Model Checking of Concurrent Software: Current Projects Thomas Reps University of Wisconsin

Projects and Personnel University of Wisconsin –Anne Mulhern –Alexey Loginov Tel-Aviv University –Prof. Mooly Sagiv –Eran Yahav –Noam Rinetzky –Greta Yorsh University of Saarbrücken –Prof. Reinhard Wilhelm

Verifying Behavioral Subtyping Anne Mulhern Inheritance of code vs. inheritance of behavior Liskov Substitution Principle: For every object x ’ of type t ’ there is an object x of type t, such that for all programs P defined in terms of t, the behavior of P is unchanged when x ’ is substituted for x. [Liskov 1988] Not enforced by compilers Goal: Build a tool that provides some amount of checking

Why? class FooNode { FooNode next;...  many data members ... }; class Foo { FooNode first; FooNode last; AppendElmt(Datum);...  many members ... }; class ListNode { ListNode next; }; class List { ListNode first; ListNode last; AddToEnd(); }; ??

Abstraction Refinement for TVLA/TVMC Alexey Loginov Identify additional abstraction predicates –Nullary? Unary? –Both can be used to refine an abstraction Need to be able to automatically create update formulas –Finite differencing of formulas [Reps, Sagiv] Semantic minimization of formulas

Semantic Minimization    (A): Value of formula  in assignment A In 3-valued logic,    (A) may equal ½  p + p ’  ([p  0]) = 1  p + p ’  ([p  ½]) = ½  p + p ’  ([p  1]) = 1

Two- vs. Three-Valued Logic 01 Two-valued logic {0,1} {0}{1} Three-valued logic {0}  {0,1} {1}  {0,1}

Two- vs. Three-Valued Logic Two-valued logicThree-valued logic

Two- vs. Three-Valued Logic Three-valued logic 0 1 Two-valued logic {1} {0,1} {0} 1 ½ 0

Two- vs. Three-Valued Logic 01 Two-valued logic {0}{1} Three-valued logic {0,1}

Two- vs. Three-Valued Logic 01 Two-valued logic ½ 01 Three-valued logic 0  ½ 1  ½

1: True 0: False 1/2: Unknown A join semi-lattice: 0  1 = 1/2 Three-Valued Logic   1/2 Information order

Boolean Connectives [Kleene]

Semantic Minimization    (A): Value of formula  in assignment A In 3-valued logic,    (A) may equal ½  p + p ’  ([p  0]) = 1  p + p ’  ([p  ½]) = ½  p + p ’  ([p  1]) = 1

Semantic Minimization    (A): Value of formula  in assignment A In 3-valued logic,    (A) may equal ½  p + p ’  ([p  0]) = 1  p + p ’  ([p  ½]) = ½  p + p ’  ([p  1]) = 1 However,  1  ([p  0]) = 1  1  ([p  ½]) = 1  1  ([p  1]) = 1

Semantic Minimization  1  ([p  0]) = 1 =  p + p ’  ([p  0])  1  ([p  ½]) = 1  ½ =  p + p ’  ([p  ½])  1  ([p  1]) = 1 =  p + p ’  ([p  1]) 2-valued logic: 1 is equivalent to p + p ’ 3-valued logic: 1 is better than p + p ’ For a given , is there a best formula? Yes!

Semantic Minimization Input: Propositional formula  Output: Propositional formula  such that For all 3-valued assignments A,    (A) =     (a) a  A, a definite By the monotonicity of    (),    (A) =     (a)     (A) a  A, a definite

Example Original formula (  ) xy ’ + x ’ z ’ + yz (Note:  is an irredundant sum of products) Minimal formula (  ) y ’ z ’ + yz + x ’ z ’ + x ’ y + xz + xy ’   (x ’ y ’ z + xyz ’ ) For which A’s do we have    (A)     (A)? A    (A)    (A) [x  ½, y  0, z  0] 1 ½ [x  0, y  1, z  ½] 1 ½ [x  1, y  ½, z  1] 1 ½

TVMC: A 3-Valued Model Checker Eran Yahav Programming-language features –concurrency –unbounded #’s of threads –pointers/aliasing –unbounded #’s of heap-allocated cells Properties to be checked –FOLTL (LTL + quantification) –Safety properties –Liveness properties (at least some forms...)

Java Threads Are Heap-Allocated Objects  Thread Analysis  Shape Analysis A memory configuration: thread3 inCritical lock1 isAcquired thread1 atStart thread2 atStart thread4 atStart csLock heldBy

An abstract memory configuration: thread inCritical lock1 isAcquired thread ’ atStart csLock heldBy Java Threads Are Heap-Allocated Objects  Thread Analysis  Shape Analysis

Here, model checking means: Explore the space of possible transitions among abstract memory configurations Java Threads Are Heap-Allocated Objects  Thread Analysis  Shape Analysis

Analysis of ADTs Noam Rinetzky Analysis of ADTs (classes) and their clients Objects summarized by finite-state machines obtained via shape-analysis Example: –Class Queue –Four states of a Queue object: Not allocated Empty Non-empty Error

Analysis of Trees Greta Yorsh Shape analysis of tree-manipulation programs –Binary-search-tree operations –Deutsch-Schorr-Waite tree traversal without a stack Challenges –Garbage-collection marking algorithm that uses Deutsch-Schorr-Waite graph traversal (DSW tree traversal of depth-first-search tree) –Barnes-Hut: uses an oct-tree with chained leaves Improved materialization algorithm for TVLA