Model Checking ofConcurrent Software:

Current Projects

Thomas Reps

University of Wisconsin

Projects and Personnel• University of Wisconsin

– Anne Mulhern– Alexey Loginov

• Tel-Aviv University– Prof. Mooly Sagiv– Eran Yahav– Noam Rinetzky– Greta Yorsh

• University of Saarbrücken– Prof. Reinhard Wilhelm

Verifying Behavioral SubtypingAnne Mulhern

• Inheritance of code vs. inheritance of behavior• Liskov Substitution Principle:

For every object x’ of type t’ there is an object x of type t, such that for all programs P defined in terms of t, the behavior of P is unchanged when x’ is substituted for x. [Liskov 1988]

• Not enforced by compilers• Goal: Build a tool that provides some amount of

checking

Why?class FooNode { FooNode next; . . . many data members . . .};

class Foo { FooNode first; FooNode last; AppendElmt(Datum); . . . many members . . .};

class ListNode { ListNode next;};

class List { ListNode first; ListNode last; AddToEnd(); };

?

Abstraction Refinementfor TVLA/TVMC

Alexey Loginov

• Identify additional abstraction predicates– Nullary? Unary?– Both can be used to refine an abstraction

• Need to be able to automatically create update formulas– Finite differencing of formulas [Reps, Sagiv]

• Semantic minimization of formulas

Semantic Minimization

(A): Value of formula in assignment A

• In 3-valued logic, (A) may equal ½ p + p’([p 0]) = 1

p + p’([p ½]) = ½

p + p’([p 1]) = 1

Two- vs. Three-Valued Logic

0 1

Two-valued logic

{0,1}

{0} {1}

Three-valued logic

{0} {0,1}

{1} {0,1}

Two- vs. Three-Valued LogicTwo-valued logic

1 01 1 00 0 0

1 01 1 10 1 0

Three-valued logic

{1} {0,1} {0}

{1} {1} {0,1} {0}{0,1} {0,1} {0,1} {0}{0} {0} {0} {0}

{1} {0,1} {0}

{1} {1} {1} {1}{0,1} {1} {0,1} {0,1}{0} {1} {0,1} {0}

Two- vs. Three-Valued Logic

0 1

Two-valued logic

{0} {1}

Three-valued logic

{0,1}

Two- vs. Three-Valued Logic

0 1

Two-valued logic

½

0 1

Three-valued logic

0 ½1 ½

• 1: True

• 0: False

• 1/2: Unknown

• A join semi-lattice: 0 1 = 1/2

Three-Valued Logic

/2

Information order

Boolean Connectives [Kleene]

0 1/2 1

0 0 0 01/2 0 1/2 1/21 0 1/2 1

0 1/2 1

0 0 1/2 11/2 1/2 1/2 11 1 1 1

Semantic Minimization

(A): Value of formula in assignment A

• In 3-valued logic, (A) may equal ½ p + p’([p 0]) = 1

p + p’([p ½]) = ½

p + p’([p 1]) = 1

Semantic Minimization

(A): Value of formula in assignment A

• In 3-valued logic, (A) may equal ½ p + p’([p 0]) = 1

p + p’([p ½]) = ½

p + p’([p 1]) = 1

• However, 1([p 0]) = 1

1([p ½]) = 1

1([p 1]) = 1

Semantic Minimization

1([p 0]) = 1 = p + p’([p 0])

1([p ½]) = 1 ½ = p + p’([p ½])

1([p 1]) = 1 = p + p’([p 1])

2-valued logic: 1 is equivalent to p + p’

3-valued logic: 1 is better than p + p’

For a given , is there a best formula? Yes!

Semantic MinimizationInput: Propositional formula Output: Propositional formula such that

For all 3-valued assignments A,

(A) = (a) aA, a definite

By the monotonicity of (•),

(A) = (a) (A) aA, a definite

ExampleOriginal formula () xy’+ x’z’+ yz (Note: is an irredundant sum of products)

Minimal formula () y’z’+ yz + x’z’+ x’y + xz + xy’ (x’y’z + xyz’)

For which A’s do we have (A) (A)? A (A) (A)[x ½, y 0, z 0] 1 ½[x 0, y 1, z ½] 1 ½[x 1, y ½, z 1] 1 ½

TVMC: A 3-Valued Model CheckerEran Yahav

• Programming-language features– concurrency– unbounded #’s of threads– pointers/aliasing– unbounded #’s of heap-allocated cells

• Properties to be checked– FOLTL (LTL + quantification)– Safety properties– Liveness properties (at least some forms . . .)

Java Threads Are Heap-Allocated Objects Thread Analysis Shape Analysis

A memory configuration:

thread3inCritical

lock1isAcquired

thread1atStart

thread2atStart

thread4atStart

csLock

csLock

csLock

csLock

heldBy

An abstract memory configuration:

threadinCritical

lock1isAcquired

thread’atStart

csLock

csLock

heldBy

Java Threads Are Heap-Allocated Objects Thread Analysis Shape Analysis

Here, model checking means:

Explore the space of possible transitionsamong abstract memory configurations

Java Threads Are Heap-Allocated Objects Thread Analysis Shape Analysis

Analysis of ADTs Noam Rinetzky

• Analysis of ADTs (classes) and their clients• Objects summarized by finite-state machines

obtained via shape-analysis• Example:

– Class Queue– Four states of a Queue object:

• Not allocated• Empty• Non-empty• Error

Analysis of Trees Greta Yorsh

• Shape analysis of tree-manipulation programs– Binary-search-tree operations– Deutsch-Schorr-Waite tree traversal without a stack

• Challenges– Garbage-collection marking algorithm that uses

Deutsch-Schorr-Waite graph traversal (DSW tree traversal of depth-first-search tree)

– Barnes-Hut: uses an oct-tree with chained leaves

• Improved materialization algorithm for TVLA