CS265: Dynamic Partial Order Reduction Koushik Sen UC Berkeley.

Slides:



Advertisements
Similar presentations
POPL'05: Dynamic Partial-Order ReductionCormac Flanagan1 Dynamic Partial-Order Reduction for Model Checking Software Cormac Flanagan UC Santa Cruz Patrice.
Advertisements

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
Distributed Snapshots: Determining Global States of Distributed Systems - K. Mani Chandy and Leslie Lamport.
Openflow App Testing Chao SHI, Stephen Duraski. Motivation Network is still a complex stuff ! o Distributed mechanism o Complex protocol o Large state.
Symbolic Execution with Mixed Concrete-Symbolic Solving
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea
Model Checking Concurrent Software Shaz Qadeer Microsoft Research.
The complexity of predicting atomicity violations Azadeh Farzan Univ of Toronto P. Madhusudan Univ of Illinois at Urbana Champaign.
Effective Static Deadlock Detection
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
ADVERSARIAL MEMORY FOR DETECTING DESTRUCTIVE RACES Cormac Flanagan & Stephen Freund UC Santa Cruz Williams College PLDI 2010 Slides by Michelle Goodstein.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
Ordering and Consistent Cuts Presented By Biswanath Panda.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
Partial Order Reduction for Scalable Testing of SystemC TLM Designs Sudipta Kundu, University of California, San Diego Malay Ganai, NEC Laboratories America.
Expressing Giotto in xGiotto and related schedulability problems Class Project Presentation Concurrent Models of Computation for Embedded Software University.
Multi-core Programming Thread Profiler. 2 Tuning Threaded Code: Intel® Thread Profiler for Explicit Threads Topics Look at Intel® Thread Profiler features.
DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Yang Liu, Jun Sun and Jin Song Dong School of Computing National University of Singapore.
Java Threads 11 Threading and Concurrent Programming in Java Introduction and Definitions D.W. Denbo Introduction and Definitions D.W. Denbo.
Pallavi Joshi* Mayur Naik † Koushik Sen* David Gay ‡ *UC Berkeley † Intel Labs Berkeley ‡ Google Inc.
On Reducing the Global State Graph for Verification of Distributed Computations Vijay K. Garg, Arindam Chakraborty Parallel and Distributed Systems Laboratory.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Mutual Exclusion.
Verification of obstruction-free algorithm with contention management Niloufar Shafiei.
Model Checking Java Programs using Structural Heuristics
Random Testing of Concurrent Programs Prof. Moonzoo Kim Computer Science, KAIST CS492B Analysis of Concurrent Programs.
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
Xusheng Xiao North Carolina State University CSC 720 Project Presentation 1.
jFuzz – Java based Whitebox Fuzzing
Consider the program fragment below left. Assume that the program containing this fragment executes t1() and t2() on separate threads running on separate.
1 Model Checking of Robotic Control Systems Presenting: Sebastian Scherer Authors: Sebastian Scherer, Flavio Lerda, and Edmund M. Clarke.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi State merging, Concolic Execution.
13-1 Chapter 13 Concurrency Topics Introduction Introduction to Subprogram-Level Concurrency Semaphores Monitors Message Passing Java Threads C# Threads.
Effective Static Deadlock Detection Mayur Naik* Chang-Seo Park +, Koushik Sen +, David Gay* *Intel Research, Berkeley + UC Berkeley.
CSE 153 Design of Operating Systems Winter 2015 Midterm Review.
Grigore Rosu Founder, President and CEO Professor of Computer Science, University of Illinois
Effective Static Deadlock Detection Mayur Naik (Intel Research) Chang-Seo Park and Koushik Sen (UC Berkeley) David Gay (Intel Research)
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Ordering of Events in Distributed Systems UNIVERSITY of WISCONSIN-MADISON Computer Sciences Department CS 739 Distributed Systems Andrea C. Arpaci-Dusseau.
Dynamic Symbolic Execution (aka, directed automated random testing, aka concolic execution) Slides by Koushik Sen.
CHESS Finding and Reproducing Heisenbugs in Concurrent Programs
Random Test Generation of Unit Tests: Randoop Experience
Reachability Testing of Concurrent Programs1 Reachability Testing of Concurrent Programs Richard Carver, GMU Yu Lei, UTA.
CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.
Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.
1 Active Random Testing of Parallel Programs Koushik Sen University of California, Berkeley.
24 September 2002© Willem Visser Partial-Order Reductions Reduce the number of interleavings of independent concurrent transitions x := 1 || y :=
runtime verification Brief Overview Grigore Rosu
Threads and Memory Models Hal Perkins Autumn 2011
References [1] LEAP:The Lightweight Deterministic Multi-processor Replay of Concurrent Java Programs [2] CLAP:Recording Local Executions to Reproduce.
Threads and Memory Models Hal Perkins Autumn 2009
Lecture 2 Part 2 Process Synchronization
Reachability testing for concurrent programs
Producing short counterexamples using “crucial events”
CUTE: A Concolic Unit Testing Engine for C
Ch 3.
Presentation transcript:

