Model Checking Software: 17th International SPIN Workshop, Enschede, The Netherlands, September 27-29, 2010, Proceedings (Lecture Notes in Computer ... Computer Science and General Issues)

∀la , lb : la

is the initial value of the corresponding memory location. The first three rules specify that the memory order has to be compatible with the program order, except that a store can be postponed after a load, i.e. the store → load order relaxation. The last rule specifies that the value retrieved by a load is the one of the last store in memory order that precedes the load in memory or in program order, the latter ensuring that a process can see the last value it has stored. If there is no such store, the initial value of that memory location is loaded.

216

A. Linden and P. Wolper

P1

Pn

P2 Stores

Stores Loads

Loads

Stores Loads

FIFO Store Buffers

Switch Single Port Memory Fig. 1. Operational definition of TSO of Appendix K of [2]

For example, the following is a valid TSO memory order for the program of Table 1 that allows the program to terminate: load(p1 , x, 1), load(p1 , y, 0), load(p2 , y, 1), load(p2 , x, 0), store(p1 , x, 1), store(p2 , y, 1). Note that in SC, memory order has to be fully compatible with program order, and thus this memory order is not possible. The characterization of TSO we have just given is useful in dealing with TSO axiomatically, but not adapted for applying state-space exploration verification techniques. Fortunately, there exists a natural equivalent operational description of TSO. In this description (see Fig. 1), stores from each process are buffered and eventually committed to main memory in an interleaved way. When a process executes a load, it reads the most recent value in its store buffer or, if there is none, the value present in the shared memory. This model can be formalized as follows. One introduces a set B = {bp1 , . . . , bpn } of store buffers, one for each process1 . A global state is thus composed of the content of the memory, and, for each process, a control location and a store buffer. The content [bp ] of a buffer bp is then a word in (M, D)∗ and the program executes load and store operations on these buffers. Furthermore a commit operations that removes the oldest store operations from a buffer and writes the corresponding value to memory can nondeterministically be executed at all times. The precise semantics of these operations can be described as follows. 1

Note that we introduce a buffer per process rather than by processor. This is a safe approach for verification since it allows more behaviors than a model in which some processes share the same buffer. Furthermore, when analyzing a program it is usually impossible to know which processes will run on the same processor.

An Automata-Based Symbolic Approach

217

store operation: store(p, m, d): [bp ] ← [bp ](m, d). load operation: load(p, m, d): Let [bp ] = (m1 , d1 )(m2 , d2 ) . . . (mf , df ) and let i = max{j ∈ {1 . . . f } | mj = m}. If i exists, then the result of the load is the test di == d. If not, it is the result of the test [m] == d, where [m] denotes the content of the memory location m. commit operation: commit(p): Let [bp ] = (m1 , d1 )(m2 , d2 ) . . . (mf , df ). Then, if [bp ]  = ε, the result of the commit operation is [bp ] ← (m2 , d2 ) . . . (mf , df ) and [m1 ] ← d1 . If [bp ] = ε, the commit operation has no effect. Finally, in programs we will also use an operation sync whose effect is to commit to memory the full content of all buffers.

3

Representing Sets of Buffer Contents

If store buffers are unbounded, introducing them leads to a potentially infinite state space. Furthermore, even if store buffers are bounded, they very quickly lead to unmanageably large state spaces, even for very simple programs. To cope with this problem, we turn to the techniques that have been proposed in [15] and in [7] to represent sets of buffer contents by finite automata. In this approach, sets of possible buffer contents are represented by finite automata and the state-space of the system is explored by manipulating sets of possible contents for each control location as a single object. It is clear that while exploring the state-space of a system, one can combine into a single representation the buffer contents corresponding to identical control locations. However, this will only lead to finite sets of contents being represented as a single object, whereas real gains can only come from manipulating together infinite sets of buffer contents. For achieving this, acceleration techniques are needed. Similarly to what is done in the previously cited work, we will focus on cycles in the program code and provide algorithms for directly computing the effect of iterating a sequence of operations and unbounded numbers. Before turning to this, we will first introduce the representation of sets of buffer contents by automata and see how load store and commit operations can be extrapolated to operations on automata representing sets of buffer contents. We represent the possible contents of each buffer by a separate automaton over the alphabet M × D and use the following definition.

218

A. Linden and P. Wolper

Definition 1. A buffer automaton associated to a process p is a finite automaton Ap = (S, Σ, Δ, S0 , F ), where – – – – –

S is a finite set of states, Σ = M × D is the alphabet of buffer elements, Δ ⊆ S × (Σ ∪ {ε}) × S is the transition relation, S0 ⊆ S is a set of initial states, and F is a set of final states.

A buffer automaton Ap represents a set of buffer contents L(Ap ), which is the language of the words accepted by the automaton according to the usual definition. We have defined buffer automata to be nondeterministic, but for implementation purposes we will usually work with reduced deterministic automata. In this case, the transition relation becomes a transition function δ : S × Σ → S and the set of initial states becomes a single state s0 . Operations on buffers can be extrapolated to operations on buffer automata as follows. store operation: store(p, m, d): The result of the operation is an automaton Ap such that L(Ap ) = L(Ap ) · {(m, d)} One thus simply concatenates that new stored value to all words in the language of the automaton. load operation: load(p, m, d): Load operations are nondeterministic since a buffer automaton can represent several possible buffer contents. Thus it is possible that a load operation can succeed on some represented buffer contents and fail on others. If this is the case, the load operation must lead to a state in which the set of possible buffer contents has been restricted to those on which the load operation succeeds. For a load operation to succeed, the tested value must be found either in the store buffer or in main memory. Precisely, a load operation succeeds when at least one of the following two conditions is satisfied: 1. The language L1 = L(Ap ) ∩ (Σ ∗ · (m, d) · (Σ\{(y, v) | y  = m ∧ v ∈ D})∗ ) is nonempty. 2. The language L2 = L(Ap ) ∩ (Σ\{(m, v) | v ∈ D})∗ is nonempty and [m] = d.

An Automata-Based Symbolic Approach

219

The load operation then leads to a state with a modified store buffer automaton Ap such that L(Ap ) = L1 ∪ L2 if [m] = d and

L(Ap ) = L1

otherwise. Of course, if L1 ∪L2 = ∅, the load operation is simply not possible. commit operation: commit(p): For the commit operation, we first extract the stores that can be committed to memory. These are the stores (m, α) such that (m, α) ∈ first(L(Ap )), where first(L) denotes the language of the first symbols of the words of L. Since there can be more than one such store, we need to modify the store buffer automaton according to the committed store (m, α). We have L(Ap ((m, α))) = suffix1 (L(Ap ) ∩ ((m, α) · Σ ∗ )), where suffix1 (L) denotes the language obtained by removing the first symbol of the words of L.

4

State Space Exploration and Cycle Detection

Our state-space exploration algorithm is based on a classical depth-first search. The major modification we introduce is the detection of cycles and an acceleration technique for directly computing the effect of repeatedly executing a detected cycle. The cycles we detect are those that only modify a single store buffer. This might seem restrictive, but notice that the use of store buffers introduces a lot of independence between processes and experiments show that considering only single process cycles is sufficient. The independence induced by store buffers has however a drawback, which is that it makes the same cycles possible from many different global control locations. Proceeding naively thus results in detecting the same cycle many times over, which is unnecessary and very wasteful. To avoid this, we used the sleep set partial order reduction of [9]. This reduction avoids re-exploring transitions after executing other independent transitions. In general, the sleep set reduction does not reduce the number of states visited, but only the number of transitions followed. This is already very valuable when working with automata symbolic representations, since these increase the cost of comparing states. Furthermore, the fact that we are working with sets of states and not individual states does make sleep sets yield a reduction of the size of the state graph that needs to be explored, as we will illustrate by an example further down.

220

A. Linden and P. Wolper

In the sleep set exploration algorithm, a set of transitions, called a sleep set, is associated with each state. Initially, the sleep set is empty. Once a transition is executed, it is added to the sleep set of the resulting state, but transitions in the sleep set that are not independent with respect to the executed transition are removed. Transitions in the sleep set associated to a state are not executed from that state. The basic depth-first search algorithm using sleep sets is given in Algorithm 1 and Algorithm 2. We will use a crude but sufficient notion of independence. In a state s, 1. transitions of the same process are never independent; 2. transitions of different processes other than commit or sync are always independent; 3. a commit(p) transition of a process p is independent with the transitions of a process p , provided that, for every memory location m affected by this commit operation, either p does not use m, or p has a value for m in its store buffer, i.e., all words of the language L(Ap ) contain an occurrence of (m, v) for some v ∈ D. 4. a sync operation is not independent with any other transition. Algorithm 1. Initialization of depth first search 1: 2: 3: 4: 5: 6:

init(Stack) init(H) /* Table of visited states */ s0 = initial state s0 .Sleep = ø push s0 onto Stack DFS()

What we add to this is cycle detection and acceleration. Cycle detection is done when there is a state on the current search stack that only differs from the state being generated by the content of one store buffer. The modified recursive procedure called within the initialization process is the procedure given in Algorithm 3, DFS() cycle(). First, we need to define when a state is included in another. A state s is included in another state s if 1. s and s are identical with respect to control locations and memory content, and 2. for each process p, L(Ap (s)) is included in L(Ap (s )) Next, we need to make explicit the cycleCondition(ss,s) predicate. For this predicate to be true, three conditions have to be satisfied by the pair of global states ss, s. Remembering that global states are composed of the control location of each process, the content of the memory and the buffer automata of each process, these conditions can be defined as follows. 1. s and ss are identical, except for the store buffer automaton of a single process p.

An Automata-Based Symbolic Approach

221

Algorithm 2. Recursive DFS() procedure using sleep sets 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20:

s = top(Stack) if (s ∈ H) then Texecuted = enabled(s) \ H(s).Sleep s.Sleep = s.Sleep ∩ H(s).Sleep H(s).Sleep = s.Sleep else enter s in H Texecuted = ø end if T = (enabled(s) \ s.Sleep) \ Texecuted for all t ∈ T do ssucc = succ(s,t) ssucc.Sleep = {tt | tt ∈ s.Sleep ∧ (t, tt) independant in s} push ssucc onto Stack DFS() end for pop(Stack)

2. The languages represented by the store buffer automaton of p in ss can be extended to match the language of the store buffer automaton of p in s, i.e. there exists a word w such that (L(Ap (s)) = L(Ap (ss)) · {w}. 3. The store buffer automaton obtained for s is load equivalent to the one of ss, i.e. the results of loads will be the same, whether starting from s or ss. Since the only difference between L(Ap (s)), and L(Ap (ss)) is the suffix w, this will be verified by checking the following condition. For all memory locations m for which there is a store operation store(p, m, v) in w, let vlast be the value in the last store operation in w. Then the operation load(p, m, vlast ) must be simultaneously possible in both s and ss and must not modify the store buffer automata Ap (s) and Ap (ss). Finally, once a possible cycle content w has been detected and the conditions for a cycle are satisfied, we need to store the buffer automaton representing the buffer contents that can be obtained by repeating the cycle, eventually interleaved with previously detected cycles. For a language L, let Wic (L) be the maximal sets of suffixes of words in L that can be repeated while remaining in L, i.e. each Wic (L) is a maximal set such that L · (Wic (L))∗ ⊆ L. In practice, one computes the Wic (L) as the languages that allow an accepting state to be reached from itself. The  modified store buffer automaton will then be the automaton Acycle (ss) p accepting i L(Ap (ss)) · (Wic (L(Ap (ss)) ∪ {w})∗ . The operation cycle(ss, s) of our search algorithm thus simply replaces the store buffer automaton for process p in state s by the automaton Acycle (ss). p

