Verifying Safety Properties of Concurrent Java Programs Using 3-Valued Logic

Verifying Safety Properties of Concurrent Java Programs Using 3-Valued Logic

Paper by: Eran Yahav

Presented by: Avi Yadgar

Overview

Checking safety properties Checked programs:

Multiple threads (unbounded) Dynamic heap (unbounded number of

objects) Use 3 valued logic for abstraction

Outline Concurrent programs (Crash Course)

Important Properties Concurrent Java Challenges

Verifying Safety Properties Verification Algorithm Representation of States Representation of Properties Representation of Functionality Verification Algorithm (again)

3-Value Abstraction Abstract state representation Abstract Functionality

Concurrent Programs

Multiple threadsSome shared resources (memory, code)Some separate resources (PC, locks)

LocksCan be held by a single threadBlocks other threads

Checking Concurrent Programs

Inconsistent updates Deadlocks Violation of data types invariants Illegal thread manipulation

Concurrent Java

ThreadsThreads as objectsCreated, started, blocked, waiting, dead

Objects as locks Synchronized code Wait Notify, notifyall join

Example

class Queue { protected Object head, tail;

public void put(Object o) { synchronized(this) { // lp1 put o into the queue // lp2 } // lp3 }

public void approveHead() { synchronized(this) { //

la1 if (head != null) // la2

head.approve(); } }

} // end of class Queuepublic Object take() { synchronized (this) { //

lt1 o = cut the head of the queue // lt2 } return o; }

class Producer implements Runnable {

protected Queue q;

public void run() {

Object o = produce object;

q.put(o);

}

}

class Consumer implements Runnable {

protected Queue q;

public void run() {

Object o = q.get();

consume o

}

}

class Approver {

protected Queue q;

public void run() {

p.approveHead();

}

}

class Main {

public static void main () {

Queue q = new Queue();

Thread prd = new Thread(new Producer (q));

Thread csm = new Thread(new Consumer (q));

for (int i=3; i<3; i++)

new Tread(new Approver(q).start());

prd.start();

csm.start();

}

}

// lm1

// lm2

// lm3

// lm4

// lm5

// lm6

// lm 7

Challenges

Number of threadsPossibly unbounded

Number of objects in heapPossibly unbounded

An abstraction is required





On-the-fly Safety Checking

C0

States of a Concurrent System

Memory map Program locations Status of locks and threads

Represent the states using logical structuresAs first order formulae

Representing States - Configurations

<q>

<cns>

<prd> <m1>

<a1><a2>

<a3>

<u4><u3><u2><u1><u0>

UC

Is_thread

Is_thread

Is_threadIs_thread

Is_threadat[la_1]

at[la_1]at[la_1]

at[lt_1]

at[lp_2]

rvalue[head]

rvalue[next] rvalue[next] rvalue[next] rvalue[next]

rvalue[tail] rvalue[this]

rvalue[this]

rvalue[this]

rvalue[this]rvalue[o]

rvalue[this]

held_by

blocked

<UC,ic>Configuration:

r_by[head] r_by[next] r_by[next] r_by[next] r_by[next]r_by[tail]

r_by[o]

Representing states

States are represented by configurations <U,i> U – Set of current objects i – Set of interpretations to predicates

Each element is a mapping U{0,1}

Predicates – represent properties of objects

Predicates

is_thread(t) at[lab](t) rvalue[fld](t) held_by(l,t) blocked(t,l) waiting(t,l) Idlt(l1,l2)

Representing Safety Properties

As first order formulae

),(_)(_: tlbyheldtthreadist

)]([)]([()(: 212121 tlattlattttt critcrit

Actions

Pre-conditions for the executionAction is ‘taken’ if there is an assignment that

satisfies the preconditions Update the values of the predicates Notation:

C rewrites into C’

'CC ac

Actions

)(vlock

: [ ]( , ) _ ( , ) s st t rvalue v t l held by l t

)(),(),(

)

111111

111111

llttltblockedltblocked'

llt(t),theld_by(l),theld_by'(l

s

s

Actions

)(vblockLock

),(_),]([: tlbyheldltvrvaluett ss

1 1 1 1 1 1 ( , ) ( , ) )sblocked' t l blocked t l (t t l l

Actions

)(vunlock

),]([ ltvrvalue s

)( 111111 lltt),theld_by(l),theld_by'(l s

Actions

)(vnotify

),(:),]([ ltwaitingtltvrvalue wws

)(),(),(

)(),(),('

