difference abstraction that tracks the difference between two heaps. CAV’07 –Manevich et al. SAS’08 and Berdine et al. CAV’08 extended it to handle larger number and unbounded number of threads, respectively. –Vafeiadis further improved this solution to allow linearization points in different threads. VMCAI’09 –Vechev and Yahav use trace analysis. PLDI'08 FM
Model Checking Linearizability via Refinement 19 FM 2009 Conclusion Specify and verify linearizability using refinement relation Show that refinement checking algorithm behind PAT allows verifying concurrent algorithms –without the knowledge of linearization points –fully automatically –effective reduction technique Formally verify Mailbox and SNZI algorithms for the first time
Model Checking Linearizability via Refinement 20 FM 2009 On-going and future works Deal with infamous state explosion problem Combine different state space reduction techniques and parameterized refinement checking for infinite number of processes
Model Checking Linearizability via Refinement 21 ICFEM 2008 Thank You
Model Checking Linearizability via Refinement Modeling Language Shared Variables and Arrays Synchronization primitives in nonblocking algorithms –compare and swap (CAS) and –load linked (LL)/store-conditional (SC). FM
Model Checking Linearizability via Refinement Semantics System State : a pair (P,V) –P is the current process expression, and –V is the current valuation of the shared variables represented as a mapping from names to values. FM
Model Checking Linearizability via Refinement Refinement L im = (S im, init im,T im ) be a LTS for an implementation. L sp = (S sp, init sp,T sp ) be a LTS for a specification. L im refines L sp, iff traces(L im ) ⊆ traces(L sp ). FM
Model Checking Linearizability via Refinement Back up Support Synchronization Primitives –Compare and Swap –Load-linked/ Store-Conditional