Verifying Safety Properties of Concurrent Java Programs Using 3-Valued Logic

Paper by: Eran Yahav

Presented by: Avi Yadgar

Overview

Checking safety properties Checked programs:

Multiple threads (unbounded) Dynamic heap (unbounded number of

objects) Use 3 valued logic for abstraction

Outline Concurrent programs (Crash Course)

Important Properties Concurrent Java Challenges

Verifying Safety Properties Verification Algorithm Representation of States Representation of Properties Representation of Functionality Verification Algorithm (again)

3-Value Abstraction Abstract state representation Abstract Functionality

Concurrent Programs

Multiple threadsSome shared resources (memory, code)Some separate resources (PC, locks)

LocksCan be held by a single threadBlocks other threads

Checking Concurrent Programs

Inconsistent updates Deadlocks Violation of data types invariants Illegal thread manipulation

Concurrent Java

ThreadsThreads as objectsCreated, started, blocked, waiting, dead

Objects as locks Synchronized code Wait Notify, notifyall join

Example

class Queue { protected Object head, tail;

public void put(Object o) { synchronized(this) { // lp1 put o into the queue // lp2 } // lp3 }

public void approveHead() { synchronized(this) { //

la1 if (head != null) // la2

head.approve(); } }

} // end of class Queuepublic Object take() { synchronized (this) { //

lt1 o = cut the head of the queue // lt2 } return o; }

class Producer implements Runnable {

protected Queue q;

public void run() {

Object o = produce object;

q.put(o);

class Consumer implements Runnable {

protected Queue q;

public void run() {

Object o = q.get();

consume o

class Approver {

protected Queue q;

public void run() {

p.approveHead();

class Main {

public static void main () {

Queue q = new Queue();

Thread prd = new Thread(new Producer (q));

Thread csm = new Thread(new Consumer (q));

for (int i=3; i<3; i++)

new Tread(new Approver(q).start());

prd.start();

csm.start();

// lm1

// lm2

// lm3

// lm4

// lm5

// lm6

// lm 7

Challenges

Number of threadsPossibly unbounded

Number of objects in heapPossibly unbounded

An abstraction is required

On-the-fly Safety Checking

States of a Concurrent System

Memory map Program locations Status of locks and threads

Represent the states using logical structuresAs first order formulae

Representing States - Configurations

Is_thread

Is_threadIs_thread

Is_threadat[la_1]

at[la_1]at[la_1]

at[lt_1]

at[lp_2]

rvalue[head]

rvalue[next] rvalue[next] rvalue[next] rvalue[next]

rvalue[tail] rvalue[this]

rvalue[this]

rvalue[this]rvalue[o]

rvalue[this]

held_by

blocked

<UC,ic>Configuration:

r_by[head] r_by[next] r_by[next] r_by[next] r_by[next]r_by[tail]

r_by[o]

Representing states

States are represented by configurations <U,i> U – Set of current objects i – Set of interpretations to predicates

Each element is a mapping U{0,1}

Predicates – represent properties of objects

Predicates

is_thread(t) at[lab](t) rvalue[fld](t) held_by(l,t) blocked(t,l) waiting(t,l) Idlt(l1,l2)

Representing Safety Properties

As first order formulae

),(_)(_: tlbyheldtthreadist

)]([)]([()(: 212121 tlattlattttt critcrit

Actions

Pre-conditions for the executionAction is ‘taken’ if there is an assignment that

satisfies the preconditions Update the values of the predicates Notation:

C rewrites into C’

'CC ac

Actions

)(vlock

: [ ]( , ) _ ( , ) s st t rvalue v t l held by l t

)(),(),(

111111

llttltblockedltblocked'

llt(t),theld_by(l),theld_by'(l

Actions

)(vblockLock

),(_),]([: tlbyheldltvrvaluett ss

1 1 1 1 1 1 ( , ) ( , ) )sblocked' t l blocked t l (t t l l

Actions

)(vunlock

),]([ ltvrvalue s

)( 111111 lltt),theld_by(l),theld_by'(l s

Actions

)(vnotify

),(:),]([ ltwaitingtltvrvalue wws

)(),(),(

)(),(),('

111111

llttltblockedltblocked'

llttltwaitingltwaiting

Actions

)(vifyignoredNot

),(:),]([ ltwaitingtltvrvalue wws

Actions

Is_thread

Is_threadIs_thread

Is_threadat[la_1]

at[la_1]at[la_1]

at[lt_1]

at[lp_2]held_by

blocked

r_by[head] r_by[next] r_by[next] r_by[next] r_by[next]

r_by[o]

r_by[tail]

at[lp_2]held_by

at[lp_3]

synchronized(this) { // lp1 put o into the queue // lp2 } // lp3

Safety Properties

RW interference

, , : _ ( ) _ ( ) ( )

[ ]( , ) [ ]( , )

r w r w r w

r r w w

t t o is thread t is thread t t t

at[lr](t ) at[lw](t )

rvalue x t o rvalue x t o

lr : Obj1 = xr lw : xw = Obj2

Safety Properties

WW interference

),]([),]([

)()(_)(_:,,

212121

otxrvalueotxrvalue

)](tat[lw)](tat[lw

tttthreadistthreadisott

wwwwww

lw1 : xw1 = Obj1 lw2 : xw2 = Obj2

Safety Properties

Missing ownership (when invoking wait/notify)

),(_),]([)]([: tlbyheldltvrvaluetlatt s

ls : wait(v)

Checking Algorithmcheck() { initialize_stack(C0) while stack is not empty { C=stack.pop if C S { verify(C)

for each action ac for each C’ s.t.

