Chris Hawblitzel,Erez Petrank

DOI: https://doi.org/10.2168/LMCS-6%283%3A6%292010

2010-10-18

Abstract:Garbage collectors are notoriously hard to verify, due to their low-level interaction with the underlying system and the general difficulty in reasoning about reachability in graphs. Several papers have presented verified collectors, but either the proofs were hand-written or the collectors were too simplistic to use on practical applications. In this work, we present two mechanically verified garbage collectors, both practical enough to use for real-world C# benchmarks. The collectors and their associated allocators consist of x86 assembly language instructions and macro instructions, annotated with preconditions, postconditions, invariants, and assertions. We used the Boogie verification generator and the Z3 automated theorem prover to verify this assembly language code mechanically. We provide measurements comparing the performance of the verified collector with that of the standard Bartok collectors on off-the-shelf C# benchmarks, demonstrating their competitiveness.

Programming Languages

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as mu C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS mu C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore (approximate to 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore ( 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Jonathan Marbaniang,Shekhar Bhandakkar,Sathya Peri

DOI: https://doi.org/10.48550/arXiv.1806.00834

2018-07-21

Abstract:Garbage Collection in concurrent data structures, especially lock-free ones, pose multiple design and consistency challenges. In this instance, we consider the case of concurrent sets. A set is a collection of elements, where the elements are ordered and distinct. These two invariants are always maintained at every point in time. Currently, multiple implementations of concurrent sets already exist. LazyList, Hand-over-hand List and Harris List are some of the well-known implementations. However none of these implementations employ, or are concerned with garbage collection of deleted nodes. Instead each implementation ignores deleted nodes or depends on the garbage collector of the language to handle them. Additionally, Garbage collection in concurrent lists, that use optimistic traversals or that are lock-free, is not trivial. For example, in LazyList and Harris List, they allow a thread to traverse a node or a sequence of nodes after these nodes have already been removed from the list, and hence possibly deleted. If deleted nodes are to be reused, this will potentially lead to the ABA problem. Moreover, some languages like C++ do not have an inbuilt garbage collector. Some constructs like Shared Pointers provide a limited garbage collection facility, but it degrades performance by a large scale. Integrating Shared Pointers into a concurrent code is also not a trivial task. In this paper, we propose a new representation of a concurrent set, GCList, which employs inbuilt garbage collection. We propose a novel garbage collection scheme that implements in-built memory reclamation whereby it reuses deleted nodes from the list. We propose both lock-based and lock-free implementations of GCList. The garbage collection scheme works in parallel with the Set operations.

Distributed, Parallel, and Cluster Computing

Ian J. Hayes,Larissa A. Meinicke,Patrick A. Meiring

2023-09-09

Abstract:This paper presents a theory for the refinement of shared-memory concurrent algorithms from specifications. We augment pre and post condition specifications with Jones' rely and guarantee conditions, all of which are encoded as commands within a wide-spectrum language. Program components are specified using either partial or total correctness versions of postcondition specifications. Operations on shared data structures and atomic machine operations (e.g. compare-and-swap) are specified using an atomic specification command. All the above constructs are defined in terms of a simple core language, based on a small set of primitive commands and a handful of operators. A comprehensive set of laws for refining such specifications to code is derived in the theory. The approach supports fine-grained concurrency, avoiding atomicity assumptions on expression evaluation and assignment commands. The theory has been formalised in Isabelle/HOL, and the refinement laws and supporting lemmas have been proven in Isabelle/HOL.

Logic in Computer Science

N. Allen,T. Terriberry

DOI: https://doi.org/10.48550/arXiv.cs/0207036

2002-07-10

Distributed, Parallel, and Cluster Computing

Abstract:We describe an efficient and fault-tolerant algorithm for distributed cyclic garbage collection. The algorithm imposes few requirements on the local machines and allows for flexibility in the choice of local collector and distributed acyclic garbage collector to use with it. We have emphasized reducing the number and size of network messages without sacrificing the promptness of collection throughout the algorithm. Our proposed collector is a variant of back tracing to avoid extensive synchronization between machines. We have added an explicit forward tracing stage to the standard back tracing stage and designed a tuned heuristic to reduce the total amount of work done by the collector. Of particular note is the development of fault-tolerant cooperation between traces and a heuristic that aggressively reduces the set of suspect objects.

