298 research outputs found
The Reads-From Equivalence for the TSO and PSO Memory Models
The verification of concurrent programs remains an open challenge due to the
non-determinism in inter-process communication. Instead of exploring concrete
executions, stateless model-checking (SMC) techniques partition the execution
space into equivalence classes, and explore each class as opposed to each
execution. For the relaxed memory models of TSO and PSO (total/partial store
order), the standard equivalence has been Shasha-Snir traces, seen as an
extension of the classic Mazurkiewicz equivalence from SC (sequential
consistency) to TSO and PSO. The reads-from (RF) equivalence was recently shown
to be coarser than the Mazurkiewicz equivalence, leading to impressive
scalability improvements for SMC under SC. The generalization of RF to TSO and
PSO requires to overcome two challenges, namely, verifying execution
consistency and SMC algorithm. We address these two fundamental problems in
this work.
Our first set of contributions is on the problem of verifying TSO- and
PSO-consistent executions given a reads-from map, VTSO-rf and VPSO-rf,
respectively. The problem has been heavily studied under SC due to its numerous
applications, but little is known for TSO and PSO. For an execution of
events over threads and variables, we establish novel bounds that scale
as for TSO and as for PSO.
Our second contribution is an algorithm for SMC under TSO and PSO using the RF
equivalence. Our algorithm is exploration-optimal, in the sense that it is
guaranteed to explore each class of the RF partitioning exactly once, and
spends polynomial time per class when is bounded. Our experimental
evaluation shows that the RF equivalence is often exponentially coarser than
Shasha-Snir traces, and our SMC algorithm scales much better than
state-of-the-art tools based on Shasha-Snir traces
IST Austria Thesis
The design and verification of concurrent systems remains an open challenge due to the non-determinism that arises from the inter-process communication. In particular, concurrent programs are notoriously difficult both to be written correctly and to be analyzed formally, as complex thread interaction has to be accounted for. The difficulties are further exacerbated when concurrent programs get executed on modern-day hardware, which contains various buffering and caching mechanisms for efficiency reasons. This causes further subtle non-determinism, which can often produce very unintuitive behavior of the concurrent programs. Model checking is at the forefront of tackling the verification problem, where the task is to decide, given as input a concurrent system and a desired property, whether the system satisfies the property. The inherent state-space explosion problem in model checking of concurrent systems causes naïve explicit methods not to scale, thus more inventive methods are required. One such method is stateless model checking (SMC), which explores in memory-efficient manner the program executions rather than the states of the program. State-of-the-art SMC is typically coupled with partial order reduction (POR) techniques, which argue that certain executions provably produce identical system behavior, thus limiting the amount of executions one needs to explore in order to cover all possible behaviors. Another method to tackle the state-space explosion is symbolic model checking, where the considered techniques operate on a succinct implicit representation of the input system rather than explicitly accessing the system. In this thesis we present new techniques for verification of concurrent systems. We present several novel POR methods for SMC of concurrent programs under various models of semantics, some of which account for write-buffering mechanisms. Additionally, we present novel algorithms for symbolic model checking of finite-state concurrent systems, where the desired property of the systems is to ensure a formally defined notion of fairness
Effective lock handling in stateless model checking.
Stateless Model Checking (SMC) is a verification technique for concurrent programs that checks for safety violations by exploring all possible thread interleavings. SMC is usually coupled with Partial Order Reduction (POR), which exploits the independence of instructions to avoid redundant explorations when an equivalent one has already been considered. While effective POR techniques have been developed for many different memory models, they are only able to exploit independence at the instruction level, which makes them unsuitable for programs with coarse-grained synchronization mechanisms such as locks. We present a lock-aware POR algorithm, LAPOR, that exploits independence at both instruction and critical section levels. This enables LAPOR to explore exponentially fewer interleavings than the state-of-the-art techniques for programs that use locks conservatively. Our algorithm is sound, complete, and optimal, and can be used for verifying programs under several different memory models. We implement LAPOR in a tool and show that it can be exponentially faster than the state-of-the-art model checkers
IST Austria Technical Report
We present a new dynamic partial-order reduction method for stateless model checking of concurrent programs. A common approach for exploring program behaviors relies on enumerating the traces of the program, without storing the visited states (aka stateless exploration). As the number of distinct traces grows exponentially, dynamic partial-order reduction (DPOR) techniques have been successfully used to partition the space of traces into equivalence classes (Mazurkiewicz partitioning), with the goal of exploring only few representative traces from each class.
