Post on 19-Jan-2016
description
1
Eran Yahav and Mooly SagivSchool of Computer Science
Tel-Aviv University
yahave@post.tau.ac.ilhttp://www.cs.tau.ac.il/~yahave
Verifying Safety Properties of Concurrent Java Programs Using 3-Valued Logic
2
Introduction
Goal: Verification of concurrent Java programs
Support the following Java concurrency-model Dynamic allocation/deallocation of objects Dynamic allocation/deallocation of threads
3
Why Verify Java Programs?
Concurrency is hard to debug deadlocks interference dependence on thread scheduling failures hard to reproduce
Concurrent Programming in Java low-level constructs no compile-time or run-time checks
4
Java Concurrency
Threads and locks are just dynamically allocated objects
synchronized implements mutual exclusion
wait, notify and notifyAll coordinate activities across threads
5
Java Concurrency Challenges
Dynamic allocationData and control are strongly related
Thread-scheduling info may require understanding of heap structure (e.g., scheduling queue)
Heap analysis requires information on thread scheduling
Thread t1 = new Thread();Thread t2 = new Thread();…if (…) t = t1 else t = t2;t.start();
6
Model Checking Approach
Explore the space of possible program configurations
Find configurations that violate the desired safety property
How do you guarantee finiteness ?
7
l_0: while (true) {l_1: synchronized(sharedLock) {l_C: // critical actionsl_2: }l_3: }
Two threads: (pc1,pc2,lockAcquired1,lockAcquired2)
Example - Mutual Exclusion
Allocate new lock ?Allocate new thread ?
8
Existing Approaches for Dynamic Allocation
dSPIN, Java pathfinder, Bandera, All put an a priori bound on number of
allocated objects Abstraction applied when model is
extracted
9
Existing Approaches for Dynamic Allocation
Will fail on many interesting programsExample: http server
Creates a thread for each http request Threads using exclusive shared resource Show mutual exclusion
R T
TR
TR
10
Existing Approaches for Dynamic Allocation
Challenges Guaranteed correctness vs. assumed
correctness Correctly track thread states
R TTR
TR
R TTR
TR
TR
11
Our Approach
Abstract configurations (conservatively) represent multiple program configurations
Compute a finite set of abstract configurations modeling program behavior Every potential concrete configuration is
represented Superfluous configurations might be
represented tooCheck property for every computed
abstract configuration
12
Plan
Concrete Program ModelSafety PropertiesAbstract Program ModelPrototype implementation (3VMC)Summary
13
Program Model
Interleaving model of concurrencyProgram is a collection of thread-type
transition systems
14
Configurations
A program configuration encodes: global store program-location of every thread status of locks and threads
First-order logical structures used to represent program configurations
15
Configurations
is_threadat[l_C]
rval[this]
held_by
blocked
is_threadat[l_1]
rval[this]
is_threadat[l_0]
is_threadat[l_0]
is_threadat[l_1]
rval[this]
blocked
16
Configurations
Predicates model properties of interest is_thread { at[lab](t) : lab Labels } { rval[fld](o1,o2) : fld Fields } held_by(l,t) blocked(t,l) waiting(t,l)
Can use the framework with different predicates
17
Configurations
Program control-flow is not separately represented
Program location for each thread is encoded inside the configuration { at[lab](t) : lab Labels }
18
Structural Operational Semantics - actions
An action consists of: precondition formula update formulae
Precondition formula may use a free variable ts for “currently scheduled” thread
Semantics is non-deterministic
19
Structural Operational Semantics - actions
lock(v)
tts: rval[v](ts,l) held_by(l,t)
held_by’(l1,t1) = held_by(l1,t1) (l1 = l t1 = ts)
blocked’ (t1,l1) = blocked(t1,l1) ((l1 l) (t1 ts))
precondition
predicateupdate
20
Initialize(C0) {for each C C0
push(stack,C)}explore() { while stack is not empty { C = pop(stack) if not member(C,stateSpace) { verify(C) stateSpace = stateSpace {C} for each action ac for each C’ such that C ac C’ push(stack,C’) } }}
State Space Exploration
21
Safety Properties
Configuration-local property as logical formula
Example: no total deadlockt,lb : is_thread(t) blocked(t, lb)
t1,t2: (t1 t2) (at[lcrit](t1) at[lcrit](t2))
Example: mutual exclusion
22
Abstract Program Model
Conservative representation of the concrete model
Use 3-valued logical structures to conservatively represent multiple 2-valued structures
Conservatively apply actions on abstract configurations
23
Abstract Configurations
First-order 3-valued logical structures are used to represent abstract program configurations
3-valued logic 1 = true 0 = false 1/2 = unknown A join semi-lattice, 0 1 = 1/2
24
Concrete Configuration
is_threadat[l_C]
rval[this]
held_by
blocked
is_threadat[l_1]
rval[this]
is_threadat[l_0]
is_threadat[l_0]
is_threadat[l_1]
rval[this]
blocked
25
Abstract Configuration
is_threadat[l_C]
rval[this]
held_byblocked
is_threadat[l_1] rval[this]
is_threadat[l_0]
26
Canonic Abstraction
Merge all nodes with the same unary predicate values into a single summary node
Join predicate valuesConverts a configuration of arbitrary size
into a 3-valued abstract configuration of bounded size
27
Abstract Semantics
Conservatively model the effect of an action use same formulae as in concrete semantics soundness is guaranteed by [SRW99]
Use same state-space exploration algorithm to explore the abstract state space
28
Unbounded Number of Threads
Exploit state-space symmetryPrevious work defined symmetry between
process names (indices)Thread location = thread propertyCanonic names = symmetry between
properties
29
Example - Mutual Exclusion
is_threadat[l_0]
rval[this]
Initial configuration
30
Example - Mutual Exclusion
is_threadat[l_0]
rval[this]
is_threadat[l_C]
rval[this]
held_by
A thread enters the critical section
31
Example - Mutual Exclusion
is_threadat[l_1]
rval[this]
is_threadat[l_C]
rval[this]
held_by
blocked
Other threads may be blocked or just beginning execution
is_threadat[l_0]
rval[this]
32
Safety Properties Revisited
RW interferenceWW interferenceTotal deadlockNested monitorsIllegal thread interactions
33
Prototype Implementation
3VMCUsed to verify several small example
programs concurrent stack queue two-lock queue [PODC96] dining philosophers
only intraproceduralno optimizations used
34
Further Work
Optimizations Partial-order reduction Symbolic representations (BDDs)
Liveness propertiesProviding counter examples
35
Summary
Traditional MC Our Approach
concrete configuration
propositional first order+ transitive closure
abstraction model extraction*abstract interpretation
control flowinternally represented
internally represented
materialization ? basic featureobject number a priori bounded unbounded
thread numberfixed or a priori bounded
unbounded
36
http://www.cs.tau.ac.il/~yahave