AssumeGuarantee Model Checking Cormac Flanagan and Shaz Qadeer Systems Research Center HP Labs Page Mill Road Palo Alto CA Microsoft Research One Microsoft Way Redmond WA Abstract - PDF document

Presentation on theme: "AssumeGuarantee Model Checking Cormac Flanagan and Shaz Qadeer Systems Research Center HP Labs Page Mill Road Palo Alto CA Microsoft Research One Microsoft Way Redmond WA Abstract"— Presentation transcript

threadseparatelyusinganenvironmentassumptiontomodelinterleavedstepsoftheotherthreads.Theenvironmentassumptionofeachthreadisabinaryrelationoverthesetofglobalstores,andincludesallglobalstoreupdatesthatmaybeperformedbyotherthreads.Inearlierwork,weextendedtheassume-guaranteeproofruleofJonesandimplementeditintheCalvinchecker[FFQ02,FQS02]formultithreadedJavaprograms.OurexperienceusingCalvinindicatesthatthethreadsinmostsoft-waresystemsareloosely-coupled,i.e.,thereislittlecorrelationamongthelocalstatesofthevariousthreads,andassume-guaranteereasoningissucientlypow-erfultoverifythesesystems.However,asignicantcostofusingCalvinisthattheprogrammerisrequiredtoprovidetheappropriateenvironmentassumption.Theassume-guaranteemodelcheckingtechniqueinthispaperavoidsthiscostbyautomaticallyinferringtheseenvironmentassumptions.Assume-guaranteemodelcheckinginferstheenvironmentassumptionforeachthreadbyrstinferingaguaranteeforeachthread,whichmodelsallglobalstoreupdatesperformedbythatthread.Theenvironmentassumptionofathreadisthenthedisjunctionoftheguaranteesofalltheotherthreads.Theguaranteeofeachthreadisinitiallytheemptyrelation,andisiterativelyextendedduringthemodelcheckingprocess.Eachthreadisveriedusingthestandardalgorithmformodelcheckingasequentialpushdownsystemexceptthatateachcontrolpointofthethread,theglobalstateisallowedtomutateaccordingtotheguar-anteesoftheotherthreads.Inaddition,wheneverathreadmodiestheglobalstore,thattransitionontheglobalstatesisaddedtothatthread'sguarantee.Theiterationcontinuesuntilthereachablestatespaceandguaranteeofeachthreadconverges.ThecomplexityofthisprocedureisO(n:G3:L3:F),wherenisthenumberofthreads,Fisthenumberofstacksymbols,Gisthesizeoftheglobalstore,andListhesizeoflocalstoreperthread.Evenifthethreadsdonothaveastackandareconsequentlynite-state,assume-guaranteemodelcheckingoerssignicantsavingsoverstandardmodelchecking.Thenaivemodelcheckingalgorithmexplicitlymodelstheprogramcountersofallthreads.Therefore,itexploresallinterleavingsofthevariousthreadsanditscomplexityisexponentialinthenumberofthreads.However,assume-guaranteemodelcheckingverieseachthreadseparatelyanditscom-plexityO(n:G2:L:(n+L))issignicantlybetterthanthatofthenaivealgorithm.1.1ExampleToillustratethebenetsofassume-guaranteemodelchecking,weconsideritsapplicationtoasimplemultithreadedprogram.ThemultithreadedprogramSimple(n)hasnthreadswhichareconcurrentlyexecutingtheprocedurep.EachthreadisidentiedbyuniqueintegervaluefromthesetTid=f1;:::;ng.Thesethreadsmanipulateasharedintegervariablexinitializedto1.Thevariablexisprotectedbyamutexm,whichiseitherthe(non-zero)identierofthethreadholdingthelock,orelse0,ifthelockisnotheldbyanythread.Thus,thetypeMutex=f0g[Tid.Themutexmismanipulatedbytwooperations,acquireandrelease.Theoperationacquireblocksuntilm=0andthenatomically