stack.push(C’) } }}

'CC ac

C = <U,i>

Check if property holds under i

Abstract States

New logic valueDefinite values: 0,1 Indefinite value : ½ - “might be true”

Abstract Configurations <U,i>U: Each element might represent multiple

objects (summary nodes)

i: Each element is a mapping : U {0, ½,1}

Embedding

Given C=<U,i>, C’=<U’,i’> An embedding f:UU’:

C’ represents C Use Canonical Abstraction

)), ui(p(uufufpi’ 2121 )...))(),(((

21)...))(),((( 21 ufufpi’

Abstract Configurations

Is_thread

Is_threadIs_thread

Is_threadat[la_1]

at[la_1]at[la_1]

at[lt_1]

at[lp_2]held_by

blocked

r_by[head] r_by[next] r_by[next] r_by[next] r_by[next]

r_by[o]

r_by[tail]

Abstract Configurations

Is_thread

Is_threadIs_thread

Is_threadat[la_1]

at[la_1]at[la_1]

at[lt_1]

at[lp_2]held_by

blocked

r_by[head]

r_by[o]

<u> <u4>r_by[next]r_by[tail]

Rvalue[next]Rvalue[next]

<a>Is_thread

at[la_1]

Rvalue[next](u0,u)=? Rvalue[next](u,u4)=?

Abstract Rewrites

C=<U,i> C’=<U’,i’>

Cc=<Uc,ic>C’c=<U’c,I’c>

Cc rewrites into C’c

C rewrites into C

Abstract Rewrites

<s_t>At[la_1]

Is_thread<u>

rvalue[this]

<s_t_0>At[la_2]

Is_thread

<s_t_1>At[la_1]

Is_thread

rvalue[this]

held_by

head.approve(); } }

} // end of class Queue

Instrumentation Predicates

: ( , ) ?t blocked t l 1: ( , ) 2t blocked t l

head.approve(); } }

} // end of class Queue

<s_t_a>At[la_1]

Is_thread

<s_t_0>is_blockedIs_threadAt[la_1]

<s_t_1>At[la_1]

Is_thread

<u>Is_acquired

<s_t_b>At[la_2]

Is_thread

blocked rvalue[this]

rvalue[this]held_by

is_blocked?

rvalue[this]

blocked

rvalue[this]

: ( , ) 1t blocked t l

l is referenced by the field “fld” of some object

_ [ ]( )r by fld l

: [ ]( , )o rvalue fld o l

The lock l is acquired by some thread

_ ( )is acquired l

: _ ( , )t held by l t

The thread t is blocked by some lock

_ ( )is blocked t

: ( , )l blocked t l

Verifying Safety Properties Verification algorithm Representation of States Representation of Properties Representation of Functionality Verification Algorithm (again)

Verifying Safety Properties of Concurrent Java Programs Using 3-Valued Logic

Documents

A Foundation for Verifying Concurrent Programs

Verifying a Two-Lock Concurrent Queue

Your Wish is My Commandlara.epfl.ch/~kuncak/talks/wishco.pdf · Beyond Functional: Verifying Imperative C and Concurrent Systems •Key idea: encode program and properties into recursive

Verifying concurrent software using movers in CSPECosdi2018-slides.pdf · Verifying concurrent software using movers in CSPEC Tej Chajed, Frans Kaashoek, Butler Lampson*, Nickolai

Verifying Concurrent Memory Reclamation Algorithms with Gracegotsman/papers/recycling-esop13.pdf · Abstract. Memory management is one of the most complex aspects of mod-ern concurrent

EMPOWERING WORLD-CLASS MARINE · PDF fileprogram included verifying compatibility with Aveva Marine, performance tests with multiple concurrent users, ... EMPOWERING WORLD-CLASS MARINE

Verifying Concurrent Search Structure Templatessiddharth/pubs/2020-pldi-templates.pdf · 2020. 5. 25. · simultaneously about thread safety (i.e., how threads syn-chronize) and memory

On Library Correctness under Weak Memory Consistency · 2018-12-15 · 68 On Library Correctness under Weak Memory Consistency Specifying and Verifying Concurrent Libraries under

Verifying concurrent software using movers in CSPEC · Verifying concurrent software using movers in CSPEC Tej Chajed, Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL

Testing and Verifying Atomicity of Composed Concurrent Operations

Automated and modular re nement reasoning for concurrent ... · 1 Introduction We present a technique for verifying a re nement relation between two concur-rent, shared-memory multithreaded

Verifying Concurrent Message- Passing C Programs with Recursive Calls Sagar Chaki, Edmund Clarke, Nicholas Kidd, Thomas Reps, and Tayssir Touili

Verifying Fine-Grained Concurrent Data Structures · Verifying Fine-Grained Concurrent Data Structures Master Thesis Felix Wolf August 21, 2018 Advisors: Prof. Dr. Peter Muller, Dr

Verifying Funds

Thesis Proposal - Carnegie Mellon School of Computer Sciencerwh/theses/tassarotti-proposal.pdf · Thesis Proposal Verifying Concurrent Randomized Algorithms Joseph Tassarotti August

BOUNDED MODEL CHECKING FOR VERIFYING CONCURRENT …

On Library Correctness under Weak Memory Consistencyorilahav/papers/popl19libraries.pdf · On Library Correctness under Weak Memory Consistency Specifying and Verifying Concurrent

On Library Correctness under Weak Memory Consistencyplv.mpi-sws.org/yacovet/paper.pdf · 68 On Library Correctness under Weak Memory Consistency Specifying and Verifying Concurrent

Verifying concurrent software using movers in CSPECosdi18-slides.pdf · Verifying concurrent software using movers in CSPEC Tej Chajed, Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology