dynamic reductions for model checking concurrent...

Introduction Transactions Dynamic Experiments Conclusion

Dynamic Reductions for Model CheckingConcurrent Software

Alfons [email protected]

Henning Gunther, Ana Sokolova and Georg Weissenbacher

Formal Methods in Systems EngineeringVienna University of Technology

March 21, 2017

Alfons Laarman (TU Wien) 1/14

Reductions

Model Checking of Concurrent Software1 Explosion of interleavings2 Partial-order reduction vs Lipton reduction3 Symbolic is a challenge4 Global commutativity is needed, but a severe bottleneck

a = 1;

b = 2;

‖ x = 1;

x += 2;

x += 3;

Reductions

a = 1;

b = 2;

‖ x = 1;

x += 2;

x += 3;

Reductions

x = 1;

a = 1;

b = 2;

‖ x = 1;

x += 2;

x += 3;

Lipton vs Partial-Order Reduction (POR)

x=1; a=0;

a,b=0,2;

x,y=1,2;

a,b=0,2;

x,y=1,2;

x=1; a=0;

a,b=0,2;

x,y=1,2;

a,b=0,2;

x,y=1,2;

x=1; a=0;

a,b=0,2;

x,y=1,2;

a,b=0,2;

x,y=1,2;

x=1; a=0;

a,b=0,2;

x,y=1,2;

a,b=0,2;

x,y=1,2;

Transactions in databases

lock A lock B lock C UPDATE unlock C unlock B unlock A

internal

pre-phase commit post-phase

internal

Commutativity

Action α right commutes with β, iff α can always be delayed after β:α β ; β α

Definition (Right commutativity (→./))

α→./ β iff

σ2 σ3

∀σ1,σ2,σ3 :

σ1 σ4

α→β→

⇒∃σ4 :

Example

An action both-commutes with all actions that access a disjoint set ofvariables.

A lock(/unlock) right(/right)-commutes with other lock and unlockoperations.

Definition (Right-Movability)

The action α of thread i is a right-mover, iff for all j , i :α→i→./→j

Commutativity

α→./ β iff

σ2 σ3

∀σ1,σ2,σ3 :

σ1 σ4

α→β→

⇒∃σ4 :

Example

Commutativity

α→./ β iff

σ2 σ3

∀σ1,σ2,σ3 :

σ1 σ4

α→β→

⇒∃σ4 :

Example

Commutativity

α→./ β iff

σ2 σ3

∀σ1,σ2,σ3 :

σ1 σ4

α→β→

⇒∃σ4 :

Example

Lipton Reduction[Lipton ’77, Lamport et al. ’89]

Lipton Reduction

A statement α1; . . . ;αn of thread i can be reduced to α1 ◦ · · · ◦αn , if for some1 ≤ k < n , and all j , i :

1 α1, . . . ,αk−1→./→j (pre-phase statements (before αk ) are right movers)

2 αk+1, . . . ,αn←./→j (post-phase statements (after αk ) are left movers)

3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ

′ (statements after α1 do not block)

Example (A statement sequence, where x is the only global variable)

a = 1; x = 2; b = 3; c = 4;

; a, x, b, c = 1, 2, 3, 4;

x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9

Lipton Reduction

3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ

a = 1; x = 2; b = 3; c = 4; ; a, x, b, c = 1, 2, 3, 4;

x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9

Lipton Reduction

3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ

a = 1; x = 2; b = 3; c = 4; ; a, x, b, c = 1, 2, 3, 4;

x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9

Lipton Reduction

3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ

a = 1; x = 2; b = 3; c = 4; ; a, x, b, c = 1, 2, 3, 4;

x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9

Lipton Reduction

3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ

a = 1; x = 2; b = 3; c = 4; ; a, x, b, c = 1, 2, 3, 4;

x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9

Lipton Reduction

3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ

a = 1; x = 2; b = 3; c = 4; ; a, x, b, c = 1, 2, 3, 4;

x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9

Lipton Reduction

3 ∀σ ∃σ ′ : σ α2→i ◦· · ·◦αn→i σ

a = 1; x = 2; b = 3; c = 4; ; a, x, b, c = 1, 2, 3, 4;

x = 6 a = 1 x = 7 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 a = 1 x = 8 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 x = 9 c = 4

x = 6 x = 7 x = 8 a = 1 x = 2 b = 3 c = 4 x = 9

Movability is too strong a condition

x=1; a=0;

x,y=1,2;