Theenvironmentassumptionofthethreadtidcanbecomputedfromtheguar-anteeasfollows:E(tid)def=9t2Tid:t6=tid^G[tid:=t]AnexaminationofRprovesthatSimple(n)satisesitsthreecorrectnessproperties:1.Thethreadwithidentiertidaccessesxonlywhenitsprogramcounterpc2f2;3;4g.EverymemberofRsatisesthepropertythatifpc2f2;3;4gthenm=tid.Therefore,itisimpossiblefortwodierentthreadstobeatacontrollocationinf2;3;4gsimulaneously.Consequently,thereisnoraceonthevariablex.2.EverymemberofRsatisesthepropertythatm=1whenpc=4.Therefore,theassertionatcontrollocation4holds.3.EverymemberofRsatisesthepredicatem=0)x=1,whichisthereforeaninvariantofSimple(n).ToverifytheprogramSimple(n),theassume-guaranteemodelcheckingalgo-rithmanalyzeseachthreadseparately.Whenanalyzingthreadtid,eachglobalstatestoredbythealgorithmcontainsvaluesform,x,andtheprogramcounterofthreadtid.ThealgorithmexploresO(n)statesandtransitionsforeachthread.Sincetherearenthreads,thenumberofexploredstatesandtransitionsisO(n2).Ontheotherhand,eachstatestoredbyanaivemodelcheckingalgorithmwillprovidevaluesform,x,andtheprogramcountersofallthethreads.Consequently,thenumberofstatesandtransitionsexploredareO(2n).Thus,forthisexample,theassume-guaranteemodelcheckingalgorithmprovidesexponentialsavingsinthetimeandspacerequiredforstate-spaceenumeration.Ourmodelofthemutexmisanimportantreasonforthesuccessofassume-guaranteemodelcheckingonthisexample.Althoughamutexcanbemodeledasasinglebit,wechosetomodelmasavariablewhosevalueindicatestheidentierofthethreadthatcurrentlyholdsthemutex.Thismutexmodeliscrucialforinferringthreadguaranteesandenvironmentassumptionsthatarestrongenoughtoverifyeachthreadseparately.1.2RelatedworkWereferthereadertoourearlierpapers[FFQ02,FQS02]foradiscussionoftherelatedworkonvericationofmultithreadedsoftwarebycompositionalreason-ingandmodelchecking.Cobleighetal.[CGP03]shareourmotivationofreducingtheannotationcostofcompositionalreasoning.Theyuseacounterexample-guidedlearningal-gorithmtoinferenvironmentassumptions,anapproachthatisverydierentfromours.Ouralgorithmisbasedentirelyonmodelchecking;thecorrectnesspropertiesoftheprogramareveriedandappropriateenvironmentassumptionsareinferredsolelybystate-spaceenumeration. theleastsolutionRStatetothefollowinginferencerulesdescribesthesetofreachablestates.Standardmodelchecking (basicinit) R(g0;ls0)(basicstep)R(g;ls)T(t;g;ls(t);g0;l0) R(g0;ls[t:=l0]) AlthoughweprovideadeclarativedenitionofRhere,itiseasilycomputedusingaworklist-basedalgorithm.HavingcomputedR,itisstraightforwardtodetermineifanyerroneousstateisreachable,i.e.,ifthereexistt,g,andlssuchthatR(g;ls)^E(t;g;ls).Unfortunately,thecomputationalcostofthisalgorithmbecomesexcessiveinthepresenceofmultiplethreads.Letn=jTidjbethenumberofthreadsandletG=jGlobalStorejandL=jLocalStorejbethesizesoftheglobalandlocalstores,respectively.ThenthesizeofRisG:Ln.Furthermore,foreachentryinRtheremayben:G:Lapplicationsof(basicstep).HencethetimecomplexityofthisalgorithmisO(n:G2:Ln+1).2.2Assume-guaranteemodelcheckingThecomplexityofstandardmodelcheckingisexponentialinthenumberofthreads,sinceitexplicitlycorrelatesthelocalstates(andprogramcounters)ofallthevariousthreads.However,sincethethreadsinmostsoftwaresystemsarepredominantlyloosely-coupled,thiscorrelationislargelyredundant.Assume-guaranteemodelcheckingprovidesameanstoavoidthisredundancy.Underassume-guaranteemodelchecking,eachthreadischeckedseparately,usingtheguaranteesthatabstractthebehaviorofinterleavedstepsofotherthreads.Thealgorithmworksbycomputingtworelations:R,whichspeciesthereachablestatesofeachthread,andG,whichistheguaranteeofeachthread.Thus,theguaranteeisinferredautomaticallyduringthemodelcheckingprocess.RTidGlobalStoreLocalStoreGTidGlobalStoreGlobalStoreTherelationR(t;g;l)holdsifthesystemcanreachastatewithglobalstoregandwherethethreadthaslocalstorel.Similarly,G(t;g;g0)holdsifastepbythreadtcangofromareachablestatewithglobalstoregtoastatewithglobalstoreg0.Whilemodelcheckingathreadwithidentierdierentfromt,weknowthatwhenevertheglobalstoreisgandG(t;g;g0)holds,aninterleavedstepofthreadtcanchangetheglobalstoretog0.TherelationsRandGaredenedastheleastsolutiontothefollowingrules. TherelationTmodelsthreadstepsthatdonotmanipulatethestack.Therela-tionT(t;g;l;g0;l0)holdsifthethreadtcantakeastepfromastatewithglobalandlocalstoresgandl,respectively,yielding(possiblymodied)storesg0andl0,andwherethestackisnotaccessedorupdatedduringthisstep.TherelationT+(t;g;l;l0;f)modelsstepsofthreadtthatpushaframeontothestack.Theglobalandlocalstoresareinitiallygandl,theglobalstoreisunmodiedduringthisstep,thelocalstoreisupdatedtol0,andtheframefispushedontothestack.Similarly,therelationT�(t;g;l;f;l0)modelsstepsofthreadtthatpopaframefromthestack.Theglobalandlocalstoresareinitiallygandlandtheframefisinitiallyontopofthestack.Afterthestep,theglobalstoreisunmodied,thelocalstoreisupdatedtol0,andtheframefhasbeenpoppedfromthestack.Weassumethatallstacksareemptyintheinitialstate,andletss0mapeachthreadidentiertotheemptystack.ThesetofreachablestatesisthendenedbytheleastrelationRStatesatisfyingthefollowingrules.BasicPDAmodelchecking (basicpdainit) R(g0;ls0;ss0)(basicpdastep)R(g;ls;ss)T(t;g;ls(t);g0;l0) R(g0;ls[t:=l0];ss)(basicpdapush)R(g;ls;ss)T+(t;g;ls(t);l0;f) R(g0;ls[t:=l0];ss[t:=ss(t):f])(basicpdapop)R(g;ls;ss)ss(t)=s:fT�(t;g;ls(t);f;l0) R(g;ls[t:=l0];ss[t:=s]) Sincethestacksizesareunbounded,thesetofreachablestatesmayalsobeunbounded.Consequently,anyalgorithmtocomputeRmaydiverge.Infact,themodelcheckingproblemforconcurrentpushdownsystemsisundecidable,aresultthatcanbeprovedbyreductionfromtheundecidableproblemofdeter-miningiftheintersectionoftwocontext-freelanguagesisempty[Ram00].3.1Assume-guaranteemodelcheckingAlthoughsoundandcompletemodelcheckingofconcurrentpushdownsystemsisundecidable,assume-guaranteereasoningallowsustomodelchecksuchsys-temsanaconservativeyetusefulmanner.Again,wemodelcheckeachthreadseparately,usingtheguaranteestoreasonabouttheeectofinterleavedstepsofotherthreads.ThealgorithmworksbycomputingtheguaranteerelationGandthereachabilityrelationsPandQ.GTidGlobalStoreGlobalStorePTidGlobalStoreLocalStoreGlobalStoreLocalStoreQTidGlobalStoreLocalStoreFrameGlobalStoreLocalStoreTheguaranteeG(t;g;g0)holdsifastepbythreadtcangofromareachablestateswithglobalstoregtoastatewithglobalstoreg0.ThereachabilityrelationP(t;g;l;g0;l0)holdsif(1)thesystemcanreachastatewithglobalstoregand 4DiscussionWehavepresentedanewtechniquecalledassume-guaranteemodelcheckingforverifyingmultithreadedsoftwaresystems.Althoughincompleteforgeneralsystems,thistechniqueisparticularlyeectiveforloosely-coupledmultithreadedsoftwarewherethethevariousthreadssynchronizeusingprimitivessuchasmutexes,readers-writerlocks,etc.Ifthesynchronizationprimitivesaremodeledwithappropriateauxiliaryinformation,thesesystemscanbeveriedonethreadatatime.Realisticsoftwaresystemsoftenhavedynamicthreadcreationthatmayleadtounboundednumberofthreads.Thisaspectofmultithreadedsoftwareiscur-rentlynothandledbyouralgorithm.However,thesetofthreadidentifers,evenifinnite,isascalarsettype[ID96].Consequently,thesesystemsareamenabletosymmetryreductionwhichweplantoexploitinfuturework.Theassume-guaranteemodelcheckingalgorithmconstructsaparticularab-stractionofmultithreadedsoftwareusingenvironmentassumptions.However,theabstractionmightbetoocoarsetoverifytherelevantcorrectnessproperty.Ifthealgorithmreportsanerror,wewouldlikeanecientproceduretocheckwhethertheviolationisrealorintroducedduetotheabstractionprocess.Inthesecondcase,wewouldliketoautomaticallyrenetheenvironmentassump-tionsbypossiblyexplicatingsomeaspectoftheprogramcountersoftheotherthreadsintheenvironment.Aftertherenement,themodelcheckingalgorithmcanberepeated.Thus,theassume-guaranteemodelcheckingalgorithmmaybeconvertedtoasemi-algorithmthatissoundandalsocompleteontermination.References[BET03]A.Bouajjani,J.Esparza,andT.Touili.Agenericapproachtothestaticanalysisofconcurrentprogramswithprocedures.InPOPL03:PrinciplesofProgrammingLanguages,2003.toappear.[CE81]E.M.ClarkeandE.A.Emerson.Designandsynthesisofsynchronizationskeletonsusingbranching-timetemporallogic.InWorkshoponLogicofPro-grams,LectureNotesinComputerScience131,pages52{71.Springer-Verlag,1981.[CGP03]J.M.Cobleigh,D.Giannakopoulou,andC.S.Pasareanu.Learningassump-tionsforcompositionalverication.InTACAS03:ToolsandAlgorithmsfortheConstructionandAnalysisofSystems,2003.toappear.[FFQ02]C.Flanagan,S.N.Freund,andS.Qadeer.Thread-modularvericationforshared-memoryprograms.InESOP02:EuropeanSymposiumonProgram-ming,LectureNotesinComputerScience2305,pages262{277,2002.[FQS02]C.Flanagan,S.Qadeer,andS.Seshia.Amodularcheckerformultithreadedprograms.InCAV02:ComputerAidedVerication,LectureNotesinCom-puterScience2404,pages180{194,2002.[HU79]J.E.HopcroftandJ.D.Ullman.IntroductiontoAutomataTheory,Languages,andComputation.Addison-WesleyPublishingCompany,1979.[ID96]C.N.IpandD.L.Dill.Bettervericationthroughsymmetry.FormalMethodsinSystemDesign,9(1{2):41{75,1996.