AssumeGuarantee Model Checking Cormac Flanagan and Shaz Qadeer Systems Research Center HP Labs Page Mill Road Palo Alto CA Microsoft Research One Microsoft Way Redmond WA Abstract - Description

We present assumeguarantee model checking a novel tech nique for verifying correctness properties of looselycoupled multithreaded software systems Assumeguarantee model checking veri64257es each thread of a multithreaded system separately by constra ID: 7784 Download Pdf

Similar presentations

Why do Nigerian Scammers Say They are from Nigeria Cormac Herley Microsoft Research One Microsoft Way Redmond WA USA cormacmicrosoft
Why do Nigerian Scammers Say They are from Nigeria Cormac Herley Microsoft Research One Microsoft Way Redmond WA USA cormacmicrosoft

com ABSTRACT False positives cause many promising detection tech nologies to be unworkable in practice Attackers we show face this problem too In deciding who to attack true positives are targets successfully attacked while false positives are those

Why do Nigerian Scammers Say They are from Nigeria Cormac Herley Microsoft Research One Microsoft Way Redmond WA USA cormacmicrosoft
Why do Nigerian Scammers Say They are from Nigeria Cormac Herley Microsoft Research One Microsoft Way Redmond WA USA cormacmicrosoft

com ABSTRACT False positives cause many promising detection tech nologies to be unworkable in practice Attackers we show face this problem too In deciding who to attack true positives are targets successfully attacked while false positives are those

So Long And No Thanks for the Externalities The Rational Rejection of Security Advice by Users Cormac Herley Microsoft Research One Microsoft Way Redmond WA USA cormacmicrosoft
So Long And No Thanks for the Externalities The Rational Rejection of Security Advice by Users Cormac Herley Microsoft Research One Microsoft Way Redmond WA USA cormacmicrosoft

com ABSTRACT It is often suggested that users are hopelessly lazy and unmotivated on security questions They chose weak passwords ignore security warnings and are oblivious to certi64257cates errors We argue that users rejection of the security advic

tdD Cormac Herley Microsoft Research Redmond ow do so
tdD Cormac Herley Microsoft Research Redmond ow do so

Yet things somehow muddle along two billion people use the Internet and seem to derive more good from it than harm If security is only as goo case outcomes happen 5774057630576805778157711576025774057711577995818957347t he answer may lie in economic

Courteous Glass Jaeyeon Jung Microsoft Research One Microsoft Way Redmond WA USA jjungmicrosoft
Courteous Glass Jaeyeon Jung Microsoft Research One Microsoft Way Redmond WA USA jjungmicrosoft

com Matthai Philipose Microsoft Research One Microsoft Way Redmond WA 98052 USA matthaipmicrosoftcom Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are n

Reconsidering Wireless Systems with Multiple Radios Paramvir Bahl Atul Adya Jitendra Padhye Alec Wolman Microsoft Research Microsoft Way Redmond WA ABSTRACT The tremendous popularity of wireless sy
Reconsidering Wireless Systems with Multiple Radios Paramvir Bahl Atul Adya Jitendra Padhye Alec Wolman Microsoft Research Microsoft Way Redmond WA ABSTRACT The tremendous popularity of wireless sy

The lower cost allows us to consider using two or more radios in the same device Given this we argue that wireless systems that use multiple radios in a collaborative manner dramatically improve system performance and functionality over the traditio

MultipleInstance Pruning For Learning Efcient Cascade Detectors Cha Zhang and Paul Viola Microsoft Research One Microsoft Way Redmond WA chazhangviola microsoft
MultipleInstance Pruning For Learning Efcient Cascade Detectors Cha Zhang and Paul Viola Microsoft Research One Microsoft Way Redmond WA chazhangviola microsoft

com Abstract Cascade detectors have been shown to operate extremely rapidly with high ac curacy and have important applications such as face detection Driven by this success cascade learning has been an area of active research in recent years Nev ert

Automated Selection of Materialized Views and Indexes for SQL Databases Sanjay Agrawal Surajit Chaudhuri Vivek Narasayya Microsoft Research Microsoft Research Microsoft Research sagrawalmicrosoft
Automated Selection of Materialized Views and Indexes for SQL Databases Sanjay Agrawal Surajit Chaudhuri Vivek Narasayya Microsoft Research Microsoft Research Microsoft Research sagrawalmicrosoft

com surajitcmicrosoftcom viveknarmicrosoftcom Abstract Automatically selecting an appropriate set of materialized views and indexes for SQL databases is a nontrivial task A judicious choice must be costdriven and influenced by the workload experience

