Uploads Contact
/
Login Upload
AssumeGuarantee Model Checking Cormac Flanagan and Shaz Qadeer Systems Research Center AssumeGuarantee Model Checking Cormac Flanagan and Shaz Qadeer Systems Research Center

AssumeGuarantee Model Checking Cormac Flanagan and Shaz Qadeer Systems Research Center - PDF document

danika-pritchard
danika-pritchard . @danika-pritchard
Follow
677 views
Uploaded On 2014-10-27
About Share Download

AssumeGuarantee Model Checking Cormac Flanagan and Shaz Qadeer Systems Research Center - PPT Presentation

We present assumeguarantee model checking a novel tech nique for verifying correctness properties of looselycoupled multithreaded software systems Assumeguarantee model checking veri64257es each thread of a multithreaded system separately by constra ID: 7784

present assumeguarantee model

Share:

Link:

Embed:

Download Presentation from below link

Download Pdf The PPT/PDF document "AssumeGuarantee Model Checking Cormac Fl..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentation Transcript

threadseparatelyusinganenvironmentassumptiontomodelinterleavedstepsoftheotherthreads.Theenvironmentassumptionofeachthreadisabinaryrelationoverthesetofglobalstores,andincludesallglobalstoreupdatesthatmaybeperformedbyotherthreads.Inearlierwork,weextendedtheassume-guaranteeproofruleofJonesandimplementeditintheCalvinchecker[FFQ02,FQS02]formultithreadedJavaprograms.OurexperienceusingCalvinindicatesthatthethreadsinmostsoft-waresystemsareloosely-coupled,i.e.,thereislittlecorrelationamongthelocalstatesofthevariousthreads,andassume-guaranteereasoningissucientlypow-erfultoverifythesesystems.However,asigni cantcostofusingCalvinisthattheprogrammerisrequiredtoprovidetheappropriateenvironmentassumption.Theassume-guaranteemodelcheckingtechniqueinthispaperavoidsthiscostbyautomaticallyinferringtheseenvironmentassumptions.Assume-guaranteemodelcheckinginferstheenvironmentassumptionforeachthreadby rstinferingaguaranteeforeachthread,whichmodelsallglobalstoreupdatesperformedbythatthread.Theenvironmentassumptionofathreadisthenthedisjunctionoftheguaranteesofalltheotherthreads.Theguaranteeofeachthreadisinitiallytheemptyrelation,andisiterativelyextendedduringthemodelcheckingprocess.Eachthreadisveri edusingthestandardalgorithmformodelcheckingasequentialpushdownsystemexceptthatateachcontrolpointofthethread,theglobalstateisallowedtomutateaccordingtotheguar-anteesoftheotherthreads.Inaddition,wheneverathreadmodi estheglobalstore,thattransitionontheglobalstatesisaddedtothatthread'sguarantee.Theiterationcontinuesuntilthereachablestatespaceandguaranteeofeachthreadconverges.ThecomplexityofthisprocedureisO(n:G3:L3:F),wherenisthenumberofthreads,Fisthenumberofstacksymbols,Gisthesizeoftheglobalstore,andListhesizeoflocalstoreperthread.Evenifthethreadsdonothaveastackandareconsequently nite-state,assume-guaranteemodelcheckingo erssigni cantsavingsoverstandardmodelchecking.Thenaivemodelcheckingalgorithmexplicitlymodelstheprogramcountersofallthreads.Therefore,itexploresallinterleavingsofthevariousthreadsanditscomplexityisexponentialinthenumberofthreads.However,assume-guaranteemodelcheckingveri eseachthreadseparatelyanditscom-plexityO(n:G2:L:(n+L))issigni cantlybetterthanthatofthenaivealgorithm.1.1ExampleToillustratethebene tsofassume-guaranteemodelchecking,weconsideritsapplicationtoasimplemultithreadedprogram.ThemultithreadedprogramSimple(n)hasnthreadswhichareconcurrentlyexecutingtheprocedurep.Eachthreadisidenti edbyuniqueintegervaluefromthesetTid=f1;:::;ng.Thesethreadsmanipulateasharedintegervariablexinitializedto1.Thevariablexisprotectedbyamutexm,whichiseitherthe(non-zero)identi erofthethreadholdingthelock,orelse0,ifthelockisnotheldbyanythread.Thus,thetypeMutex=f0g[Tid.Themutexmismanipulatedbytwooperations,acquireandrelease.Theoperationacquireblocksuntilm=0andthenatomically Theenvironmentassumptionofthethreadtidcanbecomputedfromtheguar-anteeasfollows:E(tid)def=9t2Tid:t6=tid^G[tid:=t]AnexaminationofRprovesthatSimple(n)satis esitsthreecorrectnessproperties:1.Thethreadwithidenti ertidaccessesxonlywhenitsprogramcounterpc2f2;3;4g.EverymemberofRsatis esthepropertythatifpc2f2;3;4gthenm=tid.Therefore,itisimpossiblefortwodi erentthreadstobeatacontrollocationinf2;3;4gsimulaneously.Consequently,thereisnoraceonthevariablex.2.EverymemberofRsatis