thread modular model checking

/ 23Hong,Shin @ PSWLAB

Thread Modular Model Checking

by Cormac Flanagan and Shaz Qadeer(published in Spin’03)

Hong,Shin

23年 4月 21日

1Thread Modular Model Checking


Contents

• Introduction

• Concurrent Finite-State Systems

• Concurrent Pushdown Systems

• Conclusion

23年 4月 21日

Thread Modular Model Checking 2


Introduction 1/8

• Designing multithreaded software system is difficult due to subtle interactions among threads operating concurrently on shared data.

• Model checking is a promising technique for verifying correctness properties of multithreaded software system.

• However, a multithreaded software system is difficult to model check due to its large state space.

Approach

Verify each thread separately using an environment assumption to model interleaved steps of the other threads.

– The environment assumption of each thread is a binary relation over the set of global stores.

– The environment assumption includes all global store updates that may be performed by other threads.

23年 4月 21日



Introduction 2/8

• Target multithreaded program.

– There is a finite number of threads in a system.

– There is a finite number of global store in a system.

– There is a finite number of local store in each thread.

– The multithreaded software system is loosely-coupled.

• There is little co-relation among the local states of the various

threads.

– Requirement properties are safety properties.

(e.g. assertion, global invariant)

23年 4月 21日



Introduction 3/8

Thread-modular model checking overview• A guarantee models all global store updates performed by a thread.• For a thread, its environment assumption is the disjunction of the

guarantees of all the other threads.• The guarantee of each thread is initially the empty relation, and is

iteratively extended during the model checking process.

• Each thread is verified using the standard algorithm for sequential model checking except that at each control point of the thread, the global state is allowed to mutate according to the guarantees of the other threads.

• Whenever a thread modifies the global store, that transition on the global states is added to that thread’s guarantee.

• The iteration continues until the reachable state space and guarantee of each thread converges.

23年 4月 21日



Introduction 4/8Example

Simple(n) : A multithreaded program with n threads executing procedure p concurrently.

• Each thread is identified by unique integer value from Tid = {1,…, n}.• x : A shared integer variable. Its initial value is 1.• m : The mutex which protects the shared variable x.

– The type is Mutex = {0} [ Tid.– m is manipulated by two operations: acquire and release.

• acquire blocks until m=0 and then automatically set m to the identifier of the current thread.

• release sets m back to 0.• For each thread, there is an implicit local variable called pc, the program

counter of the thread.– A pc takes values from the set Loc={1,…,6} of control location.– We denote the program counter of thread tid by pc[tid].

23年 4月 21日



Introduction 5/8• A simple multithreaded program

int x := 1 ;Mutex m := 0 ;

void p() {1: acquire ;2: x := 0 ;3: x := 1 ;4: assert x > 0 ;5: release ;6: }Simple(n) = p() | … | p()

23年 4月 21日


n times• Correctness properties

(1) There should be no data race.Error set: 9 i, j 2 Tid. i j Æ pc[i]2{2, 3, 4} Æ pc[j]2{2, 3, 4}

(2) The assertion at control location 4 does not fail for any thread.Error set: 9 i 2 Tid . pc[i] = 4 Æ x · 0

(3) Every reachable state staisfies the invariant m=0 x = 1. Error set: m = 0 Æ x 1


Introduction 6/8

23年 4月 21日


• In this program, the domain of global store is (Mutex £ int).

• Thread-modular model checking algorithm computes the guarantee

G µ Tid £ (Mutex £ int) £ (Mutex £ int).

– If the thread whose identifier is tid ever takes a step where the global

variables is modified from (m1,x1) to (m2,x2),

then (tid, (m1, x1), (m2, x2)) 2 G.

• The thread-local reachable set is R µ Tid £ (Mutex £ int) £ Loc.

– If there is a reachable state where its global store is (m,x), and the

program counter of thread whose identifier is tid has the value pc,

then (tid, (m,x),pc) 2 R.


Introduction 7/8

23年 4月 21日


• A simple multithreaded program

int x := 1 ;

Mutex m := 0 ;

void p() {

For thread 1

1: acquire ;

2: x := 0 ;

3: x := 1 ;

4: assert x > 0 ;

5: release ;

6: }

<Guarantee> (tid, <m,x> , <m’,x’>)

(1,<0,1>,<1,1>)

(1,<1,1>,<1,0>)

(1,<1,0>,<1,1>)

(1,<1,1>,<0,1>)

<Reachable set> (pc, <m,x>)

(1,<0,1>)

(2,<1,1>)

(3,<1,0>)

(4,<1,1>)

(5,<1,1>)

(6,<0,1>)


Introduction 7/8

23年 4月 21日


• A simple multithreaded program

int x := 1 ;

Mutex m := 0 ;

void p() {

For thread 2

1: acquire ;

2: x := 0 ;

3: x := 1 ;

4: assert x > 0 ;

5: release ;

6: }

<Guarantee>

(1,<0,1>,<1,1> )

(1,<1,1>,<1,0>)

(1,<1,0>,<1,1>)

(1,<1,1>,<0,1>)

<Reachable>

(1,<0,1>)

(2,<2,1>)

(3,<2,0>)

(4,<2,1>)

(5,<2,1>)

(6,<0,1>)

(2,<0,1>,<2,1>)

(2,<2,1>,<2,0>)

(2,<2,0>,<2,1>)

(2,<2,1>,<0,1>)

(1,<1,1>)

(1,<1,0>)


Introduction 8/8• Limitation

– Thread-modular model checking avoids the overhaed of correlating the local stores of the threads by checking each thread separately.

– This approach works if the global store contains sufficient information about the overall system state.

• If the global store does not contain sufficient information about the overall system state, it may yield false alarms.

• In previous example, if the value of m is {0, 1}, it reports false alarms.

– General approach to alleviate false alarms is to include a suitable abstraction of the local store of each thread in the global store.

23年 4月 21日


Ex. int x = 0 ;ThreadA() { ThreadB() { int i = 0 ; int i = 0 ; for i = 0 to 5 { for i = 0 to 6 { while(x==0) ; while (x == 1) ; x=0 ; } x=1 ; }} assert(x != 1) ;

}


Concurrent Finite-State Systems 1/5

• A concurrent finite-state system consists of a finite number of concurrently executing threads.– The threads communicate through a global store.

– Each thread has its own local store.

– Each thread has its own thread identifier.

• A state of the concurrent finite-state system consists of a global store g and a mapping ls from thread identifiers to local stores– ls[ t :=l ] denotes a mapping that is identical to ls except that it maps

thread identifier t to local store l.

• Domains

23年 4月 21日




• The behavior of the individual threads can be modeled as the transition

relation T :

T µ Tid £ (GlobalStore£LocalStore) £

(GlobalStore£LocalStore)

• We assume that program execution starts in an initial state Σ0 = (g0 , l0 ).

• The correctness condition for the program in a system is provided by an

error set E µ GlobalStore £ LocalStores.

– A state (g, ls) is erroneous if E(g, ls) is true.

– The goal of model checking is to determine if, when started from the

initial state Σ0 , the system can reach an erroneous state.23年 4月 21日




Standard model checking• The least solution R µ State to the following inference rules describes the

set of reachable states.

23年 4月 21日


• Having computed R, it is straightforward to determine if any erroneous state is reachable.

- An erroneous state is reachable If there exist g and ls such that

R(g, ls) Æ E(g, ls)

• The size of R(the space complexity) is O(|GlobalStore|£|LocalStore||Tid| ).

• The time complexity is O(|Tid|£|GlobalStore|2£|LocalStore||Tid|+1 ).

- For an element R, (BASIC STEP) can be applied

|Tid|£|GlobalStore|£|LocalStore| times.