CS265: Dynamic Partial Order Reduction Koushik Sen UC Berkeley

Solution All paths in the tree are not important for statement reachability  Many paths are equivalent to each other  Prune equivalent paths => Partial Order Reduction Generate inputs along with Partial Order Reduction

Equivalent Paths t1: x = 3 t2: y = 2 Initially x = 0 and y = 0 x=3 y=2 One partial order x=3 y=2 Same partial order Different linear order => Different Path => Equivalent Path x=0, y=0

Independent transitions B and R are independent transitions if 1. they commute: B ∘ R = R ∘ B 2. neither enables nor disables the other B R R B s Example: x = 3 and y = 2 are independent

Existing Approaches Static Partial Order Reduction  Valmari 91, Peled 93, Godefroid 96, SPIN model checkerby Holzmann, Verisoft  Limitation Results in a large dependent relation Pointers -> Whether two pointers point to the same location is determined conservatively (May point-to) Results in over-approximation of the dependency relation Limited POR

Example: static partial-order reduction Global Vars lock m int i1,i2 int x=0 int n=100 char[] a Thread 2 lock(m) i2 := x++ unlock(m) for( ;i2<n; i2+=2) a[i2] := ‘r’ Thread 1 lock(m) i1 := x++ unlock(m) for( ;i1<n; i1+=2) a[i1] := ‘b’ Static analysis gives  i1, i2 are thread-local  x is protected by m  but a[i1] and a[i2] may alias Static POR gives O(n 2 ) explored states and transitions  but only two possible terminating states may-alias (according to static analysis) never alias (in practice)

Dynamic partial-order reduction Static POR relies on static analysis  to yield approximate information about run-time behavior  pointers => coarse information => limited POR => path explosion Dynamic POR  while model checker executes the program, it sees exactly which threads access which locations  use to simultaneously reduce the path space while model-checking

Focus on Race-Detection and Flipping Algorithm Race-Detection and Flipping Algorithm is a simplified form of DPOR

Event (t,l,a)  If thread t executes the statement labeled l and the access type is a  a 2 {w,r,l,u, ? } An execution path  is a sequence of events

Sequential Relation e = (t,l,a) and e’ = (t’,l’,a’) e C e’  e = e', or  t=t’ and e appears before e' in , or  t  t’, t created the thread t’, and e appears before e'' in , where e'' is the fork event on t creating the thread t’, or  there exists an event e'' in  such that e C e'' and e'' C e'. 2: fork(8) e 2 t1t1 t0t0 3: y=2 e 3 4: lock(m) e 4 1: x=1 e 1 5: x=3 e 5 6: unlock(m) e 6 8: lock(m) e 9 9: x=4 e 10 10: unlock(m) e 11 11: y=5 e 12 7: halt e 7 12: halt e 13 e8e8

