Presentation is loading. Please wait.

Presentation is loading. Please wait.

Java PathRelaxer: Extending JPF for JMM-Aware Model Checking Huafeng Jin, Tuba Yavuz-Kahveci, and Beverly Sanders Computer and Information Science and.

Published byDavin Bridgewater Modified over 10 years ago

Similar presentations

Presentation on theme: "Java PathRelaxer: Extending JPF for JMM-Aware Model Checking Huafeng Jin, Tuba Yavuz-Kahveci, and Beverly Sanders Computer and Information Science and."— Presentation transcript:

1 Java PathRelaxer: Extending JPF for JMM-Aware Model Checking Huafeng Jin, Tuba Yavuz-Kahveci, and Beverly Sanders Computer and Information Science and Engineering University of Florida

2 Contents  Memory Model  The Java Memory Model  Algorithm  Implementation  Experience  Conclusion

3 Contents  Memory Model  The Java Memory Model  Algorithm  Implementation  Experience  Conclusion

4  Specifies “which value each read of a memory location may return”.  Sequentially consistent (SC) memory model  Memory actions must execute one at a time in a single total single order  Read always see the value of the most recent write to that memory location.  Relaxed memory models  PSO, TSO, Java Memory Model (JMM), etc. Memory Model

5  Specifies “which value each read of a memory location may return”.  Sequentially consistent (SC) memory model  Memory actions must execute one at a time in a single total single order  Read always see the value of the most recent write to that memory location.  Relaxed memory models  PSO, TSO, Java Memory Model (JMM), etc. Memory Model JPF assumes SC memory model

6 Example Intially, x = 0, done = false Intially, x = 0, done = false SCMM r == 1 Thread-1Thread-2 x = 1; done = true; while (!done){/*spin*/} r = x;

7 Example Intially, x = 0, done = false Intially, x = 0, done = false Thread-1Thread-2 x = 1; done = true; while (!done){/*spin*/} r = x; SCMM r == 1 JMM r == 0 ˅ r == 1

8 Java’s String class public final class String{ private final char value[]; private final int offset; private final int count; private int hash; //default 0 … public int hashCode(){ int h = hash, len = count; //read of hash if (h == 0 && len > 0){ … /*calculate hash code locally and assign to h*/ hash = h; //write of hash } return h; }  Data race is benign in both SC MM and JMM

9 Another Version public final class String{ private final char value[]; private final int offset; private final int count; private int hash; //default 0 … public int hashCode(){ int h = hash, len = count; //read of hash if (h == 0 && len > 0){ … /*calculate hash code locally and assign to h*/ hash = h; //write of hash } h = hash; //read of hash return h; }  Benign in SC MM but not benign in JMM

10 Another Version public final class String{ private final char value[]; private final int offset; private final int count; private int hash; //default 0 … public int hashCode(){ int h = hash, len = count; //read of hash if (h == 0 && len > 0){ … /*calculate hash code locally and assign to h*/ hash = h; //write of hash } h = hash; //read of hash return h; }  Benign in SC MM but not benign in JMM Return hash code or 0

11  JPF: generates executions under SC memory model.  JPR: generates executions under an overapproximation of JMM. Extending JPF

12 Contents  Memory Model  The Java Memory Model  Algorithm  Implementation  Experience  Conclusion

13  SC memory model:  Read sees most recent write to that location.  Java memory model:  Read sees any write (past/future) to that location provided the execution is  Well-formed  Meets causality constraints Overview of JMM

14  Action (memory related)  Action (memory related)  Non-synchronization actions:  non-volatile write, non-volatile read  Synchronization actions:  volatile write, volatile read, lock, unlock, thread start, thread join, … JMM Action tThread ID kAction kind (volatile read/write, non-volatile read/write, lock/unlock, thread start, thread join …) vVariable/monitor uUnique action ID

15  Execution E  Execution E JMM Execution AFinite set of actions PProgram ≤ po Program order, a partial order over A based on each thread’s sequence. ≤ so Synchronization order, a total order over all the synchronization actions in A WWrite-seen function, maps each read action to the write action it sees VValue-written function, maps each write action to the value it writes

16  A partial order over actions with regard to ≤ so Synchronizes-with Order ≤ sw unlock(x) ≤ sw subsequent lock(x) volatile write(x)subsequent volatile read(x) start thread t1 st action of thread t Write of default value1 st action in each thread

17  A partial order over actions by taking transitive closure of ≤ po and ≤ sw Initially, x == 0 ⋀ done == false, done is volatile Happens-before Order ≤ hb Thread-1Thread-2 x = 1; done = true while (!done){/*spin*/} r = x; ≤ po ≤ sw

