Model Checking Unbounded Concurrent Lists

Sethi, Divjyot; Talupur, Muralidhar; Malik, Sharad

doi:10.1007/978-3-642-39176-7_20

Cited by 4 publications

(2 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Similar to non-automated verification, most automated approaches assume a garbage collector [Abdulla et al 2016;Amit et al 2007;Berdine et al 2008;Segalov et al 2009;Sethi et al 2013;Vafeiadis 2010a,b;Vechev et al 2009;Zhu et al 2015]. Garbage collection has the advantage of ownership: an allocation is always owned by the allocating thread, it cannot be accessed by any other thread.…”

Section: Related Workmentioning

confidence: 99%

Decoupling lock-free data structures from memory reclamation for static analysis

Meyer

Wolff

2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Verification of concurrent data structures is one of the most challenging tasks in software verification. The topic has received considerable attention over the course of the last decade. Nevertheless, human-driven techniques remain cumbersome and notoriously difficult while automated approaches suffer from limited applicability. The main obstacle for automation is the complexity of concurrent data structures. This is particularly true in the absence of garbage collection. The intricacy of lock-free memory management paired with the complexity of concurrent data structures makes automated verification prohibitive.In this work we present a method for verifying concurrent data structures and their memory management separately. We suggest two simpler verification tasks that imply the correctness of the data structure. The first task establishes an over-approximation of the reclamation behavior of the memory management. The second task exploits this over-approximation to verify the data structure without the need to consider the implementation of the memory management itself. To make the resulting verification tasks tractable for automated techniques, we establish a second result. We show that a verification tool needs to consider only executions where a single memory location is reused. We implemented our approach and were able to verify linearizability of Michael&Scott's queue and the DGLM queue for both hazard pointers and epoch-based reclamation. To the best of our knowledge, we are the first to verify such implementations fully automatically.Otherwise, this equality may not hold.Property (G5) holds by definition together with Property (P5). It remains to show Properties (G2) to (G4) and (G6).Ad Property (G2). First consider the case where we have q ∈ valid τ . By Auxiliary (A1) we also have q ∈ valid σ . We getThe second equality holds because m τ (q) = b. That is, we preserve b.data in m τ | valid τ and only need to update the mapping of p. Similarly, we getNow consider the case q valid τ . By Auxiliary (A1) we also have q valid σ . We getThe last equality holds because the update does not survive the restriction to a set which is guaranteed not to contain p. Similarly, we getWe now get:The first equality is by definition of restrictions, the second equality is due to Property (P2), the third one is by Auxiliary (A1), and the last is again by definition. This concludes the property.Ad Property (G3). Only the valuation of p is changed by both act and act ′ . So by Property (P3) it suffices to show m τ .act (p)=a ⇐⇒ m σ .act ′ (p)=a. This follows easily:where the first and last equivalence hold due to the updates up and up ′ and the second equality holds by Property (P3).Ad Property (G4). Let c ∈ m τ .act (valid τ .act ). We have c ∈ m τ (valid τ ). To see this, consider some pexp ∈ valid τ .act such that m τ .act (pexp) = c. If pexp p, then m τ .act (pexp) = m τ (pexp) and pexp ∈ valid τ by definition. So c ∈ m τ (valid τ ) follows immediately. Otherwise, in the case of pexp ≡ p, we have m τ .act (p) = m τ (q). ...

show abstract

Section: Related Workmentioning

confidence: 99%

Decoupling lock-free data structures from memory reclamation for static analysis

Meyer

Wolff

2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…The landscape of related work for automated linearizability proofs is similar to its manual counterpart. Most automated approaches ignore memory reclamation, that is, assume a garbage collector [Abdulla et al 2016;Amit et al 2007;Berdine et al 2008;Segalov et al 2009;Sethi et al 2013;Vafeiadis 2010a,b;Vechev et al 2009;Zhu et al 2015]. When reclamation is not considered, memory abstractions are simpler and more efficient, they can exploit ownership guarantees [Bornat et al 2005;Boyland 2003] and the resulting thread-local reasoning techniques [O'Hearn et al 2001;Reynolds 2002].…”