Discriminative Features via Generalized Eigenvectors Nikos Karampatziakis NIKOSK MICROSOFT COM Paul Mineiro PMINEIRO MICROSOFT COM Microsoft CISL Microsoft Way Redmond WA USA Abstract Representing
Discriminative Features via Generalized Eigenvectors Nikos Karampatziakis NIKOSK MICROSOFT COM Paul Mineiro PMINEIRO MICROSOFT COM Microsoft CISL Microsoft Way Redmond WA USA Abstract Representing

In this paper we investigate scalable techniques for inducing discriminative features by taking ad vantage of simple second order structure in the data We focus on multiclass classi64257cation and show that features extracted from the generalized ei

Crosstalk Cascades for FrameRate Pedestrian Detection Piotr Dollar Ron Appel Wolf Kienzle Microsoft Research Redmond California Institute of Technology pdollarwkienzle microsoft
Crosstalk Cascades for FrameRate Pedestrian Detection Piotr Dollar Ron Appel Wolf Kienzle Microsoft Research Redmond California Institute of Technology pdollarwkienzle microsoft

com appelcaltechedu Abstract Cascades help make sliding window object detection fast nevertheless computational demands remain prohibitive for numerous applications Currently evaluation of adjacent windows proceeds inde pendently this is suboptimal a

330K - views

AssumeGuarantee Model Checking Cormac Flanagan and Shaz Qadeer Systems Research Center HP Labs Page Mill Road Palo Alto CA Microsoft Research One Microsoft Way Redmond WA Abstract

Published bydanika-pritchard

We present assumeguarantee model checking a novel tech nique for verifying correctness properties of looselycoupled multithreaded software systems Assumeguarantee model checking veri64257es each thread of a multithreaded system separately by constra

Tags : present assumeguarantee model
Embed :
Pdf Download Link

Download Pdf - The PPT/PDF document "AssumeGuarantee Model Checking Cormac Fl..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

AssumeGuarantee Model Checking Cormac Flanagan and Shaz Qadeer Systems Research Center HP Labs Page Mill Road Palo Alto CA Microsoft Research One Microsoft Way Redmond WA Abstract






Presentation on theme: "AssumeGuarantee Model Checking Cormac Flanagan and Shaz Qadeer Systems Research Center HP Labs Page Mill Road Palo Alto CA Microsoft Research One Microsoft Way Redmond WA Abstract"— Presentation transcript:

threadseparatelyusinganenvironmentassumptiontomodelinterleavedstepsoftheotherthreads.Theenvironmentassumptionofeachthreadisabinaryrelationoverthesetofglobalstores,andincludesallglobalstoreupdatesthatmaybeperformedbyotherthreads.Inearlierwork,weextendedtheassume-guaranteeproofruleofJonesandimplementeditintheCalvinchecker[FFQ02,FQS02]formultithreadedJavaprograms.OurexperienceusingCalvinindicatesthatthethreadsinmostsoft-waresystemsareloosely-coupled,i.e.,thereislittlecorrelationamongthelocalstatesofthevariousthreads,andassume-guaranteereasoningissucientlypow-erfultoverifythesesystems.However,asigni cantcostofusingCalvinisthattheprogrammerisrequiredtoprovidetheappropriateenvironmentassumption.Theassume-guaranteemodelcheckingtechniqueinthispaperavoidsthiscostbyautomaticallyinferringtheseenvironmentassumptions.Assume-guaranteemodelcheckinginferstheenvironmentassumptionforeachthreadby rstinferingaguaranteeforeachthread,whichmodelsallglobalstoreupdatesperformedbythatthread.Theenvironmentassumptionofathreadisthenthedisjunctionoftheguaranteesofalltheotherthreads.Theguaranteeofeachthreadisinitiallytheemptyrelation,andisiterativelyextendedduringthemodelcheckingprocess.Eachthreadisveri edusingthestandardalgorithmformodelcheckingasequentialpushdownsystemexceptthatateachcontrolpointofthethread,theglobalstateisallowedtomutateaccordingtotheguar-anteesoftheotherthreads.Inaddition,wheneverathreadmodi estheglobalstore,thattransitionontheglobalstatesisaddedtothatthread'sguarantee.Theiterationcontinuesuntilthereachablestatespaceandguaranteeofeachthreadconverges.ThecomplexityofthisprocedureisO(n:G3:L3:F),wherenisthenumberofthreads,Fisthenumberofstacksymbols,Gisthesizeoftheglobalstore,andListhesizeoflocalstoreperthread.Evenifthethreadsdonothaveastackandareconsequently nite-state,assume-guaranteemodelcheckingo erssigni cantsavingsoverstandardmodelchecking.Thenaivemodelcheckingalgorithmexplicitlymodelstheprogramcountersofallthreads.Therefore,itexploresallinterleavingsofthevariousthreadsanditscomplexityisexponentialinthenumberofthreads.However,assume-guaranteemodelcheckingveri eseachthreadseparatelyanditscom-plexityO(n:G2:L:(n+L))issigni cantlybetterthanthatofthenaivealgorithm.1.1ExampleToillustratethebene tsofassume-guaranteemodelchecking,weconsideritsapplicationtoasimplemultithreadedprogram.ThemultithreadedprogramSimple(n)hasnthreadswhichareconcurrentlyexecutingtheprocedurep.Eachthreadisidenti edbyuniqueintegervaluefromthesetTid=f1;:::;ng.Thesethreadsmanipulateasharedintegervariablexinitializedto1.Thevariablexisprotectedbyamutexm,whichiseitherthe(non-zero)identi erofthethreadholdingthelock,orelse0,ifthelockisnotheldbyanythread.Thus,thetypeMutex=f0g[Tid.Themutexmismanipulatedbytwooperations,acquireandrelease.Theoperationacquireblocksuntilm=0andthenatomically Theenvironmentassumptionofthethreadtidcanbecomputedfromtheguar-anteeasfollows:E(tid)def=9t2Tid:t6=tid^G[tid:=t]AnexaminationofRprovesthatSimple(n)satis esitsthreecorrectnessproperties:1.Thethreadwithidenti ertidaccessesxonlywhenitsprogramcounterpc2f2;3;4g.EverymemberofRsatis esthepropertythatifpc2f2;3;4gthenm=tid.Therefore,itisimpossiblefortwodi erentthreadstobeatacontrollocationinf2;3;4gsimulaneously.Consequently,thereisnoraceonthevariablex.2.EverymemberofRsatis esthepropertythatm=1whenpc=4.Therefore,theassertionatcontrollocation4holds.3.EverymemberofRsatis esthepredicatem=0)x=1,whichisthereforeaninvariantofSimple(n).ToverifytheprogramSimple(n),theassume-guaranteemodelcheckingalgo-rithmanalyzeseachthreadseparately.Whenanalyzingthreadtid,eachglobalstatestoredbythealgorithmcontainsvaluesform,x,andtheprogramcounterofthreadtid.ThealgorithmexploresO(n)statesandtransitionsforeachthread.Sincetherearenthreads,thenumberofexploredstatesandtransitionsisO(n2).Ontheotherhand,eachstatestoredbyanaivemodelcheckingalgorithmwillprovidevaluesform,x,andtheprogramcountersofallthethreads.Consequently,thenumberofstatesandtransitionsexploredareO(2n).Thus,forthisexample,theassume-guaranteemodelcheckingalgorithmprovidesexponentialsavingsinthetimeandspacerequiredforstate-spaceenumeration.Ourmodelofthemutexmisanimportantreasonforthesuccessofassume-guaranteemodelcheckingonthisexample.Althoughamutexcanbemodeledasasinglebit,wechosetomodelmasavariablewhosevalueindicatestheidenti