Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Thread Modular Model Checking Cormac Flanagan Systems Research Center HP Labs Joint work with Shaz Qadeer (Microsoft Research)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Thread Modular Model Checking Cormac Flanagan Systems Research Center HP Labs Joint work with Shaz Qadeer (Microsoft Research)"— Presentation transcript:

1 1 Thread Modular Model Checking Cormac Flanagan Systems Research Center HP Labs Joint work with Shaz Qadeer (Microsoft Research)

2 2 Multithreaded software Operating systems, databases, web servers, file systems, device drivers, GUI,... Correctness problem: –does the program satisfy its specification for all inputs and all interleavings ? Testing particularly weak for multithreaded software Need model checkers for multithreaded software

3 3 State explosion Large/infinite domains –eg. integers Infinite stack Many threads Predicate abstraction + iterative refinement SLAM, BLAST, Verifun Thread Modular Model Checking

4 4 Simple multithreaded program Thread 1 1: acquire(m) 2: x := 0 3: x := x + 1 4: assert x > 0 5: release(m) 6: stop Mutex m; int x := 1; Shared state H = Mutex  int Local state L tid = program counter State space Q = H  L 1 ...  L n Model checking space: O( |H|.|L| n )......... Thread 2 1: acquire(m) 2: assert x > 0 3: release(m) 4: stop Thread n.........

5 5 Avoiding state explosion H L1L1 L2L2 Standard MC Space: O( |H|.|L| n ) Thread modular MC H L2L2 H L1L1 G 1  H  H guaranteeassume G 2  H  H guaranteeassume  Space: O(n.|H|.|L| + n.|H| 2 )

6 6 Mutex implementation Thread tid 1: acquire(m) 2: x := 0; 3: x := x + 1 4: assert x > 0 5: release(m) 6: stop int x := 1; Mutex m := 0; Mutex m = tid, if held by thread tid 0, if unheld ---------- (m=0  m’=tid) m ---------- m := 0 Guarantee G tid : (m!=tid  x’=x)  (m’=0  x’=1)  (m!=0  m!=tid  m’=m)

7 7 H L2L2 H L1L1 G 1  H  H guaranteeassume G 2  H  H guaranteeassume Thread modular checking of Thread 1 Abstraction for Thread 1 (m=0  m’=1) m ; x := 0; x := x + 1; assert x > 0; (m’=0) m ; * * * * * Model check abstraction for Thread 1 Also guarantee steps satisfy G 1 Repeat for other threads  Program is OK Thread tid 1: (m=0  m’=tid) m 2: x := 0; 3: x := x + 1 4: assert x > 0 5: m := 0 6: stop G 2  ; (m=0  m’=1) m ; G 2  ; x := 0; G 2  ; x := x + 1; G 2  ; assert x > 0; G 2  ; (m’=0) m ;

8 8 Calvin Checker Thread modular checker for multithreaded software –uses ESC/Java as back end Applications –Apprentice challenge ( 50 LOC) –java.util.Vector ( 400 LOC) –part of Mercator web crawler (1500 LOC) –Daisy file system (1500 LOC) Thread modular reasoning works well...... provided you can write suitable thread guarantees Can we infer thread guarantees?

9 9 Inferring thread guarantees H L2L2 H L1L1 G 1  H  H G 2  H  H guaranteeassume Thread 1 1: (m=0  m’=1) m 2: x := 0; 3: x := x + 1 4: assert x > 0 5: m := 0 6: stop guarantee infer ----------- infer ----------- R 1 = { (m=0,x=1,pc=1) } R 2 = { (m=0,x=1,pc=1) } G 1 = { } G 2 = { } (m=1,x=1)  (m=1,x=0) (m=0,x=1,pc=1)  1 (m=1,x=1,pc=2) (m=1,x=0,pc=3) (m=1,x=1,pc=2) (m=1,x=1,pc=1) (m=0,x=1)  (m=1,x=1)

10 10 Algorithm ----------------- R t (H Init, L t Init ) R t (H, L t ) (H, L t )  t (H’, L t ’) ------------------------------------ R t ( H’, L t ’ ) G t (H, H’) R t (H, L t ) G u (H, H’) u != t ---------------------------------- R t (H’, L t ) Find least R t  H  L t, G t  H  H such that

