Efficient Linearizability Monitoring

My Work

Under submission

Consistency Checking against the Release-Acquire semantics

Work with Parosh, Elli and Faouzi.

• Given a system modeled as a register machine
• Does this system satisfy the WRA/RA/SRA semantics?

Example WRA violation

Checking consistency of event-driven traces

With Parosh, Faouzi, Ramanathan and Govind

• Given a trace (with reads-from edges and coherence order edges)
• Find a total execution and message order between messages
• Such that the trace is consistent w.r.t. SC

Efficient Linearizability Monitoring

Work with Parosh, Bengt, Krishna & Om.

• Polynomial-time linearizability monitoring algorithms

Introduction

Concurrent Systems

Communicate

Using shared ADT

Linearizability

Extends a sequential specification to the concurrent setting. (Herlihy and Wing,TOPLAS1990)

First slide

Def continuation

Def Cont 2

Verification

We are looking at the monitoring problem; Is a given execution (consisting of a sequence of calls and returns) linearizable?

• NP-complete (in the length) for registers (Gibbons and Korach,SIAM J. Comput.1997)

Stacks

We assume the history is differentiated: each value occurs in at most one push and one pop.

Any (stack/queue) history h is linearizable if and only if there is a linearizable differentiated history h’ and some map that renames the values of h’ to the values of h. (Abdulla, Haziza, Holík, Jonsson, and Rezine,TACAS2013)

This enables us to construct polynomial-time algorithms

Previous work

• Quadratic-time algorithm for stacks and queues (Peterson, Cook, and Dechev,VMCAI2021)

  – We found a counterexample!

• Polynomial-time algorithm for a class of collection structures (e.g. stacks, sets and queues) (Emmi and Enea,POPL2018)

  – We found a bug in the proof!

Small changes

can change the outcome!

Stacks

We present an algorithm that is quadratic in the length of the history.

• Compute populated and deserted segments
• Apply simplification steps
  • Extreme value removal
  • Partitioning

If we ever cannot progress, conclude unlinearizability.

First slide

Ignore threads

Slide histories/sdhk2-rw.hist.000.svg

Ignore threads

Slide histories/sdhk2-rw.hist.001.svg

Compute segments

Slide histories/sdhk2-rw.hist.002.svg

Compute segments

Slide histories/sdhk2-rw.hist.003.svg

Extreme value removal

Slide histories/sdhk2-rw.hist.004.svg

Extreme value removal

Slide histories/sdhk2-rw.hist.005.svg

Compute segments

Slide histories/sdhk2-rw.hist.006.svg

Compute segments

Slide histories/sdhk2-rw.hist.007.svg

Partitioning

Slide histories/sdhk2-rw.hist.008.svg

Compute segments

Slide histories/sdhk2-rw.hist.009.svg

Compute segments

Slide histories/sdhk2-rw.hist.010.svg

Compute segments

Slide histories/sdhk2-rw.hist.011.svg

Extreme value removal

Slide histories/sdhk2-rw.hist.012.svg

Extreme value removal

Slide histories/sdhk2-rw.hist.013.svg

Compute segments

Slide histories/sdhk2-rw.hist.014.svg

Compute segments

Slide histories/sdhk2-rw.hist.015.svg

Compute segments

Slide histories/sdhk2-rw.hist.016.svg

Extreme value removal

Slide histories/sdhk2-rw.hist.017.svg

Done!

Incomplete histories

Can be completed

Pop Empty

pop-operations that returns \(\bot\), indicating an empty stack

Slide histories/popempty.hist.000.svg

Slide histories/popempty.hist.001.svg

Slide histories/popempty.hist.002.svg

Slide histories/popempty.hist.003.svg

Empty proof

\(h\) with pop(\(\bot\))-operation \(o\) linearizable

\(\iff\)

\(h - \{o\}\) linearizable and \(o\) overlaps with a deserted segment.

• \((\Rightarrow)\): The linearization point for \(o\) must be when the stack is empty, which it can only be in a deserted segment.
• \((\Leftarrow)\): Each value is uniquely to the left or right of the opening. We slide their linearization points, so that \(o\) can be linearized after all operations in L and before all operations in R.