We introduce a new equivalence on traces under sequential consistency semantics, which we call the observation equivalence. Two traces are observationally equivalent if every read event observes the same write event in both traces. While the traditional Mazurkiewicz equivalence is control-centric, our new definition is data-centric. We show that our observation equivalence is coarser than the Mazurkiewicz equivalence, and in many cases even exponentially coarser. We devise a DPOR exploration of the trace space, called data-centric DPOR, based on the observation equivalence.
1. For acyclic architectures, our algorithm is guaranteed to explore exactly one representative trace from each observation class, while spending polynomial time per class. Hence, our algorithm is optimal wrt the observation equivalence, and in several cases explores exponentially fewer traces than any enumerative method based on the Mazurkiewicz equivalence.
2. For cyclic architectures, we consider an equivalence between traces which is finer than the observation equivalence; but coarser than the Mazurkiewicz equivalence, and in some cases is exponentially coarser. Our data-centric DPOR algorithm remains optimal under this trace equivalence.
Finally, we perform a basic experimental comparison between the existing Mazurkiewicz-based DPOR and our data-centric DPOR on a set of academic benchmarks. Our results show a significant reduction in both running time and the number of explored equivalence classes
Optimal Stateless Model Checking under the Release-Acquire Semantics
We present a framework for the efficient application of stateless model
checking (SMC) to concurrent programs running under the Release-Acquire (RA)
fragment of the C/C++11 memory model. Our approach is based on exploring the
possible program orders, which define the order in which instructions of a
thread are executed, and read-from relations, which specify how reads obtain
their values from writes. This is in contrast to previous approaches, which
also explore the possible coherence orders, i.e., orderings between conflicting
writes. Since unexpected test results such as program crashes or assertion
violations depend only on the read-from relation, we avoid a potentially
significant source of redundancy. Our framework is based on a novel technique
for determining whether a particular read-from relation is feasible under the
RA semantics. We define an SMC algorithm which is provably optimal in the sense
that it explores each program order and read-from relation exactly once. This
optimality result is strictly stronger than previous analogous optimality
results, which also take coherence order into account. We have implemented our
framework in the tool Tracer. Experiments show that Tracer can be significantly
faster than state-of-the-art tools that can handle the RA semantics.Comment: Accepted paper in OOPSLA'1
Dynamic Partial Order Reduction for Checking Correctness Against Transaction Isolation Levels
Modern applications, such as social networking systems and e-commerce
platforms are centered around using large-scale databases for storing and
retrieving data. Accesses to the database are typically enclosed in
transactions that allow computations on shared data to be isolated from other
concurrent computations and resilient to failures. Modern databases trade
isolation for performance. The weaker the isolation level is, the more
behaviors a database is allowed to exhibit and it is up to the developer to
ensure that their application can tolerate those behaviors.
In this work, we propose stateless model checking algorithms for studying
correctness of such applications that rely on dynamic partial order reduction.
These algorithms work for a number of widely-used weak isolation levels,
including Read Committed, Causal Consistency, Snapshot Isolation, and
Serializability. We show that they are complete, sound and optimal, and run
with polynomial memory consumption in all cases. We report on an implementation
of these algorithms in the context of Java Pathfinder applied to a number of
challenging applications drawn from the literature of distributed systems and
databases.Comment: Submission to PLDI 202
- …