
Model Checking of Concurrent Software: Current Projects


Presentation Transcript


  1. Model Checking of Concurrent Software: Current Projects. Thomas Reps, University of Wisconsin

  2. Projects and Personnel • University of Wisconsin • Anne Mulhern • Alexey Loginov • Tel-Aviv University • Prof. Mooly Sagiv • Eran Yahav • Noam Rinetzky • Greta Yorsh • University of Saarbrücken • Prof. Reinhard Wilhelm

  3. Verifying Behavioral Subtyping (Anne Mulhern) • Inheritance of code vs. inheritance of behavior • Liskov Substitution Principle: for every object x’ of type t’ there is an object x of type t such that, for all programs P defined in terms of t, the behavior of P is unchanged when x’ is substituted for x. [Liskov 1988] • Not enforced by compilers • Goal: build a tool that provides some amount of checking

  4. Why? Two classes that are structurally alike but unrelated by declared inheritance:

```cpp
class FooNode {
    FooNode *next;
    // ... many data members ...
};

class Foo {
    FooNode *first;
    FooNode *last;
    void AppendElmt(Datum);
    // ... many members ...
};

class ListNode {
    ListNode *next;
};

class List {
    ListNode *first;
    ListNode *last;
    void AddToEnd();
};
```

? (Is Foo a behavioral subtype of List, even though nothing in the code says so?)

  5. Abstraction Refinement for TVLA/TVMC (Alexey Loginov) • Identify additional abstraction predicates • Nullary? Unary? • Both can be used to refine an abstraction • Need to be able to automatically create update formulas • Finite differencing of formulas [Reps, Sagiv] • Semantic minimization of formulas

  6. Semantic Minimization • $\varphi(A)$: value of formula $\varphi$ in assignment $A$ • In 3-valued logic, $\varphi(A)$ may equal $\tfrac12$: $(p + p')([p \mapsto 0]) = 1$, $(p + p')([p \mapsto \tfrac12]) = \tfrac12$, $(p + p')([p \mapsto 1]) = 1$

  7.–10. Two- vs. Three-Valued Logic (figure, four build-up slides): two-valued logic has the values 0 and 1. Three-valued logic adds a third value ½ that stands for the set {0,1}, just as 0 stands for {0} and 1 for {1}; in the information order, 0 ⊑ ½ and 1 ⊑ ½.

  11. Three-Valued Logic • 1: True • 0: False • ½: Unknown • Information order ⊑ (0 ⊑ ½, 1 ⊑ ½): a join semi-lattice with 0 ⊔ 1 = ½

  12. Boolean Connectives [Kleene]


  14. Semantic Minimization • $\varphi(A)$: value of formula $\varphi$ in assignment $A$ • In 3-valued logic, $\varphi(A)$ may equal $\tfrac12$: $(p + p')([p \mapsto 0]) = 1$, $(p + p')([p \mapsto \tfrac12]) = \tfrac12$, $(p + p')([p \mapsto 1]) = 1$ • However, $1([p \mapsto 0]) = 1$, $1([p \mapsto \tfrac12]) = 1$, $1([p \mapsto 1]) = 1$

  15. 1([p 0]) = 1 = p + p’([p 0]) 1([p ½]) = 1  ½ = p + p’([p ½]) 1([p 1]) = 1 = p + p’([p 1]) Semantic Minimization 2-valued logic: 1 is equivalent to p + p’ 3-valued logic: 1 is better thanp + p’ For a given , is there a best formula? Yes!

  16. Semantic Minimization • Input: propositional formula $\varphi$ • Output: propositional formula $\psi$ such that, for all 3-valued assignments $A$, $\psi(A) = \bigsqcup_{a \sqsubseteq A,\ a\ \text{definite}} \varphi(a)$ • By the monotonicity of $\varphi(\cdot)$, $\psi(A) = \bigsqcup_{a \sqsubseteq A,\ a\ \text{definite}} \varphi(a) \sqsubseteq \varphi(A)$

  17. A(A) (A) [x ½, y 0, z 0] 1 ½ [x 0, y 1, z ½] 1 ½ [x 1, y ½, z 1] 1 ½ Example Original formula () xy’+ x’z’+ yz (Note:  is an irredundant sum of products) Minimal formula () y’z’+ yz + x’z’+ x’y + xz + xy’  (x’y’z + xyz’) For which A’s do we have (A)  (A)?

  18. TVMC: A 3-Valued Model Checker (Eran Yahav) • Programming-language features • concurrency • unbounded #’s of threads • pointers/aliasing • unbounded #’s of heap-allocated cells • Properties to be checked • FOLTL (LTL + quantification) • Safety properties • Liveness properties (at least some forms . . .)

  19. Java Threads Are Heap-Allocated Objects: Thread Analysis as Shape Analysis • A memory configuration (figure): thread objects thread1, thread2 and thread4 satisfy atStart, thread3 satisfies inCritical; each thread’s csLock field points to lock1, which satisfies isAcquired and whose heldBy edge points to thread3.

  20. Java Threads Are Heap-Allocated Objects: Thread Analysis as Shape Analysis • An abstract memory configuration (figure): a summary node thread (atStart) standing for all threads that have not entered, a node thread’ (inCritical), lock1 (isAcquired) with heldBy pointing to thread’, and csLock edges from both thread nodes to lock1.

  21. Java Threads Are Heap-Allocated Objects: Thread Analysis as Shape Analysis • Here, model checking means: explore the space of possible transitions among abstract memory configurations
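As an added illustration of slides 19–21 (this is example code, not TVMC or TVLA), the script below explores the transitions among abstract configurations of an unbounded number of threads competing for one lock. Instead of canonical abstraction over the heap it uses a simpler counter abstraction: for each program point it records 0, 1 or MANY threads, where MANY plays the role of the summary node `thread` in slide 20, and moving one thread out of a MANY class is the materialization step (it may leave 1 or MANY behind). The two protocols, the program-point names `atStart`, `sawFree`, `inCritical`, and the lock encoding are this example's assumptions; the safety property checked is mutual exclusion (never two threads inCritical).

```python
"""Explicit-state exploration of abstract thread/lock configurations.

Added example, not TVMC code.  A configuration is (lock_acquired, counts)
where counts maps each program point to 0, 1 or MANY threads.  MANY is the
summary-node count ("two or more"), so the state space stays finite for any
number of threads and the exploration over-approximates the concrete one.
"""
from collections import deque

MANY = 2

# A protocol is a list of thread transitions (src_pc, dst_pc, guard, effect):
#   guard : required lock state before the step (None = no condition)
#   effect: lock state after the step (None = unchanged)
ATOMIC_LOCK = [
    ('atStart', 'inCritical', False, True),  # test-and-set in one atomic step
    ('inCritical', 'atStart', None, False),  # release
]
NON_ATOMIC_LOCK = [
    ('atStart', 'sawFree', False, None),     # read "lock is free" ...
    ('sawFree', 'inCritical', None, True),   # ... then set it in a separate step
    ('inCritical', 'atStart', None, False),  # release
]


def pcs(protocol):
    """Program points of a protocol, in order of first appearance."""
    seen = []
    for src, dst, _, _ in protocol:
        for pc in (src, dst):
            if pc not in seen:
                seen.append(pc)
    return seen


def freeze(counts):
    return tuple(sorted(counts.items()))


def successors(state, protocol):
    """Abstract successors: one thread takes one enabled protocol step."""
    acquired, frozen = state
    counts = dict(frozen)
    for src, dst, guard, effect in protocol:
        if counts[src] == 0 or (guard is not None and acquired != guard):
            continue
        new_lock = acquired if effect is None else effect
        # Materialization: taking one thread out of a summary class of MANY
        # may leave exactly one thread or still many; out of a class of 1, none.
        leftovers = (0,) if counts[src] == 1 else (1, MANY)
        for left in leftovers:
            c = dict(counts)
            c[src] = left
            c[dst] = min(c[dst] + 1, MANY)
            yield (new_lock, freeze(c))


def trace(parent, s):
    path = []
    while s is not None:
        path.append(s)
        s = parent[s]
    return path[::-1]


def model_check(protocol):
    """BFS over abstract configurations from 'many threads atStart, lock free'.

    Returns (safe, number_of_states_visited, counterexample_trace_or_None);
    a violation is any configuration with MANY threads inCritical.
    """
    init = (False, freeze({pc: (MANY if pc == 'atStart' else 0) for pc in pcs(protocol)}))
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if dict(s[1])['inCritical'] >= MANY:
            return False, len(parent), trace(parent, s)
        for t in successors(s, protocol):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return True, len(parent), None


if __name__ == '__main__':
    for name, proto in (('atomic', ATOMIC_LOCK), ('non-atomic', NON_ATOMIC_LOCK)):
        safe, n, cex = model_check(proto)
        print(f'{name}: safe={safe} states={n}')
        for step in cex or []:
            print('   ', step)
```

The atomic protocol closes after three abstract configurations (including the one pictured on slide 20: lock acquired, one thread inCritical, many atStart). The non-atomic one yields a five-configuration counterexample in which two threads both observe the free lock before either sets it, which is the race a model checker over summary nodes can report without fixing the thread count in advance.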

  22. Analysis of ADTs (Noam Rinetzky) • Analysis of ADTs (classes) and their clients • Objects summarized by finite-state machines obtained via shape analysis • Example: class Queue • Four states of a Queue object: • Not allocated • Empty • Non-empty • Error

  23. Analysis of Trees (Greta Yorsh) • Shape analysis of tree-manipulation programs • Binary-search-tree operations • Deutsch-Schorr-Waite tree traversal without a stack • Challenges • Garbage-collection marking algorithm that uses Deutsch-Schorr-Waite graph traversal (DSW tree traversal of the depth-first-search tree) • Barnes-Hut: uses an oct-tree with chained leaves • Improved materialization algorithm for TVLA