222

A. Linden and P. Wolper

Algorithm 3. Recursive DFS cycle() procedure using sleep sets, cycle detection and acceleration 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33:

s = top(Stack) /* Go through stack from top to bottom */ for all ss in (Stack \ top(Stack)) do if (cycleCondition(ss,s)) then s = cycle(ss,s) break end if end for if (∃sI ∈ H  | s ⊆ sI) then iSleep = ∀sI∈H|s⊆sI H(sI).Sleep Texecuted = enabled(s) \ iSleep s.Sleep = s.Sleep ∩ iSleep if (s ∈ H) then H(s).Sleep = s.Sleep else enter s in H end if else enter s in H Texecuted = ø end if T = (enabled(s) \ s.Sleep) \ Texecuted for all t ∈ T do ssucc = succ(s,t) ssucc.Sleep = {tt | tt ∈ s.Sleep ∧ (t, tt) independant in s} push ssucc onto Stack DFS cycle() end for pop(Stack)

Example 1. We illustrate the state-space reduction that can be obtained by the use of sleep sets. Fig. 2 shows the control graph of two processes p0 and p1 . In Fig. 3, part of the global state graph of this system is shown. In state 4, a cycle has been detected for the store buffer of p0 , yielding (x, 1)((x, 0)(x, 1))∗ as set of possible contents. In state 6, the buffer has become (x, 1)(x, 0)(x, 1)((x, 0)(x, 1))∗ , and thus, state 6 is included in state 4. In state 5, if we don’t add the transition st (p0 , x, 1) (which led to state 6) to the sleep set of state 7, we will end up

An Automata-Based Symbolic Approach

p0

223

p1 st(p1 , y, 1)

st(p0 , x, 1) 2

2

1

1 st(p1 , y, 0)

st(p0 , x, 0)

Fig. 2. Control graphs of two processes p0 and p1

1 st(p0 ,x,1)

st(p1 ,y,1) ···

2 st(p0 ,x,0) 3 st(p0 ,x,1)

st(p1 ,y,1)

4

···

st(p0 ,x,0)

st(p1 ,y,1)

st(p1 ,y,1)

4⊃ 6

7 st(p0 ,x,1) 8

st(p0 ,x,0)

st(p1 ,y,0) 13

st(p1 ,y,0)

st(p1 ,y,1)

st(p0 ,x,1) 10

st(p0 ,x,0)

st(p1 ,y,1)

11

···

st(p0 ,x,1) 10 ⊃ 12

···

···

5 st(p0 ,x,1)

7⊃ 9

st(p1 ,y,1)

st(p1 ,y,1)

···

···

Fig. 3. Global exploration graph showing reduction using sleep sets

generating states 8 and 9 before detecting any state inclusion and add many more states to the search graph.

5

Experimental Results

We have implemented our method in a prototype tool. This tool takes as input a slightly modified (the store, load and sync instructions have been added) and simplified version of Promela. The prototype has been implemented in Java, and uses the BRICS automata-package [8] to handle our store-buffers.

224

A. Linden and P. Wolper

p0

p1 initially: x = 1; y = 1

st(p0 , x, 1) 1

st(p1 , y, 1) 2

1 ld(p0 , y, 1)

ld(p0 , y, 1) 4

3 st(p0 , x, 0)

2 ld(p1 , x, 0)

ld(p1 , x, 1) 4

3 st(p1 , y, 0)

Fig. 4. Example program unlocking a cycle

We have tested our implementation on several programs and protocols. One of our test programs is a program (see Fig. 4)2 where the first process may cycle indefinitely from the initial state, but where the second depends on the global memory being modified to be able to move. Indeed, p0 can directly cycle indefinitely, writing the infinite sequence (x, 1)(x, 0)(x, 1)(x, 0)(x, 1)(x, 0) . . . to its store buffer. This cycle is detected and all possible contents of p0 ’s store buffer represented. Then, the process p1 can, once the cycle in the buffer of p0 is established, “consume” this cycle, which unlocks its own cycle. For example, a global state such as (1, 1, 0, 0, ((x, 1)(x, 0))∗ , ((y, 1)(y, 0))∗ ) (where the notation is (p0 , p1 , m1 , m2 , b0 , b1 )) will eventually be reached. Consuming means that store operations are committed to the global memory, without the process itself doing any action. Moreover, under SC, if both processes are in state 4, the program is in a deadlock. In TSO, there is the possibility of deadlock, but it is also possible for the program to continue (if there are buffered store operations), and thus the values of x and y may change value. Interestingly, both behaviors have also been observed while running a C implementation of this program on a dual core processor. Other classical algorithms often analyzed in the context of relaxed memory models are Dekker’s and Peterson’s algorithm for mutual exclusion. We have considered single entry and repeated entry versions of these algorithms. In the single entry version, the two processes attempt to enter into their critical section only once. Verifying this can be done with our implementation, as well as with other tools, such as those of [6], [5] or [16]. Verification becomes more difficult when considering the repeated entry version. In these versions, both processes attempt to enter their critical section an arbitrary number of times. Using our prototype, we could complete the exploration, finding the errors, or, when ap2

For readability, the operations store and load are written as st and ld.

An Automata-Based Symbolic Approach

225

Table 2. Experimental results for Dekker’s and Peterson’s Algorithm for mutual exclusion Dekker (2 Proc) States Stored States Visited single entry 183 301 single entry + sync 111 161 repeated entry 3236 6231 repeated entry + sync 343 631

Time Max Depth Nb 2,446 s 22 1,194 s 22 22,881 s 785 3,016 s 79

Errors 2 0 36 0

Peterson (2 Proc) States Stored States Visited single entry 120 173 single entry + sync 54 66 repeated entry 355 432 repeated entry + sync 65 92

Time Max Depth Nb 1,969 s 15 0,399 s 13 3,097 s 50 0,392 s 22

Errors 2 0 10 0

propriately adding sync operations, showing the absence of errors. In Table 2, we give experimental results for Dekker’s and Peterson’s algorithms, both for the single entry and the repeated entry versions, with and without the sync operations needed to make them correct. All experiments were obtained by running our Java-program on a 2.0GHz Intel Core Duo laptop running Ubuntu Linux.

6

Conclusions

Compared to earlier methods used to verify programs under relaxed memory models, ours differs by the techniques being used (automata-based symbolic methods) and the scope of the verification that can be done. Indeed, whereas other methods such as those of [17] are limited to very short executions, we analyse arbitrarily long executions. This is clearly not always necessary for detecting errors, but can be essential for robustly establishing correctness in tricky situations. A natural question about an approach like the one presented in this paper is how well it can scale up. We do not yet have significant data, but our approach will most likely never be usable for large programs. However, this is not the drawback it might at first seem to be. Indeed, while writing larger programs, one uses synchronization primitives that isolate the programmer from the complexity of relaxed memory models. Verifying under relaxed memory will thus only be needed for the rather small programs that implement these primitives, and we believe that this can be handled.

References 1. Lamport, L.: How to make a multiprocessor computer that correctly executes multiprocess programs. IEEE Trans. Computers 28(9), 690–691 (1979) 2. SPARC International, Inc., C.: The SPARC architecture manual: version 8. Prentice-Hall, Inc., Upper Saddle River (1992)

226

A. Linden and P. Wolper

3. SPARC International, Inc., C.: The SPARC architecture manual (version 9). Prentice-Hall, Inc., Upper Saddle River (1994) 4. Owens, S., Sarkar, S., Sewell, P.: A better x86 memory model: x86-TSO. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs 2009. LNCS, vol. 5674, pp. 391–407. Springer, Heidelberg (2009) 5. Mador-Haim, S., Alur, R., Martin, M.: Plug and play components for the exploration of memory consistency models. Technical report, University of Pennsylvania (2010) 6. Burckhardt, S., Alur, R., Martin, M.M.K.: Checkfence: checking consistency of concurrent data types on relaxed memory models. In: Ferrante, J., McKinley, K.S. (eds.) Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation, San Diego, California, USA, June 10-13, pp. 12–21. ACM, New York (2007) 7. Boigelot, B., Godefroid, P., Willems, B., Wolper, P.: The power of QDDs (extended abstract). In: Van Hentenryck, P. (ed.) SAS 1997. LNCS, vol. 1302, pp. 172–186. Springer, Heidelberg (1997) 8. Møller, A.: Package dk.brics.automaton (2001-2009) (DFA/NFA Java implementation), http://www.brics.dk/automaton/ 9. Godefroid, P.: Partial-Order Methods for the Verification of Concurrent Systems. LNCS, vol. 1032. Springer, Heidelberg (1996) 10. Park, S., Dill, D.L.: An executable specification, analyzer and verifier for rmo (relaxed memory order). In: SPAA 1995: Proceedings of the Seventh Annual ACM Symposium on Parallel Algorithms and Architectures, pp. 34–41. ACM, New York (1995) 11. Burckhardt, S., Musuvathi, M.: Effective program verification for relaxed memory models. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 107–120. Springer, Heidelberg (2008) 12. Atig, M.F., Bouajjani, A., Burckhardt, S., Musuvathi, M.: On the verification problem for weak memory models. In: Hermenegildo, M.V., Palsberg, J. (eds.) Proceedings of the 37th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2010, Madrid, Spain, January 17-23, pp. 7–18. ACM, New York (2010) R and IA-32 Architectures Software Developer’s Manual. 13. Intel Corporation: Intel64 Specification (2007), http://www.intel.com/products/processor/manuals/index.htm. 14. Loewenstein, P., Chaudhry, S., Cypher, R., Manovit, C.: Multiprocessor memory model verification. In: AFM (Automated Formal Methods), FLOC Workshop (2006), http://fm.csl.sri.com/AFM06/, http://www.scientificcommons.org/43465152 15. Boigelot, B., Wolper, P.: Symbolic verification with periodic sets. In: Dill, D.L. (ed.) CAV 1994. LNCS, vol. 818, pp. 55–67. Springer, Heidelberg (1994) 16. Hangal, S., et al.: TSOtool: A program for verifying memory systems using the memory consistency model. In: 31st International Symposium on Computer Architecture (ISCA 2004), Munich, Germany, June 19-23, pp. 114–123. IEEE Computer Society, Los Alamitos (2004) 17. Yang, Y., Gopalakrishnan, G., Lindstrom, G., Slind, K.: Analyzing the intel itanium memory ordering rules using logic programming and sat. In: Geist, D., Tronci, E. (eds.) CHARME 2003. LNCS, vol. 2860, pp. 81–95. Springer, Heidelberg (2003)

Context-Bounded Translations for Concurrent Software: An Empirical Evaluation Naghmeh Ghafari1 , Alan J. Hu2 , and Zvonimir Rakamari´c2 1

2

Critical Systems Labs, Vancouver, BC, Canada [email protected] Department of Computer Science, University of British Columbia, Canada {ajh,zrakamar}@cs.ubc.ca

Abstract. Context-Bounded Analysis has emerged as a practical automatic formal analysis technique for fine-grained, shared-memory concurrent software. Two recent papers (in CAV 2008 and 2009) have proposed ingenious translation approaches that promise much better scalability, backed by compelling, but differing, theoretical and conceptual advantages. Empirical evidence comparing the translations, however, has been lacking. Furthermore, these papers focused exclusively on Boolean model checking, ignoring the also widely used paradigm of verification-condition checking. In this paper, we undertake a methodical, empirical evaluation of the three main source-to-source translations for context-bounded analysis of concurrent software, in a verification-condition-checking paradigm. We evaluate their scalability under a wide range of experimental conditions. Our results show: (1) The newest, CAV 2009 translation is the clear loser, with the CAV 2008 translation the best in most instances, but the oldest, brute-force translation doing surprisingly well. Clearly, previous results for Boolean model checking do not apply to verification-condition checking. (2) Disturbingly, confounding factors in the experimental design can change the relative performance of the translations, highlighting the importance of extensive and thorough experiments. For example, using a different (slower) SMT solver changes the relative ranking of the translations, potentially misleading researchers and practitioners to use an inferior translation. (3) SMT runtimes grow exponentially with verification-condition length, but different translations and parameters give different exponential curves. This suggests that the practical scalability of a translation scheme might be estimated by combining the size of the queries with an empirical or theoretical measure of the complexity of solving that class of query.