18 Thread-1Thread-2 x = 1; done = true while (!done){/*spin*/} r = x;  A partial order over actions by taking transitive closure of ≤ po and ≤ sw Initially, x == 0 ⋀ done == false, done is volatile Happens-before Order ≤ hb ≤ po ≤ sw ≤ hb

19  In an execution Data Race Thread-1: … Write … Thread-2: … Read … x ≤ hb

20  A program: If all the SC executions are free of data races, it is Data-Race-Free program (DRF). If all the SC executions are free of data races, it is Data-Race-Free program (DRF).  DRF Guarantee:  Any legal execution of DRF program is SC. Data Race Free

21  For all reads r of variable v, it cannot be  r ≤ hb W(r)  W(r) ≤ hb w ≤ hb r (w writes to v) Well-formed Execution

22  r can only be 1, not 0 Initially, x == 0 ⋀ done == false, done is volatile Example Thread-1Thread-2 x = 1; done = true while(!done) {/*spin*/} r = x; ≤ po ≤ sw If read x = 0, then there is an interleaving write x = 1.

23 An execution E with ≤ hb is legal if there is a finite sequence of set of actions C i and well- formed executions E i with ≤ hbi and ≤ swi such that C 0 = ∅, C i ⊆ C i-1 for all i > 0, ∪ C i = A, and for each i > 0 the following rules are satisfied: An execution E with ≤ hb is legal if there is a finite sequence of set of actions C i and well- formed executions E i with ≤ hbi and ≤ swi such that C 0 = ∅, C i ⊆ C i-1 for all i > 0, ∪ C i = A, and for each i > 0 the following rules are satisfied: Causality Rules (complicated)

24 An execution E with ≤ hb is legal if there is a finite sequence of set of actions C i and well- formed executions E i with ≤ hbi and ≤ swi such that C 0 = ∅, C i ⊆ C i-1 for all i > 0, ∪ C i = A, and for each i > 0 the following rules are satisfied: An execution E with ≤ hb is legal if there is a finite sequence of set of actions C i and well- formed executions E i with ≤ hbi and ≤ swi such that C 0 = ∅, C i ⊆ C i-1 for all i > 0, ∪ C i = A, and for each i > 0 the following rules are satisfied: Causality Rules (complicated) E → E 1 → E 2 → … → E i ∅ C1C1 C2C2 C i-1 Justify

25  Causality Rules:  Rules out out-of-thin-air values  Example: Initially, x == y == 0, x and y are non-volatile r1 == r2 == 42 is out-of-thin-air value r1 == r2 == 42 is out-of-thin-air value Out-of-thin-air Value Thread-1Thread-2 r1 = x;r2 = y; y = r1;x = r2;

26 Contents  Memory Model  The Java Memory Model  Algorithm  Implementation  Experience  Conclusion

27  Fixed-point semantics  Overapproximation of JMM  WriteSet JPR Overview WriteSet Write: add values to Read: Pick value from JPF

28 Structure of JPR JPR Driver JPFJMMListener WriteSet old WriteSet new Events Iterative calls Bytecode of the target program

29  JPF’s state representation is extended with the following metadata: Metadata WriteSetMemLoc → 2 Aid × Val Collect write values ActionSet2 Action Current set of actions HBSet2 Aid × Aid Collect ≤ hb relations ImposeSet2 Aid × Val Rule out some out-of-thin-air values ReadAid → Aid × ValRecord W(r) and V(W(r)) WriteAid → ValRecord V(w)

30 Initially, x == y == 0, x and y are non-volatile. Under JMM, r1 == 1 ⋀ r2 == 1 is possible. Example Thread-1Thread-2 r1 = x;r2 = y; y = 1;x = 1;

31 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = { }, WS(y) = { } IS = ∅ 1 st iteration GWS = ∅ init

32 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = { }, WS(y) = { } IS = ∅ R(A1) =, legal past read A1; r1 = x; 1 st iteration initA1

33 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = { }, WS(y) = {, } IS = ∅, R(A1) = A1; r1 = x; A2: y = 1; 1 st iteration initA1A2

34 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = { }, WS(y) = {, } IS = ∅, R(A1) = A1; r1 = x; A2: y = 1; B1: r2 = y; 1 st iteration init A1A2 B1

35 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = { }, WS(y) = {, } IS = ∅, R(A1) =, R(B1) = legal past read A1; r1 = x; A2: y = 1; B1: r2 = y; 0 1 st iteration init A1A2 B1

36 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = {, }, WS(y) = {, } IS = ∅, R(A1) =, R(B1) = A1; r1 = x; A2: y = 1; B1: r2 = y; 0 B2: x = 1; r1 = 0, r2 = 0 1 st iteration init A1A2 B1B2

