Proving liveness. Alexey Gotsman IMDEA Software Institute

Size: px

Start display at page:

Download "Proving liveness. Alexey Gotsman IMDEA Software Institute"

Cecilia Gardner
5 years ago
Views:

1 Proving liveness Alexey Gotsman IMDEA Software Institute

2 Safety properties Ensure bad things don t happen: - the program will not commit a memory safety fault - it will not release a lock it does not hold Counterexamples: finite executions

3 Liveness properties Ensure good things eventually happen: - the program eventually terminates - whenever it acquires a lock, it will eventually release it - every process eventually gets a chance to execute Counterexamples: infinite executions

4 Liveness of sequential programs Fully-automatic tools for proving liveness Liveness of integer sequential programs: TERMINATOR Liveness of heap-manipulating programs by reduction to integer ones: Magill+. Automatic Numeric Abstractions for Heap-Manipulating Programs. POPL 10

5 Liveness of concurrent programs Open research area This lecture: automatically proving liveness properties of non-blocking algorithms Joint work with Byron Cook, Matthew Parkinson and Viktor Vafeiadis Assume we can check liveness properties of sequential C programs

6 Circular reasoning about safety Thread-modular reasoning is circular: R 1,G 1 {P 1 C 1 {Q 1 R 2,G 2 {P 2 C 2 {Q 2 R 1 R 2,G 1 G 2 {P 1 P 2 C 1 C 2 {Q 1 Q 2 assumes C1 satisfies G1 C2 satisfies G2 assumes Sound because G1 and G2 define safety properties

7 Circular reasoning about liveness Circular reasoning about liveness is unsound: x = y = 1; while (x) ; y = 0; while (y) ; x = 0; assumes If the other thread resets x, I ll eventually reset y If the other thread resets y, I ll eventually reset x assumes Both are true, but the program doesn t terminate

8 Treiber s stack struct Node { Node *next; data_t val; *Top; CAS(x, v1, v2) { if (*x == v1) { *x = v2; return true; else return false; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val;

9 Treiber s stack struct Node { Node *next; data_t val; *Top; CAS(x, v1, v2) { if (*x == v1) { *x = v2; return true; else return false; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; Do push and pop always terminate?

10 Treiber s stack struct Node { Node *next; data_t val; *Top; CAS(x, v1, v2) { if (*x == v1) { *x = v2; return true; else return false; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val;

11 struct Node { Node *next; data_t val; *Top; CAS(x, v1, v2) { if (*x == v1) { *x = v2; return true; else return false; Treiber s stack void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; push or pop may not terminate if other threads continuously modify Top

12 struct Node { Node *next; data_t val; *Top; CAS(x, v1, v2) { if (*x == v1) { *x = v2; return true; else return false; Treiber s stack void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; push or pop may not terminate if other threads continuously modify Top However: some operation will always terminate

13 struct Node { Node *next; data_t val; *Top; CAS(x, v1, v2) { if (*x == v1) { *x = v2; return true; else return false; Treiber s stack void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; push or pop may not terminate if other threads continuously modify Top However: some operation will always terminate Lock-freedom

14 Lock-freedom Most general client C(m): For any m in any execution of C(m) under any scheduler some operation returns infinitely often Any scheduler: can suspend a thread and never resume it again (but assume it always schedules someone) Also: wait-freedom, obstruction-freedom

15 From lock-freedom to termination Lock-freedom: for any m in any execution of C(m) some operation returns infinitely often True iff for any l the program C (l) terminates

16 From lock-freedom to termination

17 From lock-freedom to termination Non-terminating execution of C (l) execution of C(l) violating lock-freedom

18 From lock-freedom to termination Non-terminating execution of C (l) execution of C(l) violating lock-freedom Same operations as in C (l); threads get preempted forever after one successful iteration

19 From lock-freedom to termination

20 From lock-freedom to termination

21 From lock-freedom to termination

22 From lock-freedom to termination Execution of C(m) violating lock-freedom has only k operations non-terminating execution of C (k)

