Proving linearizability & lock-freedom

Size: px

Start display at page:

Download "Proving linearizability & lock-freedom"

Imogene Quinn
5 years ago
Views:

1 Proving linearizability & lock-freedom Viktor Vafeiadis MPI-SWS

2 Michael & Scott non-blocking queue head tail X null

3 CAS compare & swap CAS (address, expectedvalue, newvalue) { atomic { if ( *address == expectedvalue ) { *address = newvalue; return true; else { return false; - A single hardware instruction on x86

4 Michael & Scott non-blocking queue head tail X null

5 Michael & Scott non-blocking queue head tail 4 null X null

6 Michael & Scott non-blocking queue head tail 4 null X 1 3 2

7 Michael & Scott non-blocking queue head tail 4 null X 1 3 2

8 Michael & Scott non-blocking queue head tail 4 null X 1 3 2

9 Enqueue & dequeue enqueue(v) { m = new Node(); m val = v; m next = null; while (true) { t = Q tail; n = tail next; if (Q tail tail) continue; if (n == null) { if (CAS(&t next,n,m)) break; else { CAS(&Q tail,t,n); CAS(&Q tail,t,n); Don t read the code! dequeue () { while (true) { h = Q head; t = Q tail; n = h next; if (Q tail t) continue; if (h == t) { if (n == null) return EMPTY; CAS(&Q tail,t,n); else { if (CAS(&Q head,h,n)) return n val;

10 RGSep actions (pre-/postcondition pairs) Summarize the shared state updates head tail head tail Enqueue A null A B null Dequeue head tail head tail A B A B Advance tail pointer head tail A B head tail A B

The actions of enqueue & dequeue enqueue(v) { m = new Node(); m val = Local v; m next updates = null; while (true) { t = Q tail; n = tail next; if (Q tail t) continue; if (n == null) { if (CAS(&t

11 The actions of enqueue & dequeue enqueue(v) { m = new Node(); m val = Local v; m next updates = null; while (true) { t = Q tail; n = tail next; if (Q tail t) continue; if (n == null) { if (CAS(&t next,n,m)) ENQUEUE break; else { CAS(&Q tail,t,n); ADV. TAIL CAS(&Q tail,t,n); ADV. TAIL dequeue () { while (true) { h = Q head; t = Q tail; n = h next; if (Q tail t) continue; if (h == t) { if (n == null) return EMPTY; CAS(&Q tail,t,n); ADV. TAIL else { if (CAS(&Q head,h,n)) DEQUEUE return n val;

12 Length (first attempt) length() { num = 0; curr = Q head next; while (curr null) { num++; curr = curr next; return num; head tail X null

13 Length (second attempt) length() { num = 0; while (true) { t = Q tail; n = tail next; if (n == null) break; CAS(&Q tail,t,n); curr = Q head next; while (curr null) { num++; if (curr == t) break; curr = curr next; return num; Read Q tail, and ensure that Q tail next == null

14 Length (third attempt) length() { num = 0; do { h = Q head; while (true) { t = Q tail; n = tail next; if (n == null) break; CAS(&Q tail,t,n); while (h Q head); curr = h next; while (curr null) { num++; if (curr == t) break; curr = curr next; return num; Get a snapshot of Q head and Q tail and ensure that Q tail next==null.

15 Verification challenge Functional correctness (linearizability): Every method executes atomically and obeys a high-level specification VMCAI 09 CAV 10 Liveness properties, e.g. lock-freedom: At all times, some outstanding method call is guaranteed to terminate. POPL 09

16 Linearizability Every method executes atomically & obeys a functional correctness specification Shared variable: AQ enqueue(v) spec AQ := append(singleton(v), AQ); return 0; dequeue() spec if (AQ == empty) { return EMPTY; else { r := hd(aq); AQ := tl(aq); return r;

17 Linearizability & forward simulation Linearizability: The implementation (of every method) is a refinement of an atomic specification. Standard proof technique: forward simulation Abstract (spec) S abs S abs Concrete (impl) S conc S conc

18 Linearization points The implementation is a refinement of an atomic specification. abstract execution concrete execution linearization point (LP)

19 Linearization point of enqueue enqueue(v) { m := new Node(); m val := v; m next := null; while (true) { t := Q tail; n := tail next; if (Q tail tail) continue; if (n == null) { if (CAS(&t next,n,m)) break; else { CAS(&Q tail,t,n); CAS(&Q tail,t,n); Lin. Point (provided CAS succeeds)

20 Proof search for the LP? For each execution path of each method, choose a candidate LP Check whether it is a valid LP Does this work?