esthepropertythatm=1whenpc=4.Therefore,theassertionatcontrollocation4holds.3.EverymemberofRsatis esthepredicatem=0)x=1,whichisthereforeaninvariantofSimple(n).ToverifytheprogramSimple(n),theassume-guaranteemodelcheckingalgo-rithmanalyzeseachthreadseparately.Whenanalyzingthreadtid,eachglobalstatestoredbythealgorithmcontainsvaluesform,x,andtheprogramcounterofthreadtid.ThealgorithmexploresO(n)statesandtransitionsforeachthread.Sincetherearenthreads,thenumberofexploredstatesandtransitionsisO(n2).Ontheotherhand,eachstatestoredbyanaivemodelcheckingalgorithmwillprovidevaluesform,x,andtheprogramcountersofallthethreads.Consequently,thenumberofstatesandtransitionsexploredareO(2n).Thus,forthisexample,theassume-guaranteemodelcheckingalgorithmprovidesexponentialsavingsinthetimeandspacerequiredforstate-spaceenumeration.Ourmodelofthemutexmisanimportantreasonforthesuccessofassume-guaranteemodelcheckingonthisexample.Althoughamutexcanbemodeledasasinglebit,wechosetomodelmasavariablewhosevalueindicatestheidenti erofthethreadthatcurrentlyholdsthemutex.Thismutexmodeliscrucialforinferringthreadguaranteesandenvironmentassumptionsthatarestrongenoughtoverifyeachthreadseparately.1.2RelatedworkWereferthereadertoourearlierpapers[FFQ02,FQS02]foradiscussionoftherelatedworkonveri cationofmultithreadedsoftwarebycompositionalreason-ingandmodelchecking.Cobleighetal.[CGP03]shareourmotivationofreducingtheannotationcostofcompositionalreasoning.Theyuseacounterexample-guidedlearningal-gorithmtoinferenvironmentassumptions,anapproachthatisverydi erentfromours.Ouralgorithmisbasedentirelyonmodelchecking;thecorrectnesspropertiesoftheprogramareveri edandappropriateenvironmentassumptionsareinferredsolelybystate-spaceenumeration. theleastsolutionRStatetothefollowinginferencerulesdescribesthesetofreachablestates.Standardmodelchecking (basicinit) R(g0;ls0)(basicstep)R(g;ls)T(t;g;ls(t);g0;l0) R(g0;ls[t:=l0]) Althoughweprovideadeclarativede nitionofRhere,itiseasilycomputedusingaworklist-basedalgorithm.HavingcomputedR,itisstraightforwardtodetermineifanyerroneousstateisreachable,i.e.,ifthereexistt,g,andlssuchthatR(g;ls)^E(t;g;ls).Unfortunately,thecomputationalcostofthisalgorithmbecomesexcessiveinthepresenceofmultiplethreads.Letn=jTidjbethenumberofthreadsandletG=jGlobalStorejandL=jLocalStorejbethesizesoftheglobalandlocalstores,respectively.ThenthesizeofRisG:Ln.Furthermore,foreachentryinRtheremayben:G:Lapplicationsof(basicstep).HencethetimecomplexityofthisalgorithmisO(n:G2:Ln+1).2.2Assume-guaranteemodelcheckingThecomplexityofstandardmodelcheckingisexponentialinthenumberofthreads,sinceitexplicitlycorrelatesthelocalstates(andprogramcounters)ofallthevariousthreads.However,sincethethreadsinmostsoftwaresystemsarepredominantlyloosely-coupled,thiscorrelationislargelyredundant.Assume-guaranteemodelcheckingprovidesameanstoavoidthisredundancy.Underassume-guaranteemodelchecking,eachthreadischeckedseparately,usingtheguaranteesthatabstractthebehaviorofinterleavedstepsofotherthreads.Thealgorithmworksbycomputingtworelations:R,whichspeci esthereachablestatesofeachthread,andG,whichistheguaranteeofeachthread.Thus,theguaranteeisinferredautomaticallyduringthemodelcheckingprocess.RTidGlobalStoreLocalStoreGTidGlobalStoreGlobalStoreTherelationR(t;g;l)holdsifthesystemcanreachastatewithglobalstoregandwherethethreadthaslocalstorel.Similarly,G(t;g;g0)holdsifastepbythreadtcangofromareachablestatewithglobalstoregtoastatewithglobalstoreg0.Whilemodelcheckingathreadwithidenti erdi erentfromt,weknowthatwhenevertheglobalstoreisgandG(t;g;g0)holds,aninterleavedstepofthreadtcanchangetheglobalstoretog0.TherelationsRandGarede nedastheleastsolutiontothefollowingrules. TherelationTmodelsthreadstepsthatdonotmanipulatethestack.Therela-tionT(t;g;l;g0;l0)holdsifthethreadtcantakeastepfromastatewithglobalandlocalstoresgandl,respectively,yielding(possiblymodi ed)storesg0andl0,andwherethestackisnotaccessedorupdatedduringthisstep.TherelationT+(t;g;l;l0;f)modelsstepsofthreadtthatpushaframeontothestack.Theglobalandlocalstoresareinitiallygandl,theglobalstoreisunmodi edduringthisstep,thelocalstoreisupdatedtol0,andtheframefispushedontothestack.Similarly,therelationT�(t;g;l;f;l0)modelsstepsofthreadtthatpopaframefromthestack.Theglobalandlocalstoresareinitiallygandlandtheframefisinitiallyontopofthestack.Afterthestep,theglobalstoreisunmodi