Thread-modular model checking• Under thread-modular model checking, each thread is checked

separately, using guarantees that abstract the behavior of interleaved steps of other threads.

• This algorithm works by computing two relations:

– R specifies the reachable states of each thread.

R µ Tid £ GlobalStore £ LocalStore– G specifies the guarantee of each thread.

G µ Tid £ GlobalStore £ GlobalStore– Inference rules

23年 4月 21日




• Lemma1.For all global store g and local store maps ls, if R(g, ls) then for all thread identifier t, R(t, g, ls(t)).If a software error causes an erroneous state to be reachable,

then the thread-modular algorithm will catch that error.

9g,ls.(E(g,ls)ÆR(g,ls)) ! 9g,ls.(E(g,ls)Æ8t.R(t,g,ls(t)))

• Space complexity

O(|Tid|£|GlobalStore|£|GlobalStore|+|Tid|£|GlobalStore|£|LocalStore| )

• Time complexity

O(|Tid|2£|GlobalStore|2£|LocalStore|+|Tid|£|GlobalStore|2£|LocalStore|2 )

23年 4月 21日


Guarantee Reachable states


Concurrent Pushdown Systems 1/6• Realistic software systems are typically constructed using

procedures and procedure calls.• For this reason, we extend the previous approach to handle

concurrent pushdown systems.• A state of concurrent pushdown systems consists of a global store,

a collection of local stores, and a collection of stacks(one for each thread).

• Domains

23年 4月 21日



Concurrent Pushdown Systems 2/6• We model the behavior of the individual threads using following

three relations:

23年 4月 21日


- T models thread steps that do not manipulate the stack.- T + models steps of thread t that push a frame onto the stack.- T - models steps of thread t that pop a frame from the stack

• The correctness condition is specified by an error set E µ GlobalStore £ LocalStores.


Concurrent Pushdown Systems 3/6

• Assume that all stacks are empty in the initial state (ss0)

• The set of reachable states is defined by the least relation

R µ State satisfying the following rules:

23年 4月 21日



Concurrent Pushdown Systems 4/6• Although sound and complete model checking of concurrent pushdown

systems is undecidable, thread-modular reasoning allows us to model check such systems an conservative yet useful manner.

• The algorithm works by computing the guarantee relation G and the reachability relation P and Q.

23年 4月 21日


- P (t, g, l, g’, l’) holds if (1) (g, l) is reachable where l is a local store of t, (2) from any such state, the system can later reach a state with (g’,l’) where l’ is a local store of t.- Q (t,g,l,f,g’,l’) holds if (1) (g,l) is reachable where l is a local store of t, and (2) from any such state, the system can later reach a state with g’ and l’ where l’ is a local store of t, and where the stack is identical to that in first state except that the frame f has been added to it.


Concurrent Pushdown Systems 5/6• The relation G, P, Q are defined as the least solution to the following rules.

23年 4月 21日



Concurrent Pushdown Systems 6/6

• Lemma 2For all global stores g and local store maps ls and stack maps ss,

if R(g, ls, ss) then for all thread identifier t, there exists some g’ , l’ such that P (t, g’, l’, g, ls(t)). If a software error causes an erroneous state to be reachable, then thread-modular algorithm will catch that error.

9 g,ls,ss. (E(g,ls) Æ R(g, ls, ss)) !9 g,ls.E(g,ls) Æ 8t.9g’,l’. P ( t, g’, l’, g, ls(t) )

• Space complexity

O(|Tid|£|GlobalStore|2£|LocalStore|2£|Frame|)• Time complexity

O(|Tid|2£|GlobalStore|3£|LocalStore|3£|Frame|)

23年 4月 21日



Conclusion• This work presents thread-modular model checking for

verifying multithreaded software system.

• The thread-modular model checking algorithm constructs an abstraction of multithreaded software system using environment assumptions.

• This technique is particularly effective for the verification of loosely-coupled multithreaded software systems.

23年 4月 21日


thread modular model checking

Documents