Sarat Chandra Varanasi,Neeraj Mittal,Gopal Gupta

DOI: https://doi.org/10.48550/arXiv.2011.04045

2020-11-09

Abstract:In this paper we tackle the problem of automatically designing concurrent data structure operations given a sequential data structure specification and knowledge about concurrent behavior. Designing concurrent code is a non-trivial task even in simplest of cases. Humans often design concurrent data structure operations by transforming sequential versions into their respective concurrent versions. This requires an understanding of the data structure, its sequential behavior, thread interactions during concurrent execution and shared memory synchronization primitives. We mechanize this design process using automated commonsense reasoning. We assume that the data structure description is provided as axioms alongside the sequential code of its algebraic operations. This information is used to automatically derive concurrent code for that data structure, such as dictionary operations for linked lists and binary search trees. Knowledge in our case is expressed using Answer Set Programming (ASP), and we employ deduction, induction and abduction---just as humans do---in the reasoning involved. ASP allows for succinct modeling of first order theories of pointer data structures, run-time thread interactions and shared memory synchronization. Our reasoner can systematically make the same judgments as a human reasoner while constructing provably safe concurrent code. We present several reasoning challenges involved in transforming the sequential data structure into its equivalent concurrent version. All the reasoning tasks are encoded in ASP and our reasoner can make sound judgments to transform sequential code into concurrent code. To the best of our knowledge, our work is the first one to use commonsense reasoning to automatically transform sequential programs into concurrent code.

Logic in Computer Science

Vasanthakumar Soundararajan

DOI: https://doi.org/10.48550/arXiv.1501.01086

2015-01-06

Abstract:The Generational Garbage collection involves organizing the heap into different divisions of memory space in-order to filter long-lived objects from short-lived objects through moving the surviving object of each generation Garbage Collection cycle to another memory space updating its age and reclaiming space from the dead ones. The problem in this method is that the longer an object is alive during its initial generations the longer the garbage collector will have to deal with it by checking for its reachability from the root and promoting it to other space divisions where as the ultimate goal of the Garbage Collector is to reclaim memory from unreachable objects at a minimal time possible. This paper is a proposal of a method where the lifetime of every object getting into the heap will be predicted and will be placed in heap accordingly for the garbage collector to deal more with reclaiming space from dead objects and less in promoting the live ones to the higher level.

Programming Languages,Artificial Intelligence

Roland Meyer,Sebastian Wolff

DOI: https://doi.org/10.1145/3290371

2019-01-02

Proceedings of the ACM on Programming Languages

Abstract:Verification of concurrent data structures is one of the most challenging tasks in software verification. The topic has received considerable attention over the course of the last decade. Nevertheless, human-driven techniques remain cumbersome and notoriously difficult while automated approaches suffer from limited applicability. The main obstacle for automation is the complexity of concurrent data structures. This is particularly true in the absence of garbage collection. The intricacy of lock-free memory management paired with the complexity of concurrent data structures makes automated verification prohibitive. In this work we present a method for verifying concurrent data structures and their memory management separately. We suggest two simpler verification tasks that imply the correctness of the data structure. The first task establishes an over-approximation of the reclamation behavior of the memory management. The second task exploits this over-approximation to verify the data structure without the need to consider the implementation of the memory management itself. To make the resulting verification tasks tractable for automated techniques, we establish a second result. We show that a verification tool needs to consider only executions where a single memory location is reused. We implemented our approach and were able to verify linearizability of Michael&Scott's queue and the DGLM queue for both hazard pointers and epoch-based reclamation. To the best of our knowledge, we are the first to verify such implementations fully automatically.

