Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties."— Presentation transcript:

1 1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University yahave@post.tau.ac.il http://www.cs.tau.ac.il/~yahave Verifying Safety Properties of Concurrent Java Programs Using 3-Valued Logic

2 2 Introduction Goal: Verification of concurrent Java programs Support the following  Java concurrency-model  Dynamic allocation/deallocation of objects  Dynamic allocation/deallocation of threads

3 3 Why Verify Java Programs? Concurrency is hard to debug  deadlocks  interference  dependence on thread scheduling  failures hard to reproduce Concurrent Programming in Java  low-level constructs  no compile-time or run-time checks

4 4 Java Concurrency Threads and locks are just dynamically allocated objects synchronized implements mutual exclusion wait, notify and notifyAll coordinate activities across threads

5 5 Java Concurrency Challenges Dynamic allocation Data and control are strongly related  Thread-scheduling info may require understanding of heap structure (e.g., scheduling queue)  Heap analysis requires information on thread scheduling Thread t1 = new Thread(); Thread t2 = new Thread(); … if (…) t = t1 else t = t2; t.start();

6 6 Model Checking Approach Explore the space of possible program configurations Find configurations that violate the desired safety property How do you guarantee finiteness ?

7 7 l_0: while (true) { l_1:synchronized(sharedLock) { l_C:// critical actions l_2:} l_3: } Two threads: (pc 1,pc 2,lockAcquired 1,lockAcquired 2 ) Example - Mutual Exclusion Allocate new lock ? Allocate new thread ?

8 8 Existing Approaches for Dynamic Allocation dSPIN, Java pathfinder, Bandera,  All put an a priori bound on number of allocated objects Abstraction applied when model is extracted

9 9 Existing Approaches for Dynamic Allocation Will fail on many interesting programs Example: http server  Creates a thread for each http request  Threads using exclusive shared resource  Show mutual exclusion R T T R T R

10 10 Existing Approaches for Dynamic Allocation Challenges  Guaranteed correctness vs. assumed correctness  Correctly track thread states R T T R T R R T T R T R T R

11 11 Our Approach Abstract configurations (conservatively) represent multiple program configurations Compute a finite set of abstract configurations modeling program behavior  Every potential concrete configuration is represented  Superfluous configurations might be represented too Check property for every computed abstract configuration

12 12 Plan Concrete Program Model Safety Properties Abstract Program Model Prototype implementation (3VMC) Summary

13 13 Program Model Interleaving model of concurrency Program is a collection of thread-type transition systems

14 14 Configurations A program configuration encodes:  global store  program-location of every thread  status of locks and threads First-order logical structures used to represent program configurations

15 15 Configurations is_thread at[l_C] rval[this] held_by blocked is_thread at[l_1] rval[this] is_thread at[l_0] is_thread at[l_0] is_thread at[l_1] rval[this] blocked

16 16 Configurations Predicates model properties of interest  is_thread  { at[lab](t) : lab  Labels }  { rval[fld](o 1,o 2 ) : fld  Fields }  held_by(l,t)  blocked(t,l)  waiting(t,l) Can use the framework with different predicates

17 17 Configurations Program control-flow is not separately represented Program location for each thread is encoded inside the configuration  { at[lab](t) : lab  Labels }

18 18 Structural Operational Semantics - actions An action consists of:  precondition formula  update formulae Precondition formula may use a free variable t s for “currently scheduled” thread Semantics is non-deterministic

19 19 Structural Operational Semantics - actions lock(v)  t  t s : rval[v](t s,l)  held_by(l,t) held_by’(l 1,t 1 ) = held_by(l 1,t 1 )  (l 1 = l  t 1 = t s ) blocked’ (t 1,l 1 ) = blocked(t 1,l 1 )  ((l 1  l)  (t 1  t s )) precondition predicate update

20 20 Initialize(C 0 ) { for each C  C 0 push(stack,C) } explore() { while stack is not empty { C = pop(stack) if not member(C,stateSpace) { verify(C) stateSpace = stateSpace  {C} for each action ac for each C’ such that C  ac C’ push(stack,C’) } State Space Exploration

21 21 Safety Properties Configuration-local property as logical formula Example: no total deadlock  t,  l b : is_thread(t)   blocked(t, l b )  t 1,t 2 : (t 1  t 2 )   (at[l crit ](t 1 )  at[l crit ](t 2 )) Example: mutual exclusion