Monotonicity is key!

x=1; a=0;

x,y=1,2;

x=1; a=0;

x,y=1,2;

x=1; a=0;

x,y=1,2;

x=1; a=0;

x,y=1,2;

x=1; a=0;

x,y=1,2;

×1 α1, . . . ,αk−1

→./→j (pre-phase statements (before αk ) are right movers)

x=1; a=0;

x,y=1,2;

×1 α1, . . . ,αk−1

→./→j (pre-phase statements (before αk ) are right movers)

Example

int *data = NULL;

void worker thread(int tid) {if (data == NULL) {int *tmp = read from disk(1024);

W: if (!CAS(&data, NULL, tmp)) free(tmp);

}for (int i = 0; i < 512; i++)

R: process(data[i + tid * 512]);

}int main () {pthread create(worker thread, 0); // T1pthread create(worker thread, 1); // T2}

Example

Other dynamic conditionsPointers / array indices that don’t change value.

Atomic Compare-And-Swap (CAS) operations to permanentlygrab resources.

Example

int *data = NULL;

void worker thread(int tid) {if (data == NULL) {int *tmp = read from disk(1024);

W: if (!CAS(&data, NULL, tmp)) free(tmp);

}for (int i = 0; i < 512; i++)

R: process(data[i + tid * 512]);

}int main () {pthread create(worker thread, 0); // T1pthread create(worker thread, 1); // T2}

Example

Other dynamic conditionsPointers / array indices that don’t change value.

Atomic Compare-And-Swap (CAS) operations to permanentlygrab resources.

Instrumentation with dynamic reduction

pc1 , 0 pc1 = 0

x=1; x=1;

y=2; y=2;

(1,a) (0,al)

(1,al)(1,ar)

pc1 =0

pc1 ,0

�{2}

Definition (Dynamic both-moving conditions)

A state predicate cα is a dynamic both-moving condition for anaction α, if for all j , i :

1 (cα ‖ α→i ) ./ (cα ‖→j )

2 cα is never disabled

Example (Heuristics for other dynamic conditions)

int T[10] = {E,E,22,35,46,25,E,E,91,E};

int find-or-put(int v) {

int hash = v / 10;

for (int i = 0; i < 10; i++) {

int index = (i + hash) % 10;

if (CAS(&T[index], E, v)) {

return INSERTED;

} else if (T[index] == v)

return FOUND;

return TABLE_FULL;

int main() {

pthread_create(find-or-put, 25);

cα := T[index] != E

pc1 , 0 pc1 = 0

x=1; x=1;

y=2; y=2;

(1,a) (0,al)

(1,al)(1,ar)

pc1 =0

pc1 ,0

�{2}

1 (cα ‖ α→i ) ./ (cα ‖→j )

int T[10] = {E,E,22,35,46,25,E,E,91,E};

int hash = v / 10;

for (int i = 0; i < 10; i++) {

return INSERTED;

return FOUND;

return TABLE_FULL;

int main() {

pc1 , 0 pc1 = 0

x=1; x=1;

y=2; y=2;

(1,a) (0,al)

(1,al)(1,ar)

pc1 =0

pc1 ,0

�{2}

1 (cα ‖ α→i ) ./ (cα ‖→j )

int T[10] = {E,E,22,35,46,25,E,E,91,E};

int hash = v / 10;

for (int i = 0; i < 10; i++) {

return INSERTED;

return FOUND;

return TABLE_FULL;

int main() {

pc1 , 0 pc1 = 0

x=1; x=1;

y=2; y=2;

(1,a) (0,al)

(1,al)(1,ar)

pc1 =0

pc1 ,0

�{2}

1 (cα ‖ α→i ) ./ (cα ‖→j )

int T[10] = {E,E,22,35,46,25,E,E,91,E};

int hash = v / 10;

for (int i = 0; i < 10; i++) {

return INSERTED;

return FOUND;

return TABLE_FULL;

int main() {

pc1 , 0 pc1 = 0

x=1; x=1;

y=2; y=2;

(1,a) (0,al)

(1,al)(1,ar)

pc1 =0

pc1 ,0

�{2}

1 (cα ‖ α→i ) ./ (cα ‖→j )

int T[10] = {E,E,22,35,46,25,E,E,91,E};

int hash = v / 10;

for (int i = 0; i < 10; i++) {

return INSERTED;

return FOUND;

return TABLE_FULL;

int main() {

pc1 , 0 pc1 = 0

x=1; x=1;

y=2; y=2;