Min Yang,Di Wang,Xun Zhou,Yuan Zhang,Binyu Zang

2011-01-01

Abstract:The invention belongs to the technical field of Java virtual machine garbage retriever, particularly relating to a concurrent garbage collector frame based on a Java virtual machine. The frame is divided into two modules of a concurrent algorithm frame and a dispatcher, wherein the concurrent algorithm frame is designed to mainly carry out variation analysis on the existing concurrent garbage collection algorithm to finally divide modules which are conviennt to be reused or can not be reused, and the division is realized by aiming at different characteristics; the dispatcher is mainly composed of a dispatching trigger module, a dispatching algorithm module and an exhaustion processing module and mainly has two functions on determining when to trigger GC (garbage collection) and to process the situation of system resource exhaustion. According to the invention, the platform transportability of the concurrent garbage collection technology is increased to solve the problem that different concurrent garbage collection technologies are experimented under the same platform, and the superiority or inferiority of different concurrent garbage collection technologies can be researched under a certain specific platform.

Amey Karkare,Amitabha Sanyal,Uday Khedker

DOI: https://doi.org/10.48550/arXiv.0710.1482

2007-10-08

Abstract:Current garbage collectors leave a lot of garbage uncollected because they conservatively approximate liveness by reachability from program variables. In this paper, we describe a sequence of static analyses that takes as input a program written in a first-order, eager functional programming language, and finds at each program point the references to objects that are guaranteed not to be used in the future. Such references are made null by a transformation pass. If this makes the object unreachable, it can be collected by the garbage collector. This causes more garbage to be collected, resulting in fewer collections. Additionally, for those garbage collectors which scavenge live objects, it makes each collection faster. The interesting aspects of our method are both in the identification of the analyses required to solve the problem and the way they are carried out. We identify three different analyses -- liveness, sharing and accessibility. In liveness and sharing analyses, the function definitions are analyzed independently of the calling context. This is achieved by using a variable to represent the unknown context of the function being analyzed and setting up constraints expressing the effect of the function with respect to the variable. The solution of the constraints is a summary of the function that is parameterized with respect to a calling context and is used to analyze function calls. As a result we achieve context sensitivity at call sites without analyzing the function multiple number of times.

Programming Languages,Software Engineering

Lujing Cen,Ryan Marcus,Hongzi Mao,Justin Gottschlich,Mohammad Alizadeh,Tim Kraska

DOI: https://doi.org/10.1145/3394450.3397469

2020-04-28

Abstract:Several programming languages use garbage collectors (GCs) to automatically manage memory for the programmer. Such collectors must decide when to look for unreachable objects to free, which can have a large performance impact on some applications. In this preliminary work, we propose a design for a learned garbage collector that autonomously learns over time when to perform collections. By using reinforcement learning, our design can incorporate user-defined reward functions, allowing an autonomous garbage collector to learn to optimize the exact metric the user desires (e.g., request latency or queries per second). We conduct an initial experimental study on a prototype, demonstrating that an approach based on tabular Q learning may be promising.

Programming Languages

Larissa A. Meinicke,Ian J. Hayes

2024-03-20

Abstract:Distributive laws are important for algebraic reasoning in arithmetic and logic. They are equally important for algebraic reasoning about concurrent programs. In existing theories such as Concurrent Kleene Algebra, only partial correctness is handled, and many of its distributive laws are weak, in the sense that they are only refinements in one direction, rather than equalities. The focus of this paper is on strengthening our theory to support the proof of strong distributive laws that are equalities, and in doing so come up with laws that are quite general. Our concurrent refinement algebra supports total correctness by allowing both finite and infinite behaviours. It supports the rely/guarantee approach of Jones by encoding rely and guarantee conditions as rely and guarantee commands. The strong distributive laws may then be used to distribute rely and guarantee commands over sequential compositions and into (and out of) iterations. For handling data refinement of concurrent programs, strong distributive laws are essential.

