Download presentation
Presentation is loading. Please wait.
1
Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz
2
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking2 Model Checking of Software Models // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c Model Checker filesystem model filesystem model Model Construction
3
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking3 Model Checking of Software // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c Model Checker
4
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking4 Experience with Calvin Software Checker // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c expressed in terms of concrete state Calvin theorem proving x
5
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking5 Experience with Calvin Software Checker // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c concrete state Calvin theorem proving abstract state Abstraction Invariant ? x
6
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking6 The Need for Atomicity // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Sequential case: code inspection & testing mostly ok
7
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking7 The Need for Atomicity // filesystem.c atomic void create(..) {... } atomic void unlink(..) {... } // filesystem.c atomic void create(..) {... } atomic void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Sequential case: code inspection & testing ok Atomicity Checker
8
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking8 Atomicity Serialized execution of inc() X o Y o acq(L) o t=x o x=t+1 o rel(L) o Z o o atomic void inc() { acq(L); int t = x; x = t+1; rel(L); }
9
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking9 Atomicity Serialized execution of inc() Non-serialized executions of inc() inc() is atomic if, for every non-serialized execution, there is a serialized execution with the same overall behavior X o Y o acq(L) o t=x o x=t+1 o rel(L) o Z o o acq(L) o X o t=x o Y o x=t+1 o Z o rel(L) o o acq(L) o t=x o X o Y o x=t+1 o rel(L) o Z o o
10
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking10 Verifying Atomicity via Reduction [Lipton 75] acq(L) S 1 X S 2 t=x S 3 Y S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0
11
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking11 Verifying Atomicity via Reduction acq(L) S 1 X S 2 t=x S 3 Y S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 acq(L) S 1 X S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0
12
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking12 Verifying Atomicity via Reduction acq(L) S 1 X S 2 t=x S 3 Y S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 acq(L) S 1 X S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 X T 1 acq(L) S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0
13
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking13 Verifying Atomicity via Reduction acq(L) S 1 X S 2 t=x S 3 Y S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 acq(L) S 1 X S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 X T 1 acq(L) S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 X T 1 Y T 2 acq(L) T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0
14
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking14 Verifying Atomicity via Reduction X T 1 Y T 2 acq(L) T 3 t=x S 4 x=t+1 S 5 rel(L) T 6 Z S 7 S0 S0 acq(L) S 1 X S 2 t=x S 3 Y S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 acq(L) S 1 X S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 X T 1 acq(L) S 2 Y T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0 X T 1 Y T 2 acq(L) T 3 t=x S 4 x=t+1 S 5 Z S 6 rel(L) S 7 S0 S0
15
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking15 Applications of Reduction for Atomicity Type systems for concurrency –extended Java’s type system to verify atomicity –atomicity violations in standard libraries Dynamic checkers –atomicity widespread in Java programs Model checking –Bogor
16
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking16 public class StringBuffer { private int count; public synchronized int length() { return count; } public synchronized void getChars(...) {... } atomic public synchronized void append(StringBuffer sb){ int len = sb.length();... sb.getChars(...,len,...);... } Example Violation: java.lang.StringBuffer sb.length() acquires lock on sb, gets length, and releases lock use of stale len may yield StringIndexOutOfBoundsException inside getChars(...) other threads can change sb
17
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking17 Limitations of Reduction r:=1 T 1 assume r=1 T 2 L=0 T 3 S 4 assume r!=1 S 5 S 6 S 7 S0 S0 begin atomic CAS(L,0,r) succeeds end atomic L=0 S 4 r:=1 S 1 S 2 S 3 S0 S0 assume r==1 begin atomic assume r!=1 S 6 S 7 end atomic S 5 CAS(L,0,r) succeeds boolean L; // lock, 0 if not held atomic void acquire() { boolean r := 1; while (r==1) { CAS(L,0,r); }
18
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking18 Limitations of Reduction boolean L; // lock, 0 if not held atomic void acquire() { boolean r := 1; while (r==1) { CAS(L,0,r); } r:=1 T 1 assume r=1 T 2 L=0 T 3 CAS(L,0,r) succeeds T 4 assume r!=1 T 5 T 6 S 9 S0 S0 begin atomic end atomic L=0 r:=1 S 1 S 2 S 3 CAS(L,0,r) fails S 4 S0 S0 assume r==1 begin atomic S 5 assume r==1 S 6 assume r!=1 S 8 S 9 end atomic CAS(L,0,r) succeeds S 7 9 instructions 7 instructions
19
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking19 Commit-Atomic Run normal and serial executions of program concurrently, on separate stores Normal execution runs as normal –threads execute atomic blocks –each atomic block has commit point Serial execution –runs on separate shadow store –when normal execution commits an atomic block, serial execution runs entire atomic block serially Check two executions yield same behavior
20
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking20 Commit-Atomic commit atomic block... Normal execution Serial execution compare states
21
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking21 Preliminary Evaluation Some small benchmarks –Bluetooth device driver atomicity violation due to error –Busy-waiting lock acquire acquire1: 1 line of code in critical section acquire100: 100 lines of code in critical section Hand translated to PROMELA code –Two versions, with and without commit-atomic
22
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking22 Performance: Bluetooth device driver
23
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking23 Performance: acquire1 and acquire100
24
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking24 Related Work Reduction –[Lipton 75, Lamport-Schneider 89,...] –type systems [Flanagan-Qadeer 03] –model checking [Stoller-Cohen 03, Flanagan-Qadeer 03, Hatcliff et al 04] –dynamic checking [Flanagan-Freund 04] –procedure summaries [Qadeer et al 04] Atomicity a canonical concept –Strict serializability in databases –Linearizability for concurrent objects –Languages: Monitors, Argus [Liskov et al 87], Avalon [Eppinger et al 91] View consistency –[Artho-Biere-Havelund 03, von Praun-Gross 03]
25
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking25 Summary Atomicity –concise, semantically deep partial specification Reduction –lightweight technique for verifying atomicity Commit-Atomicity –more general technique Future work –combine reduction and commit-atomic –generalizing atomicity temporal logics for determinism?
26
Cormac FlanaganVerifying Commit-Atomicity Using Model Checking26 Future Work: Logics for Determinism? Software checking: exploits redundancy –between program and types –between program and specification –between different traces of the same program Do we need temporal logics for determinism? –that is, a logic where we could specify that some traces behave like other traces –express many properties like “atomic”
27
Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.