Model Checking of Concurrent Software: Current Projects. Thomas Reps, University of Wisconsin. Projects and personnel: University of Wisconsin (Anne Mulhern, Alexey Loginov); Tel-Aviv University (Prof. Mooly Sagiv, Eran Yahav, Noam Rinetzky, Greta Yorsh); University of Saarbrücken.
Model Checking of Concurrent Software: Current Projects
Thomas Reps, University of Wisconsin
Projects and Personnel
• University of Wisconsin
  • Anne Mulhern
  • Alexey Loginov
• Tel-Aviv University
  • Prof. Mooly Sagiv
  • Eran Yahav
  • Noam Rinetzky
  • Greta Yorsh
• University of Saarbrücken
  • Prof. Reinhard Wilhelm
Verifying Behavioral Subtyping (Anne Mulhern)
• Inheritance of code vs. inheritance of behavior
• Liskov Substitution Principle: For every object x’ of type t’ there is an object x of type t, such that for all programs P defined in terms of t, the behavior of P is unchanged when x’ is substituted for x. [Liskov 1988]
• Not enforced by compilers
• Goal: Build a tool that provides some amount of checking
Why?

    class FooNode {
        FooNode next;
        . . . many data members . . .
    };

    class Foo {
        FooNode first;
        FooNode last;
        AppendElmt(Datum);
        . . . many members . . .
    };

    class ListNode {
        ListNode next;
    };

    class List {
        ListNode first;
        ListNode last;
        AddToEnd();
    };

    ?
Abstraction Refinement for TVLA/TVMC (Alexey Loginov)
• Identify additional abstraction predicates
  • Nullary? Unary?
  • Both can be used to refine an abstraction
• Need to be able to automatically create update formulas
  • Finite differencing of formulas [Reps, Sagiv]
  • Semantic minimization of formulas
Semantic Minimization
• Notation: the value of a formula in an assignment A
• In 3-valued logic, the value of a formula may equal ½:
  (p + p’)([p ↦ 0]) = 1
  (p + p’)([p ↦ ½]) = ½
  (p + p’)([p ↦ 1]) = 1
Two- vs. Three-Valued Logic (diagram)
• Two-valued logic: the values 0 and 1
• Three-valued logic: the values 0, 1 and ½, where 0 and 1 correspond to the definite sets {0} and {1}, and ½ corresponds to the set {0,1}
Three-Valued Logic
• 1: True
• 0: False
• ½: Unknown
• A join semi-lattice in the information order, with ½ above both 0 and 1: 0 ⊔ 1 = ½
Semantic Minimization (continued)
• However, the constant formula 1 evaluates to 1 in every assignment:
  1([p ↦ 0]) = 1
  1([p ↦ ½]) = 1
  1([p ↦ 1]) = 1
Semantic Minimization
  1([p ↦ 0]) = 1 = (p + p’)([p ↦ 0])
  1([p ↦ ½]) = 1, which is more precise than ½ = (p + p’)([p ↦ ½])
  1([p ↦ 1]) = 1 = (p + p’)([p ↦ 1])
• 2-valued logic: 1 is equivalent to p + p’
• 3-valued logic: 1 is better than p + p’
• For a given formula, is there a best formula? Yes!
Semantic Minimization
• Input: a propositional formula
• Output: a propositional formula such that, for all 3-valued assignments A, its value in A is the join of the input formula’s values over all definite (2-valued) assignments a ⊑ A, i.e. over every way of replacing each ½ in A by 0 or 1
• By the monotonicity of formula evaluation, this join is ⊑ the input formula’s value in A: the output formula is at least as precise as the input formula in every assignment
Example
• Original formula: xy’ + x’z’ + yz (Note: this is an irredundant sum of products)
• Minimal formula: y’z’ + yz + x’z’ + x’y + xz + xy’ (x’y’z + xyz’)
• For which assignments A do the two formulas give different values? For example:

  A                        minimal formula   original formula
  [x ↦ ½, y ↦ 0, z ↦ 0]    1                 ½
  [x ↦ 0, y ↦ 1, z ↦ ½]    1                 ½
  [x ↦ 1, y ↦ ½, z ↦ 1]    1                 ½
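A worked version of the semantic-minimization definition and of this example, added here and not part of the original slides: a small Kleene 3-valued evaluator for sum-of-products formulas, the join over definite refinements that defines the best value, and an exhaustive check that the slide’s minimal formula attains that best value on every 3-valued assignment; it also reproduces the earlier p + p’ versus 1 comparison. The formula parser and its syntax (one-letter variables, ’ for negation) are assumptions of this example.

```python
from itertools import product

HALF = 0.5  # the third truth value: unknown

def parse_sop(text):
    """Parse "xy' + x'z' + yz" (assumed syntax: 1-letter vars, ' = negation) into [[(var, positive)]]."""
    terms = []
    for chunk in text.split("+"):
        chunk, lits, i = chunk.strip(), [], 0
        while i < len(chunk):
            var, i = chunk[i], i + 1
            negated = i < len(chunk) and chunk[i] == "'"
            lits.append((var, not negated))
            i += negated
        terms.append(lits)
    return terms

def evaluate(sop, A):
    """Kleene 3-valued value of an SOP in assignment A: literal x' is 1 - A[x],
    a product is the min of its literals, the sum is the max of its terms."""
    return max(min(A[v] if pos else 1 - A[v] for v, pos in term) for term in sop)

def definite_refinements(A):
    """Every 2-valued assignment below A in the information order: each 1/2 in A replaced by 0 or 1."""
    unknown = [v for v, val in A.items() if val == HALF]
    for bits in product((0, 1), repeat=len(unknown)):
        yield {**A, **dict(zip(unknown, bits))}

def best_value(sop, A):
    """Join (0 join 1 = 1/2) of the formula's values over the definite refinements
    of A: the value a semantically minimal formula must give in A."""
    values = {evaluate(sop, a) for a in definite_refinements(A)}
    return values.pop() if len(values) == 1 else HALF

def is_semantically_minimal(phi, psi, variables):
    """True iff psi takes best_value(phi, A) in every 3-valued assignment A over the variables."""
    for vals in product((0, HALF, 1), repeat=len(variables)):
        A = dict(zip(variables, vals))
        if evaluate(psi, A) != best_value(phi, A):
            return False
    return True

PHI = parse_sop("xy' + x'z' + yz")                    # original formula on the slide
PSI = parse_sop("y'z' + yz + x'z' + x'y + xz + xy'")  # minimal formula on the slide

def table_row(x, y, z):
    """(original value, minimal value, best value) for one assignment of x, y, z."""
    A = {"x": x, "y": y, "z": z}
    return evaluate(PHI, A), evaluate(PSI, A), best_value(PHI, A)
```

For each of the three assignments in the table, table_row returns (0.5, 1, 1): the original formula yields ½ where the minimal formula already reaches the best value 1, and is_semantically_minimal(PHI, PSI, "xyz") confirms this holds on all 27 assignments.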
TVMC: A 3-Valued Model Checker (Eran Yahav)
• Programming-language features
  • concurrency
  • unbounded #’s of threads
  • pointers/aliasing
  • unbounded #’s of heap-allocated cells
• Properties to be checked
  • FOLTL (LTL + quantification)
  • Safety properties
  • Liveness properties (at least some forms . . .)
Java Threads Are Heap-Allocated Objects: Thread Analysis as Shape Analysis
• A memory configuration (diagram): thread1, thread2 and thread4 are atStart; thread3 is inCritical; lock1 isAcquired and is heldBy thread3; the threads’ csLock fields refer to lock1
• An abstract memory configuration (diagram): a summary thread’ atStart, a thread inCritical, lock1 isAcquired and heldBy that thread, with csLock edges to lock1
• Here, model checking means: Explore the space of possible transitions among abstract memory configurations
Analysis of ADTs (Noam Rinetzky)
• Analysis of ADTs (classes) and their clients
• Objects summarized by finite-state machines obtained via shape analysis
• Example: class Queue
  • Four states of a Queue object: Not allocated, Empty, Non-empty, Error
Analysis of Trees (Greta Yorsh)
• Shape analysis of tree-manipulation programs
  • Binary-search-tree operations
  • Deutsch-Schorr-Waite tree traversal without a stack
• Challenges
  • Garbage-collection marking algorithm that uses Deutsch-Schorr-Waite graph traversal (DSW tree traversal of the depth-first-search tree)
  • Barnes-Hut: uses an oct-tree with chained leaves
  • Improved materialization algorithm for TVLA