Logic in Computer Science

Constantin Enea,Eric Koskinen

2024-10-18

Abstract:Concurrent objects form the foundation of many applications that exploit multicore architectures and their importance has lead to informal correctness arguments, as well as formal proof systems. Correctness arguments (as found in the distributed computing literature) give intuitive descriptions of a few canonical executions or "scenarios" often each with only a few threads, yet it remains unknown as to whether these intuitive arguments have a formal grounding and extend to arbitrary interleavings over unboundedly many threads. We present a novel proof technique for concurrent objects, based around identifying a small set of scenarios (representative, canonical interleavings), formalized as the commutativity quotient of a concurrent object. We next give an expression language for defining abstractions of the quotient in the form of regular or context-free languages that enable simple proofs of linearizability. These quotient expressions organize unbounded interleavings into a form more amenable to reasoning and make explicit the relationship between implementation-level contention/interference and ADT-level transitions. We evaluate our work on numerous non-trivial concurrent objects from the literature (including the Michael-Scott queue, Elimination stack, SLS reservation queue, RDCSS and Herlihy-Wing queue). We show that quotients capture the diverse features/complexities of these algorithms, can be used even when linearization points are not straight-forward, correspond to original authors' correctness arguments, and provide some new scenario-based arguments. Finally, we show that discovery of some object's quotients reduces to two-thread reasoning and give an implementation that can derive candidate quotients expressions from source code.

Programming Languages

Graham Campbell,Detlef Plump

DOI: https://doi.org/10.48550/arXiv.2101.01842

2021-01-06

Abstract:The transformation of graphs and graph-like structures is ubiquitous in computer science. When a system is described by graph-transformation rules, it is often desirable that the rules are both terminating and confluent so that rule applications in an arbitrary order produce unique resulting graphs. However, there are application scenarios where the rules are not globally confluent but confluent on a subclass of graphs that are of interest. In other words, non-resolvable conflicts can only occur on graphs that are considered as "garbage". In this paper, we introduce the notion of confluence up to garbage and generalise Plump's critical pair lemma for double-pushout graph transformation, providing a sufficient condition for confluence up to garbage by non-garbage critical pair analysis. We apply our results in two case studies about efficient language recognition: we present backtracking-free graph reduction systems which recognise a class of flow diagrams and a class of labelled series-parallel graphs, respectively. Both systems are non-confluent but confluent up to garbage. We also give a critical pair condition for subcommutativity up to garbage which, together with closedness, implies confluence up to garbage even in non-terminating systems.

Logic in Computer Science

Wenyu Zhao,Stephen M. Blackburn,Kathryn S. McKinley

DOI: https://doi.org/10.1145/3519939.3523440

2022-10-31

Abstract:Production garbage collectors make substantial compromises in pursuit of reduced pause times. They require far more CPU cycles and memory than prior simpler collectors. concurrent copying collectors (C4, ZGC, and Shenandoah) suffer from the following design limitations. 1) Concurrent copying. They only reclaim memory by copying, which is inherently expensive with high memory bandwidth demands. Concurrent copying also requires expensive read and write barriers. 2) Scalability. They depend on tracing, which in the limit and in practice does not scale. 3) Immediacy. They do not reclaim older objects promptly, incurring high memory overheads. We present LXR, which takes a very different approach to optimizing responsiveness and throughput by minimizing concurrent collection work and overheads. 1) LXR reclaims most memory without any copying by using the Immix heap structure. It then combats fragmentation with limited judicious stop-the-world copying. 2) LXR uses reference counting to achieve both scalability and immediacy, promptly reclaiming young and old objects. It uses concurrent tracing as needed for identifying cyclic garbage. 3) To minimize pause times while allowing judicious copying of mature objects, LXR introduces remembered sets for reference counting and concurrent decrement processing. 4) LXR introduces a novel low-overhead write barrier that combines coalescing reference counting, concurrent tracing, and remembered set maintenance. The result is a collector with excellent responsiveness and throughput. On the widely-used Lucene search engine with a generously sized heap, LXR has 6x higher throughput while delivering 30x lower 99.9 percentile tail latency than the popular Shenandoah production collector in its default configuration.

