Skip to main content
SpringerLink
Log in

Model Checking in a Development Workflow: A Study on a Concurrent C++ Hash Table

  • Conference paper
  • First Online:
Formal Methods. FM 2019 International Workshops (FM 2019)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 12232))

Included in the following conference series:

  • 609 Accesses

Abstract

In this paper, we report on our effort to design a fast, concurrent-safe hash table and implement it in C++, correctly. It is especially the latter that is the focus of this paper: concurrent data structures are notoriously hard to implement, and C++ is not known to be a particularly safe language. It however does offer unparalleled performance for the level of programming comfort it offers, especially in our area of interest – parallel workloads with intense interaction.

For these reasons, we have enlisted the help of a software model checker (DIVINE) with the ability to directly check the C++ implementation. We discuss how such a heavyweight tool integrated with the engineering effort, what are the current limits of this approach and what kinds of assurances we obtained. Of course, we have applied the standard array of tools throughout the effort – unit testing, an interactive debugger, a memory error checker (valgrind) – in addition to the model checker, which puts us in an excellent position to weigh them against each other and point out where they complement each other.

This work has been partially supported by the Czech Science Foundation grant No. 18-02177S.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    In particular, they provide nicer iterator and reference invalidation semantics and are less susceptible to pathological behaviour when using sub-optimal user-supplied hash functions.

  2. 2.

    Here, concurrency means that multiple CPU cores perform operations on the same data structure without additional synchronization.

  3. 3.

    Each cell can hold at most a single key. Basic operations on a cell include storing a key and comparing the content of the cell with a key.

  4. 4.

    In comparison, the design from [2] uses 3 machine words per thread, 64 + 32 words of fixed overhead per a hash table instance and 11 words per cell vector. It also incurs 3 indirections compared to the single indirection in the current design.

  5. 5.

    The class naming has changed during later development stages. We use the last iteration of the class names throughout the paper to avoid confusing the reader.

  6. 6.

    Clearly, the keys stored in a continuous segment of the smaller hash_table may end up distributed arbitrarily in the entire range of the bigger (target) instance.

  7. 7.

    Cells are invalidated when they are rehashed, so that concurrent insertion will not accidentally use an empty cell that has already been ‘moved’ to the next generation leading to a loss of the inserted key.

  8. 8.

    Unfortunately, model checking of scenarios with more than 2 threads does not seem to be realistic, at least not with the allocated budget of 100 GiB of RAM.

  9. 9.

    This incident also revealed a weakness in our testing methodology, where only ‘good’ hash functions were used during unit testing and model checking – cf. Sect. 4.1.

  10. 10.

    Deadlocks involving pthread mutexes are detected, but these mutexes are too expensive to be used in concurrent data structures.

  11. 11.

    A pointer which can only point at objects which manage their own reference counter.

  12. 12.

    The implementation was tested, but not model checked, and is not part of the hash table implementation (it was done in application-level code in an application-specific manner).

  13. 13.

    All the scenarios used a hash_set with the growth pattern 2-4-8. The last scenario was however also attempted with the pattern 1-2-4, reducing the size of the state space and memory requirements considerably, from 85 GiB to about 15 GiB.

References

  1. Baranová, Z., et al.: Model checking of C and C++ with DIVINE 4 (2017)

    Google Scholar 

  2. Barnat, J., Ročkai, P., Štill, V., Weiser, J.: Fast, dynamically-sized concurrent hash table. In: Fischer, B., Geldenhuys, J. (eds.) SPIN 2015. LNCS, vol. 9232, pp. 49–65. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-23404-5_5

    Chapter  Google Scholar 

  3. Chen, Z., Gu, Y., Huang, Z., Zheng, J., Liu, C., Liu, Z.: Model checking aircraft controller software: a case study. Softw. Pract. Exp. 45(7), 989–1017 (2015). https://doi.org/10.1002/spe.2242

    Article  Google Scholar 

  4. Fitzgerald, J., Bicarregui, J., Larsen, P.G., Woodcock, J.: Industrial Deployment of Formal Methods: Trends and Challenges. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-33170-110. ISBN 978-3-642-33170-1

  5. Gan, X., Dubrovin, J., Heljanko, K.: A symbolic model checking approach to verifying satellite onboard software. Sci. Comput. Program. 82, 44–55 (2014). https://doi.org/10.1016/j.scico.2013.03.005

