Presentation is loading. Please wait.

Presentation is loading. Please wait.

Parameterized Verification of Thread-safe Libraries Thomas Ball Sagar Chaki Sriram K. Rajamani.

Published byDiana Edwina Lloyd Modified over 9 years ago

Similar presentations

Presentation on theme: "Parameterized Verification of Thread-safe Libraries Thomas Ball Sagar Chaki Sriram K. Rajamani."— Presentation transcript:

1 Parameterized Verification of Thread-safe Libraries Thomas Ball Sagar Chaki Sriram K. Rajamani

2 Outline Motivation Context – SLAM Models: LGFSMs and PLS Reachability for PLS Beacon and Rockall

3 Motivation Object-oriented (O-O) design very common Libraries export a set of classes Internal state maintained via member variables Multithreading becoming more prevalent O-O libraries designed to be thread-safe Usually via some locking mechanism How can you check if your library is thread safe?

4 Stack of integers class IntStack { private: public: }; int *Data;int Size; void Push(int newTop) { Data[Size++] = newTop; } int Pop(void) { if(Size > 0) return Data[--Size]; else return –1; }

5 Making it thread-safe class IntStack { private: int *Data; int Size; public: void Push(int newTop) { Data[Size++] = newTop; } }; mutex Lock; Lock.lock(); Lock.unlock();

6 The eternal question So you have made it thread-safe.. eh ! How do you know ?

7 More precisely … How do you know the value of Size is always non-negative ? Ok … let us make it simpler … Assuming at most two threads can access the stack simultaneously, how do you answer the above question ?

8 That’s easy … main() Push() Pop() Size main() Push() Pop() main calls Push and Pop non-deterministically Push and Pop manipulate Size Allow lock and unlock operations Verify AG(Size >= 0) Thread 1Thread 2Shared

9 Can we model check this? Will not work in general Specifically if you allow recursion Not even with just two threads Not even with just boolean variables The problem is undecidable

10 Outline Motivation Context – SLAM Models: LGFSMs and PLS Reachability for PLS Beacon and Rockall

11 The SLAM Toolkit Program SLIC specification

12 P’ B Is ERROR reachable? Yes, path p No Return “No” Is p feasible in P? Is ERROR reachable? don’t know No, explanation Yes Return “Yes”, p Return “don’t know” Bebop Newton C2bp Predicates from instrumentation

13 Model checking multi-threaded boolean programs B1 | B2   Given two CFGs G1 and G2, whether they have a non-empty intersection is undecidable You can reduce this question to a safety (reachability) question for two boolean programs which communicate via shared variables and interleave arbitrarily

14 One solution: FSM abstactions B1  F1 B2  F2 F1 | F2   B1 | B2  

15 FSM Abstractions Number of threads not known in advance Possible solutions Model check a finite number of threads Use parameterized model checking and handle an arbitrary number of threads

16 So now what ? Number of threads not known in advance Possible solutions Model check a finite number of threads Blows up pretty quickly Use parameterized model checking and handle an arbitrary number of threads Can handle some examples even when instantiation to finite number of threads blows up!!

17 Model checking multi-threaded boolean programs B  F F*   B*   Rest of the talk is on this step

18 Outline Motivation Context – SLAM Models: LGFSMs and PLS Reachability for PLS Beacon and Rockall

19 Local-Global FSM L1 G1 L2 G2 L1 G3

20 L1 G1 L1 G1 L2 G2 L1 G3

21 L1 G1 L1L2 G2 L1 G1 L2 G2 L1 G3

22 L1 G1 L1L2 G2 L1 G2 L2 L1 G1 L2 G2 L1 G3

23 L1 G1 L1L2 G2 L1 G2 L2L1 G3 L1 G1 L2 G2 L1 G3

24 L1 G1 L1L2 G2 L1 G2 L2L1 G3 L1 G1 L2 G2 L1 G3

25 Parameterized Library System Given a LGFSM F and a positive integer n, F(n) denotes a library system composed of n copies of F n copies of L initialized to IL 1 copy of G initialized to IG Global configuration : [g,l1, …, ln] Each copy of F executes asynchronously but only one copy executes at a time

26 Outline Motivation Context – SLAM Models: LGFSMs and PLS Reachability for PLS Beacon and Rockall

27 PLS Reachability Global state g is reachable in F(n) if and only if some configuration [g,l1, … ln] is reachable Given a LGFSM F and a global state g, is there a positive integer n such that g is reachable in F(n) ? Parameterized reachability problem This problem is decidable

28 L1 G1 L1 L2 G2 L1 G2 L2 L1 G3 L1

29 G1 L1 L2 G2 L1 G2 L2 L1 G3 L1 (Global state, #of processes in L1, #of processes in L2) (G1,2,0) (G2,1,1) (G3,2,0) Configurations: an alternate representation

30 Relations on configurations (g,l1, …, ln) = (g’,l1’, …, ln’) iff g = g’ and li = li’ for each I (g,l1, …, ln)  (g’,l1’, …, ln’) iff g = g’ and li  li’ for each i C < C’ iff C  C’ and C != C’

31 Reachability on configurations Start with initial configuration Keep exploring new configurations from current configurations. Follow two rules!

