1

Eran Yahav and Mooly SagivSchool of Computer Science

Tel-Aviv University

yahave@post.tau.ac.ilhttp://www.cs.tau.ac.il/~yahave

Verifying Safety Properties of Concurrent Java Programs Using 3-Valued Logic

2

Introduction

Goal: Verification of concurrent Java programs

Support the following Java concurrency-model Dynamic allocation/deallocation of objects Dynamic allocation/deallocation of threads

3

Why Verify Java Programs?

Concurrency is hard to debug deadlocks interference dependence on thread scheduling failures hard to reproduce

Concurrent Programming in Java low-level constructs no compile-time or run-time checks

4

Java Concurrency

Threads and locks are just dynamically allocated objects

synchronized implements mutual exclusion

wait, notify and notifyAll coordinate activities across threads

5

Java Concurrency Challenges

Dynamic allocationData and control are strongly related

Thread-scheduling info may require understanding of heap structure (e.g., scheduling queue)

Heap analysis requires information on thread scheduling

Thread t1 = new Thread();Thread t2 = new Thread();…if (…) t = t1 else t = t2;t.start();

6

Model Checking Approach

Explore the space of possible program configurations

Find configurations that violate the desired safety property

How do you guarantee finiteness ?

7

l_0: while (true) {l_1: synchronized(sharedLock) {l_C: // critical actionsl_2: }l_3: }

Two threads: (pc1,pc2,lockAcquired1,lockAcquired2)

Example - Mutual Exclusion

Allocate new lock ?Allocate new thread ?

8

Existing Approaches for Dynamic Allocation

dSPIN, Java pathfinder, Bandera, All put an a priori bound on number of

allocated objects Abstraction applied when model is

extracted

9

Existing Approaches for Dynamic Allocation

Will fail on many interesting programsExample: http server

Creates a thread for each http request Threads using exclusive shared resource Show mutual exclusion

R T

TR

TR

10

Existing Approaches for Dynamic Allocation

Challenges Guaranteed correctness vs. assumed

correctness Correctly track thread states

R TTR

TR

R TTR

TR

TR

11

Our Approach

Abstract configurations (conservatively) represent multiple program configurations

Compute a finite set of abstract configurations modeling program behavior Every potential concrete configuration is

represented Superfluous configurations might be

represented tooCheck property for every computed

abstract configuration

12

Plan

Concrete Program ModelSafety PropertiesAbstract Program ModelPrototype implementation (3VMC)Summary

13

Program Model

Interleaving model of concurrencyProgram is a collection of thread-type

transition systems

14

Configurations

A program configuration encodes: global store program-location of every thread status of locks and threads

First-order logical structures used to represent program configurations

15

Configurations

is_threadat[l_C]

rval[this]

held_by

blocked

is_threadat[l_1]

rval[this]

is_threadat[l_0]

is_threadat[l_0]

is_threadat[l_1]

rval[this]

blocked

16

Configurations

Predicates model properties of interest is_thread { at[lab](t) : lab Labels } { rval[fld](o1,o2) : fld Fields } held_by(l,t) blocked(t,l) waiting(t,l)

Can use the framework with different predicates

17

Configurations

Program control-flow is not separately represented

Program location for each thread is encoded inside the configuration { at[lab](t) : lab Labels }

18

Structural Operational Semantics - actions

An action consists of: precondition formula update formulae

Precondition formula may use a free variable ts for “currently scheduled” thread

Semantics is non-deterministic

19

Structural Operational Semantics - actions

lock(v)

tts: rval[v](ts,l) held_by(l,t)

held_by’(l1,t1) = held_by(l1,t1) (l1 = l t1 = ts)

blocked’ (t1,l1) = blocked(t1,l1) ((l1 l) (t1 ts))

precondition

predicateupdate

20

Initialize(C0) {for each C C0

push(stack,C)}explore() { while stack is not empty { C = pop(stack) if not member(C,stateSpace) { verify(C) stateSpace = stateSpace {C} for each action ac for each C’ such that C ac C’ push(stack,C’) } }}

State Space Exploration

21

Safety Properties

Configuration-local property as logical formula

Example: no total deadlockt,lb : is_thread(t) blocked(t, lb)

t1,t2: (t1 t2) (at[lcrit](t1) at[lcrit](t2))

Example: mutual exclusion

22

Abstract Program Model

Conservative representation of the concrete model

Use 3-valued logical structures to conservatively represent multiple 2-valued structures

Conservatively apply actions on abstract configurations

23

Abstract Configurations

First-order 3-valued logical structures are used to represent abstract program configurations

3-valued logic 1 = true 0 = false 1/2 = unknown A join semi-lattice, 0 1 = 1/2

24

Concrete Configuration

is_threadat[l_C]

rval[this]

held_by

blocked

is_threadat[l_1]

rval[this]

is_threadat[l_0]

is_threadat[l_0]

is_threadat[l_1]

rval[this]

blocked

25

Abstract Configuration

is_threadat[l_C]

rval[this]

held_byblocked

is_threadat[l_1] rval[this]

is_threadat[l_0]

26

Canonic Abstraction

Merge all nodes with the same unary predicate values into a single summary node

Join predicate valuesConverts a configuration of arbitrary size

into a 3-valued abstract configuration of bounded size

27

Abstract Semantics

Conservatively model the effect of an action use same formulae as in concrete semantics soundness is guaranteed by [SRW99]

Use same state-space exploration algorithm to explore the abstract state space

28

Unbounded Number of Threads

Exploit state-space symmetryPrevious work defined symmetry between

process names (indices)Thread location = thread propertyCanonic names = symmetry between

properties

29

Example - Mutual Exclusion

is_threadat[l_0]

rval[this]

Initial configuration

30

Example - Mutual Exclusion

is_threadat[l_0]

rval[this]

is_threadat[l_C]

rval[this]

held_by

A thread enters the critical section

31

Example - Mutual Exclusion

is_threadat[l_1]

rval[this]

is_threadat[l_C]

rval[this]

held_by

blocked

Other threads may be blocked or just beginning execution

is_threadat[l_0]

rval[this]

32

Safety Properties Revisited

RW interferenceWW interferenceTotal deadlockNested monitorsIllegal thread interactions

33

Prototype Implementation

3VMCUsed to verify several small example

programs concurrent stack queue two-lock queue [PODC96] dining philosophers

only intraproceduralno optimizations used

34

Further Work

Optimizations Partial-order reduction Symbolic representations (BDDs)

Liveness propertiesProviding counter examples

35

Summary

Traditional MC Our Approach

concrete configuration

propositional first order+ transitive closure

abstraction model extraction*abstract interpretation

control flowinternally represented

internally represented

materialization ? basic featureobject number a priori bounded unbounded

thread numberfixed or a priori bounded

unbounded

36

http://www.cs.tau.ac.il/~yahave