Presentation is loading. Please wait.

Presentation is loading. Please wait.

Specifying Multithreaded Java semantics for Program Verification

Published byToby Mason Modified over 5 years ago

Similar presentations

Presentation on theme: "Specifying Multithreaded Java semantics for Program Verification"— Presentation transcript:

1 Specifying Multithreaded Java semantics for Program Verification
Abhik Roychoudhury National University of Singapore (Joint work with Tulika Mitra)

2 Java Multithreading Threads communicate via shared variables.
Threads run on uni- or multi-processors Semantics given as abstract rules : Java Memory Model (JMM). Any multithreading implementation must respect JMM. Supports locking via synchronized statements Locking may be avoided for performance. ICSE 2002, Orlando FL

3 Unsychronized code if (inst == null) synchronized (Singleton.class){
inst = new Singleton(); return inst ; } if (inst == null) synchronized (Singleton.class){ inst = new Singleton(); } return inst; ICSE 2002, Orlando FL

4 Shared variable access without locks
Initially : A = 0, B = 0 while (A != 1) {}; return B B = 1; A = 1; || Expected returned value = 1 ICSE 2002, Orlando FL

5 What may happen B = 1; A = 1; while (A != 1) {}; return B
|| May happen if threads are executed on different processors, or even by compiler re-ordering A= 1 return B B = 1 Returned value = 0 ICSE 2002, Orlando FL

6 Sequential Consistency
Programmer expects statements within a thread to complete in program order: Sequential Consistency Each thread proceeds in program order Operations across threads are interleaved Op1 Op’’ Op2 Op’ violates SC Op’ ; Op’’ ; Op1; Op2; || ICSE 2002, Orlando FL

7 Is this a problem ? YES !! Programmers expect SC
Verification techniques assume SC execution SC not guaranteed by execution platforms Not demanded by Java language spec. Unrealistic for any future spec. to demand YES !! ICSE 2002, Orlando FL

8 Organization Shared variable access without locks Candidate solutions
Specifying the Java Memory Model (JMM) Using JMM for verification ICSE 2002, Orlando FL

9 1. Program with caution Always synchronize (and acquire lock) before writing a shared object For these programs, any execution is SC Unacceptable performance overheads for low-level libraries Software libraries from other sources cannot be guaranteed to be properly synchronized ICSE 2002, Orlando FL

10 2. Change the Semantics Current semantics called Java Memory Model (JMM). Part of Java language spec. Weaker than Sequential Consistency. Allows certain re-orderings within threads Currently being considered for revision Existing/future JMM bound to be weaker than SC – Does not solve the problem ICSE 2002, Orlando FL

11 3. Use the semantics Develop a formal executable description of the Java Memory Model Use it for program debugging, verification JMM captures all possible behaviors for any implementation – Platform independent reasoning Adds value to existing program verification techniques ICSE 2002, Orlando FL

12 Organization Shared variable access without locks Candidate solutions
Specifying the Java Memory Model (JMM) Using JMM for verification ICSE 2002, Orlando FL

13 JMM Overview Each shared variable v has A master copy
A local copy in each thread Threads read and write local/master copies by actions Imposes ordering constraints on actions Not multithreaded implementation guide ICSE 2002, Orlando FL

14 JMM Actions Master copy of v Local copy of v in t
read(v,t) load(v,t) Master copy of v Local copy of v in t write(v,t) store(v,t) Actions invoked by Program Execution: use/assign(t,v) Read from/ Write into local copy of v in t lock/unlock(t) Acquire/Release lock on shared variables ICSE 2002, Orlando FL

15 Formal Specification Asynchronous concurrent composition
Th1 || Th2 || … || Thn || MM Local state of each thread modeled as cache ( Local copy, Stale bit, Dirty bit ) Queues for incomplete reads/writes Local state of MM ( Master copies, Lock ownership info ) ICSE 2002, Orlando FL

16 Specifying JMM Actions
Each action is a guarded command G  B Evaluate G; If true execute B atomically Example: Use of variable v by thread t  stale[t,v]  return local_copy[t,v] Applicability of action stated as guard In rule-based description, several rules determine the applicability ICSE 2002, Orlando FL

17 Understanding JMM A store must intervene between an assign
assign(t,v) < store(t,v) load(t,v) assign(t, v) < load(t,v) A store must intervene between an assign and a load action for a variable v by thread t ICSE 2002, Orlando FL

18 Understanding JMM assign(t, v) < store(t,v) load(t,v) assign(t,v)
< write(t,v) < read(t,v) < load(t,v) assign(t,v) < load(t,v) read/write actions on the master copy of v by thread t are performed in the order of corresponding load/store actions ICSE 2002, Orlando FL

19 Understanding JMM Applicability of an action depends on several rules in the rule-based description This is what makes the model “hard to understand” Operation description specifies applicability as guard assign(t,v) : empty(read_queue[t,v]) -> …. ICSE 2002, Orlando FL