1 Introduction The original application for model checking was concurrent software, in the form of protocols (e.g., [7,18]), and concurrent software continues to be a major impetus for model checking. With changes in technology, new versions of the software model checking problem emerge. Currently, due to architectural and electrical constraints, Moore’s Law is manifesting itself via an exponential growth in processor cores per chip, 

This work was supported by a Microsoft Research Graduate Fellowship and the Natural Science and Engineering Research Council of Canada.

J. van de Pol and M. Weber (Eds.): SPIN 2010, LNCS 6349, pp. 227–244, 2010. c Springer-Verlag Berlin Heidelberg 2010 

228

N. Ghafari, A.J. Hu, and Z. Rakamari´c

rather than the formerly exponential improvements in single-threaded performance. The result is a push for vastly greater levels of fine-grained, shared-memory concurrent software — in addition to classical message-passing and coarse-grained protocol-level concurrency — even in the most mundane applications. Such software needs verification. It is possible, of course, to model check such software directly, and several pioneering systems provide that capability (e.g., [13,19,10,32]). The state space is the cross product of all program variables, stacks, heaps, and program counters for all threads, and this state space can be explored as a transition system. The obvious challenge is extreme state explosion (if variable domains, stacks, and memories are modeled as finite) and/or theoretical undecidability (if any are modeled as infinite). Context-Bounded Analysis (CBA) [26] promises a way around these challenges. Analogously to bounded model checking [6], the user specifies an integer constant that bounds the maximum number of execution contexts (i.e., periods of a thread running between context swaps) to be considered, and all concurrent executions up to that bound are analyzed. The downside, of course, is that if a bug requires more than that bound to manifest, it will be missed. The upside is that CBA reduces the analysis of concurrent software (under the context bound) to the analysis of sequential software. In theory, the advantage is that CBA is NP-complete [25,23], whereas full concurrent software analysis is undecidable (even with finite variable domains and no heap, due to the call stack). In practice, CBA has proven its ability to detect hard concurrency bugs in real software, and many approaches rely on context-bounding to tackle the complexity of concurrent software (e.g., [26,27,24,17,30,21,20]). The original CBA paper [26] used a source-to-source translation of concurrent to sequential program text, and subsequent work has followed that approach. The approach enables CBA to exploit all of the tools and algorithms for verification of sequential software, e.g., including the use of logics and decision procedures for reasoning about unbounded data domains, arrays, and heap-allocated memory. Recent papers by Lal and Reps [22] and by La Torre, Madhusudan, and Parlato [31] have proposed two ingenious and radically different source-to-source translations for CBA. These translations are more general than the original, but more importantly, they offer compelling theoretical and conceptual arguments for much better scalability. In Lal and Reps’s paper (henceforth referred to as LR in this paper), the key theoretical advance is the elimination of the exponential cross-product of the local states of the threads, at the expense of introducing multiple non-deterministic symbolic variables to guess the values of the shared global variables at context switches. La Torre, Madhusudan, and Parlato’s paper (LMP in this paper) retains the theoretical advantage of LR, but adds “laziness” — instead of non-deterministic guesses, variables can assume only those values that are actually possible during a real concurrent execution — at the expense of needing to recompute the values of local variables at context switches. (More on both translations in Section 2.) Both papers support their arguments with runtimes on a handful of small Boolean programs, e.g., the popular “Windows NT Bluetooth driver”-derived example [26]. Given the very different approaches, with differing trade-offs (local state crossproduct vs. symbolic variables vs. recomputation), and limited experiments (small Boolean programs model-checked with Moped [15]), it is hard to draw more general conclusions about what will work well in practice, under differing conditions. In

Context-Bounded Translations for Concurrent Software: An Empirical Evaluation

229

particular, finite-state (or PDA) model-checking of highly abstracted Boolean programs (e.g., [2,15,9]) is only one of the major approaches for automatic formal software verification. Another main paradigm is verification-condition (VC) generation1, with the resulting VC checked by a SAT or SMT solver (e.g., [16,3,5,29,28] for program verification, and [8,1] for bug finding). SAT/SMT solvers behave very differently from the BDDs used in Boolean model checking, so experimental results in the VC-checking paradigm are especially needed. This paper addresses those needs. We undertake a methodical, empirical evaluation of the three main source-to-source translations for context-bounded analysis of concurrent software, in a VC-checking paradigm. We consider the LMP approach, the LR approach, and a straightforward generalization of the translation given in the original CBA paper [26]. We evaluate how they perform under vastly more experimental conditions than previous work, and also measure scalability versus program length, which was not done before. Some of the results are surprising (e.g., older methods outperforming newer ones), and some are disturbing (e.g., the extent that confounding factors can influence results). Taken altogether, our results highlight the crucial importance of extensive experimental evaluation, provide practical guidance for using context-bounded analysis in a VC-checking paradigm, and outline pitfalls and questions for further research as these and other translations are developed and improved.

2 Context-Bounded Translations We use a standard model of shared-memory concurrent Thread Thread Thread 1 2 3 software. There are T threads, each with its own local variables and program code. The only communication between threads is via a set of global shared variables, which all threads can read or write. (Writes to a global occur atomically: when a thread writes to a global, the new value is immediately visible to all threads.) At all times, exactly one thread is running. At a context switch, the current thread relinquishes control to another thread (determined by the scheduling policy), which proceeds to execute starting from wherever it last gave up control, with whatever values its local variables had at that time and the current values of the global variables. Context switches occur non-deterministically at any point in time. The figure to the right shows the concurrent execution of three threads. The program code executed by each thread is depicted by the sequence of dark, vertical arrows. Each of those arrows represents one “context” — an uninterrupted period when one thread runs its code. The dashed arrows represent context switches, which occur non-deterministically, and transfer control to a different thread. When a context switch occurs, which thread runs next is determined by a scheduling policy. Two policies are common in CBA: round-robin and arbitrary. In round-robin scheduling, the context switch is always to the numerically next thread, modulo T . Hence, execution proceeds in a series of rounds, during which each thread gets a 1

A brief introduction to VC generation is given in Appendix A.

230

N. Ghafari, A.J. Hu, and Z. Rakamari´c

chance to execute once at its turn. In the preceding figure, the schedule is round-robin, and the dotted curved lines demarcate the three rounds. In arbitrary scheduling, a context switch can jump to any thread, non-deterministically chosen. Obviously, the schedules permitted by round-robin with K rounds is a subset of the arbitrary schedules with K · T contexts. Conversely, the schedules permitted by round-robin with K rounds is a superset of the arbitrary schedules with K contexts, since a thread can execute zero instructions before another context switch occurs, so each round of round-robin can simulate one context of an arbitrary-scheduled thread. Between these two bounds, neither policy dominates the other. We now survey the three main source-to-source translations for CBA under this model. For space reasons, we give only some brief intuition for each. 2.1 Explicit Program Counter (EPC) We dub our first translation “Explicit Program Counter” (EPC). This is the obvious, brute-force approach and is a straightforward generalization of the original CBA paper [26] (where they restricted themselves to two context switches in order to permit an efficient implementation via the procedure call mechanism). For the EPC translation, the state of the sequential program includes all of the local variables, including the program counters, of all of the threads. The code of the sequential program consists of the code of all of the threads combined into a single program. However, at each possible location for a context switch (i.e., between every adjacent pair of accesses to global variables), we insert code that can non-deterministically decide to simulate a context switch. The context switch code consists of choosing the next thread to run (based on the scheduling policy), and then jumping to the correct location in that thread based on its stored program counter. The sequential program starts executing at the beginning of Thread1 for round-robin or with a non-deterministic jump to the beginning of an arbitrary thread for arbitrary scheduling. An auxiliary variable k counts how many contexts have run. The sequential program terminates when k reaches the context bound K, or when all threads have executed all of their code. This translation is simple and has linear static and dynamic code size versus the concurrent program. However, at each point during execution, the program state consists of the cross-product of all local variables and the global variables, potentially producing a complexity blow-up. 2.2 Lal-Reps CAV 2008 (LR) The LR translation eliminates the EPC complexity blow-up, at the expense of introducing symbolic prophesy variables to guess the values of results that are not yet known. The basic construction is to execute each thread one-by-one in its entirety, in sequence, i.e., all of Thread1 , then all of Thread2 , then all of Thread3 , etc. Accordingly, the static and dynamic code size are unchanged from the original program. Furthermore, since each thread executes in its entirety, without interruption from the others, there is no need to keep the local state of a thread after it is done, thereby eliminating the blow-up of the local state cross-product.

Context-Bounded Translations for Concurrent Software: An Empirical Evaluation

231

The construction in the preceding paragraph would produce wrong results, since it ignores the fact that in the concurrent program, a context switch could occur at any point and change the value of global variables. Worse, because we are executing the threads sequentially one after another, the results computed by the other threads might not be known until much later in the sequential execution! The solution is to create K copies of the global variables, where K is the bound on the number of round-robin rounds. The ith copy contains the values of the global variables during the ith scheduling round. Since we will not know what values these variables will contain until the program completes, we initialize all K copies with non-deterministic symbolic values. An auxiliary variable k in each thread keeps track of which round is executing; all accesses to globals are indexed through k. A context switch during the execution of a thread, therefore, consists simply of increasing k, which results in a switch to the correct set of global variables for that round. Hence, at each possible location for a context switch, we insert code that non-deterministically increases k. At the end of the program, we use assume statements to enforce that the results in the copy of the globals at the end of round i are equal to the non-deterministic symbolic values we used to initialize the copy of the globals for the start of round i + 1. In effect, the translation is computing symbolic summaries for each round and stitching them together via assume statements at the end. Note that this construction is intrinsically round-robin. Because the threads are executed in order 1, . . . , T , where T is the number of threads, the values of the globals in each round pass automatically from any Threadt to Threadt+1 . The symbolic values and stitching are required only between rounds. 2.3 La Torre-Madhusudan-Parlato CAV 2009 (LMP) Because LR is constructing symbolic summaries from unconstrained symbolic values, it might explore expensive, infeasible regions of the state space, only to eliminate them in the end using the assume statements. LMP avoids this problem by introducing “laziness” — instead of non-deterministic guesses, variables can assume only those values that are actually possible during a real concurrent execution. (For comparison purposes, the LMP paper also introduces an eager translation similar to the LR translation. In this paper, LMP refers to their lazy translation.) LMP with a bound of K contexts starts with a non-deterministic schedule t1 , . . . ,tK , where ti ∈ [1, . . . , T ] contains the identity of the thread to execute during the ith context. As in LR, there are K copies of the global variables, but these are assigned only as their values are computed. Like EPC, execution in the LMP translation follows the same order as the concurrent execution — a context switch is an actual jump to the next thread in the schedule. Unlike EPC, however, the local state of a thread is completely discarded when context-switching away from it, thereby eliminating the local-state cross-product blow-up. How can a thread resume where it left off after a context switch? The solution is to recompute the thread’s local state! In other words, the context-switch code is considerably more complicated, as it will re-execute a thread from the beginning each time a context switch to it occurs, but during re-execution, the values of the global variables at earlier context switches are already known. In the presence of non-determinism,

232

N. Ghafari, A.J. Hu, and Z. Rakamari´c

correctness of this construction is not obvious, since the recomputed local state might be different from the one that occurred when last executing in this thread — a subtle correctness argument is needed to show that no additional behaviors are introduced. The resulting translation has the best attributes of both LR (no local-state blow-up) and EPC (no exploration of infeasible states), but at a cost: a blow-up in the length of the dynamic code paths that must be executed/analyzed. The LMP paper provides some experimental results showing the translation greatly outperforming their version of LR, but only in the Boolean model checking paradigm, and on only two small examples: an artificial example specifically constructed to illustrate the benefit of laziness,2 and the aforementioned “Bluetooth driver” benchmark. How the methods compare as program size grows, and under the VC-checking paradigm, are open questions.