21 Proof search for the LP? For each execution path of each method, choose a candidate LP Check whether it is a valid LP Does this work? Not quite. 1. LPs can be conditional 2. LPs can be in the code of another thread

22 LP of dequeue, when it returns EMPTY dequeue () { while (true) { h := Q head; t := Q tail; n := h next; if (Q tail t) continue; if (h == t) { if (n == null) return EMPTY; CAS(&Q tail,t,n); else { if (CAS(&Q head,h,n)) return n val; LP provided this test fails, and the h==t test succeeds the n==null test succeeds Condition: prophecy(q tail t) h == t n == null

23 Key observation Method executions that logically modify the state have a simple LP. Method executions that do not logically modify the state often have a complex LP. So: Treat these two cases differently. Search for LPs of executions that logically modify the state; Do a non-constructive proof for executions that do not logically modify the state.

24 Basic LP validation Auxiliary variable: lres 1. At the entry to the function: lres := UNDEF; 2. At the candidate effectful LPs: assert(lres==undef); lres := method_spec(); 3. At the return points, check res == lres concrete result abstract result

25 Validating pure executions Auxiliary variable: can_return 1. At the entry to the function: i. can_return[i] := false; 2. At every point, add a pure LP checker : if (abs_method() has no side-effects) can_return[abs_method()] := true; 3. At the return points, check can_return[res] == true concrete result

26 For example... dequeue spec if (AQ == empty) { return EMPTY; else { r := hd(aq); AQ := tl(aq); return r; pure lin. checker if (AQ == empty) { can_return[empty] := true;

27 Enhanced LP validation Auxiliary variables: lres, can_return 1. At the entry to the function: lres := UNDEF; i. can_return[i] := false; 2. At the candidate effectful LPs: assert(lres==undef); lres := abs_method() 3. Add pure checkers at every program point: assign can_return[i] := true if method_spec returns i & has no side-effects. 4. At the return points, check (res==lres) (lres==undef can_return[res])

28 LPs in other threads add (e) {... remove (e) {... contains (e) { c := H; while (c val < e) c := c next; return (c val == e); -INF INF null contains(5) add(5); remove(3); remove(5)

29 LPs in other threads add (e) {... remove (e) {... contains (e) { c := H; while (c val < e) c := c next; return (c val == e); -INF INF null c contains(5) add(5); remove(3); remove(5)

30 LPs in other threads add (e) {... remove (e) {... contains (e) { c := H; while (c val < e) c := c next; return (c val == e); -INF INF null c contains(5) add(5); remove(3); remove(5)

31 LPs in other threads add (e) {... remove (e) {... contains (e) { c := H; while (c val < e) c := c next; return (c val == e); -INF INF null c contains(5) add(5); remove(3); remove(5)

32 LPs in other threads add (e) {... remove (e) {... contains (e) { c := H; while (c val < e) c := c next; return (c val == e); -INF INF null c contains(5) add(5); remove(3); remove(5)

33 LPs in other threads add (e) {... remove (e) {... contains (e) { c := H; while (c val < e) c := c next; return (c val == e); 3 -INF INF null c contains(5) add(5); remove(3); remove(5)

34 LPs in other threads add (e) {... remove (e) {... contains (e) { c := H; while (c val < e) c := c next; return (c val == e); 3 5 -INF 1 7 +INF null c contains(5) add(5); remove(3); remove(5)

35 LPs in other threads add (e) {... remove (e) {... contains (e) { c := H; while (c val < e) c := c next; return (c val == e); 3 5 -INF 1 7 +INF null c contains(5) add(5); remove(3); remove(5)