(1,a) (0,al)

(1,al)(1,ar)

pc1 =0

pc1 ,0

�{2}

1 (cα ‖ α→i ) ./ (cα ‖→j )

int T[10] = {E,E,22,35,46,25,E,E,91,E};

int hash = v / 10;

for (int i = 0; i < 10; i++) {

return INSERTED;

return FOUND;

return TABLE_FULL;

int main() {

pc1 , 0 pc1 = 0

x=1; x=1;

y=2; y=2;

(1,a) (0,al)

(1,al)(1,ar)

pc1 =0

pc1 ,0

�{2}

1 (cα ‖ α→i ) ./ (cα ‖→j )

int T[10] = {E,E,22,35,46,25,E,E,91,E};

int hash = v / 10;

for (int i = 0; i < 10; i++) {

return INSERTED;

return FOUND;

return TABLE_FULL;

int main() {

pc1 , 0 pc1 = 0

x=1; x=1;

y=2; y=2;

(1,a) (0,al)

(1,al)(1,ar)

pc1 =0

pc1 ,0

�{2}

1 (cα ‖ α→i ) ./ (cα ‖→j )

int T[10] = {E,E,22,35,46,25,E,E,91,E};

int hash = v / 10;

for (int i = 0; i < 10; i++) {

return INSERTED;

return FOUND;

return TABLE_FULL;

int main() {

pc1 , 0 pc1 = 0

x=1; x=1;

y=2; y=2;

(1,a) (0,al)

(1,al)(1,ar)

pc1 =0

pc1 ,0

�{2}

1 (cα ‖ α→i ) ./ (cα ‖→j )

int T[10] = {E,E,22,35,46,25,E,E,91,E};

int hash = v / 10;

for (int i = 0; i < 10; i++) {

return INSERTED;

return FOUND;

return TABLE_FULL;

int main() {

Movability up to bisimulation

Definition (Right-commutativity up to bisimulation (→./X ))

The transition relationα→i right-commutes with

β→j up to �X ,

notationα→i→./X

β→j , iff:

σ2 σ3β→j

α→i∀σ1,σ2,σ3 :

σ2 σ3β→j

α→i⇒∃σ ′3,σ4 :

σ4β→j

σ ′3α→

Definition (Right-movability up to bisimulation)

The action α of thread i is a right-mover up to �X , iff for all j , i :α→i→./X→j

Dynamic

Transaction Reduction[Flanagan, Qadeer SoftMC’03]

Theorem (Reduction)

Let (→,S) be a transition system. For all i , j , i , let S = Ri ] Li ]Ni such that

For each thread i , there exists a thread bisimulation relation �i , and:

0 Li ‖→i ‖Ri = ∅ post does not reach pre

1 →i ‖Ri →./ →j →i into pre right commutes with→j

2 Li ‖→i←./ →j →i from post left commutes with→j

3 ∀σ ∈ Li : ∃σ ′ ∈ Ni : σ →∗i σ ′ post phases terminate

4 �i ⊆ L2j ∪R2

j ∪N2j (�i entails j -phase-equality)

Let ↪→i ,⋃

j,i Nj ‖→i (i can only transition when all j are in an externalstate).

Let ;i , Ni ‖(↪→i ‖Ni )∗ ↪→i ‖Ni (block steps skip internal states)

Suppose σ →∗ σ ′ , σ ∈ N and σ ′ ∈ N, then there is an σ ′′ ∈ N s.t. σ ↪→∗ σ ′′ .

Dynamic Transaction Reduction[Gunther, Laarman, Sokolova, Weissenbacher VMCAI’17]

Theorem (Reduction)

Let (→,S) be a transition system. For all i , j , i , let S = Ri ] Li ]Ni such thatFor each thread i , there exists a thread bisimulation relation �i , and:

0 Li ‖→i ‖Ri = ∅ post does not reach pre

1 →i ‖Ri →./ {j }→j →i into pre right commutes with→j

2 Li ‖→i←./ {i ,j }→j →i from post left commutes with→j

3 ∀σ ∈ Li : ∃σ ′ ∈ Ni : σ →∗i σ ′ post phases terminate

4 �i ⊆ L2j ∪R2

j ∪N2j (�i entails j -phase-equality)

Let ↪→i ,⋃

j,i Nj ‖→i (i can only transition when all j are in an externalstate).Let ;i , Ni ‖(↪→i ‖Ni )

∗ ↪→i ‖Ni (block steps skip internal states)Suppose σ →∗ σ ′ , σ ∈ N and σ ′ ∈ N, then there is an σ ′′ ∈ N s.t. σ ;∗ σ ′′ .