Programming Languages

David Sanán,Yongwang Zhao,Zhe Hou,Fuyuan Zhang,Alwen Tiu,Yang Liu

DOI: https://doi.org/10.1007/978-3-662-54577-5_28

2017-01-01

Abstract:It is essential to deal with the interference of the environment between programs in concurrent program verification. This has led to the development of concurrent program reasoning techniques such as rely-guarantee. However, the source code of the programs to be verified often involves language features such as exceptions and procedures which are not supported by the existing mechanizations of those concurrent reasoning techniques. Schirmer et al. have solved a similar problem for sequential programs by developing a verification framework in the Isabelle/HOL theorem prover called Simpl, which provides a rich sequential language that can encode most of the features in real world programming languages. However Simpl only aims to verify sequential programs, and it does not support the specification nor the verification of concurrent programs. In this paper we introduce CSimpl, an extension of Simpl with concurrency-oriented language features and verification techniques. We prove the compositionality of the CSimpl semantics and we provide inference rules for the language constructors to reason about CSimpl programs using rely-guarantee, showing that the inference rules are sound w.r.t. the language semantics. Finally, we run a case study where we use CSimpl to specify and prove functional correctness of an abstract communication model of the XtratuM partitioning separation micro-kernel.

Larissa A. Meinicke,Ian J. Hayes,Cliff B. Jones

2024-05-09

Abstract:Specifications of significant systems can be made short and perspicuous by using abstract data types; data reification can provide a clear, stepwise, development history of programs that use more efficient concrete representations. Data reification (or "refinement") techniques for sequential programs are well established. This paper applies these ideas to concurrency, in particular, an algebraic theory supporting rely-guarantee reasoning about concurrency. A concurrent version of the Galler-Fischer equivalence relation data structure is used as an example.

Logic in Computer Science,Software Engineering

Hongjin Liang,Xinyu Feng,Ming Fu

DOI: https://doi.org/10.1145/2576235

IF: 1.714

2014-01-01

ACM Transactions on Programming Languages and Systems

Abstract:Verifying program transformations usually requires proving that the resulting program (the target) refines or is equivalent to the original one (the source). However, the refinement relation between individual sequential threads cannot be preserved in general with the presence of parallel compositions, due to instruction reordering and the different granularities of atomic operations at the source and the target. On the other hand, the refinement relation defined based on fully abstract semantics of concurrent programs assumes arbitrary parallel environments, which is too strong and cannot be satisfied by many well-known transformations. In this paper, we propose a Rely-Guarantee-based Simulation (RGSim) to verify concurrent program transformations. The relation is parametrized with constraints of the environments that the source and the target programs may compose with. It considers the interference between threads and their environments, thus is less permissive than relations over sequential programs. It is compositional w.r.t. parallel compositions as long as the constraints are satisfied. Also, RGSim does not require semantics preservation under all environments, and can incorporate the assumptions about environments made by specific program transformations in the form of rely/guarantee conditions. We use RGSim to reason about optimizations and prove atomicity of concurrent objects. We also propose a general garbage collector verification framework based on RGSim, and verify the Boehm et al. concurrent mark-sweep GC.

Eduard Kamburjan,Nathan Wasser

DOI: https://doi.org/10.4204/EPTCS.365.1

2022-08-09

Abstract:We present a novel and well automatable approach to formal verification of C programs with underspecified semantics, i.e., a language semantics that leaves open the order of certain evaluations. First, we reduce this problem to non-determinism of concurrent systems, automatically extracting a distributed Active Object model from underspecified, sequential C code. This translation process provides a fully formal semantics for the considered C subset. In the extracted model every non-deterministic choice corresponds to one possible evaluation order. This step also automatically translates specifications in the ANSI/ISO C Specification Language (ACSL) into method contracts and object invariants for Active Objects. We then perform verification on the specified Active Objects model, using the Crowbar theorem prover, which verifies the extracted model with respect to the translated specification and ensures the original property of the C code for all possible evaluation orders. By using model extraction, we can use standard tools, without designing a new complex program logic to deal with underspecification. The case study used is highly underspecified and cannot be handled correctly by existing tools for C.

Programming Languages