ABSTRACT
Read-Copy-Update (RCU) is a synchronization mechanism used heavily in key components of the Linux kernel, such as the virtual filesystem (VFS), to achieve scalability by exploiting RCU's ability to allow concurrent reads and updates. RCU's design is non-trivial and requires significant effort to understand fully, let alone to become convinced that its implementation is faithful to its specification and provides its claimed properties. The fact that Linux kernels are becoming more complex over time, and are deployed on machines with ever more cores and weak memory models, does not make the situation any easier.
This paper presents an approach to systematically test the code of the main flavor of RCU used in the Linux kernel (Tree RCU) for concurrency errors, both under sequential consistency and under weak memory. Our modeling allows Nidhugg, a stateless model checking tool, to reproduce, within seconds, safety and liveness bugs that have been reported for RCU. More importantly, we were able to verify the Grace-Period guarantee, the basic guarantee that RCU offers (a grace period does not end before every read-side critical section that started before it has completed), on several Linux kernel versions (non-preemptible builds). Our approach is effective, both in dealing with the increased complexity of recent Linux kernels and in terms of the time that the process requires. We have good reasons to believe that our effort constitutes a big step towards making tools such as Nidhugg part of the standard testing infrastructure of the Linux kernel.
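The following is an added, hypothetical toy model of the grace-period guarantee the abstract refers to; it is neither the paper's Nidhugg model nor Linux kernel code. Simulated readers keep a per-CPU nesting counter, an updater publishes a copy and waits for a grace period before reclaiming the old node, and a constructed reader schedule (a string of lock/unlock events) is consumed cooperatively while the grace period waits. A `broken` flag switches in a hypothetical bug (any unlock counts as a quiescent state, so nested readers are not waited for) to show that such a bug only surfaces under some schedules, which is why exhaustive exploration of interleavings matters. Function and variable names are this example's own.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy model of RCU's read side and of a grace period (GP).
 * Not kernel code. NCPU simulated readers each keep a read-side nesting
 * counter, as rcu_read_lock()/rcu_read_unlock() do in the kernel. */
#define NCPU 4

struct node { int value; int freed; };

static struct node *gp_ptr;            /* the RCU-protected pointer */
static int nesting[NCPU];              /* read-side critical-section depth per CPU */
static unsigned long qs_count[NCPU];   /* quiescent states passed per CPU */
static unsigned long unlock_count[NCPU];
static struct node *held[NCPU];        /* node each reader dereferenced */
static int uaf_seen;                   /* a reader touched a reclaimed node */
static const char *sched;              /* remaining reader events */

static void rcu_read_lock(int cpu)
{
    if (nesting[cpu]++ == 0)
        held[cpu] = gp_ptr;            /* rcu_dereference() at the outermost lock */
}

static void rcu_read_unlock(int cpu)
{
    assert(nesting[cpu] > 0);
    if (held[cpu]->freed)
        uaf_seen = 1;                  /* the reader's node was reclaimed too early */
    unlock_count[cpu]++;
    if (--nesting[cpu] == 0) {
        held[cpu] = NULL;
        qs_count[cpu]++;               /* only the outermost unlock is a quiescent state */
    }
}

/* Constructed schedule alphabet: 'A'..'D' = rcu_read_lock on CPU 0..3,
 * 'a'..'d' = rcu_read_unlock, '.' = idle step, '|' = the updater publishes here. */
static int step(void)
{
    char ev = *sched;
    if (!ev || ev == '|') return 0;
    sched++;
    if (ev >= 'A' && ev < 'A' + NCPU) rcu_read_lock(ev - 'A');
    else if (ev >= 'a' && ev < 'a' + NCPU) rcu_read_unlock(ev - 'a');
    return 1;
}

/* Grace-period guarantee: every CPU inside a critical section when the GP
 * starts must pass a quiescent state before synchronize_rcu() returns.
 * With broken != 0 the model accepts any rcu_read_unlock() as a quiescent
 * state (hypothetical bug: nested readers are not waited for).
 * Returns 0 when the GP completes, -1 if the schedule runs out first (stall). */
static int synchronize_rcu(int broken)
{
    unsigned long snap[NCPU];
    int need[NCPU], cpu;

    for (cpu = 0; cpu < NCPU; cpu++) {
        need[cpu] = nesting[cpu] > 0;
        snap[cpu] = broken ? unlock_count[cpu] : qs_count[cpu];
    }
    for (cpu = 0; cpu < NCPU; cpu++)
        while (need[cpu] && (broken ? unlock_count[cpu] : qs_count[cpu]) == snap[cpu])
            if (!step())
                return -1;
    return 0;
}

/* Drive one update against a reader schedule. Returns 1 if the guarantee
 * held, 0 if the grace period stalled, -1 if a reader used reclaimed memory. */
int run_update(const char *schedule, int broken)
{
    struct node *old = calloc(1, sizeof *old), *fresh = calloc(1, sizeof *fresh);
    int result;

    memset(nesting, 0, sizeof nesting);
    memset(qs_count, 0, sizeof qs_count);
    memset(unlock_count, 0, sizeof unlock_count);
    memset(held, 0, sizeof held);
    uaf_seen = 0;
    old->value = 1;
    fresh->value = 2;
    gp_ptr = old;
    sched = schedule;

    while (step()) ;                   /* readers that start before the update */
    if (*sched == '|') sched++;
    gp_ptr = fresh;                    /* rcu_assign_pointer(): publish the copy */
    if (synchronize_rcu(broken) < 0) {
        result = 0;
    } else {
        old->freed = 1;                /* stands in for kfree(old), so misuse stays observable */
        while (step()) ;               /* let the remaining readers run */
        result = uaf_seen ? -1 : 1;
    }
    free(old);
    free(fresh);
    return result;
}
```

With the correct grace period, `run_update("AA|aaB", 0)` returns 1 because the nested reader on CPU 0 is waited for until its outermost unlock, while `run_update("AA|aaB", 1)` returns -1: the buggy grace period ends after the inner unlock, the old node is reclaimed, and the reader touches it on its way out. The same bug is invisible on `"A|aB.b"`, and a reader that never leaves its critical section (`"A|B.b"`) stalls the grace period, the liveness side of the property.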
Index Terms
- Stateless model checking of the Linux kernel's hierarchical read-copy-update (tree RCU)