11 11 Inferring thread guarantees H L2L2 H L1L1 G 1  H  H G 2  H  H guaranteeassume Thread 1 1: (m=0  m’=1) m 2: x := 0; 3: x := x + 1 4: assert x > 0 5: m := 0 6: stop guarantee infer ----------- infer ----------- G 1 = { } G 2 = { } (m=2,x=1)  (m=2,x=1) (m=2,x=1)  (m=0,x=1) (m=0,x=1)  (m=2,x=1) (m=1,x=1)  (m=1,x=0) (m=1,x=0)  (m=1,x=1) (m=1,x=1)  (m=1,x=1) (m=1,x=1)  (m=0,x=1) (m=0,x=1)  (m=1,x=1) Thread 2 1: (m=0  m’=2) m 2: assert x > 0 3: m := 0 4: stop

12 12 Inferring thread guarantees H L2L2 H L1L1 G 1  H  H G 2  H  H guaranteeassume Thread 1 1: (m=0  m’=1) m 2: x := 0; 3: x := x + 1 4: assert x > 0 5: m := 0 6: stop guarantee infer ----------- infer ----------- G 1 = { } G 2 = { } (m=2,x=1)  (m=2,x=1) (m=2,x=1)  (m=0,x=1) (m=0,x=1)  (m=2,x=1) (m=1,x=1)  (m=1,x=0) (m=1,x=0)  (m=1,x=1) (m=1,x=1)  (m=1,x=1) (m=1,x=1)  (m=0,x=1) (m=0,x=1)  (m=1,x=1) Hand-written guarantee G tid : (m!=tid  x’=x)  (m’=0  x’=1)  (m!=0  m!=tid  m’=m)

13 13 Soundness and Completeness Thread modular reasoning is sound Thread modular reasoning is not complete “Complete enough” for loosely-computed threads –no need for tight correlation of PCs Modeling mutexes as Tid + {0} crucial –guarantee G tid : (m!=tid  x’=x)  (m’=0  x’=1)  (m!=0  m!=tid  m’=m) –cannot model mutexes as {0,1}

14 14 One bit mutexes do not work! H L2L2 H L1L1 G 1  H  H G 2  H  H guaranteeassume Thread 1 1: (m=0  m’=1) m 2: x := 0; 3: x := x + 1 4: assert x > 0 5: m := 0 6: stop guarantee infer ----------- infer ----------- G 1 = { } R 2 = { } (m=0,x=1,pc=1) Thread 2 1: (m=0  m’=1) m 2: assert x > 0 3: m := 0 4: stop (m=1,x=1,pc=2) (m=1,x=0,pc=2) (m=1,x=1)  (m=1,x=0)

15 15 Adding procedure calls Standard MC Each thread has stack S tid Q = H  (L 1  S 1 ) ...  (L n  S n ) Undecidable H L 1 L 2 S 1 S 2 H L2L2 H L1L1 G 1  H  H G 2  H  H guaranteeassume guaranteeassume S1S1 S2S2 Thread modular MC Decidable

16 16 Related work Jones 83 –parallel shared-memory programs –requires manual specification of guarantee –plus Hoare-style triples Misra-Chandy 81 Abadi-Lamport 85 Alur-Henzinger 96 McMillan 97

17 17 Future Work Large/infinite domains –eg. integers Infinite stack Many threads Predicate abstraction + iterative refinement SLAM, BLAST, ESC, Verifun, MAGIC Thread Modular Model Checking Combine thread modular checking with predicate abstraction and iterative refinement Verifun BLAST SLAM

Download ppt "1 Thread Modular Model Checking Cormac Flanagan Systems Research Center HP Labs Joint work with Shaz Qadeer (Microsoft Research)"

Similar presentations

QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.

QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.
© 2006 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.

© 2006 Carnegie Mellon University Combining Predicate and Numeric Abstraction for Software Model Checking Software Engineering Institute Carnegie Mellon.
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
Promising Directions in Hardware Design Verification Shaz Qadeer Serdar Tasiran Compaq Systems Research Center.

Promising Directions in Hardware Design Verification Shaz Qadeer Serdar Tasiran Compaq Systems Research Center.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.

Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.

Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.

Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.
Automated assume-guarantee reasoning for component verification Dimitra Giannakopoulou (RIACS), Corina Păsăreanu (Kestrel) Automated Software Engineering.

Automated assume-guarantee reasoning for component verification Dimitra Giannakopoulou (RIACS), Corina Păsăreanu (Kestrel) Automated Software Engineering.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
S CALABLE A ND P RECISE R EFINEMENT OF C ACHE T IMING A NALYSIS VIA M ODEL C HECKING Sudipta Chattopadhyay Abhik Roychoudhury 1.

S CALABLE A ND P RECISE R EFINEMENT OF C ACHE T IMING A NALYSIS VIA M ODEL C HECKING Sudipta Chattopadhyay Abhik Roychoudhury 1.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.

/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs.

1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs.

Similar presentations

Ads by Google