23 From lock-freedom to termination Execution of C(m) violating lock-freedom has only k operations non-terminating execution of C (k) Same operations as in C (l) with the same scheduling decisions

24 From lock-freedom to termination

25 From lock-freedom to termination

26 RGSep proof struct Node { Node *next; data_t val; *Top; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val;

27 RGSep proof struct Node { Node *next; data_t val; *Top; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; Shared state

28 RGSep proof struct Node { Node *next; data_t val; *Top; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; Shared state Top 42 4 NULL

29 RGSep proof struct Node { Node *next; data_t val; *Top; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); Push or Id data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; Pop or Id Shared state Top 42 4 NULL

30 RGSep proof struct Node { Node *next; data_t val; *Top; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); Push or Id data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; Pop or Id

31 Lock-freedom of Treiber s stack struct Node { Node *next; data_t val; *Top; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); Push or Id data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; Pop or Id

32 Lock-freedom of Treiber s stack struct Node { Node *next; data_t val; *Top; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); Push or Id data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; Pop or Id The do loops terminate if no-one else executes Push or Pop infinitely often

33 Lock-freedom of Treiber s stack struct Node { Node *next; data_t val; *Top; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); Push or Id data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; Pop or Id The do loops terminate if no-one else executes Push or Pop infinitely often No-one executes Push or Pop infinitely often

34 Lock-freedom of Treiber s stack struct Node { Node *next; data_t val; *Top; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); Push or Id data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; Pop or Id The do loops terminate if no-one else executes Push or Pop infinitely often No-one executes Push or Pop infinitely often Hence, push and pop terminate

35 Lock-freedom of Treiber s stack struct Node { Node *next; data_t val; *Top; void push(data_t v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; while(!cas(&top,t,x)); Push or Id data_t pop() { Node *t, *x; do { t = Top; if (t == NULL) return EMPTY; x = t->next; while(!cas(&top,t,x)); return t->val; Pop or Id The do loops terminate if no-one else executes Push or Pop infinitely often No-one executes Push or Pop infinitely often Hence, push and pop terminate liveness assumption

36 Layered proof I execute only Push, Pop or Id I execute only Push, Pop or Id I don t execute Push or Pop infinitely often I don t execute Push or Pop infinitely often I terminate I terminate

37 Layered proof Thread-modular query: thread simple environment model can be checked by sequential tools I execute only Push, Pop or Id I execute only Push, Pop or Id I don t execute Push or Pop infinitely often I don t execute Push or Pop infinitely often I terminate I terminate

38 Layered proof I execute only Push, Pop or Id I execute only Push, Pop or Id I don t execute Push or Pop infinitely often I don t execute Push or Pop infinitely often I terminate I terminate

39 Layered proof I execute only Push, Pop or Id I execute only Push, Pop or Id I don t execute Push or Pop infinitely often I don t execute Push or Pop infinitely often What about n threads? I terminate I terminate

40 Layered proof I execute only Push, Pop or Id I execute only Push, Pop or Id I don t execute Push or Pop infinitely often I don t execute Push or Pop infinitely often What about n threads? I terminate I terminate Is such a proof always valid for n threads?

41 Layered proof I execute only Push, Pop or Id I execute only Push, Pop or Id I don t execute Push or Pop infinitely often I don t execute Push or Pop infinitely often What about n threads? I terminate I terminate Is such a proof always valid for n threads? Yes: finitely many + finitely many = finitely many!

42 Spinlocks using CAS Lock l: 0 or 1 lock(l) { while (!CAS(l, 0, 1)) ; unlock(l){ l=0; Is it lock-free?

43 HSY stack (Hendler-Shavit-Yerushalmi) void push(data_t v) { Node *t, *x; x = new Node; x->val = v; while(true) { t = Top; x->next = t; if(cas(&top,t,x)) return; hisid = col[pos]; while(!cas(&col[pos],hisid,myid)) hisid = col[pos]; Contending push and pop can eliminate each other without modifying the stack pop just returns the value that push is trying to insert Operations collide by writing to a random slot in the col array