Stack Proof

\(h\) linearizable iff one of the following hold

• \(h = \epsilon\)
• \(h\) has an extreme value \(x\) and \(h - \{x\}\) is linearizable
• \(h\) can be partitioned into two linearizable subhistories \(L\), \(R\).

We have a proof of this, which these slides are too small to contain.

Complexity

First, sort values by push return. O(n log n)

• Compute deserted and populated segments. O(n)
• Finding extreme is O(n)
• Partitioning is O(n)
• Worst case, each step only removes one value, so we need \(n\) steps.
• \(O\left(\sum_{i=1}^{n} n\right) = O(n^2)\)

Queues

We achieve \(O(n~log~n)\).

Small model property; a (differentiated, completed) queue history is linearizable if and only if for no pair of values \(a\), \(b\), we have

\[enq(a) < enq(b) \wedge deq(b) < deq(a)\]

where < is the happens-before relation

Note: does not hold for stacks.

Step 1

\[enq(a) < enq(b) \wedge deq(b) < deq(a)\]

Step 2

\[\textrm{outer seg. of } b \subseteq \textrm{inner seg. of } a\]

Algorithm

We want to see if for any two values, the outer (enq.call, deq.ret) segment of one is contained in the inner (enq.ret, deq.call) segment of the other. We call a pair of such values critical.

• Construct a queue-tree
• Scan it for containment.

Tree

We construct a red-black tree, where each node contains

• A left and right subtree
• Left and right endpoints of the inner interval
• A high key, the highest right occuring in its subtrees.

Example History

• Inner segments: (3, 6), (4, 11), (9, 14), (12, 26), (16, 25), (18, 20), (21, 28), (24, 30)
• Outer segments: (1, 8), (2, 13), (5, 17), (7, 29), (10, 27), (15, 23), (19, 31), (22, 32)

Slide queue_tree1.svg

• Outer segments: (1, 8), (2, 13), (5, 17), (7, 29), (10, 27), (15, 23), (19, 31), (22, 32)

Slide queue_tree2.svg

• Outer segments: (1, 8), (2, 13), (5, 17), (7, 29), (10, 27), (15, 23), (19, 31), (22, 32)

Slide queue_tree3.svg

• Outer segments: (1, 8), (2, 13), (5, 17), (7, 29), (10, 27), (15, 23), (19, 31), (22, 32)

Extreme Values

\(h\) linearizable

\(\iff\)

\(h\) has some value \(v\) with minimal enq and deq, and \(h - \{v\}\) is linearizable.

• \((\Rightarrow)\): Some value must be enqueued first, and the first enqueued must be dequeued first, so it is minimal.
• \((\Leftarrow)\): Linearize enq(v) before every other enq, and deq(v) before any other deq.

Small Model Property

\(h\) linearizable \(\iff\) no two \(a, b\) in \(h\) are critical.

• \((\Rightarrow)\): Easy.
• \((\Leftarrow)\): Induction on the size of \(h\). We choose the minimal enq(a) with earliest called deq, and argue its deq must be minimal.

Search

def search(p, a):
    (l, r, h, L, R) = p
    (i, j) = a
    if p is None: return False
    if l <= i and j <= r: return True
    if L is not None and l <= i and j <= L.h: return True
    if L is not None and l <= i and j > L.h: return search(R, a)
    return search(L, a)

• Proof based on structural induction of where in the tree a given containing interval is.

Complexity

• Constructing the tree is O(n log n)
• Each search is O(log n)
• We do \(n\) searches.
• O(n log n)

(Multi)Sets

Operations add(x), rmv(x).

• A multiset history is linearizable \(\iff\) each single-value projection is linearizable.
• A single-valued multiset history is linearizable \(\iff\) the number of returned rmv never exceed the number of called add.

Conclusion

We have shown monitoring algorithms

• \(O(n^2)\) for stacks
• \(O(n~log n)\) for queues
• \(O(n)\) for (multi)sets

…and shown their correctness

Future Work

• Formalizing in a theorem prover
• Extend to other data structures
• Extend to related correctness conditions (e.g. durable linearizability)

Thanks for listening!

References