Eran Yahav and Mooly Sagiv - PowerPoint PPT Presentation
1
Verifying Safety Properties of Concurrent Java
Programs Using 3-Valued Logic
  • Eran Yahav and Mooly Sagiv
  • School of Computer Science
  • Tel-Aviv University
  • yahave_at_post.tau.ac.il
  • http://www.cs.tau.ac.il/~yahave

2
Introduction
  • Goal: verification of concurrent Java programs
  • Support the following:
  • Java concurrency-model
  • Dynamic allocation/deallocation of objects
  • Dynamic allocation/deallocation of threads

3
Why Verify Java Programs?
  • Concurrency is hard to debug
  • deadlocks
  • interference
  • dependence on thread scheduling
  • failures hard to reproduce
  • Concurrent Programming in Java
  • low-level constructs
  • no compile-time or run-time checks

4
Java Concurrency
  • Threads and locks are just dynamically allocated
    objects
  • synchronized implements mutual exclusion
  • wait, notify and notifyAll coordinate activities
    across threads

5
Java Concurrency Challenges
  • Dynamic allocation
  • Data and control are strongly related
  • Thread-scheduling info may require understanding
    of heap structure (e.g., scheduling queue)
  • Heap analysis requires information on thread
    scheduling

    Thread t1 = new Thread();
    Thread t2 = new Thread();
    if (...) t = t1; else t = t2;
    t.start();
6
Model Checking Approach
  • Explore the space of possible program
    configurations
  • Find configurations that violate the desired
    safety property

How do you guarantee finiteness?
7
Example - Mutual Exclusion
    l_0: while (true) {
    l_1:   synchronized (sharedLock) {
    l_C:     // critical actions
    l_2:   }
    l_3: }
Two threads: the state is (pc1, pc2, lockAcquired1, lockAcquired2)
  • What if a new lock is allocated?
  • What if a new thread is allocated?

8
Existing Approaches for Dynamic Allocation
  • dSPIN, Java PathFinder, Bandera, ...
  • All put an a priori bound on number of allocated
    objects
  • Abstraction applied when model is extracted

9
Existing Approaches for Dynamic Allocation
  • Will fail on many interesting programs
  • Example http server
  • Creates a thread for each http request
  • Threads using exclusive shared resource
  • Show mutual exclusion

[Figure: several threads T, one per http request, each using the shared resource R]
10
Existing Approaches for Dynamic Allocation
  • Challenges
  • Guaranteed correctness vs. assumed correctness
  • Correctly track thread states

11
Our Approach
  • Abstract configurations (conservatively)
    represent multiple program configurations
  • Compute a finite set of abstract configurations
    modeling program behavior
  • Every potential concrete configuration is
    represented
  • Superfluous configurations might be represented
    too
  • Check property for every computed abstract
    configuration

12
Plan
  • Concrete Program Model
  • Safety Properties
  • Abstract Program Model
  • Prototype implementation (3VMC)
  • Summary

13
Program Model
  • Interleaving model of concurrency
  • Program is a collection of thread-type transition
    systems

14
Configurations
  • A program configuration encodes
  • global store
  • program-location of every thread
  • status of locks and threads
  • First-order logical structures used to represent
    program configurations

15
Configurations
[Figure: a concrete configuration drawn as a graph. Thread nodes are labelled is_thread together with their location predicate at[l_0], at[l_1] or at[l_C]; each thread has an rval[this] edge; the thread at l_C is connected to the lock by held_by, and the threads at l_1 by blocked]
16
Configurations
  • Predicates model properties of interest
  • is_thread(t)
  • at[lab](t), lab ∈ Labels
  • rval[fld](o1, o2), fld ∈ Fields
  • held_by(l, t)
  • blocked(t, l)
  • waiting(t, l)
  • Can use the framework with different predicates

17
Configurations
  • Program control-flow is not separately
    represented
  • Program location for each thread is encoded
    inside the configuration
  • at[lab](t), lab ∈ Labels

18
Structural Operational Semantics - actions
  • An action consists of
  • precondition formula
  • update formulae
  • The precondition formula may use a free variable t_s
    for the currently scheduled thread
  • Semantics is non-deterministic

19
Structural Operational Semantics - actions
20
State Space Exploration
    Initialize(C0):
        for each C ∈ C0
            push(stack, C)

    explore():
        while stack is not empty
            C := pop(stack)
            if not member(C, stateSpace)
                verify(C)
                stateSpace := stateSpace ∪ {C}
                for each action ac
                    for each C' such that C →ac C'
                        push(stack, C')
21
Safety Properties
  • Configuration-local property as logical formula

22
Abstract Program Model
  • Conservative representation of the concrete model
  • Use 3-valued logical structures to conservatively
    represent multiple 2-valued structures
  • Conservatively apply actions on abstract
    configurations

23
Abstract Configurations
  • First-order 3-valued logical structures are used
    to represent abstract program configurations
  • 3-valued logic
  • 1 true
  • 0 false
  • 1/2 unknown
  • A join semi-lattice: 0 ⊔ 1 = 1/2

24
Concrete Configuration
[Figure: the concrete configuration of slide 15 again: threads labelled is_thread with at[l_0], at[l_1], at[l_C], rval[this] edges, one held_by edge and blocked edges to the lock]
25
Abstract Configuration
[Figure: the abstract configuration obtained from the concrete one: the thread at l_C (held_by) and a summary node for the threads at l_1 (blocked) and a summary node for the threads at l_0, each with rval[this] edges; edges that are true for some merged nodes and false for others become 1/2]
26
Canonic Abstraction
  • Merge all nodes with the same unary predicate
    values into a single summary node
  • Join predicate values
  • Converts a configuration of arbitrary size into a
    3-valued abstract configuration of bounded size

27
Abstract Semantics
  • Conservatively model the effect of an action
  • use same formulae as in concrete semantics
  • soundness is guaranteed by [SRW99]
  • Use same state-space exploration algorithm to
    explore the abstract state space

28
Unbounded Number of Threads
  • Exploit state-space symmetry
  • Previous work defined symmetry between process
    names (indices)
  • Here the thread location is a thread property
  • Canonic names give symmetry between properties
    rather than between names

29
Example - Mutual Exclusion
[Figure: a single node is_thread, at[l_0], with an rval[this] edge]
Initial configuration
30
Example - Mutual Exclusion
[Figure: one node is_thread, at[l_C], with an rval[this] edge and held_by to the lock; a node is_thread, at[l_0], with an rval[this] edge]
A thread enters the critical section
31
Example - Mutual Exclusion
[Figure: one node is_thread, at[l_C], holding the lock (held_by); a summary node is_thread, at[l_0]; a summary node is_thread, at[l_1], blocked on the lock; all with rval[this] edges]
Other threads may be blocked or just beginning
execution
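The following Python program is an added example, not code from the slides or from the 3VMC prototype. It runs the worklist algorithm of slide 20 over abstract configurations of the mutual-exclusion program of slides 7 and 29-31, using canonical abstraction (slide 26) so that an unbounded number of spawned threads is represented by a bounded set of summary nodes. It assumes a single lock, so the binary predicates held_by(l,t) and blocked(t,l) are folded into the unary predicates holds(t) and blocked(t), it drops the rval[this] edges, and it models neither thread deallocation nor wait/notify. The `check_lock=False` variant is a deliberately broken acquire that ignores the lock, to show the property being violated.

```python
# Added example: abstract state-space exploration with canonical abstraction for the
# mutual-exclusion program (l_0 -> l_1 -> synchronized -> l_C -> release -> l_0).
# Assumptions of this example (not of the paper): one lock, so held_by/blocked are
# unary; rval[this] edges omitted; no thread deallocation; no wait/notify.
L0, L1, LC = "l_0", "l_1", "l_C"      # thread program locations: idle, trying, critical
ONE, MANY = 0, "1/2"                   # sm(node): exactly one thread / one or more

# A thread node is the vector of its unary predicate values (at[lab], blocked, holds).
# An abstract configuration is a frozenset of (kind, sm) pairs.
def canonicalize(nodes):
    """Canonical abstraction: nodes with identical unary predicate values are merged
    into one summary node (sm = 1/2).  At most 3*2*2 = 12 nodes can exist."""
    merged = {}
    for kind, sm in nodes:                # `nodes` is a list: duplicates must be seen
        merged[kind] = MANY if (kind in merged or sm == MANY) else ONE
    return frozenset(merged.items())

def initial():
    """Slide 29: a single thread at l_0, lock free."""
    return canonicalize([((L0, False, False), ONE)])

def move(conf, node, new_kind, unblock=False):
    """One thread represented by `node` steps to `new_kind`.  A summary node may stand
    for exactly one thread (it disappears) or for more (it stays), so the abstract
    step is non-deterministic and yields up to two successors."""
    _, sm = node
    rest = conf - {node}
    for base in ([rest] if sm == ONE else [rest, rest | {node}]):
        base = list(base)
        if unblock:                       # monitor exit: blocked threads may retry
            base = [((loc, False, holds), s) for (loc, _, holds), s in base]
        yield canonicalize(base + [(new_kind, ONE)])

def successors(conf, check_lock=True):
    """All abstract successors of `conf`.  check_lock=False is a deliberately broken
    acquire that ignores whether the monitor is already held."""
    lock_held = any(holds for (_, _, holds), _ in conf)
    # spawn: a fresh thread at l_0 (thread-per-request server, unbounded creation)
    yield canonicalize(list(conf) + [((L0, False, False), ONE)])
    for node in conf:
        (loc, blocked, _), _ = node
        if loc == L0:                                           # reach synchronized
            yield from move(conf, node, (L1, False, False))
        elif loc == L1 and (not lock_held or not check_lock):   # acquire monitor
            yield from move(conf, node, (LC, False, True))
        elif loc == L1 and not blocked:                         # monitor held: block
            yield from move(conf, node, (L1, True, False))
        elif loc == LC:                                         # leave critical section
            yield from move(conf, node, (L0, False, False), unblock=True)

def mutual_exclusion(conf):
    """Configuration-local safety property: at most one thread at l_C.  A summary node
    at l_C may represent two threads, so it is (conservatively) a violation."""
    return sum(2 if sm == MANY else 1 for (loc, _, _), sm in conf if loc == LC) <= 1

def explore(check_lock=True):
    """Worklist algorithm of slide 20 over the finite abstract state space."""
    stack, state_space, violations = [initial()], set(), []
    while stack:
        conf = stack.pop()
        if conf in state_space:
            continue
        if not mutual_exclusion(conf):
            violations.append(conf)
        state_space.add(conf)
        stack.extend(successors(conf, check_lock))
    return violations, state_space

if __name__ == "__main__":
    for flag in (True, False):
        bad, space = explore(check_lock=flag)
        print(f"check_lock={flag}: {len(space)} abstract configurations, "
              f"{len(bad)} violating")
```

With the correct acquire the exploration terminates after a handful of abstract configurations, among them the slide-31 shape (one thread at l_C holding the lock, a summary node of blocked threads at l_1, a summary node at l_0), and no configuration has two threads at l_C. With the broken acquire a summary node at l_C appears and is reported. Because a summary node represents one or more threads, the property check errs on the safe side: it can report a configuration that no concrete execution reaches, which is the "superfluous configurations" caveat of slide 11.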
32
Safety Properties Revisited
  • RW interference
  • WW interference
  • Total deadlock
  • Nested monitors
  • Illegal thread interactions

33
Prototype Implementation
  • 3VMC
  • Used to verify several small example programs
  • concurrent stack
  • queue
  • two-lock queue [PODC96]
  • dining philosophers
  • only intraprocedural
  • no optimizations used

34
Further Work
  • Optimizations
  • Partial-order reduction
  • Symbolic representations (BDDs)
  • Liveness properties
  • Providing counter examples

35
Summary
36
The End
http://www.cs.tau.ac.il/~yahave