44 HSY stack (Hendler-Shavit-Yerushalmi) void push(data_t v) { Node *t, *x; x = new Node; x->val = v; while(true) { t = Top; x->next = t; if(cas(&top,t,x)) return; hisid = col[pos]; Push or Id Xchg or Id while(!cas(&col[pos],hisid,myid)) hisid = col[pos]; Others or Id Contending push and pop can eliminate each other without modifying the stack pop just returns the value that push is trying to insert Operations collide by writing to a random slot in the col array

45 HSY stack (Hendler-Shavit-Yerushalmi) void push(data_t v) { Node *t, *x; x = new Node; x->val = v; while(true) { t = Top; x->next = t; if(cas(&top,t,x)) return; hisid = col[pos]; Others or Id Push or Id Xchg or Id while(!cas(&col[pos],hisid,myid)) hisid = col[pos];

46 HSY stack (Hendler-Shavit-Yerushalmi) void push(data_t v) { Node *t, *x; x = new Node; x->val = v; while(true) { t = Top; x->next = t; if(cas(&top,t,x)) return; hisid = col[pos]; Others or Id Push or Id Xchg or Id while(!cas(&col[pos],hisid,myid)) hisid = col[pos]; No-one executes Push or Pop infinitely often

47 HSY stack (Hendler-Shavit-Yerushalmi) void push(data_t v) { Node *t, *x; x = new Node; x->val = v; while(true) { t = Top; x->next = t; if(cas(&top,t,x)) return; hisid = col[pos]; Others or Id Push or Id Xchg or Id while(!cas(&col[pos],hisid,myid)) hisid = col[pos]; No-one executes Push or Pop infinitely often push and pop terminate if no-one else executes Push, Pop, or Xchg infinitely often

48 HSY stack (Hendler-Shavit-Yerushalmi) void push(data_t v) { Node *t, *x; x = new Node; x->val = v; while(true) { t = Top; x->next = t; if(cas(&top,t,x)) return; hisid = col[pos]; Others or Id Push or Id Xchg or Id while(!cas(&col[pos],hisid,myid)) hisid = col[pos]; No-one executes Push or Pop infinitely often push and pop terminate if no-one else executes Push, Pop, or Xchg infinitely often push and pop don t execute Xchg infinitely often if noone else executes Push or Pop infinitely often

49 HSY stack (Hendler-Shavit-Yerushalmi) void push(data_t v) { Node *t, *x; x = new Node; x->val = v; while(true) { t = Top; x->next = t; if(cas(&top,t,x)) return; hisid = col[pos]; Others or Id Push or Id Xchg or Id while(!cas(&col[pos],hisid,myid)) hisid = col[pos]; No-one executes Push or Pop infinitely often push and pop terminate if no-one else executes Push, Pop, or Xchg infinitely often push and pop don t execute Xchg infinitely often if noone else executes Push or Pop infinitely often Hence, push and pop terminate

50 Layered proof I execute only Push, Pop, Xchg, Others or Id I execute only Push, Pop, Xchg, Others or Id I don t execute Push or Pop infinitely often I don t execute Push or Pop infinitely often I don t execute Push, Pop or Xchg infinitely often I don t execute Push, Pop or Xchg infinitely often I terminate I terminate

51 Wish list Formal system for thread-local judgements Tool for discharging the judgements Proof rules for combining the judgements Strategy for proof search

52 Wish list Formal system for thread-local judgements Tool for discharging the judgements Proof rules for combining the judgements Strategy for proof search

53 RGSep judgements R, G {P C {Q If the initial state satisfies P and the environment satisfies R, then C is safe, satisfies G, and the final state, when C terminates, satisfies Q P, Q assertions interpreted over LocalStates SharedStates R, G relations in P(SharedStates SharedStates)

54 Judgements for liveness proofs R, G {P C {Q If the initial state satisfies P and the environment satisfies R, then C is safe, satisfies G, and the final state, when C terminates, satisfies Q P, Q assertions interpreted over LocalStates SharedStates R, G languages of finite and infinite words over the alphabet P(SharedStates SharedStates)

55 Linear temporal logic (LTL) Ψ ::= RGSepActions Ψ Ψ Ψ Ψ Ψ Ψ always eventually next Semantics over infinite words: δ 1 δ 2... = A δ 1 A δ 1 δ 2 δ 3... δ 1 δ 2... = Ψ i. δ i δ i+1... = Ψ δ 1 δ 2 δ 3... δ 1 δ 2... = Ψ i. δ i δ i+1... = Ψ δ 1 δ 2 δ 3... δ i δ 1 δ 2... = Ψ δ 2 δ 3... = Ψ δ 1 δ 2 δ 3...