    Article  Google Scholar 

  6. Hwong, Y.L., Keiren, J.J., Kusters, V.J., Leemans, S., Willemse, T.A.: Formalising and analysing the control software of the CMS experiment at the large hadron collider. Sci. Comput. Program. 78(12), 2435–2452 (2013). https://doi.org/10.1016/j.scico.2012.11.009

    Article  Google Scholar 

  7. Klein, G., et al.: seL4: formal verification of an OS kernel. In: SOSP, pp. 207–220. ACM (2009). https://doi.org/10.1145/1629575.1629596

  8. Lång, J., Prasetya, I.S.W.B.: Model checking a C++ software framework, a case study (2019). https://doi.org/10.1145/3338906.3340453

  9. O’Callahan, R., Jones, C., Froyd, N., Huey, K., Noll, A., Partush, N.: Engineering record and replay for deployability (2017). arXiv:1705.05937

  10. Penix, J., Visser, W., Engstrom, E., Larson, A., Weininger, N.: Verification of time partitioning in the DEOS scheduler kernel. In: International Conference on Software Engineering, pp. 488–497. ACM Press (2000)

    Google Scholar 

  11. Potts, D., Bourquin, R., Andresen, L., Andronick, J., Klein, G., Heiser, G.: Mathematically verified software kernels: raising the bar for high assurance implementations. Technical report, NICTA, Sydney, Australia (2014)

    Google Scholar 

  12. Ročkai, P., Barnat, J.: A simulator for LLVM bitcode (2017). https://arxiv.org/abs/1704.05551. Preliminary version

  13. Ročkai, P., Barnat, J., Brim, L.: Improved state space reductions for LTL model checking of C and C++ programs. In: Brat, G., Rungta, N., Venet, A. (eds.) NFM 2013. LNCS, vol. 7871, pp. 1–15. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38088-4_1

    Chapter  Google Scholar 

  14. Stallman, R., Pesch, R., Shebs, S.: Debugging with GDB (2010)

    Google Scholar 

  15. Visan, A.-M., Arya, K., Cooperman, G., Denniston, T.: URDB: a universal reversible debugger based on decomposing debugging histories. In: PLOS 2011 (2011)

    Google Scholar 

  16. Woodcock, J., Larsen, P.G., Bicarregui, J., Fitzgerald, J.: Formal methods: practice and experience. ACM Comput. Surv. 41(4), 19:1–19:36 (2009). https://doi.org/10.1145/1592434.1592436

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Faculty of Informatics, Masaryk University, Brno, Czech Republic

    Petr Ročkai

Authors
  1. Petr Ročkai
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Petr Ročkai .

Editor information

Editors and Affiliations

  1. McMaster University, Hamilton, ON, Canada

    Emil Sekerinski

  2. University of Porto, Porto, Portugal

    Nelma Moreira

  3. University of Minho, Braga, Portugal

    José N. Oliveira

  4. Argo Ai, Munich, Germany

    Daniel Ratiu

  5. University of Pisa, Pisa, Italy

    Riccardo Guidotti

  6. University of Liverpool, Liverpool, UK

    Marie Farrell

  7. University of Liverpool, Liverpool, UK

    Matt Luckcuck

  8. University of Exeter, Exeter, UK

    Diego Marmsoler

  9. University of Minho, Braga, Portugal

    José Campos

  10. University of Newcastle, Newcastle upon Tyne, UK

    Troy Astarte

  11. Claude Bernard University, Lyon, France

    Laure Gonnord

  12. Nazarbayev University, Nur-Sultan, Kazakhstan

    Antonio Cerone

  13. University of Surrey, Guildford, UK

    Luis Couto

  14. University of Surrey, Guildford, UK

    Brijesh Dongol

  15. University of Giessen, Giessen, Germany

    Martin Kutrib

  16. University of Lisbon, Lisbon, Portugal

    Pedro Monteiro

  17. Airbus Operations S.A.S., Toulouse, France

    David Delmas

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ročkai, P. (2020). Model Checking in a Development Workflow: A Study on a Concurrent C++ Hash Table. In: Sekerinski, E., et al. Formal Methods. FM 2019 International Workshops. FM 2019. Lecture Notes in Computer Science(), vol 12232. Springer, Cham. https://doi.org/10.1007/978-3-030-54994-7_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-54994-7_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-54993-0

  • Online ISBN: 978-3-030-54994-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation