/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model Checking

/ PSWLAB Contents Introduction Concurrent Finite-State Systems Concurrent Pushdown Systems Conclusion Thread Modular Model Checking2

/ PSWLAB Introduction 1/8 Designing multithreaded software system is difficult due to subtle interactions among threads operating concurrently on shared data. Model checking is a promising technique for verifying correctness properties of multithreaded software system. However, a multithreaded software system is difficult to model check due to its large state space. Approach  Verify each thread separately using an environment assumption to model interleaved steps of the other threads. –The environment assumption of each thread is a binary relation over the set of global stores. –The environment assumption includes all global store updates that may be performed by other threads Thread Modular Model Checking3

/ PSWLAB Introduction 2/8 Target multithreaded program. –There is a finite number of threads in a system. –There is a finite number of global store in a system. –There is a finite number of local store in each thread. –The multithreaded software system is loosely - coupled. There is little co-relation among the local states of the various threads. –Requirement properties are safety properties. (e.g. assertion, global invariant) Thread Modular Model Checking4

/ PSWLAB Introduction 3/8 Thread-modular model checking overview A guarantee models all global store updates performed by a thread. For a thread, its environment assumption is the disjunction of the guarantees of all the other threads. The guarantee of each thread is initially the empty relation, and is iteratively extended during the model checking process. Each thread is verified using the standard algorithm for sequential model checking except that at each control point of the thread, the global state is allowed to mutate according to the guarantees of the other threads. Whenever a thread modifies the global store, that transition on the global states is added to that thread’s guarantee. The iteration continues until the reachable state space and guarantee of each thread converges Thread Modular Model Checking5

/ PSWLAB Introduction 4/8 Example Simple ( n ) : A multithreaded program with n threads executing procedure p concurrently. Each thread is identified by unique integer value from Tid = {1,…, n }. x : A shared integer variable. Its initial value is 1. m : The mutex which protects the shared variable x. –The type is Mutex = {0} [ Tid. – m is manipulated by two operations: acquire and release. acquire blocks until m =0 and then automatically set m to the identifier of the current thread. release sets m back to 0. For each thread, there is an implicit local variable called pc, the program counter of the thread. –A pc takes values from the set Loc ={1,…,6} of control location. –We denote the program counter of thread tid by pc [ tid ] Thread Modular Model Checking6

/ PSWLAB Introduction 5/8 A simple multithreaded program int x := 1 ; Mutex m := 0 ; void p() { 1:acquire ; 2:x := 0 ; 3: x := 1 ; 4: assert x > 0 ; 5:release ; 6:} Simple ( n ) = p() | … | p() Thread Modular Model Checking7 n times Correctness properties (1) There should be no data race. Error set : 9 i, j 2 Tid. i  j Æ pc [ i ] 2 {2, 3, 4} Æ pc [ j ] 2 {2, 3, 4} (2) The assertion at control location 4 does not fail for any thread. Error set : 9 i 2 Tid. pc [ i ] = 4 Æ x · 0 (3) Every reachable state staisfies the invariant m=0  x = 1. Error set : m = 0 Æ x  1

/ PSWLAB Introduction 6/ Thread Modular Model Checking8 In this program, the domain of global store is ( Mutex £ int ). Thread-modular model checking algorithm computes the guarantee G µ Tid £ ( Mutex £ int ) £ ( Mutex £ int ). –If the thread whose identifier is tid ever takes a step where the global variables is modified from ( m 1, x 1 ) to ( m 2, x 2 ), then ( tid, ( m 1, x 1 ), ( m 2, x 2 )) 2 G. The thread-local reachable set is R µ Tid £ ( Mutex £ int ) £ Loc. –If there is a reachable state where its global store is ( m, x ), and the program counter of thread whose identifier is tid has the value pc, then ( tid, ( m, x ), pc ) 2 R.

/ PSWLAB Introduction 7/ Thread Modular Model Checking9 A simple multithreaded program int x := 1 ; Mutex m := 0 ; void p() { For thread 1 1:acquire ; 2:x := 0 ; 3: x := 1 ; 4: assert x > 0 ; 5:release ; 6:} (tid,, ) (1,, ) (pc, ) (1, ) (2, ) (3, ) (4, ) (5, ) (6, )

/ PSWLAB Introduction 7/ Thread Modular Model Checking10 A simple multithreaded program int x := 1 ; Mutex m := 0 ; void p() { For thread 2 1:acquire ; 2:x := 0 ; 3: x := 1 ; 4: assert x > 0 ; 5:release ; 6:} (1,, ) (1, ) (2, ) (3, ) (4, ) (5, ) (6, ) (2,, ) (1, )

/ PSWLAB Introduction 8/8 Limitation –Thread-modular model checking avoids the overhaed of correlating the local stores of the threads by checking each thread separately. –This approach works if the global store contains sufficient information about the overall system state. If the global store does not contain sufficient information about the overall system state, it may yield false alarms. In previous example, if the value of m is {0, 1}, it reports false alarms. –General approach to alleviate false alarms is to include a suitable abstraction of the local store of each thread in the global store Thread Modular Model Checking11 Ex. int x = 0 ; ThreadA() {ThreadB() { int i = 0 ; for i = 0 to 5 { for i = 0 to 6 { while(x==0) ; while (x == 1) ; x=0 ; } x=1 ; } } assert(x != 1) ; }

/ PSWLAB Concurrent Finite-State Systems 1/5 A concurrent finite-state system consists of a finite number of concurrently executing threads. –The threads communicate through a global store. –Each thread has its own local store. –Each thread has its own thread identifier. A state of the concurrent finite-state system consists of a global store g and a mapping ls from thread identifiers to local stores – ls [ t := l ] denotes a mapping that is identical to ls except that it maps thread identifier t to local store l. Domains Thread Modular Model Checking12

/ PSWLAB Concurrent Finite-State Systems 2/5 The behavior of the individual threads can be modeled as the transition relation T : T µ Tid £ ( GlobalStore £ LocalStore ) £ ( GlobalStore £ LocalStore ) We assume that program execution starts in an initial state Σ 0 = ( g 0, l 0 ). The correctness condition for the program in a system is provided by an error set E µ GlobalStore £ LocalStores. –A state ( g, ls ) is erroneous if E ( g, ls ) is true. –The goal of model checking is to determine if, when started from the initial state Σ 0, the system can reach an erroneous state Thread Modular Model Checking13

/ PSWLAB Concurrent Finite-State Systems 3/5 Standard model checking The least solution R µ State to the following inference rules describes the set of reachable states Thread Modular Model Checking14 Having computed R, it is straightforward to determine if any erroneous state is reachable. - An erroneous state is reachable If there exist g and ls such that R ( g, ls ) Æ E ( g, ls ) The size of R (the space complexity) is O (| GlobalStore | £ | LocalStore | | Tid | ). The time complexity is O (| Tid | £ | GlobalStore | 2 £ | LocalStore | | Tid |+1 ). - For an element R, (BASIC STEP) can be applied | Tid | £ | GlobalStore | £ | LocalStore | times.

/ PSWLAB Concurrent Finite-State Systems 4/5 Thread-modular model checking Under thread-modular model checking, each thread is checked separately, using guarantees that abstract the behavior of interleaved steps of other threads. This algorithm works by computing two relations: – R specifies the reachable states of each thread. R µ Tid £ GlobalStore £ LocalStore – G specifies the guarantee of each thread. G µ Tid £ GlobalStore £ GlobalStore –Inference rules Thread Modular Model Checking15

/ PSWLAB Concurrent Finite-State Systems 5/5 Lemma1. For all global store g and local store maps ls, if R ( g, ls ) then for all thread identifier t, R ( t, g, ls ( t )).  If a software error causes an erroneous state to be reachable, then the thread-modular algorithm will catch that error. 9 g, ls.( E ( g, ls ) Æ R ( g, ls )) ! 9 g, ls.( E ( g, ls ) Æ8 t. R ( t, g, ls ( t ))) Space complexity O (| Tid | £ | GlobalStore | £ | GlobalStore |+| Tid | £ | GlobalStore | £ | LocalStore | ) Time complexity O (| Tid | 2 £ | GlobalStore | 2 £ | LocalStore |+| Tid | £ | GlobalStore | 2 £ | LocalStore | 2 ) Thread Modular Model Checking16 GuaranteeReachable states

/ PSWLAB Concurrent Pushdown Systems 1/6 Realistic software systems are typically constructed using procedures and procedure calls. For this reason, we extend the previous approach to handle concurrent pushdown systems. A state of concurrent pushdown systems consists of a global store, a collection of local stores, and a collection of stacks(one for each thread). Domains Thread Modular Model Checking17

/ PSWLAB Concurrent Pushdown Systems 2/6 We model the behavior of the individual threads using following three relations: Thread Modular Model Checking18 - T models thread steps that do not manipulate the stack. - T + models steps of thread t that push a frame onto the stack. - T - models steps of thread t that pop a frame from the stack The correctness condition is specified by an error set E µ GlobalStore £ LocalStores.

/ PSWLAB Concurrent Pushdown Systems 3/6 Assume that all stacks are empty in the initial state ( ss 0 ) The set of reachable states is defined by the least relation R µ State satisfying the following rules: Thread Modular Model Checking19

/ PSWLAB Concurrent Pushdown Systems 4/6 Although sound and complete model checking of concurrent pushdown systems is undecidable, thread-modular reasoning allows us to model check such systems an conservative yet useful manner. The algorithm works by computing the guarantee relation G and the reachability relation P and Q Thread Modular Model Checking20 - P ( t, g, l, g ’, l ’) holds if (1) ( g, l ) is reachable where l is a local store of t, (2) from any such state, the system can later reach a state with ( g ’, l ’) where l ’ is a local store of t. - Q ( t, g, l, f, g ’, l ’) holds if (1) ( g, l ) is reachable where l is a local store of t, and (2) from any such state, the system can later reach a state with g ’ and l ’ where l ’ is a local store of t, and where the stack is identical to that in first state except that the frame f has been added to it.

/ PSWLAB Concurrent Pushdown Systems 5/6 The relation G, P, Q are defined as the least solution to the following rules Thread Modular Model Checking21

/ PSWLAB Concurrent Pushdown Systems 6/6 Lemma 2 For all global stores g and local store maps ls and stack maps ss, if R ( g, ls, ss ) then for all thread identifier t, there exists some g ’, l ’ such that P ( t, g ’, l ’, g, ls ( t )).  If a software error causes an erroneous state to be reachable, then thread-modular algorithm will catch that error. 9 g, ls, ss. ( E ( g, ls ) Æ R ( g, ls, ss )) ! 9 g, ls. E ( g, ls ) Æ 8 t. 9 g ’, l ’. P ( t, g ’, l ’, g, ls ( t ) ) Space complexity O (| Tid | £ | GlobalStore | 2 £ | LocalStore | 2 £ | Frame |) Time complexity O (| Tid | 2 £ | GlobalStore | 3 £ | LocalStore | 3 £ | Frame |) Thread Modular Model Checking22

/ PSWLAB Conclusion This work presents thread-modular model checking for verifying multithreaded software system. The thread-modular model checking algorithm constructs an abstraction of multithreaded software system using environment assumptions. This technique is particularly effective for the verification of loosely-coupled multithreaded software systems Thread Modular Model Checking23