56 Linear temporal logic (LTL) Ψ ::= RGSepActions Ψ Ψ Ψ Ψ Ψ Ψ always eventually next Semantics over finite words: δ 1...δ m = A δ 1 A δ 1 δ 2 δ 3... δ m δ 1...δ m = Ψ i. 1 i m δ i...δ m = Ψ δ 1 δ 2 δ 3... δ m δ 1...δ m = Ψ i. 1 i m δ i...δ m = Ψ δ 1 δ 2 δ 3... δ i δ m δ 1...δ m = Ψ m 2 δ 2...δ m = Ψ δ 1 δ 2 δ 3... δ m

57 Linear temporal logic (LTL) Ψ ::= RGSepActions Ψ Ψ Ψ Ψ Ψ Ψ always eventually next

58 Linear temporal logic (LTL) Ψ ::= RGSepActions Ψ Ψ Ψ Ψ Ψ Ψ always eventually next A

59 Linear temporal logic (LTL) Ψ ::= RGSepActions Ψ Ψ Ψ Ψ Ψ Ψ always eventually next A finitely often A

60 Linear temporal logic (LTL) Ψ ::= RGSepActions Ψ Ψ Ψ Ψ Ψ Ψ always eventually next A finitely often A A

61 Linear temporal logic (LTL) Ψ ::= RGSepActions Ψ Ψ Ψ Ψ Ψ Ψ always eventually next A finitely often A A finitely often A

62 Linear temporal logic (LTL) Ψ ::= RGSepActions Ψ Ψ Ψ Ψ Ψ Ψ always eventually next A finitely often A A finitely often A (A 1 A 2 )

63 Linear temporal logic (LTL) Ψ ::= RGSepActions Ψ Ψ Ψ Ψ Ψ Ψ always eventually next A finitely often A A finitely often A (A 1 A 2 ) A1 is always followed by A2

64 Linear temporal logic (LTL) Ψ ::= RGSepActions Ψ Ψ Ψ Ψ Ψ Ψ always eventually next A finitely often A A finitely often A (A 1 A 2 ) A1 is always followed by A2 False

65 Linear temporal logic (LTL) Ψ ::= RGSepActions Ψ Ψ Ψ Ψ Ψ Ψ always eventually next A finitely often A A finitely often A (A 1 A 2 ) A1 is always followed by A2 False termination

66 Property specification RGSep triple R, G {P C {Q: R, G {P C {Q push doesn t execute Push or Pop infinitely often : push terminates if no-one else executes Push or Pop infinitely often :

67 Keeping track of guarantees I execute only Push, Pop or Id I execute only Push, Pop or Id I don t execute Push or Pop infinitely often I don t execute Push or Pop infinitely often I terminate I terminate

68 Extra judgement form R, (G 1, G 2 ) {P C 1 C 2 {Q If the initial state satisfies P and the environment satisfies R, then C 1 C 2 is safe, C 1 satisfies G 1, C 2 satisfies G 2, and the final state, when C 1 C 2 terminates, satisfies Q P, Q assertions interpreted over LocalStates SharedStates R, G 1, G 2 languages of finite and infinite words over the alphabet P(SharedStates SharedStates)

69 Wish list Formal system for thread-local judgements Tool for discharging the judgements Proof rules for combining the judgements Strategy for proof search

70 Wish list Formal system for thread-local judgements Tool for discharging the judgements Proof rules for combining the judgements Strategy for proof search

Discharging thread-local assumptions Automata-theoretic framework [Vardi 1991] Fair termination of SmallfootRG [Calcagno + 2007,