37 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = {, }, WS(y) = {, } IS = ∅, R(A1) =, R(B1) = legal past read A1; r1 = x; A2: y = 1; B1: r2 = y; 0 B2: x = 1; 1 1 st iteration init A1A2 B1

38 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 A1; r1 = x; A2: y = 1; B1: r2 = y; 0 B2: x = 1; r1 = 0, r2 = 1 1 WS(x) = {, }, WS(y) = {, } IS = ∅, R(A1) =, R(B1) = 1 st iteration init A1A2 B1B2

39 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 A1; r1 = x; A2: y = 1; B1: r2 = y; 0 B2: x = 1; 1 B1: r2 = y; WS(x) = { }, WS(y) = { } IS = ∅, R(A1) =, R(B1) = 0 legal past read 1 st iteration init A1 B1

40 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 A1; r1 = x; A2: y = 1; B1: r2 = y; 0 B2: x = 1; 1 B1: r2 = y; A2: y = 1; WS(x) = { }, WS(y) = {, } IS = ∅, R(A1) =, R(B1) = 1 st iteration init A1A2 B1

41 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 A1; r1 = x; A2: y = 1; B1: r2 = y; 0 B2: x = 1; 1 B1: r2 = y; A2: y = 1; B2: x = 1; WS(x) = {, }, WS(y) = {, } IS = ∅, R(A1) =, R(B1) = r1 = 0, r2 = 0 1 st iteration init A1A2 B1B2

42 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 A1; r1 = x; A2: y = 1; B1: r2 = y; 0 B2: x = 1; 1 B1: r2 = y; A2: y = 1; B2: x = 1; A2: y = 1; WS(x) = {, }, WS(y) = {, } IS = ∅, R(A1) =, R(B1) = r1 = 0, r2 = 0 1 st iteration init A1A2 B1B2

43 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 A1; r1 = x; A2: y = 1; B1: r2 = y; 0 B2: x = 1; 1 B1: r2 = y; A2: y = 1; B2: x = 1; A2: y = 1; B1: r2 = y; WS(x) = { }, WS(y) = { } IS = ∅ R(B1) = legal past read 1 st iteration initB1

44 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 A1; r1 = x; A2: y = 1; B1: r2 = y; 0 B2: x = 1; 1 B1: r2 = y; A2: y = 1; B2: x = 1; A2: y = 1; B1: r2 = y; A1; r1 = x; WS(x) = { }, WS(y) = { } IS = ∅ R(B1) =, R(A1) = legal past read 1 st iteration init A1 B1

45 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 A1; r1 = x; A2: y = 1; B1: r2 = y; 0 B2: x = 1; 1 B1: r2 = y; A2: y = 1; B2: x = 1; A2: y = 1; B1: r2 = y; A1; r1 = x; A2: y = 1; B2: x = 1; A2: y = 1; r1 = 0, r2 = 0 1 st iteration

46 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 A1; r1 = x; A2: y = 1; B1: r2 = y; 0 B2: x = 1; 1 B1: r2 = y; A2: y = 1; B2: x = 1; A2: y = 1; B1: r2 = y; A1; r1 = x; A2: y = 1; B2: x = 1; A2: y = 1; B2: x = 1; A1; r1 = x; 0 A2: y = 1; 1 r1 = 0, r2 = 1 1 st iteration

47 r1 = 0, r2 = 1 The WriteSet collected after 1 st iteration is GWS(x) = {, } GWS(y) = {, } It is passed to the 2 nd iteration init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1;

48 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = {, }, WS(y) = {, } IS = ∅ 2 nd iteration GWS(x) = {, } GWS(y) = {, } init

49 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = {, }, WS(y) = {, } IS = ∅ 2 nd iteration A1: r1 = x; initA1

50 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = {, }, WS(y) = {, } IS = { }, R(A1) = potential future read 2 nd iteration A1: r1 = x; 0 1 … initA1

51 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = {, }, WS(y) = {, } IS = { }, R(A1) = 2 nd iteration A1: r1 = x; 0 1 A2: y = 1; … initA1A2

52 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = {, }, WS(y) = {, } IS = { }, R(A1) = 2 nd iteration A1: r1 = x; 0 1 A2: y = 1; B1: r2 = y; … init A1A2 B1

53 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = {, }, WS(y) = {, } IS = { }, R(A1) =, R(B1) = 2 nd iteration A1: r1 = x; 0 1 A2: y = 1; B1: r2 = y; 01 … … init A1A2 B1

54 init: x = 0, y = 0; Thread-1Thread-2 A1: r1 = x;B1: r2 = y; A2: y = 1;B2: x = 1; init: x = 0, y = 0 WS(x) = {, }, WS(y) = {, } IS = { }, justified R(A1) =, R(B1) = 2 nd iteration A1: r1 = x; 0 1 A2: y = 1; B1: r2 = y; 01 B2: x = 1; … … r1 = 1, r2 = 1 init A1A2 B1B2