3 Experimental Methodology and Results Obviously, the ultimate test of these translations is their performance in the wild on real software. In our experience applying CBA to real, industrial code [21], a crucial factor was scalability to larger code sizes, so the paramount dimension for our experiments is scalability with respect to code length. For scalability benchmarking, however, real code has a fatal flaw: the code length is not scalable. Accordingly, we crafted a microbenchmark that is scalable along the three key problem parameters: the number of threads T , the context bound K, and the length of the program code in each thread L. To avoid confounding factors, we distilled our benchmark to only the essentials: int x = 0; ⎧ ⎪ ⎨x + +; .. L . ⎪ ⎩ x + +; assert 0 < x; 

        

......  T

        

x + +; .. . x + +; assert 0 < x;

The benchmark has a shared global variable x, which is initialized to 0. Then, T threads are spawned. Each thread consists of L increments of x followed by an assertion that checks if x is greater than 0. Despite its simplicity, this microbenchmark still has the key elements of the concurrent software model: local state (the program counters), shared global state x, and long data-dependency chains that grow with code size and must be inspected in order to prove the assertions, capturing an essential aspect of program scaling. The microbenchmark does not have procedures or loops — in the VC-checking paradigm, these are handled via invariants. Note that this particular microbenchmark could easily be solved via other means, since it has a small finite state 2

In their “permutation” example, an interlock serializes two threads, the first thread zeroes out 16 bits, and the second thread computes all permutations of the 16 bits. With laziness, the bits are all zero, so the permutation is vacuous; without laziness, the second thread explodes.

Context-Bounded Translations for Concurrent Software: An Empirical Evaluation

233

space. That is not the point. This is a “test tube” experiment, to identify and eliminate confounding factors while measuring scalability. If a translation scales poorly on this benchmark, it will not fare well on real code. For each of the three translations, we encoded in BoogiePL [12] multiple instances of this benchmark by varying its T , K, and L parameters. BoogiePL is the input language of the B OOGIE verifier [3], which generates a verification-condition (VC) from the input program. The VC generation in B OOGIE is performed using a variation of the standard weakest precondition transformer [14]. This translation is linear in the input code size; combined with the linear static code-size expansion of the three translations, all three translations produce linear-size VCs, albeit with differing complexity (LMP the most complex; LR the simplest). We checked the VCs generated from our benchmarks using the Z3 SMT solver [11], except where indicated otherwise. The experiments were performed on four identical machines (Intel Xeon 5160 at 3GHz with 2GB RAM), running Z3 continuously for weeks. We report the solver’s running times, and the time out is set to 2 hours. As an additional sanity check, we also performed experiments on the Bluetooth driver example [26]. The original benchmark has two threads: an “adder” and a “stopper”. We artificially scale T by adding adder threads. We artificially scale code length by repeating (i.e. copy-pasting) the body of the adder threads; the parameter L denotes the number of such repetitions. Figs. 1–10 present our main results. Details and interpretation of each experiment are in the accompanying captions. Full experimental data and complete results graphs are available at http://people.cs.ubc.ca/˜naghmehg/spin2010-results.

4 Conclusions The primary, practical take-away conclusion of this paper is that LMP is not competitive in the VC-checking paradigm. This radical reversal of recently published results highlights the difference of Boolean model checking versus VC-checking. Both are important, and our experiments show that they need different translations. Our experiments suggest that LR is likely the best translation for the VC-checking paradigm, under most experimental conditions, and with current state-of-the-art SMT solvers. LR is also particularly easy to implement, making it our recommendation for VC-checking-based research prototypes for CBA. Surprisingly, the superiority of LR to LMP holds even with arbitrary schedules, when LR is at an artificial disadvantage. Given that LR with K round-robin rounds outperforms LR with K arbitrary contexts, there is no efficiency argument for using arbitrary schedules. Another surprise was how well the brute-force EPC translation did, beating LMP in almost all experiments and LR in a few. In the VC-checking paradigm, the power of SMT and SAT solvers to quickly prune irrelevant parts of the search space and to propagate information in any direction perhaps lessens the benefit of translation insights like laziness or state space reductions, benefits that might make a big difference for a Boolean model checker. However, SMT/SAT solver performance is quirky, highly dependent on heuristics, and hard to predict.

234

N. Ghafari, A.J. Hu, and Z. Rakamari´c

T=1, K=1

T=2, K=1

250

250 LMP EPC LR

200 time(sec)

time(sec)

200 150 100 50 0

150 100 50

0

20

40 60 length of thread

80

0

100

0

20

T=1, K=2

time(sec)

time(sec)

EPC timeout

6000

150 100

4000 LMP timeout 2000

50 0

20

40 60 length of thread

80

0

100

0

20

6000

6000

4000 2000

80

100

LMP timeout EPC timeout

LR timeout

4000 2000

0

20

40 60 length of thread

80

0

100

0

20

T=1, K=4

40 60 length of thread

80

100

T=2, K=4

8000

8000

6000 4000 2000

LR timeout

6000

EPC timeout time(sec)

time(sec)

40 60 length of thread T=2, K=3

8000

time(sec)

time(sec)

T=1, K=3 8000

0

100

8000

200

0

80

T=2, K=2

250

0

40 60 length of thread

LMP timed out at L = 5

4000 EPC timeout

2000

0

20

40 60 length of thread

80

100

0

0

20

40 60 length of thread

80

100

Fig. 1. Baseline Comparison. This and Fig. 2 show a representative sample of our baseline comparison (round-robin scheduling, Z3 as SMT solver), with the number of threads T ∈ [1, . . . , 4] (going across the pages), the context bound K ∈ [1, . . . , 4] (going down the page), and the length of each thread’s program code L going from 5, 10, . . . up to 100. (Caption continues on next page.)

Context-Bounded Translations for Concurrent Software: An Empirical Evaluation

T=3, K=1

T=4, K=1

250

8000 LMP EPC LR

150

6000 time(sec)

time(sec)

200

100

0

20

40 60 length of thread T=3, K=2

80

0

100

8000

8000

6000

6000

4000

LMP timeout

2000

EPC timeout

LR timeout

0

0

20

time(sec)

time(sec)

4000 2000

50 0

0

40 60 length of thread T=3, K=3

80

40 60 length of thread T=4, K=2

80

100

LMP timeout

0

100

20

4000 LR timeout

EPC timeout

2000

8000

0

20

40 60 length of thread T=4, K=3

80

100

8000 LMP timeout

LR timeout 6000 time(sec)

6000 time(sec)

235

EPC timeout 4000

LR timeout

4000

2000

2000

0

0

LMP timed out at L = 5 EPC timeout

0

20

40 60 length of thread T=3, K=4

80

100

8000

40 60 length of thread T=4, K=4

80

100

4000 LR timeout 2000

20

40 60 length of thread

4000

LR timeout

2000

EPC timeout

0

LMP and EPC timed out at L = 5

6000 time(sec)

time(sec)

20

8000 LMP timed out at L = 5

6000

0

0

80

100

0

0

20

40 60 length of thread

80

100

Fig. 2. Baseline Comparison (cont’d). Surprisingly, LR beats LMP, contrasting with the results in [31], and furthermore, even EPC beats LMP. The different experimental conditions in [31] likely explain this reversal: (1) While EPC and LMP do not suffer particularly under roundrobin scheduling, LR has an intrinsic advantage. (2) In the VC-checking paradigm, the benefit of laziness is unclear, since the solver can propagate information in any direction. (3) On the other hand, LMP’s longer dynamic code paths generate more complex VCs.

236

N. Ghafari, A.J. Hu, and Z. Rakamari´c

Default Relevancy=2 Results T=2, K=2

T=3, K=2

8000

time(sec)

LMP timeout

2000

time(sec)

LR timeout

EPC timeout

4000

0

20

40 60 length of thread T=2, K=3

80

EPC 2000 timeout 0

100

8000

6000

6000

EPC timeout

LR timeout LMP timed out at L = 5

2000 0

LR timeout

4000

8000

4000

LMP timed out at L = 5

6000

time(sec)

time(sec)

6000

0

8000

LMP EP LR

0

20

40 60 length of thread T=3, K=3

80

100

LMP and EPC timed out at L = 5

4000

LR timeout

2000

0

20

40 60 length of thread

80

0

100

0

20

40 60 length of thread

80

100

Relevancy=1 Results T=2, K=2

T=3, K=2

8000

8000 6000 time(sec)

time(sec)

6000 LMP timeout 4000

EPC timeout

2000

4000

EPC timeout

LR timeout

2000 LMP timeout

0

0

20

40 60 length of thread T=2, K=3

80

0

100

8000

0

20

80

100

8000 LMP timed out at L = 5

LR timeout 6000

6000

EPC timeout

time(sec)

time(sec)

40 60 length of thread T=3, K=3

4000 LMP timed out at L = 5

2000

4000 EPC timeout

2000

LR timeout 0

0

20

40 60 length of thread

80

100

0

0

20

40 60 length of thread

80

100

Fig. 3. Sensitivity to Z3 Parameter Tuning. For the baseline results, we had performed informal tuning of Z3 parameters. The only setting that we changed from the defaults was “relevancy propagation heuristic” that affects quantifier instantiation and assertion of atoms in the solver. We set it to 0 for best performance. Given the surprising results, though, it was imperative to run with different relevancy settings, to ensure we had not inadvertently biased our experiments. For space reasons, we show only four graphs, for T, K ∈ [2, 3], the smallest non-degenerate (T or K = 1) cases. The results are qualitatively the same: LR wins; LMP loses.

Context-Bounded Translations for Concurrent Software: An Empirical Evaluation T=2, K=2

T=3, K=2 8000

4000

EPC timeout

LMP EPC LR

2000

0

0

20

40 60 length of thread T=2, K=3

8000

80

100

0

LMP timed out at L = 10

0

20

0

40 60 length of thread

80

20

40 60 length of thread T=3, K=3

80

100

EPC timeout

6000

4000 2000

LMP timeout

8000

LR timeout

EPC timeout

6000 time(sec)

4000

2000

0

EPC timeout

6000 time(sec)

LMP timeout

time(sec)

time(sec)

8000 6000

237

LR timeout

4000 LMP timed out at L = 10

2000 0

100

0

20

40 60 length of thread

80

100

Fig. 4. Sensitivity to Random Perturbation. SMT solvers, like SAT solvers, are notoriously temperamental. To assess the robustness of our results, we repeated all of the baseline experiments three additional times, with different random number seeds. These graphs show the range of performance across different seeds. Although times vary considerably, there is almost no overlap between the translations. We can conclude that the baseline results are robust. T=1, K=1

T=2, K=1

8000

8000 LMP EPC LR

6000 time(sec)

time(sec)

6000 4000 LMP timeout 2000

4000 2000 LMP timeout

0

20

40 60 length of thread T=1, K=2

80

0

100

8000

8000

6000

6000 time(sec)

time(sec)

0

4000 LR timeout 2000

0

40 60 length of thread T=2, K=2

80

100

LMP timed out at L = 1 EPC timeout

4000 2000 LR timeout

LMP timeout 0

20

0

20

40 60 length of thread

80

100

0

0

20

40 60 length of thread

80

100

Fig. 5. Sensitivity to SMT Solver. A key question is whether our results are specific to Z3. We undertook to re-run our experiments with all publicly available SMT solvers that can handle the needed logic. Because B OOGIE generates VCs with quantifiers, the only other suitable solver from the 2009 SMT Competition is CVC3 [4]. Performance was much worse, so we have results only for the smallest values of T and K. Disturbingly, the performance order changes: EPC is the clear winner in these experiments. The choice of SMT solver determines which translation performs best! Experimental evaluation, therefore, should always include multiple solvers, or at least the fastest one available. Using a slower solver can produce misleading results.