Complete instrumentation

Gi , (Vi ,δi ) V ′i ,δ′ in G ′i (pictured)

∀(la ,α, lb ) ∈ δi : lNalRblLb

cα ‖α¬cα ‖α

∀(la ,α, lb ) ∈ δi : lR′

lRblLb

∀la ∈ Vi : lRa lR′

∀la ∈ Vi \ LFS i : lLalL′

¬c(la )with c(la) ,∧

(la ,α,lb )∈δi cα

∀(la ,α, lb ) ∈ δi , la ∈ Vi \ LFS i : lL′

a lLbα

∀la ∈ LFS i : lLa lNatrue

α β lN2lN1 lL2lL1 lL′

2lL′

1 lR2lR1 lR′

2lR′

cα ‖ α

¬c α‖α

c α‖α

¬c α‖α

cβ ‖β

¬cβ ‖βcβ‖β

¬c β‖β

truetrue c(l2)¬c(l2)

Complete instrumentation

Gi , (Vi ,δi ) V ′i ,δ′ in G ′i (pictured)

∀(la ,α, lb ) ∈ δi : lNalRblLb

∀(la ,α, lb ) ∈ δi : lR′

lRblLb

∀la ∈ Vi : lRa lR′

∀la ∈ Vi \ LFS i : lLalL′

¬c(la )with c(la) ,∧

(la ,α,lb )∈δi cα

∀(la ,α, lb ) ∈ δi , la ∈ Vi \ LFS i : lL′

a lLbα

∀la ∈ LFS i : lLa lNatrue

α β lN2lN1 lL2lL1 lL′

2lL′

1 lR2lR1 lR′

2lR′

cα ‖ α

¬c α‖α

c α‖α

¬c α‖α

cβ ‖β

¬cβ ‖βcβ‖β

¬c β‖β

truetrue c(l2)¬c(l2)

VVTVienna Verification Tool [Gunther, Laarman, Weissenbacher SVCOMP’16]

http://vvt.forsyte.at/ (open source)

BMC with all dynamic reductions (BMC-dyn in the graphs);

BMC with only static reductions (BMC-phase);

IC3 with all dynamic reductions (IC3-dyn); and

IC3 with only static reductions (IC3-phase).

1 2 3 4 5 6 7 8

#Threads

● ●

BMC−dynBMC−phaseIC3−dynIC3−phase

1 2 3 4 5 6 7 8

#Threads

● ● ●

Lazy initialization Dynamic locking

1 2 3 4 5

#Threads

● ● ●

1 2 3 4 5 6 7

#Threads

1 2 3 4 5 6 7 8 9

#Threads

● ● ● ●

Hash table reads/writes Hash table reads Hash table writes

1 2 3 4 5 6 7 8

#Threads

● ●

1 2 3 4 5 6 7 8

#Threads

● ● ●

1 2 3 4 5

#Threads

● ● ●

1 2 3 4 5 6 7

#Threads

1 2 3 4 5 6 7 8 9

#Threads

● ● ● ●

1 2 3 4 5 6 7 8

#Threads

● ●

1 2 3 4 5 6 7 8

#Threads

● ● ●

1 2 3 4 5

#Threads

● ● ●

1 2 3 4 5 6 7

#Threads

1 2 3 4 5 6 7 8 9

#Threads

● ● ● ●

1 2 3 4 5 6 7 8

#Threads

● ●

1 2 3 4 5 6 7 8

#Threads

● ● ●

1 2 3 4 5

#Threads

● ● ●

1 2 3 4 5 6 7

#Threads

1 2 3 4 5 6 7 8 9

#Threads

● ● ● ●

Conclusions

ContributionsDynamic movers as in stubborn set POR

“Straight-forward” instrumentation and encoding

Dynamic mover conditions are suitable for symbolic modelchecking

Open Questions

Is a weaker reduction theorem possible?

How do transactions compare to POR?

Conclusions

ContributionsDynamic movers as in stubborn set POR

“Straight-forward” instrumentation and encoding

Dynamic mover conditions are suitable for symbolic modelchecking

Open Questions

Is a weaker reduction theorem possible?

How do transactions compare to POR?

dynamic reductions for model checking concurrent...

Documents