ed,thelocalstoreisupdatedtol0,andtheframefhasbeenpoppedfromthestack.Weassumethatallstacksareemptyintheinitialstate,andletss0mapeachthreadidenti ertotheemptystack.Thesetofreachablestatesisthende nedbytheleastrelationRStatesatisfyingthefollowingrules.BasicPDAmodelchecking (basicpdainit) R(g0;ls0;ss0)(basicpdastep)R(g;ls;ss)T(t;g;ls(t);g0;l0) R(g0;ls[t:=l0];ss)(basicpdapush)R(g;ls;ss)T+(t;g;ls(t);l0;f) R(g0;ls[t:=l0];ss[t:=ss(t):f])(basicpdapop)R(g;ls;ss)ss(t)=s:fT�(t;g;ls(t);f;l0) R(g;ls[t:=l0];ss[t:=s]) Sincethestacksizesareunbounded,thesetofreachablestatesmayalsobeunbounded.Consequently,anyalgorithmtocomputeRmaydiverge.Infact,themodelcheckingproblemforconcurrentpushdownsystemsisundecidable,aresultthatcanbeprovedbyreductionfromtheundecidableproblemofdeter-miningiftheintersectionoftwocontext-freelanguagesisempty[Ram00].3.1Assume-guaranteemodelcheckingAlthoughsoundandcompletemodelcheckingofconcurrentpushdownsystemsisundecidable,assume-guaranteereasoningallowsustomodelchecksuchsys-temsanaconservativeyetusefulmanner.Again,wemodelcheckeachthreadseparately,usingtheguaranteestoreasonaboutthee ectofinterleavedstepsofotherthreads.ThealgorithmworksbycomputingtheguaranteerelationGandthereachabilityrelationsPandQ.GTidGlobalStoreGlobalStorePTidGlobalStoreLocalStoreGlobalStoreLocalStoreQTidGlobalStoreLocalStoreFrameGlobalStoreLocalStoreTheguaranteeG(t;g;g0)holdsifastepbythreadtcangofromareachablestateswithglobalstoregtoastatewithglobalstoreg0.ThereachabilityrelationP(t;g;l;g0;l0)holdsif(1)thesystemcanreachastatewithglobalstoregand 4DiscussionWehavepresentedanewtechniquecalledassume-guaranteemodelcheckingforverifyingmultithreadedsoftwaresystems.Althoughincompleteforgeneralsystems,thistechniqueisparticularlye ectiveforloosely-coupledmultithreadedsoftwarewherethethevariousthreadssynchronizeusingprimitivessuchasmutexes,readers-writerlocks,etc.Ifthesynchronizationprimitivesaremodeledwithappropriateauxiliaryinformation,thesesystemscanbeveri edonethreadatatime.Realisticsoftwaresystemsoftenhavedynamicthreadcreationthatmayleadtounboundednumberofthreads.Thisaspectofmultithreadedsoftwareiscur-rentlynothandledbyouralgorithm.However,thesetofthreadidentifers,evenifin nite,isascalarsettype[ID96].Consequently,thesesystemsareamenabletosymmetryreductionwhichweplantoexploitinfuturework.Theassume-guaranteemodelcheckingalgorithmconstructsaparticularab-stractionofmultithreadedsoftwareusingenvironmentassumptions.However,theabstractionmightbetoocoarsetoverifytherelevantcorrectnessproperty.Ifthealgorithmreportsanerror,wewouldlikeanecientproceduretocheckwhethertheviolationisrealorintroducedduetotheabstractionprocess.Inthesecondcase,wewouldliketoautomaticallyre netheenvironmentassump-tionsbypossiblyexplicatingsomeaspectoftheprogramcountersoftheotherthreadsintheenvironment.Afterthere nement,themodelcheckingalgorithmcanberepeated.Thus,theassume-guaranteemodelcheckingalgorithmmaybeconvertedtoasemi-algorithmthatissoundandalsocompleteontermination.References[BET03]A.Bouajjani,J.Esparza,andT.Touili.Agenericapproachtothestaticanalysisofconcurrentprogramswithprocedures.InPOPL03:PrinciplesofProgrammingLanguages,2003.toappear.[CE81]E.M.ClarkeandE.A.Emerson.Designandsynthesisofsynchronizationskeletonsusingbranching-timetemporallogic.InWorkshoponLogicofPro-grams,LectureNotesinComputerScience131,pages52{71.Springer-Verlag,1981.[CGP03]J.M.Cobleigh,D.Giannakopoulou,andC.S.Pasareanu.Learningassump-tionsforcompositionalveri cation.InTACAS03:ToolsandAlgorithmsfortheConstructionandAnalysisofSystems,2003.toappear.[FFQ02]C.Flanagan,S.N.Freund,andS.Qadeer.Thread-modularveri cationforshared-memoryprograms.InESOP02:EuropeanSymposiumonProgram-ming,LectureNotesinComputerScience2305,pages262{277,2002.[FQS02]C.Flanagan,S.Qadeer,andS.Seshia.Amodularcheckerformultithreadedprograms.InCAV02:ComputerAidedVeri cation,LectureNotesinCom-puterScience2404,pages180{194,2002.[HU79]J.E.HopcroftandJ.D.Ullman.IntroductiontoAutomataTheory,Languages,andComputation.Addison-WesleyPublishingCompany,1979.[ID96]C.N.IpandD.L.Dill.Betterveri cationthroughsymmetry.FormalMethodsinSystemDesign,9(1{2):41{75,1996.