238

N. Ghafari, A.J. Hu, and Z. Rakamari´c

T=1, K=1

T=2, K=1

8

8 LMP EPC LR

6 time(sec)

time(sec)

6 4 2 0

4 2

0

20

40 60 length of thread

80

0

100

0

20

1000

800

800

600 400 200 0

0

20

40 60 length of thread

80

0

100

0

20

40 60 length of thread T=2, K=3

8000

6000

6000 time(sec)

time(sec)

100

200

4000 2000

LR timeout 4000 LMP timeout 2000

0

20

40 60 length of thread

80

0

100

0

20

T=1, K=4 8000

80

100

80

100

T=2, K=4

2000

LMP timeout

6000 time(sec)

LMP EPC timeout timeout

4000

40 60 length of thread

8000

LR timeout

6000 time(sec)

80

400

T=1, K=3

0

100

600

8000

0

80

T=2, K=2

1000

time(sec)

time(sec)

T=1, K=2

40 60 length of thread

LR timeout 4000 EPC timeout 2000

0

20

40 60 length of thread

80

100

0

0

20

40 60 length of thread

Fig. 6. Results with Arbitrary Scheduling Policy. As noted earlier, our baseline results are with round-robin scheduling, and with all translations analyzing the same number of contexts, to be fair. This and Fig. 7 show the results using an arbitrary scheduling policy with K total contexts, also with all translations analyzing the same number of contexts. Now, there is no clear winner. LMP clearly does best in the degenerate T = 1 cases. EPC wins in several of the mid-sized configurations. And LR is the last to timeout as T and K grow larger. (Caption continues on next page.)

Context-Bounded Translations for Concurrent Software: An Empirical Evaluation

T=3, K=1

T=4, K=1

8

8 LMP EPC LR

6 time(sec)

time(sec)

6 4 2 0

4 2

0

20

40 60 length of thread

80

0

100

0

20

T=3, K=2

80

100

8000 LMP timeout

6000 time(sec)

6000 time(sec)

40 60 length of thread T=4, K=2

8000

4000 2000 0

239

4000

LMP timeout EPC timeout

2000

0

20

40 60 length of thread

80

0

100

0

20

T=3, K=3

40 60 length of thread

80

100

80

100

T=4, K=3

8000

8000 LR timeout 6000

4000

LMP timeout EPC timeout LR timeout

2000 0

time(sec)

time(sec)

6000

0

20

40 60 length of thread

LMP timeout EPC timeout

4000 2000

80

0

100

0

20

T=4, K=4

8000

8000

6000

6000

4000

time(sec)

time(sec)

T=3, K=4

LR timeout

2000 0

EPC timed out at L = 5

4000 LR timeout 2000

EPC timeout LMP timeout 0

20

40 60 length of thread

40 60 length of thread

80

100

0

LMP timeout 0

20

40 60 length of thread

80

100

Fig. 7. Results with Arbitrary Scheduling Policy (cont’d). It would be easy to draw incorrect conclusions about algorithmic superiority if only small parts of the experimental space are explored, as is often the case. Interestingly, LR with K arbitrary contexts performs worse than LR with K round-robin rounds! The explanation is that LR is intrinsically round-robin, so the arbitrary-schedule K-context translation is essentially doing a round-robin K-round translation, plus extra work to ensure that only one context executes in each round. We present here results for arbitrary-schedule LR only for fairness; it is pointless in practice.

240

N. Ghafari, A.J. Hu, and Z. Rakamari´c

T=2, K=1

T=3, K=1

250

8000 LMP EPC LR

LMP timeout 6000 time(sec)

time(sec)

200 150 100

2000

50 0

4000

0

20

40 60 length of thread

80

0

100

0

20

8000

6000

6000

4000 LMP timeout

2000 0

0

20

40 60 length of thread

LMP timeout

80

0

100

0

20

40 60 length of thread T=3, K=3

LMP timeout EPC timeout

4000

LMP timed out at L = 5

6000

LR timeout

time(sec)

time(sec)

100

EPC timeout

8000

6000

2000

4000

EPC timeout LR timeout

2000

0

20

40 60 length of thread

80

0

100

0

20

T=2, K=4

40 60 length of thread

80

100

T=3, K=4

8000

8000 EPC timeout

6000

LR timeout LMP timeout

4000

LMP timed out at L = 5

6000 time(sec)

time(sec)

80

LR timeout

4000

T=2, K=3

2000 0

100

2000

8000

0

80

T=3, K=2

8000

time(sec)

time(sec)

T=2, K=2

40 60 length of thread

EPC timeout

4000

LR timeout 2000

0

20

40 60 length of thread

80

100

0

0

20

40 60 length of thread

80

100

Fig. 8. Results for Bluetooth Example. As a check of our results, we also evaluated the three translations on the popular “Bluetooth driver” example. The original example had two threads: an “adder” and a “stopper”. To scale the number of threads, we created additional adder threads. T indicates the total number of threads. (T starts at 2 in these graphs because we need at least 1 adder and 1 stopper.) To artificially scale program length, we duplicated the body of the adder threads. L indicates the number of copies of the original code in each thread. The runs are under the baseline conditions: round-robin scheduling with Z3 as the SMT solver. (Caption continues on next page.)

Context-Bounded Translations for Concurrent Software: An Empirical Evaluation T=4, K=1

T=4, K=2

8000

8000 LMP EPC LR

6000 time(sec)

6000 time(sec)

241

4000 LMP timeout 2000

EPC timeout 4000 LR timeout 2000 LMP timeout

0

0

20

40 60 length of thread

80

0

100

0

20

T=4, K=3

100

8000 LMP timed out at L = 5

4000 LR timeout EPC timeout

2000

0

20

LMP, EPC, and LR timed out at L = 5

6000 time(sec)

6000 time(sec)

80

T=4, K=4

8000

0

40 60 length of thread

4000 2000

40 60 length of thread

80

100

0

0

20

40 60 length of thread

80

100

Fig. 9. Results for Bluetooth Example (cont’d). The results are similar: LMP clearly loses, but as with the results for arbitrary schedules (Figs. 6 and 7), EPC wins in several configurations. 10

8

log10(time)

6

4

2

0 LMP EPC LR

−2

−4

0

1

2

3

4 VC length

5

6

7 5

x 10

Fig. 10. Runtime vs. VC Length. One hypothesis is that VC length (and therefore static code size and complexity produced by the translation) is crucial for performance in the VC-checking paradigm. To test this hypothesis, we collected all the baseline runs, for both the microbenchmark and the Bluetooth queries, and plotted runtimes versus the size of the VC, as reported in “words” by the Unix utility wc to normalize for different variable naming conventions. In this plot, each translation is shown with a different symbol (and color). The size of the symbol is proportional to the context bound K. The data appear to cluster into multiple straight lines, indicating exponential growth, but with different bases for the different translations and problem instances. For example, LMP compensates somewhat for vastly bigger VCs with a lower-based exponent. There appears to be some correlation between K and the exponential growth rate, although this is imperfect. We observed even less correlation with T . We conjecture that some complexity measure, such as number of program paths, could predict which exponential curve a given problem family and translation approach would exhibit. (The graph is much easier to interpret in color.)

242

N. Ghafari, A.J. Hu, and Z. Rakamari´c

Fortunately, our experiments suggest an avenue for predicting performance. SMT runtimes tend to grow exponentially with VC length, but the different translations and parameters give different exponential curves. This suggests that the practical scalability of a translation scheme might be predicted by combining the size of the queries generated with an empirical or theoretical measure of the complexity of solving that class of query. As a crude heuristic, pick translations that keep VCs short and simple. Disturbingly, our experiments also highlight experimental pitfalls and confounding factors. For example, using an older, slower SMT solver changes the relative ranking of the translations, implying that practical performance depends more on the interaction of a translation with a given SMT solver than on theoretical properties of the translation in isolation. If another revolution in SMT solving occurred, these translations would need to be re-evaluated. Similarly, the relative ranking of translations was sometimes different in small, degenerate corners of the parameter space. Performing only a few experiments, as if often done in this research area, could easily give misleading results. Our results can be used as a cautionary map, clarifying the landscape (e.g., VC-checking vs Boolean model checking) and highlighting pitfalls (e.g., use the fastest solver, conduct thorough experiments). These are not happy results, but they are critically important, since they challenge the assumptions and methodologies underpinning further research. Finally, it is thought-provoking to consider how poorly all three translations scale on our microbenchmark. As noted earlier, the microbenchmark is easily solvable by other means, e.g., even the largest parameter configuration we considered (T = 4, K = 4, L = 100) yields a state space of roughly only 1.6 billion states (100 program counter locations for each of 4 threads times a 4-valued context counter times a 4-valued pointer that indicates the active thread), within the reach of even explicit-state model checking. Yet, none of the translations, under any experimental setup, came anywhere close to those parameter values. There is an odd disparity between the ample empirical proof of the practical success of CBA (including our own work, finding real bugs in real industrial software, using the same LR-B OOGIE-Z3 tool chain, albeit augmented with some abstraction techniques [21]) and its poor scalability here. The explanation, we believe, is that the power of CBA with VC-checking comes from the ability to reason about and soundly abstract software features like large memories, heaps, and recursion, but not from the core exploration of interleavings, which is where classical model checking excels. We speculate there may be promising hybrids between the two approaches, or that CBA will dominate bug-finding in low-level software implementations with explicit-state model checking dominating protocol-level software verification, much as bounded model checking and explicit-state model checking complement each other in hardware verification.

References 1. Babi´c, D., Hu, A.J.: Calysto: Scalable and precise extended static checking. In: Intl. Conf. on Software Engineering (ICSE), pp. 211–220 (2008) 2. Ball, T., Majumdar, R., Millstein, T., Rajamani, S.K.: Automatic predicate abstraction of C programs. In: Conf. on Programming Language Design and Implementation (PLDI), pp. 203–213 (2001) 3. Barnett, M., Chang, B.-Y.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boogie: A modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, Heidelberg (2006)

Context-Bounded Translations for Concurrent Software: An Empirical Evaluation

243

4. Barrett, C., Tinelli, C.: CVC3. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 298–302. Springer, Heidelberg (2007) 5. Chatterjee, S., Lahiri, S.K., Qadeer, S., Rakamari´c, Z.: A reachability predicate for analyzing low-level software. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 19–33. Springer, Heidelberg (2007) 6. Clarke, E.M., Biere, A., Raimi, R., Zhu, Y.: Bounded model checking using satisfiability solving. Formal Methods in System Design (FMSD) 19(1), 7–34 (2001) 7. Clarke, E.M., Emerson, E.A.: Design and synthesis of synchronization skeletons using branching-time temporal logic. In: Logic of Programs, Workshop, pp. 52–71 (1981) 8. Clarke, E.M., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 168–176. Springer, Heidelberg (2004) 9. Clarke, E.M., Kroening, D., Sharygina, N., Yorav, K.: Predicate abstraction of ANSI–C programs using SAT. Formal Methods in System Design (FMSD) 25, 105–127 (2004) 10. Corbett, J.C., Dwyer, M.B., Hatcliff, J., Laubach, S., Pasareanu, C.S., Robby, Zheng, H.: Bandera: Extracting finite-state models from Java source code. In: Intl. Conf. on Software Engineering (ICSE), pp. 439–448 (2000) 11. de Moura, L., Bjørner, N.: Z3: An efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008) 12. DeLine, R., Leino, K.R.M.: BoogiePL: A typed procedural language for checking objectoriented programs. Technical Report MSR-TR-2005-70, Microsoft Research (2005) 13. Demartini, C., Iosif, R., Sisto, R.: A deadlock detection tool for concurrent Java programs. Software — Practice and Experience 29(7), 577–603 (1999) 14. Dijkstra, E.W.: Guarded commands, nondeterminacy and formal derivation of programs. Communications of the ACM 18, 453–457 (1975) 15. Esparza, J., Schwoon, S.: A BDD-based model checker for recursive programs. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 324–336. Springer, Heidelberg (2001) 16. Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. In: Conf. on Programming Language Design and Implementation (PLDI), pp. 234–245 (2002) 17. Ganai, M.K., Gupta, A.: Efficient modeling of concurrent systems in BMC. In: Havelund, K., Majumdar, R., Palsberg, J. (eds.) SPIN 2008. LNCS, vol. 5156, pp. 114–133. Springer, Heidelberg (2008) 18. Holzmann, G.J.: Design and Validation of Computer Protocols. Prentice-Hall, Englewood Cliffs (1991) 19. Holzmann, G.J., Smith, M.H.: Software model checking. In: Formal Methods for Protocol Engineering and Distributed Systems (FORTE), pp. 481–497 (1999) 20. Kahlon, V., Sankaranarayanan, S., Gupta, A.: Semantic reduction of thread interleavings in concurrent programs. In: Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pp. 124–138 (2009) 21. Lahiri, S.K., Qadeer, S., Rakamari´c, Z.: Static and precise detection of concurrency errors in systems code using SMT solvers. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 509–524. Springer, Heidelberg (2009) 22. Lal, A., Reps, T.W.: Reducing concurrent analysis under a context bound to sequential analysis. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 37–51. Springer, Heidelberg (2008) 23. Lal, A., Touili, T., Kidd, N., Reps, T.W.: Interprocedural analysis of concurrent programs under a context bound. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 282–298. Springer, Heidelberg (2008)