Causal Relation (Happens-Before Relation) e = (t,l,a) and e’ = (t’,l’,a’) e ¹ e’  e C e’, or  e appears before e' in  and both access a shared memory location m and one of the accesses is update (write, lock acquire, release), or  there exists an event e'' in  such that e ¹ e'' and e'' ¹ e'. ¹ is a partial order relation 2: fork(8) e 2 t1t1 t0t0 3: y=2 e 3 4: lock(m) e 4 1: x=1 e 1 5: x=3 e 5 6: unlock(m) e 6 8: lock(m) e 9 9: x=4 e 10 10: unlock(m) e 11 11: y=5 e 12 7: halt e 7 12: halt e 13 e8e8

Equivalent Paths Definition: Two execution paths are equivalent if they are linearizations of the same partial order Proposition: Exploration of one linear order of each partial order is sufficient for statement reachability

Race Relation Not so strict definition (see paper for the strict definition) e = (t,l,a) and e’ = (t’,l’,a’) e l e’  e ¹ e’  Not (e C e’ or e’ C e)  There exists no e 1 such that e ¹ e 1 and e 1 ¹ e’ Where e 1 is not equal to e or e’ x := 1 y := 2 y := 3 x := 4 Partial Order 1.Events in race relation can be permuted by changing schedule 2.What happens if we have locks? (see paper)

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Execution 1

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { } Execution 1 x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Race Execution 1 x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Race Execution 1 Backtrack Here { } x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Race Execution 1 Backtrack Here x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Execution 2 x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1,t 2 } { t 1 } { } Execution 2 Race x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1,t 2 } { t 1 } { } Execution 2 Race Cannot Backtrack Here x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1,t 2 } { t 1 } { } Execution 2 Race Backtrack Here x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } Execution 2 Race Backtrack Here x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Execution 3 x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { t 2 } { } Execution 3 Race x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { t 2 } { } Execution 3 Race Backtrack Here x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { t 2 } Execution 3 Race Backtrack Here x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { t 2 } { } Execution 4 x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1,t 2 } { } Execution 4 Race Cannot Backtrack Here Done! x := 1 y := 2 y := 3 x := 4 Partial Order

DPOR (POPL 05) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Race Execution 1 { } x := 1 y := 2 y := 3 x := 4 Partial Order Persistent { t 2 } { }

DPOR (POPL 05) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1,t 2 } { t 1 } { } Execution 2 x := 1 y := 2 y := 3 x := 4 Partial Order Persistent { t 1,t 2 } { t 2 } { }

DPOR (POPL 05) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { t 2 } { } Execution 3 x := 1 y := 2 y := 3 x := 4 Partial Order Persistent { t 2 } { t 1 } { }

DPOR (POPL 05) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Execution 4 x := 1 y := 2 y := 3 x := 4 Partial Order Postponed { t 1,t 2 } { } Persistent { t 1,t 2 } { }

DPOR Problem Thread t 1 : 1: x := 1 2: x := 2 Thread t 2 : 1: y := 1 2: x := 3 DPOR (both approaches) explores all 6 execution paths => No reduction Example in the POPL 05 paper has error Think about it Need Sleep Set to obtain reduction

Sleep Set Example

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Execution 1

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { } Execution 1 x := 1 y := 2 y := 3 x := 4 Partial Order Delayed { }

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Race Execution 1 x := 1 y := 2 y := 3 x := 4 Partial Order Delayed { }

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Race Execution 1 { } x := 1 y := 2 y := 3 x := 4 Partial Order Delayed { } Backtrack Here

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Race Execution 1 x := 1 y := 2 y := 3 x := 4 Partial Order Delayed { } Backtrack Here

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Execution 2 x := 1 y := 2 y := 3 x := 4 Partial Order Delayed { } { t 1 } { }

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Execution 2 Race x := 1 y := 2 y := 3 x := 4 Partial Order Delayed { } { t 1 } { } X