36 Enhanced LP validation Auxiliary variables: lres, can_return 1. At the entry to the function: lres := UNDEF; i. can_return[i] := false; 2. At the candidate effectful LPs: assert(lres==undef); lres := abs_method() 3. Add pure checkers at every program point (incl. program points in other threads) 4. At the return points, check (res==lres) (lres==undef can_return[res])

37 Implementation CAVE: Concurrent Algorithm VErifier - RGSep action inference [VMCAI 2010] - Shape-value abstract domain [VMCAI 2009] - Algorithm for proving linearizability [CAV 2010]

38 Experiments (linearizability) Algorithm Lines Ops Eff Pure LpO Time (s) DCAS stack Treiber stack M&S two-lock queue M&S non-blocking queue DGLM non-blocking queue Pessimistic set V&Y DCAS-based set ORVYY lazy set Lines: lines of code: excluding comments & specs Ops: # methods Eff: # effectful methods Pure: # methods with a pure execution path LpO: # linearization points in other threads

39 Non-blocking liveness properties Proving that non-blocking algorithms don t block [Gotsman, Cook, Parkinson, Vafeiadis, POPL 09]

40 Non-blocking liveness properties Wait-freedom: Every thread is guaranteed to complete its operation. Lock-freedom: [Provided that there is at least one thread scheduled,] some thread is guaranteed to complete its operation. Obstruction-freedom: Every thread is guaranteed to complete its operation, provided it eventually executes in isolation. (No assumptions about the scheduler.)

41 Lock-freedom reduces to termination A library is lock-free iff init(); n { if(?) enqueue(?) else if(?) dequeue() else length() terminates when n(=the number of threads) is bounded.

42 Reminder: enqueue & dequeue enqueue(v) { m = new Node(); m val = v; m next = null; while (true) { t = Q tail; n = tail next; if (Q tail t) continue; if (n == null) { if (CAS(&t next,n,m)) ENQUEUE break; else { CAS(&Q tail,t,n); ADV. TAIL CAS(&Q tail,t,n); ADV. TAIL dequeue () { while (true) { h = Q head; t = Q tail; n = h next; if (Q tail t) continue; if (h == t) { if (n == null) return EMPTY; CAS(&Q tail,t,n); ADV. TAIL else { if (CAS(&Q head,h,n)) DEQUEUE return n val;

43 Guarantee-strengthening I don t execute ENQUEUE or DEQUEUE infinitely often I don t execute ENQUEUE or DEQUEUE infinitely often I don t execute ENQUEUE, DEQUEUE, or ADV.TAIL infinitely often I don t execute ENQUEUE, DEQUEUE, or ADV.TAIL infinitely often I terminate I terminate

44 Guarantee-strengthening First, do action inference Then, iteratively eliminate actions

45 Guarantee-strengthening First, do action inference (ENQUEUE DEQUEUE ADV.TAIL) Then, iteratively eliminate actions

46 Guarantee-strengthening First, do action inference (ENQUEUE DEQUEUE ADV.TAIL) Then, iteratively eliminate actions ENQUEUE DEQUEUE ADV.TAIL Terminates

47 Guarantee-strengthening First, do action inference (ENQUEUE DEQUEUE ADV.TAIL) Then, iteratively eliminate actions ENQUEUE DEQUEUE ADV.TAIL Terminates

48 Guarantee-strengthening First, do action inference (ENQUEUE DEQUEUE ADV.TAIL) Then, iteratively eliminate actions ENQUEUE DEQUEUE ADV.TAIL Terminates ENQUEUE DEQUEUE ADV.TAIL Terminates

49 Guarantee-strengthening First, do action inference (ENQUEUE DEQUEUE ADV.TAIL) Then, iteratively eliminate actions ENQUEUE DEQUEUE ADV.TAIL Terminates ENQUEUE DEQUEUE ADV.TAIL Terminates ENQUEUE DEQUEUE ADV.TAIL Terminates

Automatically Proving Linearizability

Automatically Proving Linearizability Viktor Vafeiadis University of Cambridge Abstract. This paper presents a practical automatic verification procedure for proving linearizability (i.e., atomicity and