Related Contents


Why do Nigerian Scammers Say They are from Nigeria Cormac Herley Microsoft Research One
Why do Nigerian Scammers Say They are from Nigeria Cormac Herley Microsoft Research One PDF document
627 views
Why do Nigerian Scammers Say They are from Nigeria Cormac Herley Microsoft Research One
Why do Nigerian Scammers Say They are from Nigeria Cormac Herley Microsoft Research One PDF document
540 views
So Long And No Thanks for the Externalities The Rational Rejection of Security Advice
So Long And No Thanks for the Externalities The Rational Rejection of Security Advice PDF document
513 views
tdD Cormac Herley Microsoft Research Redmond ow do so
tdD Cormac Herley Microsoft Research Redmond ow do so PDF document
460 views
Reconsidering Wireless Systems with Multiple Radios Paramvir Bahl Atul Adya Jitendra Padhye
Reconsidering Wireless Systems with Multiple Radios Paramvir Bahl Atul Adya Jitendra Padhye PDF document
582 views
Courteous Glass Jaeyeon Jung Microsoft Research One Microsoft Way Redmond WA USA jjungmicrosoft
Courteous Glass Jaeyeon Jung Microsoft Research One Microsoft Way Redmond WA USA jjungmicrosoft PDF document
538 views
MultipleInstance Pruning For Learning Efcient Cascade Detectors Cha Zhang and Paul Viola
MultipleInstance Pruning For Learning Efcient Cascade Detectors Cha Zhang and Paul Viola PDF document
730 views
Automated Selection of Materialized Views and Indexes for SQL Databases Sanjay Agrawal
Automated Selection of Materialized Views and Indexes for SQL Databases Sanjay Agrawal PDF document
662 views
Discriminative Features via Generalized Eigenvectors Nikos Karampatziakis NIKOSK MICROSOFT
Discriminative Features via Generalized Eigenvectors Nikos Karampatziakis NIKOSK MICROSOFT PDF document
673 views
Password Portfolios and the FiniteEffort User Sustainably Managing Large Numbers of Accounts
Password Portfolios and the FiniteEffort User Sustainably Managing Large Numbers of Accounts PDF document
541 views
Crosstalk Cascades for FrameRate Pedestrian Detection Piotr Dollar Ron Appel Wolf Kienzle
Crosstalk Cascades for FrameRate Pedestrian Detection Piotr Dollar Ron Appel Wolf Kienzle PDF document
582 views
Spacetime Constraints Andrew Witkin Michael Kass Schlumberger Palo Alto Research Hillview
Spacetime Constraints Andrew Witkin Michael Kass Schlumberger Palo Alto Research Hillview PDF document
565 views
Next Show more