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Execution 2 Race x := 1 y := 2 y := 3 x := 4 Partial Order { } { t 1 } { } Nothing to Backtrack Here Delayed X

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Execution 2 Race x := 1 y := 2 y := 3 x := 4 Partial Order { } { t 1 } { } Backtrack Here X

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } Execution 2 Race x := 1 y := 2 y := 3 x := 4 Partial Order Delayed { } { t 1 } { } Backtrack Here X

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Execution 3 x := 1 y := 2 y := 3 x := 4 Partial Order Delayed { t 1 } { } { t 1 }

DPOR (Race-detection and flipping) Example Thread t 1 : 1: x := 1 2: y := 2 Thread t 2 : 1: y := 3 2: x := 4 x := 1 y := 2 y := 3 x := 4 Postponed { t 1 } { } Execution 3 Race x := 1 y := 2 y := 3 x := 4 Partial Order X Delayed { t 1 } { } { t 1 }

jCUTE Key Observation: Concolic execution is ideal for testing concurrent programs with complex data inputs  Use symbolic execution to generate new inputs  Use concrete execution to perform partial order reduction ?

jCUTE Key Observation: Concolic execution is ideal for testing concurrent programs with complex data inputs  Use symbolic execution to generate new inputs  Use concrete execution to perform partial order reduction Explore “Interesting” thread schedules or total orders  Where to perform context switches?  How to perform context switches? ?

jCUTE Key Observation: Concolic execution is ideal for testing concurrent programs with complex data inputs  Use symbolic execution to generate new inputs  Use concrete execution to perform partial order reduction Explore “Interesting” thread schedules or total orders  Where to perform context switches?  Detect data race and lock race  How to perform context switches?  Hijack the scheduler using semaphores  Insert semaphores through instrumentation ?

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR;

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set { }

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  3, z  17x  3, z  z 0 { }{ } { }

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 x :=2 Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  3, z  17x  3, z  z 0 x  2, z  17x  2, z  z 0 { t 1 } { }

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 x :=2 2*z+1 ==x Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  3, z  17x  3, z  z 0 x  2, z  17x  2, z  z 0 x  2, z  17x  2, z  z 0 { t 1 } { } 2*z 0 +1!=2

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 x :=2 2*z+1 ==x Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  3, z  17x  3, z  z 0 x  2, z  17x  2, z  z 0 x  2, z  17x  2, z  z 0 { t 1 } { } 2*z 0 +1!=2 Backtrack Here Solve: 2*z 0 +1=2 No Solution

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 x :=2 2*z+1 ==x Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  3, z  17x  3, z  z 0 x  2, z  17x  2, z  z 0 x  2, z  17x  2, z  z 0 { t 1 } Backtrack Here

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set { t 1 }

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=2 Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  2, z  17x  2, z  z 0 { t 1 } { }

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=2 2*z+1 ==x Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  2, z  17x  2, z  z 0 x  2, z  17x  2, z  z 0 { t 1 } { } 2*z 0 +1!=2

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 x :=2 2*z+1 ==x Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  2, z  17x  2, z  z 0 x  2, z  17x  2, z  z 0 x  3, z  17x  3, z  z 0 { t 1 } { t 2 } { } 2*z 0 +1!=2

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 x :=2 2*z+1 ==x Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  2, z  17x  2, z  z 0 x  2, z  17x  2, z  z 0 x  3, z  17x  3, z  z 0 { t 1 } { t 2 } { } 2*z 0 +1!=2 Backtrack Here Solve: 2*z 0 +1=2 No Solution

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 x :=2 2*z+1 ==x Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  2, z  17x  2, z  z 0 x  2, z  17x  2, z  z 0 x  3, z  17x  3, z  z 0 { t 1 } { t 2 } Backtrack Here

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set { t 1 } { t 2 }

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=2 Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  2, z  17x  2, z  z 0 { t 1 } { t 2 }