Section: Related Workmentioning

confidence: 99%

Pointer life cycle types for lock-free data structures with memory reclamation

Meyer

Wolff

2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We consider the verification of lock-free data structures that manually manage their memory with the help of a safe memory reclamation (SMR) algorithm. Our first contribution is a type system that checks whether a program properly manages its memory. If the type check succeeds, it is safe to ignore the SMR algorithm and consider the program under garbage collection. Intuitively, our types track the protection of pointers as guaranteed by the SMR algorithm. There are two design decisions. The type system does not track any shape information, which makes it extremely lightweight. Instead, we rely on invariant annotations that postulate a protection by the SMR. To this end, we introduce angels, ghost variables with an angelic semantics. Moreover, the SMR algorithm is not hard-coded but a parameter of the type system definition. To achieve this, we rely on a recent specification language for SMR algorithms. Our second contribution is to automate the type inference and the invariant check. For the type inference, we show a quadratic-time algorithm. For the invariant check, we give a source-to-source translation that links our programs to off-the-shelf verification tools. It compiles away the angelic semantics. This allows us to infer appropriate annotations automatically in a guess-and-check manner. To demonstrate the effectiveness of our type-based verification approach, we check linearizability for various list and set implementations from the literature with both hazard pointers and epoch-based memory reclamation. For many of the examples, this is the first time they are verified automatically. For the ones where there is a competitor, we obtain a speed-up of up to two orders of magnitude.Proving lock-free data structures linearizable has received a lot of attention (cf. Section 10). Doherty et al. [2004], for instance, give a mechanized proof of a practical lock-free queue. Such proofs require plenty of manual work and take a considerable amount of time. Moreover, they require an understanding of the proof method and the data structure under consideration. To overcome this drawback, we are interested in automated verification. The cave tool by Vafeiadis [2010a,b], for example, is able to establish linearizability for singly-linked data structures fully automatically.The problem with automated verification for lock-free data structures is its limited applicability. Most techniques are restricted to implementations that assume a garbage collector (GC). This assumption, however, does not apply to all programming languages. Take C/C++ as an example. It does not provide an automatic garbage collector that is running in the background. Instead, it is the programmer's obligation to avoid memory leaks by reclaiming memory that is no longer in use (using delete). In lock-free data structures, this task is much harder than it may seem at first glance. The root of the problem is that threads typically traverse the data structure without synchronization. Hence, there may be threads holding pointers to records that have alread...

show abstract

Verifying Linearizability of Intel® Software Guard Extensions

Leslie-Hurd

Caspi

Fernandez

2015

Computer Aided Verification

View full text Add to dashboard Cite

Intel R Software Guard Extensions (SGX) is a collection of CPU instructions that enable an application to create secure containers that are inaccessible to untrusted entities, including the operating system and other low-level software. Establishing that the design of these instructions provides security is critical to the success of the feature, however, SGX introduces complex concurrent interactions between the instructions and the shared hardware state used to enforce security, rendering traditional approaches to validation insufficient. In this paper, we introduce Accordion, a domain specific language and compiler for automatically verifying linearizability via model checking. The compiler determines an appropriate linearization point for each instruction, computes the required linearizability assertions, and supports experimentation with a variety of model configurations across multiple model checking tools. We show that this approach to verifying linearizability works well for validating SGX and that the compiler provides improved usability over encoding the problem in a model checker directly.

show abstract

Model Checking Unbounded Concurrent Lists

Cited by 4 publications

References 26 publications

Decoupling lock-free data structures from memory reclamation for static analysis

Decoupling lock-free data structures from memory reclamation for static analysis

Pointer life cycle types for lock-free data structures with memory reclamation

Verifying Linearizability of Intel® Software Guard Extensions

Contact Info

Product

Resources

About