71 Discharging thread-local assumptions Automata-theoretic framework [Vardi 1991] Fair termination of SmallfootRG [Calcagno , Vafeiadis 2010] Abstract transition system [Magill , 2010] Equiterminating integer program Terminator with fairness [Cook ] Yes/No

72 Wish list Formal system for thread-local judgements Tool for discharging the judgements Proof rules for combining the judgements Strategy for proof search

73 Wish list Formal system for thread-local judgements Tool for discharging the judgements Proof rules for combining the judgements Strategy for proof search

74 Proof rule G 1 G 2 G 1 G 2

75 Proof rule G 1 G 2 G 1 G 2 R G 2,G 1 {P 1 C 1 {Q 1 R G 1,G 2 {P 2 C 2 {Q 2 R, G 1 G 2 {P 1 P 2 C 1 C 2 {Q 1 Q 2

76 Layered proof I execute only Push, Pop, Xchg, Others or Id I execute only Push, Pop, Xchg, Others or Id I don t execute Push or Pop infinitely often I don t execute Push or Pop infinitely often I don t execute Push, Pop or Xchg infinitely often I don t execute Push, Pop or Xchg infinitely often I terminate I terminate

77 Proof system push and pop don t execute Push, Pop or Xchg infinitely often if no-one else executes Push or Pop infinitely often

78 Proof system push and pop don t execute Push, Pop or Xchg infinitely often if no-one else executes Push or Pop infinitely often

79 Proof system push and pop don t execute Push, Pop or Xchg infinitely often if no-one else executes Push or Pop infinitely often

80 Proof system push and pop don t execute Push, Pop or Xchg infinitely often if no-one else executes Push or Pop infinitely often

81 Wish list Formal system for thread-local judgements Tool for discharging the judgements Proof rules for combining the judgements Strategy for proof search

82 Wish list Formal system for thread-local judgements Tool for discharging the judgements Proof rules for combining the judgements Strategy for proof search

83 Proof search strategy Relies/guarantees of the form are usually sufficient Only a few actions per algorithm

84 Proof search strategy Run the safety checker:

85 Proof search strategy Run the safety checker: ü ü û û Try to use this guarantee to prove actions can t be executed infinitely often

86 Proof search strategy Run the safety checker: ü ü û û

87 Proof search strategy Run the safety checker: ü ü û û ü ü ü û Try to use the guarantee (Push Pop) to prove actions can t be executed infinitely often

88 Proof search strategy Run the safety checker: ü ü û û ü ü ü û

89 Proof search strategy Run the safety checker: ü ü û û ü ü ü û ü ü ü ü Try to use the guarantee (Push Pop Xchg) to prove actions can t be executed infinitely often

90 Proof search strategy Run the safety checker: ü ü û û ü ü ü û ü ü ü ü

91 Proof search strategy Run the safety checker: Proof valid for an arbitrary number of threads ü ü û û ü ü ü û ü ü ü ü

92 Case studies Treiber's stack [Treiber 1986] HSY stack [Hendler+ 2004] Non-blocking queue [Michael, Scott 1996] Non-blocking linked list [Michael 2002] RDCSS [Harris+ 2002]

93 Conclusion: research paradigm Pick a class of programs Design an appropriate logic Observe that proofs are simple and follow the same pattern Infer proofs automatically Proofs produce insights into algorithm architecture: if no-one can screw you up infinitely often, then you re lockfree

94 Conclusion: technique Circular reasoning about liveness is unsound Yet modular reasoning about liveness is possible by repeatedly strengthening thread guarantees: I execute only Push, Pop or Id I execute only Push, Pop or Id I don t execute Push or Pop infinitely often I don t execute Push or Pop infinitely often I terminate I terminate

95 References Gotsman, Cook, Parkinson, Vafeiadis. Proving that non-blocking algorithms don t block. POPL 09

Proving linearizability & lock-freedom

Proving linearizability & lock-freedom Viktor Vafeiadis MPI-SWS Michael & Scott non-blocking queue head tail X 1 3 2 null CAS compare & swap CAS (address, expectedvalue, newvalue) { atomic { if ( *address