32 Rule 1 If C1 is a new configuration and there exists a reachable configuration C2 such that C1  C2 drop C1 !

33 Example (g,1,2) (g,0,2)

34 Example (g,1,2)

35 Example (g,1,2) (…)

36 Rule 2 If C1 is a new configuration and there exists an ancestor C2 such that C2  C1 Replace ancestor with “*”s appropriately !

37 Example (g,1,2) (g,1,3)

38 Example (g,1,*)

39 Example (g,1,*) (…)

40 Claim The procedure is sound and complete Every reachable state is discovered Every discovered state is reachable The procedure always terminates Dickson’s lemma

41 Complexity The reachability tree traversal can take non-primitive recursive space in # of local states Space lower bound O(2^sqrt(n)) Lipton 1976 Algorithm with space O(2^n.log(n)) exists Rackoff 1978 Impractical – most people use some form of reachability tree traversal Closely related with Petri nets and VAS Coverability problem for Petri nets

42 Outline Motivation Context – SLAM Models: LGFSMs and PLS Reachability for PLS Beacon and Rockall

43 Beacon An implementation of the above algorithm Inputs : a LGFSM and a global state transitions expressed by guarded commands Output : answer to the parameterized reachability problem

44 Implementation tricks Construct reachability tree (instead of graph) Need to check subsumption only on parents along one path Represent * as largest unsigned integer Check for overflows Data structure tricks to check subsumption quickly Represent state sets as trees as well

45 Rockall Thread-safe O-O memory manager developed at MSR by Michael Parkes Memory organized in buckets Each bucket manages memory blocks of a given size Buckets arranged in a tree like hierarchy. Each bucket gets memory from a bigger bucket Topmost bucket gets memory from the OS Several locks are used

46 Rockall LGFSM was constructed manually Worst case # of steps O(10 ^ 10 ^ 600) Checked that no memory location was allocated or freed more than once in a row 4 hours on a 800 MHz Pentium III with 512 MB Explored 2 million configurations Finite version with 4 threads did not terminate with SMV !!

47 What about Java? Parameterized verification of Java libraries Can model: Synchronized Wait Notify Cannot model Notify-all Can be handled using backward reachability starting with updward closed sets

48 Conclusions Applying parameterized verification to a new domain Major challenge is getting an LGFSM from source code Manual construction mostly infeasible Efficient implementation - BEACON Lots of other optimizations could be tried Work in relation to coverability graphs for PNs

Download ppt "Parameterized Verification of Thread-safe Libraries Thomas Ball Sagar Chaki Sriram K. Rajamani."

Similar presentations

A Technique for Parallel Reachability Analysis of Java Programs Raghuraman R. Sridhar Iyer G. Sajith.

A Technique for Parallel Reachability Analysis of Java Programs Raghuraman R. Sridhar Iyer G. Sajith.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Keeping a Crowd Safe On the Complexity of Parameterized Verification Javier Esparza Technical University of Munich.

Keeping a Crowd Safe On the Complexity of Parameterized Verification Javier Esparza Technical University of Munich.
The Big Picture Chapter 3. We want to examine a given computational problem and see how difficult it is. Then we need to compare problems Problems appear.

The Big Picture Chapter 3. We want to examine a given computational problem and see how difficult it is. Then we need to compare problems Problems appear.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
Stack and Queue Dr. Bernard Chen Ph.D. University of Central Arkansas.

Stack and Queue Dr. Bernard Chen Ph.D. University of Central Arkansas.
(1) ICS 313: Programming Language Theory Chapter 10: Implementing Subprograms.

(1) ICS 313: Programming Language Theory Chapter 10: Implementing Subprograms.
CS444/CS544 Operating Systems Synchronization 2/16/2006 Prof. Searleman

CS444/CS544 Operating Systems Synchronization 2/16/2006 Prof. Searleman
Model Checking Lecture 5. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 5. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Synergy: A New Algorithm for Property Checking

Synergy: A New Algorithm for Property Checking
CS 536 Spring 20011 Global Optimizations Lecture 23.

CS 536 Spring Global Optimizations Lecture 23.
Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara

Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara
The Theory of NP-Completeness

The Theory of NP-Completeness
CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:

CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:
Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.

Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.

Similar presentations

Ads by Google