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 x :=2 Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  2, z  17x  2, z  z 0 x  3, z  17x  3, z  z 0 { t 1,t 2 } { t 2 } { }

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 x :=2 2*z+1 ==x Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  2, z  17x  2, z  z 0 x  3, z  17x  3, z  z 0 x  3, z  17x  3, z  z 0 { } 2*z 0 +1!=3 { t 1,t 2 }

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 x :=2 2*z+1 ==x Concrete State x  0, z  17x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  2, z  17x  2, z  z 0 x  3, z  17x  3, z  z 0 x  3, z  17x  3, z  z 0 { } 2*z 0 +1!=3 Backtrack Here Solve: 2*z 0 +1=3 Solution: z = 1 { t 1,t 2 }

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; Concrete State x  0, z  1x  0, z  z 0 Symbolic State Path Constraint + Postponed Set { } { t 1,t 2 }

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 x :=2 2*z+1 ==x Concrete State x  0, z  1x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  2, z  1x  2, z  z 0 x  3, z  1x  3, z  z 0 x  3, z  1x  3, z  z 0 { } 2*z 0 +1=3 { t 1,t 2 } ERROR { }

jCUTE Example z = input(); Thread t 1 : 1: x := 3 Thread t 2 : 1: x := 2 2: if (2*z + 1 == x) 3:ERROR; x :=3 x :=2 2*z+1 ==x Concrete State x  0, z  1x  0, z  z 0 Symbolic State Path Constraint + Postponed Set x  2, z  1x  2, z  z 0 x  3, z  1x  3, z  z 0 x  3, z  1x  3, z  z 0 { } 2*z 0 +1=3 { t 1,t 2 } ERROR { } Nothing to Backtrack

Race Detection Dynamic Vector Clock Algorithm [FSE’03,TACAS’04] Vector clock V : Threads ! Nat V i be vector clock for each thread t i. V x a and V x w vector clocks for each shared variable x. Algorithm: 1. if e i k is a shared memory access, then V i [i] à V i [i] if e i k is a read of a variable x then V i à max{V i,V x w } V x a à max{V x a,V i } 3. if e i k is a write of a variable x then V x w à V x a à V i à max{V x a,V i } Lemma: For any two events e ¹ e’ iff V e · V e’

Race Flipping: Hijack Thread Scheduler Ensure that only one thread is executing Create a tester thread (t sched ) Associate a semaphore sem(t) with each thread t Before any shared memory access by t  release control to the tester thread V(sem(t sched )); P(sem(t)); Tester thread schedules a thread t V(sem(t)); P(sem(t sched ));

jCUTE jCUTE can test multi-threaded Java programs URL: Next generation testing tools  Combines Testing and Model-Checking jCUTE supports generation of JUnit test cases The tools also support replay of a buggy execution

Sun Microsystem’s JDK 1.4 Library java.util package provides thread-safe data-structure classes  LinkedList, ArrayList, HashSet, TeeMap, etc. Widely used Found previously undocumented concurrency related problems  Data race, Infinite Loop, Uncaught Exceptions, and Deadlocks List l1 = Collections.synchronizedList(new LinkedList()); List l2 = Collections.synchronizedList(new LinkedList()); l1.add(null); l2.add(null); // Create two threads // let thread 1 run l1.clear(); // let thread 2 run l2.containsAll(l1) ;

Name Runtime in seconds # of Paths # of Threads % Branch Coverage # of Functions Tested # of Bugs Found data races+ deadlocks+ infinite loops+ exceptions Vector ArrayList LinkedList LinkedHash Set TreeSet HashSet Sun Microsystem’s JDK 1.4 Library

Honeywell’s DEOS real-time scheduling kernel Operating system developed for use in small business aircraft  jCUTE found the subtle time-partitioning error in < 1 minute Java Pathfinder from NASA Ames ran out of memory on the original program  Had to test manually created abstraction  Took 11 minutes to discover the same error in the abstraction

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.