111111

111111

llttltblockedltblocked'

llttltwaitingltwaiting

w

w

Actions

)(vifyignoredNot

),(:),]([ ltwaitingtltvrvalue wws

Actions

<q>

<cns>

<prd> <m1>

<a1><a2>

<a3>

<u4><u3><u2><u1><u0>

Is_thread

Is_thread

Is_threadIs_thread

Is_threadat[la_1]

at[la_1]at[la_1]

at[lt_1]

at[lp_2]held_by

blocked

r_by[head] r_by[next] r_by[next] r_by[next] r_by[next]

r_by[o]

r_by[tail]

at[lp_2]held_by

at[lp_3]

synchronized(this) { // lp1 put o into the queue // lp2 } // lp3

Safety Properties

RW interference

, , : _ ( ) _ ( ) ( )

[ ]( , ) [ ]( , )

r w r w r w

r w

r r w w

t t o is thread t is thread t t t

at[lr](t ) at[lw](t )

rvalue x t o rvalue x t o

lr : Obj1 = xr lw : xw = Obj2

Safety Properties

WW interference

),]([),]([

)()(_)(_:,,

2211

2211

212121

otxrvalueotxrvalue

)](tat[lw)](tat[lw

tttthreadistthreadisott

wwww

ww

wwwwww

lw1 : xw1 = Obj1 lw2 : xw2 = Obj2

Safety Properties

Missing ownership (when invoking wait/notify)

),(_),]([)]([: tlbyheldltvrvaluetlatt s

ls : wait(v)

Checking Algorithmcheck() { initialize_stack(C0) while stack is not empty { C=stack.pop if C S { verify(C)

for each action ac for each C’ s.t.

stack.push(C’) } }}

}{CSS

'CC ac

C = <U,i>

Check if property holds under i





Abstract States

New logic valueDefinite values: 0,1 Indefinite value : ½ - “might be true”

Abstract Configurations <U,i>U: Each element might represent multiple

objects (summary nodes)

i: Each element is a mapping : U {0, ½,1}

Embedding

Given C=<U,i>, C’=<U’,i’> An embedding f:UU’:

C’ represents C Use Canonical Abstraction

)), ui(p(uufufpi’ 2121 )...))(),(((

21)...))(),((( 21 ufufpi’

Abstract Configurations

<q>

<cns>

<prd> <m1>

<a1><a2>

<a3>

<u4><u3><u2><u1><u0>

Is_thread

Is_thread

Is_threadIs_thread

Is_threadat[la_1]

at[la_1]at[la_1]

at[lt_1]

at[lp_2]held_by

blocked

r_by[head] r_by[next] r_by[next] r_by[next] r_by[next]

r_by[o]



r_by[tail]

Abstract Configurations

<q>

<cns>

<prd> <m1>

<a1><a2>

<a3>

<u0>

Is_thread

Is_thread

Is_threadIs_thread

Is_threadat[la_1]

at[la_1]at[la_1]

at[lt_1]

at[lp_2]held_by

blocked

r_by[head]

r_by[o]

 <u4>r_by[next]r_by[tail]

Rvalue[next]Rvalue[next]

<a>Is_thread

at[la_1]

Rvalue[next](u0,u)=? Rvalue[next](u,u4)=?

Abstract Rewrites

C=<U,i> C’=<U’,i’>

Cc=<Uc,ic>C’c=<U’c,I’c>

Cc rewrites into C’c

C rewrites into C

Abstract Rewrites

<s_t>At[la_1]

Is_thread

rvalue[this]

<s_t_0>At[la_2]

Is_thread

<s_t_1>At[la_1]

Is_thread



rvalue[this]

rvalue[this]

held_by



head.approve(); } }

} // end of class Queue

Instrumentation Predicates

: ( , ) ?t blocked t l 1: ( , ) 2t blocked t l



head.approve(); } }

} // end of class Queue

<s_t_a>At[la_1]

Is_thread

<s_t_0>is_blockedIs_threadAt[la_1]

<s_t_1>At[la_1]

Is_thread

Is_acquired

<s_t_b>At[la_2]

Is_thread

blocked rvalue[this]

rvalue[this]held_by

is_blocked?

rvalue[this]

blocked

rvalue[this]

: ( , ) 1t blocked t l


l is referenced by the field “fld” of some object

_ [ ]( )r by fld l

: [ ]( , )o rvalue fld o l


The lock l is acquired by some thread

_ ( )is acquired l

: _ ( , )t held by l t


The thread t is blocked by some lock

_ ( )is blocked t

: ( , )l blocked t l



Verifying Safety Properties Verification algorithm Representation of States Representation of Properties Representation of Functionality Verification Algorithm (again)


Further Reading

http://www.cs.tau.ac.il/~tvla/ http://www.cs.tau.ac.il/~msagiv/sas00t.ps http://www.cs.tau.ac.il/~msagiv/toplas02.pdf http://www.math.tau.ac.il/~yahave/3vmc

Documents

Verifying Safety Properties of Concurrent Java Programs Using 3-Valued Logic