244

N. Ghafari, A.J. Hu, and Z. Rakamari´c

24. Musuvathi, M., Qadeer, S.: Iterative context bounding for systematic testing of multithreaded programs. In: Conf. on Programming Language Design and Implementation (PLDI), pp. 446–455 (2007) 25. Qadeer, S., Rehof, J.: Context-bounded model checking of concurrent software. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 93–107. Springer, Heidelberg (2005) 26. Qadeer, S., Wu, D.: KISS: Keep it simple and sequential. In: Conf. on Programming Language Design and Implementation (PLDI), pp. 14–24 (2004) 27. Rabinovitz, I., Grumberg, O.: Bounded model checking of concurrent programs. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 82–97. Springer, Heidelberg (2005) 28. Rakamari´c, Z., Hu, A.J.: A scalable memory model for low-level code. In: Jones, N.D., M¨uller-Olm, M. (eds.) VMCAI 2009. LNCS, vol. 5403, pp. 290–304. Springer, Heidelberg (2009) 29. Schulte, W., Xia, S., Smans, J., Piessens, F.: A glimpse of a verifying C compiler (extended abstract). In: C/C++ Verification Workshop, CCV (2007) 30. Suwimonteerabuth, D., Esparza, J., Schwoon, S.: Symbolic context-bounded analysis of multithreaded Java programs. In: Havelund, K., Majumdar, R., Palsberg, J. (eds.) SPIN 2008. LNCS, vol. 5156, pp. 270–287. Springer, Heidelberg (2008) 31. Torre, S.L., Madhusudan, P., Parlato, G.: Reducing context-bounded concurrent reachability to sequential reachability. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 477–492. Springer, Heidelberg (2009) 32. Visser, W., Havelund, K., Brat, G.P., Park, S., Lerda, F.: Model checking programs. Automated Software Engineering 10(2), 203–232 (2003)

A Verification-Condition (VC) Generation A VC is a logical formula whose validity implies partial correctness of the code for which it was generated. VCs are typically constructed via weakest precondition or symbolic execution. For example, consider the code x=0; x=x+1; assert x>0. By symbolic execution, we would determine that x is 0, then 0 + 1, and then that the VC is 0 + 1 > 0, which is valid. By weakest precondition, we would go backward from the assert, starting with x > 0, then by substitution x + 1 > 0, and again by substitution 0 + 1 > 0, which is the same VC and is valid. Naive VC computation can blow-up, but modern algorithms create VCs that are linear in the original code size. In contrast, a model checker would typically impose a finite domain for x, and could go forward or backward, computing sets of values of x at each program point. In the extreme case of Boolean model checking, we could abstract x down to a single bit, representing the two possibilities {x > 0, x  > 0}. The VC-checking paradigm can be viewed as an extremely lazy, symbolic model checking algorithm, which very efficiently computes symbolic formulas representing sets of states at program points, but defers all reasoning about those formulas to the decision procedure, after the program is completely analyzed. Because of this delayed analysis, VC-checking methods have difficulty with fixpoint iterations and instead typically rely on user-provided or heuristically generated invariants to break loops. On the positive side, VC generation is very efficient, good decision procedures exist that directly handle infinite domains. The decision procedures can propagate information from the entire program in any direction when solving the VC, unlike the one-step-at-a-time image computations in ordinary model checking.

One Stack to Run Them All Reducing Concurrent Analysis to Sequential Analysis under Priority Scheduling Nicholas Kidd, Suresh Jagannathan, and Jan Vitek Purdue University {nkidd,suresh,jv}@cs.purdue.edu

Abstract. We present a reduction from a concurrent real-time program with priority preemptive scheduling to a sequential program that has the same set of behaviors. Whereas many static analyses of concurrent programs are undecidable, our reduction enables the application of any sequential program analysis to be applied to a concurrent real-time program with priority preemptive scheduling.

1

Introduction

Embedded systems are pervasive and are becoming ever more dependent on complex software with significant correctness and reliability requirements. From automobiles to the space shuttle, software is rapidly becoming the most significant part of development time of new devices. Due to the drastic costs of software errors, it is crucial that verification techniques handle the demands and specific requirements of embedded systems. The goal of this work is to broaden the applicability of known software verification techniques from sequential programs to a large class of real-time concurrent programs. The programming model used in the vast majority of deployed devices defines a set of periodic tasks—tasks that perform computation at a regular interval (period)—that respond to or monitor events. Each task is typically assigned a priority, and tasks are scheduled by a priority preemptive scheduler —a scheduler that always chooses to schedule the highest-priority task that is currently runnable. A lower-priority task is preempted when a higher-priority task becomes runnable, and is rescheduled only when the higher-priority task has finished. The main contribution of our work is a general reduction from a concurrent program with priority preemptive scheduling to a sequential program, which makes the concurrent program amenable to recent research on automated testing of sequential programs (e.g., DART [1], EXE [2], and KLEE [3], to name a few such systems). Our only two restrictions are that the concurrent program has a finite number of tasks, and that the tasks execute with interleaved semantics (e.g., on a uniprocessor). In the embedded world, these restrictions are the norm as they ensure predictability, which is oftentimes more important than absolute performance. 

Supported by NSF under grants CCF-0811631 and CCF-0701832.

J. van de Pol and M. Weber (Eds.): SPIN 2010, LNCS 6349, pp. 245–261, 2010. c Springer-Verlag Berlin Heidelberg 2010 

246

N. Kidd, S. Jagannathan, and J. Vitek

For the important case of finite-data concurrent programs, (i.e., can be modeled as a Boolean program or multi-pushdown system), our reduction shows that the problem of determining the set of all possible reachable program configurations is decidable. (Deciding the set of reachable configurations subsumes many testing notions such as statement and condition coverage). While finite-data may seem restrictive, for embedded systems and especially safety-critical systems, it is often the case that a program will pre-allocate the required amount of memory to provide greater predictability (i.e., to remove unpredictable and potentially costly invocations of the memory allocator). The reason that it is not readily apparent that a concurrent program with priority preemptive scheduling could be reduced to a sequential program is because all of the characteristics of traditional concurrent programs that make analysis difficult are still present. There are multiple threads of execution, shared state, locks, and preemption. Furthermore, each thread is likely to be non-terminating as it must execute once per period. The key insight behind our reduction is that because a preempted lower-priority thread is not rescheduled until the higherpriority thread has finished, the two threads can share the same stack. That is, preemption can be modeled as merely a function call. Thus, a concurrent (multi-stack) program can be reduced to a sequential (one-stack) program. Another important aspect of real-time programming is avoiding priority inversion. Priority inversion occurs when a higher-priority thread th cannot make progress because a lower-priority thread tl has ownership of a shared resource, such as a lock. Even worse, a medium-priority thread tm can preempt tl , in effect giving tm priority over th . Overall, priority inversion causes th ’s priority to be lowered to that of tl so long as tl owns the resource. Coupled with priority scheduling, priority inversion can lead to deadlock. Two common protocols [4] for addressing priority inversion include: 1. Priority Ceiling Protocol (PCP) statically associates with each shared resource (lock) the priority of the highest-priority thread that may acquire that resource. When a thread t acquires a resource r, t’s priority is temporarily raised to r’s priority, and is restored when r is released. Note that due to the way priorities are assigned to resources, r’s priority must be at least as high as t. 2. Priority Inheritance Protocol (PIP) temporarily elevates the priority of a lower-priority thread tl that owns a resource r required by a higher-priority thread th to that of th until tl has released r. In comparison, PCP is an eager (or pessimistic) protocol, while PIP is a lazy (or optimistic) protocol that avoids elevating priorities until strictly necessary. Moreover, PCP guarantees dead-lock freedom [4], whereas PIP does not. Our second contribution is to show that configuration reachability of a concurrent finite-data program with a priority preemptive scheduler (i) remains decidable for a PCP-extended programming model, (ii) is undecidable in general for a PIP-extended programming model, and (iii) is decidable for a PIP-extended programming model with properly nested locks.

One Stack to Run Them All

2

247

Reduction

A concurrent program is a shared-memory computation by a finite number of threads t1 , . . . , tn that execute with interleaved semantics. Associated with each thread ti , 1 ≤ i ≤ n, is a priority, priority(ti ), and a period, period(ti ), in which ti must perform its computation. We assume that each thread completes its task once per period (i.e., all deadlines are met). In addition, our abstraction of time is a hyperperiod H, which is the least common multiple of the periods of all threads. Observe that each thread ti , 1 ≤ i ≤ n, must execute ai  H/period(ti ) times per hyperperiod H. Thus, we reduce a concurrent program with heterogeneous periods to a concurrent program with a single period, namely H, by extending the concurrent program to have ai copies of ti , where each copy has the same priority. For the remainder of the paper, all threads are assumed to have the same period H. Finally, each thread (copy) becomes schedulable (i.e., is awoken) non-deterministically. Remark 1. The reduction to a single hyperperiod is a sound over-approximation. For example, a system with threads T1 and T2 with periods 2 resp. 3 will have three copies of T1 and two copies of T2 because the l.c.m. of the periods is H = 6. The reduction to a single period H allows the schedule T1 T1 T1 T2 T2 which is not allowed in the original system. A more precise reduction can be easily encoded by adding additional scheduling constraints (i.e., a finite amount of data) to the program. The key insight behind our reduction is that because of priority preemptive scheduling, all running threads can share the same stack. Consider the case where a thread t is executing with current stack contents u, and another thread t , such that priority(t) < priority(t ) is awoken non-deterministically. At this point, and with a traditional non-deterministic scheduler, a concurrent program must maintain two active and distinct stacks, namely u and u , because t could be preempted at any time to allow t to resume execution. However, with priority preemptive scheduling, it is guaranteed that t will not be preempted by t, or by any thread t where priority(t ) < priority(t ). Thus, t can share the same stack at t (see Fig. 1). The reduction is then as follows. First, the priority preemptive scheduler is made exu' u' u plicit by adding to the program the code ⊕ shown in Fig. 2. The Hyperperiod procedure in Fig. 2 executes each thread one time, choosing non-deterministically a sleepu ing thread to execute via the choose opera㱺 tion, which returns an index that satisfies the supplied guard. An infinite cycle of hyperperiods is simulated by invoking Hyperperiod Fig. 1. Sharing stacks u and u in a non-terminating loop and ensuring to reset the array Sleeping (see below) before doing so. During each hyperperiod, the scheduler has two tasks: (i) it must ensure

248

N. Kidd, S. Jagannathan, and J. Vitek

// Sleeping flags Sleeping[n] = {true,...,true}; // Thread priorities Priorities[n] = ...; // Thread entry points Threads[n] = ...; // 0 => choose any thread Prio = 0; void Hyperperiod() {  while ( i Sleeping[i]) { j = choose j: Sleeping[j]; Sleeping[j] = false; Threads[j].entry(); } }

// Wake-up higher-priority thread void Schedule() { // Save current priority int prevPrio = Prio; for i in (1..n) { if (Priorities[i] <= Prio) continue; if (nondet() && Sleeping[i]) { Prio = i; Sleeping[i]=false; Threads[i].entry(); break; } } // Restore priority Prio = prevPrio; }

Fig. 2. Pseudo-code to execute one hyperperiod

that each thread t is awoken so that t can execute its task; and (ii) the wakeups should happen non-deterministically. The first task is handled by defining a Boolean array of size n, where each entry in the array denotes whether a thread t is sleeping or not. (In Fig. 2, the array is named Sleeping.) The scheduler loops until all threads have been awoken and completed their periodic task. The second task is handled by performing a source-to-source transformation on the code of each thread so that it non-deterministically invokes Schedule before each statement st. That is, if a thread is comprised of program statements st1 ,. . . ,stk , then the transformed program will have program statements st1 ,. . . ,stk , where each st is defined as: st  Schedule(); st. In the definition of Schedule in Fig. 2, the function nondet non-deterministically returns true or false. When Schedule is invoked, the code of a higher-priority thread ti than the thread ti whose code is currently executing may be invoked, which corresponds to ti being preempted by ti . Before executing a thread ti by invoking Threads[i].entry(), the flag Sleeping[i] is set to false to ensure that ti is executed exactly once per hyperperiod H. Non-determinism plays a second role, namely, to enumerate all possible orderings of same-priority threads. With priority-preemptive scheduling, a thread will only be preempted by a higher -priority thread. If two threads t and t have the same priority, and because our programming model uses non-deterministic wakeups, schedules in which t executes before t and vice versa must both be considered. Non-determinism allows for both schedules to occur. Moreover, in the finite-data case that is discussed next, pushdown-system reachability algorithms naturally consider both schedules.

One Stack to Run Them All

249

Table 1. The encoding of an ICFG’s edges as PDS rules PDS Rule

Control flow modeled

p, n1  → p, n2  Intraprocedural edge n1 → n2 p, nc  → p, ef rc  Call to f , with entry ef , from nc that returns to rc p, xf  → p,  Return from f at exit xf

By reducing a concurrent program with priority preemptive scheduling to a sequential program, existing automated techniques for sequential programs, such as model checkers [5,6] and code-coverage techniques [1,2,3], can be applied to the generated sequential program.

3

Reduction for Multi-PDSs

For the important case of a finite-data programs, each thread can be modeled by a pushdown system (PDS), and the concurrent program as a multi-PDS [7,8,9]. (We will use the term thread and PDS interchangeably.) Definition 1. A pushdown system (PDS) is a tuple P = (P, Γ, γ0 , Δ), where P is a finite set of control states, Γ is a finite stack alphabet, γ0 is the initial stack symbol of P specifying the entry point of the modeled thread, and Δ ⊆ (P × Γ )× (P × Γ ∗ ) is a finite set of rules. A rule r ∈ Δ is denoted by p, γ → p , u . A PDS configuration p ∈ P, u ∈ Γ ∗  is a control state along with a stack. Δ defines a transition system over the set of all configurations. From c = p, γu, P can make a transition to c = p , u u, denoted by c ⇒ c , if there exists a rule p, γ → p , u  ∈ Δ. The reflexive transitive closure of ⇒ is denoted by ⇒∗ . Without loss of generality, a pushdown rule is restricted to have at most two stack symbols appear on the right-hand side, i.e., for p, γ → p , u  ∈ Δ, |u | ≤ 2 [10]. A PDS naturally captures the interprocedural control flow of a thread (see Tab. 1). To model the program state, one typically encodes the global state of the program in P and the local state (i.e., local variables to a function) in Γ . In addition, parameter passing and returning a value from a callee to its caller is modeled by introducing global variables and their corresponding assignments. We direct the reader to Schwoon’s thesis [10] for a detailed description. A concurrent program consists of a set of PDSs P1 , . . . , Pn that share a common set of control states P . For PDS synchronization, any finite-state synchronization protocol can be embedded in P . Because in §4 we consider protocols for addressing priority-inversion in finite-data programs, we will require a mechanism to associate priorities to sections of code that manipulate shared resources (i.e., critical sections). A natural choice—and one common to real-time programming—is to use locks to synchronize execution of critical sections. Thus,

250

N. Kidd, S. Jagannathan, and J. Vitek

we will facilitate these extensions by distinguishing the set L, a finite set of nonreentrant locks.1 We now require a mechanism to specify when a thread acquires and releases a lock. We assume that for a PDS P = (P, Γ, γ0 , Δ) and for each lock l in L, the following subsets of Δ are defined: – – – – –

acq(l ∈ L, P) is the set of rules that acquire l; rel(l ∈ L, P)  is the set of rules that release l; acq(P)  l∈L acq(l, P) is the set of rules that acquire any lock;  rel(P)  l∈L rel(l, P) is the set of rules that release any lock; and   nolock(P)  Δ \ acq(P) ∪ rel(P) is the set of non-locking rules.

Altogether, a concurrent program consists of a global state space P , a finite set of threads P1 , . . . , Pn that share the same state space P , and a finite set of locks L. Because a concurrent program consists of a finite number of threads P1 , . . . , Pn , we assume that the threads are sorted according to their priority. Definition 2. A multi-PDS is a tuple Π = (P, p0 , P1 , . . . , Pn , L), where P is the shared control state of each PDS Pi = (P, Γi , γ0i , Δi ), 1 ≤ i ≤ n; p0 ∈ P is the initial control state; and L = {l1 , . . . , l|L| } is a finite set of |L| non-reentrant locks. A global configuration p, u1 , . . . , un , o¯ is a tuple consisting of: – a control state p ∈ P modeling the global state of Π; – a stack ui for each PDS Pi , 1 ≤ i ≤ n, where ui ∈ Γi∗ ∪ { γ0i } and ∈ / Γi is a unique stack symbol that is used to denote a sleeping thread (discussed below); and – an ownership array o¯ of length |L|, in which each entry indicates the owner of a given lock: for each 1 ≤ j ≤ |L|, o¯[j] ∈ {0, 1, . . . , n} indicates the identity i of the PDS Pi that holds lock lj (0 signifies that lj is free). Given o¯, a state change in which Pi acquires lock lj is denoted by o¯[j  → i], and a state change in which Pi releases lock lj —setting lj ’s owner to 0—is denoted by o¯[j  → 0]. Let o¯0 denote o¯ with all entries set to 0. The set of all global configurations is denoted by G. The initial global configuration is g0 = p0 , γ01 , . . . , γ0n , o¯0 . Pi is active in a global configuration g, denoted active(g, Pi ) if its stack contents ui = γ0k ∨ , which stipulates that Pi is neither waiting to begin execution—ui = γ0i —nor has finished execution— ui = . The priority of g, denoted priority(g), is the maximum of the active threads: priority(g) = max({priority(Pi ) | active(g, Pi )}). A global configuration g = p, u1 , . . . , un , o¯ can be thought of as representing the set of (local) PDS configurations {p, ui  | 1 ≤ i ≤ n}. For the initial global configuration g0 = p0 , γ01 , . . . , γ0n , o¯0 , the special stack symbol denotes that each thread is waiting to begin execution. Interleaved execution of Π is defined by the transition relation ⊆ G × G on global configurations. As is customary, we will use g  g  to denote that 1

Reentrant locks that are acquired and released at procedure boundaries are reducible to non-reentrant locks [11].

One Stack to Run Them All

251

(g, g  ) ∈. Intuitively, there are two types of transitions that Π can perform to go from g to g  . The first transition type is that a sleeping thread is awoken non-deterministically. In the initial global configuration g0 , the stack contents of each PDS Pi , 1 ≤ i ≤ n, is γ0i , where the special stack symbol denotes that Pi is sleeping. For Pi to be awoken, the special stack symbol must be popped from the top of Pi ’s stack. We observe that at a global configuration g where Pi is sleeping, delaying the wake-up of Pi until after all currently-running higherpriority threads (i.e., {Pi | i = i ∧ priority(Pi ) < priority(Pi ) ∧ active(g, Pi )}) have finished execution results in the same set of configurations being reachable from g—{g  | g ∗ g  }—modulo  , where modulo denotes that the stacks γ0i and γ0i are considered equal. The reasoning is straightforward: even if Pi were to be awoken, it would not be able to perform any computation steps until Pi has finished execution, at which point non-determinism in  would allow Pi to be awoken resulting in the same set of reachable configurations modulo . The second transition type is that the highest-priority thread that has already been awoken is able to update the global state and its (local) stack. Only the highest-priority thread is able to make a transition because the programming model uses a priority preemptive scheduler. We now formally define exactly when g  g  holds for Π. 1. p, u1 , . . . , γ0i , . . . , un , o¯  p, u1 , . . . , γ0i , . . . , un , o¯ iff priority(g) < priority(Pi ). Thread Pi is only awoken if Pi has a higher-priority than the currently executing thread. 2. p, u1 , . . . , γi ui , . . . , un , o¯  p , u1 , . . . , u ui , . . . , un , o¯  iff priority(g) = priority(Pi ) and ri = p, γ → p , u  ∈ Δi and: (a) If ri ∈ nolock(Pi ), then o¯ = o¯. The transition enabled by ri does not update the state of any lock lj ∈ L. → i]. The lock lj must (b) If ri ∈ acq(lj ∈ L, Pi ) and o¯[j] = 0, then o¯ = o¯[j  be free in g, and is owned by Pi in g  . (c) If ri ∈ rel(lj ∈ L, Pi ) and o¯[j] = i, then o¯ = o¯[j  → 0]. The lock lj must be owned by Pi in g, and is free in g  . The reflexive transitive closure of  is denoted by ∗ . 3.1

Model Checking Problem

As is common in PDS-based model checking [12,13,7,8], the problem of interest is to compute reachability. Problem 1. Given Π and g ∈ G, compute the set of forwards reachable configurations G = {g  | g ∗ g  }. We restrict ourselves to reachability from a single global configuration g not for any technical reason, but because of the nature of embedded software. As discussed in §2, the target application consists of a finite set of periodic tasks (threads), and it is assumed that each thread has the same period and completes one task each period (i.e., makes its deadline). Hence, the concurrent program

252

N. Kidd, S. Jagannathan, and J. Vitek

consists of an infinite cycle of periods, where for the finite-data case, the only difference between starting configurations is the initial state p, which is p0 at program onset. Given a black box to solve Problem 1 (i.e., to compute the set of single-period reachable configurations G from g ∈ G), then the set of all reachable configurations can be computed via repeated queries—there are only a finite number of states p to start from because P is finite, the stack of each PDS Pi always begins in the initial stack γ0i , and a successive period can only begin from a state p in the set {p | p, 1 , . . . , n , o¯0  ∈ G }.2 Problem 1 is decidable for Π, and shown by reduction to context-bounded analysis (CBA) [7,14].3 Theorem 1. Given Π = (P, p0 , P1 , . . . , Pn , L) and g ∈ G, the set G = {g  | g ∗ g  } of single-period forwards reachable configurations from g is computable in at most O(n) execution contexts. Proof. A thread Pi can preempt another thread Pj at most one time because once Pi preempts Pj , by definition Pj cannot restart execution until Pi has finished execution. Thus, the number of preemptions is bounded by O(n) which also bounds the number of execution contexts by O(n).   3.2

A More Efficient Reduction

We now present a reduction from a multi-PDS Π with priority preemptive scheduling to a single PDS PΠ , the benefit of which is that all of the known existing techniques for model checking PDSs, including those for expressive logics both linear and branching [12,15], can be used for model checking multi-PDSs with priority preemptive scheduling. Moreover, the most efficient algorithms for CBA [14] require creating a copy of the global state space for each execution con¯ 2n ), text, resulting in an algorithm to solve Problem 1 with complexity O(|P × O| 4 ¯ is the finite set of all ownership arrays. Because of priority preempwhere O tive scheduling, our reduction avoids the need to create copies, resulting in a ¯ 2 2n ), where the 2n factor accounts for the complexity on the order of O(|P × O| n bits in the array Sleeping that track whether a thread has run during the (current) hyperperiod. In other words, our reduction adds n bits, whereas [14] would add n copies of P . (We note that [14] solves a harder problem because it allows for the non-deterministic preemption of any thread, i.e., a stack must be maintained for each thread.) 2

3

4

We assume that each thread releases its acquired locks before completing the desired task. Otherwise, one would also have to possibly enumerate over the ownership arrays when starting a new period as well. CBA is a program analysis that only considers executions with a bounded number of execution contexts, where an execution context is one continuous (sequential) execution of a single thread (albeit there can be many execution contexts of a thread due to context switching). ¯ is finite because there are a finite number of locks and threads (indices), and can O thus be encoded in the control state of a PDS.

