Model checking transactional memories

Model checking transactional memories (TMs) is difficult because of the unbounded number, length, and delay of concurrent transactions, as well as the unbounded size of the memory. We show that, under certain conditions satisfied by most TMs we know of, the model checking problem can be reduced to a finite-state problem, and we illustrate the use of the method by proving the correctness of several TMs, including two-phase locking, DSTM, and TL2. The safety properties we consider include strict serializability and opacity; the liveness properties include obstruction freedom, livelock freedom, and wait freedom. Our main contribution lies in the structure of the proofs, which are largely automated and not restricted to the TMs mentioned above. In the first step we show that every TM that enjoys certain structural properties either violates a requirement on some program with two threads and two shared variables, or satisfies the requirement on all programs. In the second step, we use a model checker to prove the requirement for the TM applied to a most general program with two threads and two variables. In the safety case, the model checker checks language inclusion between two finite-state transition systems: a nondeterministic transition system representing the given TM applied to the most general program, and a deterministic transition system representing the most liberal safe TM applied to the same program. The given TM transition system is nondeterministic because a TM can be used with different contention managers, which resolve conflicts differently. In the liveness case, the model checker analyzes fairness conditions on the given TM transition system.
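The following is an added illustration of the second step on a deliberately small scale; it is not the paper's tool or its TM models. It builds the most general program for two threads and two shared variables (every read/write sequence up to a bounded length, then commit), enumerates every interleaving, runs each one under a lazy, commit-time-validated TM, and checks that the committed part of each history is strictly serializable. Two hypothetical TMs are compared: one validates both the read set and the write set at commit (a simplified TL2-style rule), the other validates only the write set (a snapshot-isolation-like flaw chosen to exhibit a two-thread, two-variable witness). Instead of building the deterministic "most liberal safe TM" automaton and checking language inclusion, the example checks each finite trace directly by trying every serial order; the transaction-length bound replaces the paper's unbounded-length reduction. All names and the TM rules are assumptions of this example.

```python
"""Bounded model check of two toy software TMs on the 2-thread, 2-variable most
general program, checking strict serializability of every committed history.
Added illustration; the TMs and the checker are simplified and are not the
paper's own models or tool."""
from itertools import combinations, permutations, product

VARS = ("x", "y")
# Per-thread op alphabet: read or write of either variable; "c" is commit.
OPS = [("r", v) for v in VARS] + [("w", v) for v in VARS]


def thread_programs(max_ops=2):
    """Most general program of one thread: every op sequence up to max_ops, then commit."""
    for n in range(max_ops + 1):
        for ops in product(OPS, repeat=n):
            yield list(ops) + [("c", None)]


def interleavings(n0, n1):
    """Every schedule that runs n0 steps of thread 0 and n1 steps of thread 1."""
    for slots in combinations(range(n0 + n1), n0):
        yield [0 if i in slots else 1 for i in range(n0 + n1)]


def run_tm(validate_reads, programs, schedule):
    """Execute one schedule under a lazy (commit-time validated) toy TM.

    validate_reads=True : abort at commit if any variable in the read set or
                          write set was committed by another thread since start
                          (simplified TL2-style read-set validation, assumed).
    validate_reads=False: validate the write set only (hypothetical flawed TM).
    Returns the history as (index, thread, kind, var, value) events plus the
    per-thread transaction records.
    """
    mem = {v: "init" for v in VARS}       # committed value = name of last committed writer
    last_commit = {v: -1 for v in VARS}   # history index of the last committed write to v
    tx = [{"start": None, "rset": set(), "wset": {}, "done": None} for _ in programs]
    pc = [0] * len(programs)
    history = []
    for t in schedule:
        kind, var = programs[t][pc[t]]
        pc[t] += 1
        i, st = len(history), tx[t]
        if st["start"] is None:
            st["start"] = i
        if kind == "r":
            val = st["wset"].get(var, mem[var])  # own buffered write wins over memory
            st["rset"].add(var)
            history.append((i, t, "r", var, val))
        elif kind == "w":
            st["wset"][var] = f"T{t}"            # deferred update, visible only at commit
            history.append((i, t, "w", var, None))
        else:
            footprint = set(st["wset"]) | (st["rset"] if validate_reads else set())
            ok = all(last_commit[v] < st["start"] for v in footprint)
            if ok:
                for v in st["wset"]:
                    mem[v], last_commit[v] = f"T{t}", i
            st["done"] = "commit" if ok else "abort"
            history.append((i, t, "c", None, ok))
    return history, tx


def strictly_serializable(history, tx):
    """True iff some serial order of the committed transactions respects real-time
    order (a commit preceding another's start stays first) and reproduces every
    committed read. Aborted transactions are ignored (this is strict
    serializability, not opacity)."""
    committed = [t for t, st in enumerate(tx) if st["done"] == "commit"]
    commit_at = {t: i for (i, t, k, _, _) in history if k == "c"}
    for order in permutations(committed):
        if any(commit_at[a] < tx[b]["start"] and order.index(a) > order.index(b)
               for a in committed for b in committed):
            continue
        mem = {v: "init" for v in VARS}
        ok = True
        for t in order:  # replay each transaction's ops in program order
            for (_, tt, k, var, val) in history:
                if tt != t:
                    continue
                if k == "r" and mem[var] != val:
                    ok = False
                elif k == "w":
                    mem[var] = f"T{t}"
        if ok:
            return True
    return False


def find_violation(validate_reads, max_ops=2):
    """Exhaustively explore the 2-thread most general program; return the first
    history whose committed part is not strictly serializable, or None."""
    progs = list(thread_programs(max_ops))
    for p0, p1 in product(progs, repeat=2):
        for sched in interleavings(len(p0), len(p1)):
            history, tx = run_tm(validate_reads, [p0, p1], sched)
            if not strictly_serializable(history, tx):
                return history
    return None


if __name__ == "__main__":
    print("read+write validation:", find_violation(True))   # None: no violation found
    print("write-only validation:", find_violation(False))  # a write-skew style history
```

The write-only-validation TM fails on a history of the shape r0(x) r1(y) w0(y) w1(x) c0 c1: both transactions commit, yet T0 must precede T1 (T1's read of y missed T0's write) and T1 must precede T0, so no serial order exists. The read-validating TM aborts T1 in that run, and the exhaustive search over all bounded programs and schedules finds no committed history it cannot serialize; in the paper's terms this is the two-thread, two-variable check on the most general program, with the transaction-length bound standing in for the structural argument that removes it.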

Rachid Guerraoui et al. Model checking transactional memories. PLDI '08, 2008.