55  3 rd iteration generates the same global WriteSet as 2 nd iteration, so a fixed-point is reached.  Possible outcomes running JPR:  r1 == 0 ⋀ r2 == 0  r1 == 0 ⋀ r2 == 1  r1 == 1 ⋀ r2 == 0  r1 == 1 ⋀ r2 == 1 Example

56 Contents  Memory Model  The Java Memory Model  Algorithm  Implementation  Experience  Conclusion

57  JRF (Java Racefinder) is a JPF extension used to precisely detect data races.  Kyunghee Kim, Eric Mercer, Neha Rungta, Tuba Yavuz-Kahveci, Beverly Sanders  http://babelfish.arc.nasa.gov/trac/jpf/wiki/proje cts/jpf-racefinder Working with JRF

58  Data Race Free (DRF) Guarantee  For DRF programs, model checking under SC memory model is enough.  JPF is sufficient, no need to run JPR. Working with JRF

59 JRF JPF JPR DRF? Y DRF? N

60 Contents  Memory Model  The Java Memory Model  Algorithm  Implementation  Experience  Conclusion

61  Group 1  tc1 – tc20 from JMM causality test cases http://www.cs.umd.edu/~pugh/java/memoryModel/unified Proposal/testcases.html  Group 2  Benign data races (hash code, is prime)  Group 3  Harmful data races (dcl, peterson, dekker) Testing Suites

62 Experiment Results Test Cases Time (milliseconds)

63 Experiment Results Test Cases Time (milliseconds) JPR takes much longer time than JPF:  Iterations  Data choice generators

64 Experiment Results Test Cases Number of states

65 Contents  Memory Model  The Java Memory Model  Algorithm  Implementation  Experience  Conclusion

66  JPR:  Applies a fixed-point based semantic  Adds non-SC behaviors into JPF  Generates an overapproximiation of JMM Conclusion

67

Download ppt "Java PathRelaxer: Extending JPF for JMM-Aware Model Checking Huafeng Jin, Tuba Yavuz-Kahveci, and Beverly Sanders Computer and Information Science and."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Symbolic Execution with Mixed Concrete-Symbolic Solving

Symbolic Execution with Mixed Concrete-Symbolic Solving
Practical techniques & Examples

Practical techniques & Examples
Synchronization. How to synchronize processes? – Need to protect access to shared data to avoid problems like race conditions – Typical example: Updating.

Synchronization. How to synchronize processes? – Need to protect access to shared data to avoid problems like race conditions – Typical example: Updating.
Runtime Verification Ali Akkaya Boğaziçi University.

Runtime Verification Ali Akkaya Boğaziçi University.
Memory Models (1) Xinyu Feng University of Science and Technology of China.

Memory Models (1) Xinyu Feng University of Science and Technology of China.
Relaxed Consistency Models. Outline Lazy Release Consistency TreadMarks DSM system.

Relaxed Consistency Models. Outline Lazy Release Consistency TreadMarks DSM system.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
CS 162 Memory Consistency Models. Memory operations are reordered to improve performance Hardware (e.g., store buffer, reorder buffer) Compiler (e.g.,

CS 162 Memory Consistency Models. Memory operations are reordered to improve performance Hardware (e.g., store buffer, reorder buffer) Compiler (e.g.,
Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,

Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.

D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.
Chapter 6: Process Synchronization

Chapter 6: Process Synchronization
Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.

Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 5: Process Synchronization.
Process Synchronization. Module 6: Process Synchronization Background The Critical-Section Problem Peterson’s Solution Synchronization Hardware Semaphores.

Process Synchronization. Module 6: Process Synchronization Background The Critical-Section Problem Peterson’s Solution Synchronization Hardware Semaphores.
PARTIAL-COHERENCE ABSTRACTIONS FOR RELAXED MEMORY MODELS Presented by Michael Kuperstein, Technion Joint work with Martin Vechev, IBM Research and Eran.

PARTIAL-COHERENCE ABSTRACTIONS FOR RELAXED MEMORY MODELS Presented by Michael Kuperstein, Technion Joint work with Martin Vechev, IBM Research and Eran.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
ADVERSARIAL MEMORY FOR DETECTING DESTRUCTIVE RACES Cormac Flanagan & Stephen Freund UC Santa Cruz Williams College PLDI 2010 Slides by Michelle Goodstein.

ADVERSARIAL MEMORY FOR DETECTING DESTRUCTIVE RACES Cormac Flanagan & Stephen Freund UC Santa Cruz Williams College PLDI 2010 Slides by Michelle Goodstein.

Similar presentations

Ads by Google