Model Checking of Concurrent Software:
Current Projects
Thomas Reps
University of Wisconsin
Projects and Personnel
• University of Wisconsin
  – Anne Mulhern
  – Alexey Loginov
• Tel-Aviv University
  – Prof. Mooly Sagiv
  – Eran Yahav
  – Noam Rinetzky
  – Greta Yorsh
• University of Saarbrücken
  – Prof. Reinhard Wilhelm
Verifying Behavioral Subtyping
Anne Mulhern
• Inheritance of code vs. inheritance of behavior
• Liskov Substitution Principle:
  For every object x’ of type t’ there is an object x of type t, such that for all programs P defined in terms of t, the behavior of P is unchanged when x’ is substituted for x. [Liskov 1988]
• Not enforced by compilers
• Goal: Build a tool that provides some amount of checking
Why?
  class FooNode {
    FooNode next;
    . . . many data members . . .
  };
  class Foo {
    FooNode first;
    FooNode last;
    AppendElmt(Datum);
    . . . many members . . .
  };

  class ListNode {
    ListNode next;
  };
  class List {
    ListNode first;
    ListNode last;
    AddToEnd();
  };
?
Abstraction Refinement for TVLA/TVMC
Alexey Loginov
• Identify additional abstraction predicates
  – Nullary? Unary?
  – Both can be used to refine an abstraction
• Need to be able to automatically create update formulas
  – Finite differencing of formulas [Reps, Sagiv]
• Semantic minimization of formulas
Semantic Minimization
• (A): Value of the formula in assignment A
• In 3-valued logic, (A) may equal ½:
  (p + p’)([p = 0]) = 1
  (p + p’)([p = ½]) = ½
  (p + p’)([p = 1]) = 1
Two- vs. Three-Valued Logic
Two-valued logic: the values 0 and 1, i.e., the singleton sets {0} and {1}.
Three-valued logic: adds the value {0,1} (either 0 or 1), which sits above both {0} and {1}.

Two-valued conjunction and disjunction:
        1  0            1  0
    1   1  0        1   1  1
    0   0  0        0   1  0

Three-valued conjunction (set notation):
            {1}     {0,1}   {0}
    {1}     {1}     {0,1}   {0}
    {0,1}   {0,1}   {0,1}   {0}
    {0}     {0}     {0}     {0}

Three-valued disjunction (set notation):
            {1}     {0,1}   {0}
    {1}     {1}     {1}     {1}
    {0,1}   {1}     {0,1}   {0,1}
    {0}     {1}     {0,1}   {0}
The value {0,1} is written ½, so three-valued logic has the values 0, ½ and 1.
Three-Valued Logic
• 1: True
• 0: False
• 1/2: Unknown
• A join semi-lattice (the information order): the join of 0 and 1 is 1/2
Boolean Connectives [Kleene]
Conjunction:
          0     1/2   1
    0     0     0     0
    1/2   0     1/2   1/2
    1     0     1/2   1

Disjunction:
          0     1/2   1
    0     0     1/2   1
    1/2   1/2   1/2   1
    1     1     1     1
• However, for the constant formula 1:
  1([p = 0]) = 1
  1([p = ½]) = 1
  1([p = 1]) = 1
Semantic Minimization
  1([p = 0]) = 1 = (p + p’)([p = 0])
  1([p = ½]) = 1, which is more precise than ½ = (p + p’)([p = ½])
  1([p = 1]) = 1 = (p + p’)([p = 1])
2-valued logic: 1 is equivalent to p + p’
3-valued logic: 1 is better than p + p’
For a given formula, is there a best formula? Yes!
Semantic Minimization
Input: a propositional formula
Output: a propositional formula such that, for all 3-valued assignments A,
  (value of the output formula on A) = join, over all definite assignments a in A, of (value of the input formula on a)
By the monotonicity of the input formula in the information order,
  (value of the output formula on A) = that join, which is at least as precise as (value of the input formula on A)
Example
Original formula: xy’ + x’z’ + yz (Note: this is an irredundant sum of products)
Minimal formula: y’z’ + yz + x’z’ + x’y + xz + xy’ (x’y’z + xyz’)
For which A’s do the two formulas have different values?
  A                        minimal formula   original formula
  [x = ½, y = 0, z = 0]    1                 ½
  [x = 0, y = 1, z = ½]    1                 ½
  [x = 1, y = ½, z = 1]    1                 ½
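The Kleene connectives from the “Boolean Connectives” tables and the semantic-minimization example above, worked through in code. This is an added illustration, not code from the slides or from TVLA: the sum-of-products parser, the function names, and the brute-force computation of the best value (join over all definite completions of an assignment) are this example’s own; the two formulas and the three assignments are the slides’.

```python
"""Kleene three-valued logic and semantic minimization by enumeration.

Added example (not from the slides). Formulas use the slides' sum-of-products
notation: juxtaposition is AND, a trailing ' is NOT, and + is OR. Values are
0 (false), 1 (true) and HALF (the slides' 1/2, unknown).
"""
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)


def k_and(a, b):
    """Kleene conjunction: the minimum in the truth order 0 < 1/2 < 1."""
    return min(a, b)


def k_or(a, b):
    """Kleene disjunction: the maximum in the truth order."""
    return max(a, b)


def k_not(a):
    """Kleene negation: 0 <-> 1, and 1/2 stays 1/2."""
    return 1 - a


def join(values):
    """Join in the information order (the slides' semi-lattice):
    agreeing definite values stay definite, 0 joined with 1 is 1/2."""
    distinct = set(values)
    return next(iter(distinct)) if len(distinct) == 1 else HALF


def evaluate(formula, assignment):
    """Value of a sum-of-products formula under a (possibly 3-valued) assignment."""
    result = 0
    for term in formula.replace(" ", "").split("+"):
        term_value = 1
        i = 0
        while i < len(term):
            literal = assignment[term[i]]
            if i + 1 < len(term) and term[i + 1] == "'":
                literal = k_not(literal)
                i += 2
            else:
                i += 1
            term_value = k_and(term_value, literal)
        result = k_or(result, term_value)
    return result


def definite_completions(assignment):
    """All 2-valued assignments a in A (the definite assignments consistent with A)."""
    names = sorted(assignment)
    choices = [[0, 1] if assignment[v] == HALF else [assignment[v]] for v in names]
    return [dict(zip(names, combo)) for combo in product(*choices)]


def best_value(formula, assignment):
    """The slides' specification of semantic minimization: the join, over all
    definite completions a of A, of the formula's 2-valued value on a."""
    return join(evaluate(formula, a) for a in definite_completions(assignment))


def all_assignments(variables):
    """Every 3-valued assignment to the given variables (27 for three variables)."""
    return [dict(zip(variables, vals)) for vals in product([0, HALF, 1], repeat=len(variables))]


ORIGINAL = "xy' + x'z' + yz"                    # the slides' original formula
MINIMAL = "y'z' + yz + x'z' + x'y + xz + xy'"     # the slides' minimal formula


def minimal_is_best():
    """True iff MINIMAL attains the best possible value on every 3-valued assignment."""
    return all(evaluate(MINIMAL, A) == best_value(ORIGINAL, A) for A in all_assignments("xyz"))


def differing_assignments():
    """Assignments on which the minimal formula is strictly more precise than the original."""
    return [(A, evaluate(MINIMAL, A), evaluate(ORIGINAL, A))
            for A in all_assignments("xyz")
            if evaluate(MINIMAL, A) != evaluate(ORIGINAL, A)]


if __name__ == "__main__":
    for A, mini, orig in differing_assignments():
        print({k: str(v) for k, v in A.items()}, "minimal:", mini, "original:", orig)
    print("minimal formula is best everywhere:", minimal_is_best())
```

Running it lists exactly the three assignments from the slide’s table, each with the minimal formula at 1 and the original at ½, and `minimal_is_best()` confirms that the minimal formula matches the join-over-completions specification on all 27 assignments. That holds here because the slide’s minimal formula lists every prime implicant of the original (xy’, x’y, xz, x’z’, yz, y’z’): a product term is 1 under A exactly when A’s definite literals form an implicant, and every term has a literal falsified by A exactly when A’s definite literals lie entirely in the complement.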
TVMC: A 3-Valued Model Checker
Eran Yahav
• Programming-language features
  – concurrency
  – unbounded #’s of threads
  – pointers/aliasing
  – unbounded #’s of heap-allocated cells
• Properties to be checked
  – FOLTL (LTL + quantification)
  – Safety properties
  – Liveness properties (at least some forms . . .)
Java Threads Are Heap-Allocated Objects: Thread Analysis as Shape Analysis
A memory configuration (figure): thread3 (inCritical), lock1 (isAcquired), thread1, thread2 and thread4 (atStart); edges: csLock (four, one per thread) and heldBy (one).
An abstract memory configuration (figure): thread (inCritical), lock1 (isAcquired), thread’ (atStart); edges: csLock (two) and heldBy (one).
Here, model checking means:
Explore the space of possible transitions among abstract memory configurations
Analysis of ADTs
Noam Rinetzky
• Analysis of ADTs (classes) and their clients
• Objects summarized by finite-state machines obtained via shape analysis
• Example:
  – Class Queue
  – Four states of a Queue object:
    • Not allocated
    • Empty
    • Non-empty
    • Error
Analysis of Trees
Greta Yorsh
• Shape analysis of tree-manipulation programs
  – Binary-search-tree operations
  – Deutsch-Schorr-Waite tree traversal without a stack
• Challenges
  – Garbage-collection marking algorithm that uses Deutsch-Schorr-Waite graph traversal (DSW tree traversal of the depth-first-search tree)
  – Barnes-Hut: uses an oct-tree with chained leaves
• Improved materialization algorithm for TVLA