20 Executable model Java threads invoke use,assign,lock,unlock
Action executed by corresponding commands Threads block if the next action not enabled To enable these, store,write,load,read are executed in any order provided guard holds Example: To enable assign, a load is executed (if there was an earlier read) ICSE 2002, Orlando FL

21 Organization Shared variable access without locks Candidate solutions
Specifying the Java Memory Model (JMM) Using JMM for verification ICSE 2002, Orlando FL

22 Verifying Unsynchronized Code
assign(B,1) assign(A,1) While (use(A) !=1){} use(B) || use/assign invoke corresponding guarded commands load/store/read/write executed to enable use/assign Exhaustive state space exploration shows use(B) may return 1 or 0 ICSE 2002, Orlando FL

23 Program verification Composing executable JMM allows search
The state space explosion problem  Most Java programs are “properly synchronized” and hence SC execution Unsynchronized code appears in low-level fragments which are frequently executed These programs are small, so …  ICSE 2002, Orlando FL

24 One possibility User chooses one program path in each thread (Creative step) Exhaustively check all possible execution traces from chosen program paths (Automated state space exploration: Can verify invariants) Choosing program paths requires understanding source code, not JMM ICSE 2002, Orlando FL

25 Case Study: Double Checked Locking
Idiom for lazy instantiation of a singleton Check whether garbage data-fields can be returned by this object initialization routine Verification by composing the JMM reveals: Incompletely instantiated object can be returned Due to re-ordering of writes within constructor Detected by prototype invariant checker in 0.15 sec ICSE 2002, Orlando FL

26 Summary Executable specification of Multithreaded Java semantics
Using the specification for debugging multithreaded programs Similar approach has been studied before in the context of hardware multiprocessors How to correct the bugs found (the harmful re-orderings) ? ICSE 2002, Orlando FL

Download ppt "Specifying Multithreaded Java semantics for Program Verification"

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
An Case for an Interleaving Constrained Shared-Memory Multi-Processor Jie Yu and Satish Narayanasamy University of Michigan.

An Case for an Interleaving Constrained Shared-Memory Multi-Processor Jie Yu and Satish Narayanasamy University of Michigan.
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.

Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.

D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.
An Case for an Interleaving Constrained Shared-Memory Multi- Processor CS6260 Biao xiong, Srikanth Bala.

An Case for an Interleaving Constrained Shared-Memory Multi- Processor CS6260 Biao xiong, Srikanth Bala.
Jan 200692.3913 Ron McFadyen1 Singleton To guarantee that there is at most one instance of a class we can apply the singleton pattern. Singleton Static.

Jan Ron McFadyen1 Singleton To guarantee that there is at most one instance of a class we can apply the singleton pattern. Singleton Static.
Oct 200592.3913 Ron McFadyen1 Singleton To guarantee that there is at most one instance of a class we can apply the singleton pattern. Singleton Static.

Oct Ron McFadyen1 Singleton To guarantee that there is at most one instance of a class we can apply the singleton pattern. Singleton Static.
Slides 8d-1 Programming with Shared Memory Specifying parallelism Performance issues ITCS4145/5145, Parallel Programming B. Wilkinson Fall 2010.

Slides 8d-1 Programming with Shared Memory Specifying parallelism Performance issues ITCS4145/5145, Parallel Programming B. Wilkinson Fall 2010.
“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.

“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.
Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.

Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.
Specifying Java Thread Semantics Using a Uniform Memory Model Jason Yue Yang Ganesh Gopalakrishnan Gary Lindstrom School of Computing University of Utah.

Specifying Java Thread Semantics Using a Uniform Memory Model Jason Yue Yang Ganesh Gopalakrishnan Gary Lindstrom School of Computing University of Utah.
Spring 2010ACS-3913 Ron McFadyen1 Singleton To guarantee that there is at most one instance of a class we can apply the singleton pattern. Singleton Static.

Spring 2010ACS-3913 Ron McFadyen1 Singleton To guarantee that there is at most one instance of a class we can apply the singleton pattern. Singleton Static.
1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.

1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.
CS510 Concurrent Systems Class 5 Threads Cannot Be Implemented As a Library.

CS510 Concurrent Systems Class 5 Threads Cannot Be Implemented As a Library.
Synchronization CSCI 444/544 Operating Systems Fall 2008.

Synchronization CSCI 444/544 Operating Systems Fall 2008.
Analyzing the CRF Java Memory Model Yue Yang Ganesh Gopalakrishnan Gary Lindstrom School of Computing University of Utah.

Analyzing the CRF Java Memory Model Yue Yang Ganesh Gopalakrishnan Gary Lindstrom School of Computing University of Utah.
Winter 2007ACS-3913 Ron McFadyen1 Singleton To guarantee that there is at most one instance of a class we can apply the singleton pattern. Singleton Static.

Winter 2007ACS-3913 Ron McFadyen1 Singleton To guarantee that there is at most one instance of a class we can apply the singleton pattern. Singleton Static.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

Similar presentations

Ads by Google