erofthethreadthatcurrentlyholdsthemutex.Thismutexmodeliscrucialforinferringthreadguaranteesandenvironmentassumptionsthatarestrongenoughtoverifyeachthreadseparately.1.2RelatedworkWereferthereadertoourearlierpapers[FFQ02,FQS02]foradiscussionoftherelatedworkonveri cationofmultithreadedsoftwarebycompositionalreason-ingandmodelchecking.Cobleighetal.[CGP03]shareourmotivationofreducingtheannotationcostofcompositionalreasoning.Theyuseacounterexample-guidedlearningal-gorithmtoinferenvironmentassumptions,anapproachthatisverydi erentfromours.Ouralgorithmisbasedentirelyonmodelchecking;thecorrectnesspropertiesoftheprogramareveri edandappropriateenvironmentassumptionsareinferredsolelybystate-spaceenumeration. theleastsolutionRStatetothefollowinginferencerulesdescribesthesetofreachablestates.Standardmodelchecking (basicinit) R(g0;ls0)(basicstep)R(g;ls)T(t;g;ls(t);g0;l0) R(g0;ls[t:=l0]) Althoughweprovideadeclarativede nitionofRhere,itiseasilycomputedusingaworklist-basedalgorithm.HavingcomputedR,itisstraightforwardtodetermineifanyerroneousstateisreachable,i.e.,ifthereexistt,g,andlssuchthatR(g;ls)^E(t;g;ls).Unfortunately,thecomputationalcostofthisalgorithmbecomesexcessiveinthepresenceofmultiplethreads.Letn=jTidjbethenumberofthreadsandletG=jGlobalStorejandL=jLocalStorejbethesizesoftheglobalandlocalstores,respectively.ThenthesizeofRisG:Ln.Furthermore,foreachentryinRtheremayben:G:Lapplicationsof(basicstep).HencethetimecomplexityofthisalgorithmisO(n:G2:Ln+1).2.2Assume-guaranteemodelcheckingThecomplexityofstandardmodelcheckingisexponentialinthenumberofthreads,sinceitexplicitlycorrelatesthelocalstates(andprogramcounters)ofallthevariousthreads.However,sincethethreadsinmostsoftwaresystemsarepredominantlyloosely-coupled,thiscorrelationislargelyredundant.Assume-guaranteemodelcheckingprovidesameanstoavoidthisredundancy.Underassume-guaranteemodelchecking,eachthreadischeckedseparately,usingtheguaranteesthatabstractthebehaviorofinterleavedstepsofotherthreads.Thealgorithmworksbycomputingtworelations:R,whichspeci esthereachablestatesofeachthread,andG,whichistheguaranteeofeachthread.Thus,theguaranteeisinferredautomaticallyduringthemodelcheckingprocess.RTidGlobalStoreLocalStoreGTidGlobalStoreGlobalStoreTherelationR(t;g;l)holdsifthesystemcanreachastatewithglobalstoregandwherethethreadthaslocalstorel.Similarly,G(t;g;g0)holdsifastepbythreadtcangofromareachablestatewithglobalstoregtoastatewithglobalstoreg0.Whilemodelcheckingathreadwithidenti erdi erentfromt,weknowthatwhenevertheglobalstoreisgandG(t;g;g0)holds,aninterleavedstepofthreadtcanchangetheglobalstoretog0.TherelationsRandGarede nedastheleastsolutiontothefollowingrules. TherelationTmodelsthreadstepsthatdonotmanipulatethestack.Therela-tionT(t;g;l;g0;l0)holdsifthethreadtcantakeastepfromastatewithglobalandlocalstoresgandl,respectively,yielding(possiblymodi ed)storesg0andl0,andwherethestackisnotaccessedorupdatedduringthisstep.TherelationT+(t;g;l;l0;f)modelsstepsofthreadtthatpushaframeontothestack.Theglobalandlocalstoresareinitiallygandl,theglobalstoreisunmodi edduringthisstep,thelocalstoreisupdatedtol0,andtheframefispushedontothestack.Similarly,therelationT�(t;g;l;f;l0)modelsstepsofthreadtthatpopaframefromthestack.Theglobalandlocalstoresareinitiallygandlandtheframefisinitiallyontopofthestack.Afterthestep,theglobalstoreisunmodi ed,thelocalstoreisupdatedtol0,andtheframefhasbeenpoppedfromthestack.Weassumethatallstacksareemptyintheinitialstate,andletss0mapeachthreadidenti ertotheemptystack.Thesetofreachablestatesisthende