22 22 Abstract Program Model Conservative representation of the concrete model Use 3-valued logical structures to conservatively represent multiple 2-valued structures Conservatively apply actions on abstract configurations

23 23 Abstract Configurations First-order 3-valued logical structures are used to represent abstract program configurations 3-valued logic  1 = true  0 = false  1/2 = unknown  A join semi-lattice, 0  1 = 1/2

24 24 Concrete Configuration is_thread at[l_C] rval[this] held_by blocked is_thread at[l_1] rval[this] is_thread at[l_0] is_thread at[l_0] is_thread at[l_1] rval[this] blocked

25 25 Abstract Configuration is_thread at[l_C] rval[this] held_by blocked is_thread at[l_1] rval[this] is_thread at[l_0]

26 26 Canonic Abstraction Merge all nodes with the same unary predicate values into a single summary node Join predicate values Converts a configuration of arbitrary size into a 3-valued abstract configuration of bounded size

27 27 Abstract Semantics Conservatively model the effect of an action  use same formulae as in concrete semantics  soundness is guaranteed by [SRW99] Use same state-space exploration algorithm to explore the abstract state space

28 28 Unbounded Number of Threads Exploit state-space symmetry Previous work defined symmetry between process names (indices) Thread location = thread property Canonic names = symmetry between properties

29 29 Example - Mutual Exclusion is_thread at[l_0] rval[this] Initial configuration

30 30 Example - Mutual Exclusion is_thread at[l_0] rval[this] is_thread at[l_C] rval[this] held_by A thread enters the critical section

31 31 Example - Mutual Exclusion is_thread at[l_1] rval[this] is_thread at[l_C] rval[this] held_by blocked Other threads may be blocked or just beginning execution is_thread at[l_0] rval[this]

32 32 Safety Properties Revisited RW interference WW interference Total deadlock Nested monitors Illegal thread interactions

33 33 Prototype Implementation 3VMC Used to verify several small example programs  concurrent stack  queue  two-lock queue [PODC96]  dining philosophers only intraprocedural no optimizations used

34 34 Further Work Optimizations  Partial-order reduction  Symbolic representations (BDDs) Liveness properties Providing counter examples

35 35 Summary

36 36 http://www.cs.tau.ac.il/~yahave

Download ppt "1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Concurrency: Mutual Exclusion and Synchronization Chapter 5.

Concurrency: Mutual Exclusion and Synchronization Chapter 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.

Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Chapter 6 Process Synchronization Bernard Chen Spring 2007.

Chapter 6 Process Synchronization Bernard Chen Spring 2007.
Chapter 6: Process Synchronization

Chapter 6: Process Synchronization
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.
Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.

Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Monitors Chapter 7. The semaphore is a low-level primitive because it is unstructured. If we were to build a large system using semaphores alone, the.

Monitors Chapter 7. The semaphore is a low-level primitive because it is unstructured. If we were to build a large system using semaphores alone, the.
Designing a thread-safe class  Store all states in public static fields  Verifying thread safety is hard  Modifications to the program hard  Design.

Designing a thread-safe class  Store all states in public static fields  Verifying thread safety is hard  Modifications to the program hard  Design.
CS444/CS544 Operating Systems Synchronization 2/16/2006 Prof. Searleman

CS444/CS544 Operating Systems Synchronization 2/16/2006 Prof. Searleman
1 Lecture 08(a) – Shape Analysis – continued Lecture 08(b) – Typestate Verification Lecture 08(c) – Predicate Abstraction Eran Yahav.

1 Lecture 08(a) – Shape Analysis – continued Lecture 08(b) – Typestate Verification Lecture 08(c) – Predicate Abstraction Eran Yahav.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
© Andy Wellings, 2004 Roadmap  Introduction  Concurrent Programming  Communication and Synchronization  Completing the Java Model  Overview of the.

© Andy Wellings, 2004 Roadmap  Introduction  Concurrent Programming  Communication and Synchronization  Completing the Java Model  Overview of the.
1 Verifying Temporal Heap Properties Specified via Evolution Logic Eran Yahav, Tom Reps, Mooly Sagiv and Reinhard Wilhelm

1 Verifying Temporal Heap Properties Specified via Evolution Logic Eran Yahav, Tom Reps, Mooly Sagiv and Reinhard Wilhelm

Similar presentations

Ads by Google