nedbytheleastrelationRStatesatisfyingthefollowingrules.BasicPDAmodelchecking (basicpdainit) R(g0;ls0;ss0)(basicpdastep)R(g;ls;ss)T(t;g;ls(t);g0;l0) R(g0;ls[t:=l0];ss)(basicpdapush)R(g;ls;ss)T+(t;g;ls(t);l0;f) R(g0;ls[t:=l0];ss[t:=ss(t):f])(basicpdapop)R(g;ls;ss)ss(t)=s:fT�(t;g;ls(t);f;l0) R(g;ls[t:=l0];ss[t:=s]) Sincethestacksizesareunbounded,thesetofreachablestatesmayalsobeunbounded.Consequently,anyalgorithmtocomputeRmaydiverge.Infact,themodelcheckingproblemforconcurrentpushdownsystemsisundecidable,aresultthatcanbeprovedbyreductionfromtheundecidableproblemofdeter-miningiftheintersectionoftwocontext-freelanguagesisempty[Ram00].3.1Assume-guaranteemodelcheckingAlthoughsoundandcompletemodelcheckingofconcurrentpushdownsystemsisundecidable,assume-guaranteereasoningallowsustomodelchecksuchsys-temsanaconservativeyetusefulmanner.Again,wemodelcheckeachthreadseparately,usingtheguaranteestoreasonaboutthee ectofinterleavedstepsofotherthreads.ThealgorithmworksbycomputingtheguaranteerelationGandthereachabilityrelationsPandQ.GTidGlobalStoreGlobalStorePTidGlobalStoreLocalStoreGlobalStoreLocalStoreQTidGlobalStoreLocalStoreFrameGlobalStoreLocalStoreTheguaranteeG(t;g;g0)holdsifastepbythreadtcangofromareachablestateswithglobalstoregtoastatewithglobalstoreg0.ThereachabilityrelationP(t;g;l;g0;l0)holdsif(1)thesystemcanreachastatewithglobalstoregand 4DiscussionWehavepresentedanewtechniquecalledassume-guaranteemodelcheckingforverifyingmultithreadedsoftwaresystems.Althoughincompleteforgeneralsystems,thistechniqueisparticularlye ectiveforloosely-coupledmultithreadedsoftwarewherethethevariousthreadssynchronizeusingprimitivessuchasmutexes,readers-writerlocks,etc.Ifthesynchronizationprimitivesaremodeledwithappropriateauxiliaryinformation,thesesystemscanbeveri edonethreadatatime.Realisticsoftwaresystemsoftenhavedynamicthreadcreationthatmayleadtounboundednumberofthreads.Thisaspectofmultithreadedsoftwareiscur-rentlynothandledbyouralgorithm.However,thesetofthreadidentifers,evenifin nite,isascalarsettype[ID96].Consequently,thesesystemsareamenabletosymmetryreductionwhichweplantoexploitinfuturework.Theassume-guaranteemodelcheckingalgorithmconstructsaparticularab-stractionofmultithreadedsoftwareusingenvironmentassumptions.However,theabstractionmightbetoocoarsetoverifytherelevantcorrectnessproperty.Ifthealgorithmreportsanerror,wewouldlikeanecientproceduretocheckwhethertheviolationisrealorintroducedduetotheabstractionprocess.Inthesecondcase,wewouldliketoautomaticallyre netheenvironmentassump-tionsbypossiblyexplicatingsomeaspectoftheprogramcountersoftheotherthreadsintheenvironment.Afterthere nement,themodelcheckingalgorithmcanberepeated.Thus,theassume-guaranteemodelcheckingalgorithmmaybeconvertedtoasemi-algorithmthatissoundandalsocompleteontermination.References[BET03]A.Bouajjani,J.Esparza,andT.Touili.Agenericapproachtothestaticanalysisofconcurrentprogramswithprocedures.InPOPL03:PrinciplesofProgrammingLanguages,2003.toappear.[CE81]E.M.ClarkeandE.A.Emerson.Designandsynthesisofsynchronizationskeletonsusingbranching-timetemporallogic.InWorkshoponLogicofPro-grams,LectureNotesinComputerScience131,pages52{71.Springer-Verlag,1981.[CGP03]J.M.Cobleigh,D.Giannakopoulou,andC.S.Pasareanu.Learningassump-tionsforcompositionalveri cation.InTACAS03:ToolsandAlgorithmsfortheConstructionandAnalysisofSystems,2003.toappear.[FFQ02]C.Flanagan,S.N.Freund,andS.Qadeer.Thread-modularveri cationforshared-memoryprograms.InESOP02:EuropeanSymposiumonProgram-ming,LectureNotesinComputerScience2305,pages262{277,2002.[FQS02]C.Flanagan,S.Qadeer,andS.Seshia.Amodularcheckerformultithreadedprograms.InCAV02:ComputerAidedVeri cation,LectureNotesinCom-puterScience2404,pages180{194,2002.[HU79]J.E.HopcroftandJ.D.Ullman.IntroductiontoAutomataTheory,Languages,andComputation.Addison-WesleyPublishingCompany,1979.[ID96]C.N.IpandD.L.Dill.Betterveri cationthroughsymmetry.FormalMethodsinSystemDesign,9(1{2):41{75,1996.