One Stack to Run Them All

253

Combining P1 ,. . . ,Pn , and ownership arrays. The first part of the reduction follows naturally from the definition of Π, G, and  from §3. Recall that the PDSs of Π and, in particular, their constituent stack contents in a configuration g = p, u1 , . . . , un , o¯ ∈ G are sorted based on priority. Because of priority preemptive scheduling, one can view g as having a stack of stacks. For example, consider a concurrent program Π3 that consists of three PDSs P1 , P2 , and P3 and set of locks L3 , and let g3 = p, u1 , u2 , u3 , o¯ be a configuration of Π3 . To represent g3 as a single-PDS configuration c3 , we must rearrange the stacks into a single stack as follows: c3 = p, u3 u2 u1 . We must also store the ownership array o¯ somewhere in c3 , and the natural solution is to pair it with the control state p, yielding c3 = (p, o¯), u3 u2 u1 . Of course, if a thread has yet to be awoken (e.g., u3 = γ03 ), then it must not be included in c3 , for otherwise threads of lesser priority (e.g., P1 and P2 ) would not be able to make progress. Our first step towards defining PΠ is to define the PDS P1n that models the execution of PDSs P1 , . . . , Pn of Π. From the above example configuration c3 , we can see that the ownership array o¯ must be encoded in the control state, and the PDS rules of P1n must perform updates to the embedded ownership array. With ¯ being the set of all ownership arrays, we define for each PDS Pi , 1 ≤ i ≤ n, O the PDS Pi whose PDS rules have been modified to account for ownership arrays as follows: ¯ define P  as Definition 3. Given a PDS Pi and set of ownership arrays O, i  i  ¯ Γi , γ , Δ ), where P × O ¯ encodes an ownership array in follows: Pi = (P × O, 0 i each control state of Pi , Γi and γ0i are unchanged from the definition of Pi , and Δi contains a set of rules for each rule r = p, γ → p , u  ∈ Δi , where each set is r extended to update ownership arrays, defined as follows: – If r ∈ acq(lj ∈ L, Pi ), then Δi contains the set of rules: {(p, o¯), γ → ¯ ∧ o¯[j] = 0 ∧ o¯ = o¯[j  (p , o¯ ), u  | o¯ ∈ O → i]}. – If r ∈ rel(lj ∈ L, Pi ), then Δi contains the set of rules: {(p, o¯), γ → ¯ ∧ o¯[j] = i ∧ o¯ = o¯[j  (p , o¯ ), u  | o¯ ∈ O → 0]}. – If r ∈ nolock(Pi ), then Δi contains the set of rules: {(p, o¯), γ → ¯ (p , o¯), u  | o¯ ∈ O}. Definition 4. Given Π = (P, p0 , P1 , . . . , Pn , L), and for each Pi = ¯ Γi , γ i , Δ ) according to Defn. 3, (P, Γi , γ0i , Δi ), 1 ≤ i ≤ n, define Pi = (P × O, 0 i n then the PDS P1 that models the execution of Π’s constituent PDSs is defined ¯ Γ n = n Γi , γ 1 , Δn = n Δ ). as: P1n = (P × O, 1 0 1 i=1 i=1 i From Defn. 4, we can see that a control state (p, o¯) of P1n is a pair that models a control state p ∈ P from Π, as well as an ownership array o¯. The stack alphabet is merely the union of the stack alphabets of the constituent PDSs. By defining Pi for PDS Pi , the set of PDS rules have been modified to properly update the ownership array when a PDS transition is made. Overall, P1n models the execution of each PDS, as well as tracking the ownership status of each lock l ∈ L. What is missing is the priority preemptive scheduler that non-deterministically awakens threads and schedules the highest-priority active thread.

254

N. Kidd, S. Jagannathan, and J. Vitek

Explicit Scheduler. The scheduler shown in Fig. 2 on page 248 is finite-data (i.e., a Boolean program [16]), and thus convertible into a PDS [10], which we will refer to as Psched = (Psched , Γsched , γH , Δsched ), where – Psched = {1 . . . n} × {0, 1}n is a pair where the first component holds the current value of Prio, and the second component is the Boolean array Sleeping.5 – Γsched = {1 . . . n} × Locs is a pair where the first component is the current value of prevPrio and the second component is the set of program locations for the code in Fig. 2. – γH is the program location for the start of the Hyperperiod procedure in Fig. 2. – Δsched is defined using standard Boolean program-to-PDS conversion [10]. (Essentially, interprocedural control flow is encoded via the template in Tab. 1, and global resp. local Boolean variables are encoded in the PDS control state P resp. stack alphabet Γ .) Combining P1n with Psched . We now define from P1n and Psched , the PDS PΠ whose transition system ⇒ simulates the multi-PDS Π with transition system . Observe that the transition system of PΠ must include both P1n and Psched , and thus to the first degree the two PDSs are joined together. The only modification to either PDS is to stitch the set of control states together, and reflect this join in the final set of PDS rules of PΠ . Definition 5. Given P1n = (P1n , Γ1n , γ, Δn1 ) and Psched = (Psched , Γsched , γH , Δsched ), define PΠ = (PΠ , ΓΠ , γH , ΔΠ ), where – PΠ = Psched × P1n is a pair where each component holds a value from its constituent set of control states. Recall that Psched = {1 . . . n} × {0, 1}n is a priority and an array that determines whether a PDS is sleeping or not, and ¯ is P , the original set of control states of Π, paired with O, ¯ the P1n = P × O set of ownership arrays. – ΓΠ = Γ1n ∪ Γsched is the union of the constituent stack symbols. – γH is the program location for the start of the Hyperperiod procedure in Fig. 2. – ΔΠ consists of the following two sets of rules: 1. For each rule r = (p, o¯), γ → (p , o¯ ), u  ∈ Δn1 and control state (ς, ¯b) ∈ Psched , ΔΠ contains the set of rules: {(ς, ¯b, p, o¯), γ → (ς, ¯b, p , o¯ ), u , (ς, ¯b, p, o¯), γ → (ς, ¯b, p, o¯), γn5 γ} In the set, the first rule is r extended with a control state from Psched . The control state is not modified as the rules from Δn1 do not modify the state of the scheduler. The second rule implements a function call to Schedule in Fig. 2, which will non-deterministically invoke the code of a higher-priority thread or return. Moreover, from a configuration (ς, ¯b, p, o¯), γu of PΠ , PΠ non-deterministically chooses to simulate P1n or Psched depending on which rule is invoked. 5

The number of distinct priorities is bounded by n because there are only n threads.

One Stack to Run Them All

255

2. For each rule r = (ς, ¯b), γ → (ς  , ¯b ), u  ∈ Δsched and control state (p, o¯) ∈ P1n , ΔΠ contains the set of rules: {(ς, ¯b, p, o¯), γ → (ς  , ¯b , p, o¯), u }. These rules combine the rules of Psched with the control states P1n of P1n . Similar to the above set of rules, the control state of P1n is “passed through” unmodified because the scheduler does not affect that control state of P1n . 3.3

Correctness

Correctness of the reduction is established by defining a weak bisimulation between the transition systems of Π and PΠ . Weak bisimulation is used because in PΠ , the scheduler is made explicit whereas it is implicit in the definition of  for Π. Thus, configurations of PΠ should only be considered visible if the top-of-stack symbol is not a member of Γsched . Formally, for a configuration c = (ς, ¯b, p, o¯), γu of PΠ , we define vis(c) = γ ∈ / (Γsched \ {γH }), and extend vis to sets of configurations in the usual way. Finally, we define the transition relation ⇒vis between visible configurations of PΠ as follows: ⎧ ⎫ ⎨ ⎬ c ⇒vis c | vis(c) ∧ vis(c ) ∧ ∃c1 , . . . , ck : c ⇒ c1 ⇒ . . . ⇒ ck ⇒ c ¬vis(ci ) ⎩ ⎭ 1≤i≤k

We define the relation ⊆ G × vis(C) from the set G of all global configurations of Π to the set vis(C) of all visible configurations of PΠ as follows: g  c iff g = p, u1 , . . . , un , o¯ ∧ c = (priority(g), ¯b, p, o¯), un ◦ · · · ◦ u1 , where ¯b[i]  ui = γ0i , ◦ denotes stack concatenation with the exception that the “sleeping stack” γ0i for thread Pi is considered a neutral element with respect to concatenation. In addition, we special case the initial global configuration by defining g0  (0, ¯b, p0 , o¯0 ), γH  (note that ¯b is true in each position because ui = γ0i for all i in g0 ). Theorem 2. The binary relation ⊆ G × vis(C) is a weak bisimulation between the transition systems (G, ) and (C, ⇒vis ) of Π and PΠ , respectively. Proof (Sketch). The proof proceeds by showing that for g  c and g  g  , then there exists a configuration c ∈ vis(C) such that c ⇒vis c and g   c . Likewise, if g  c and c ⇒vis c , then there exists a global configuration g  such that g  g  and g   c . The complete proof is given in the accompanying technical report [17].  

4

Priority Inversion

In systems with priority preemptive scheduling, a situation known as priority inversion occurs when a higher-priority thread Ph cannot make progress because

256

N. Kidd, S. Jagannathan, and J. Vitek

it waits on a resource (lock) currently owned by a lower-priority thread Pl . Two protocols for addressing priority inversion are Priority Ceiling Protocol (PCP) and Priority Inheritance Protocol (PIP). We next define each protocol, and show that Problem 1 is (i) decidable for PCP-extended semantics, (ii) undecidable in general for PIP-extended semantics, and (iii) decidable for PIP-extended semantics when lock usage is properly nested. 4.1

Priority Ceiling Protocol

Priority Ceiling Protocol (PCP) statically associates with each shared resource (lock) the priority of the highest-priority thread that may acquire that resource. When a thread acquires a resource, that thread’s priority is temporarily set to the priority of the resource, and is restored when the resource is released. A multi-PDS Π is extended as follows to define the PCP-extended semantics: 1. Π is equipped with a map ML from (sets of) locks to (sets of) priorities. 2. For a global configuration g = p, u1 , . . . , un , o¯, define LocksHeld(Pi ) = {lj | o¯[j] = i} to be the set of locks held by Pi at configuration g. 3. The PCP-extended priority of Pi , denoted by priorityPCP (Pi ), is the maximum of Pi ’s statically determined priority and of the set of locks held by Pi : priorityPCP = max(priority(Pi ), ML (LocksHeld(Pi )). We now show that for the PCP-extended semantics, Problem 1 remains decidable. Decidability follows from Thm. 1. Though not presented here, it is also possible to extend the construction of PΠ to support PCP-extended semantics, which would benefit from the improved complexity. Theorem 3. For concurrent program Π = (P, p0 , P1 , . . . , Pn , L, ML ) with priority preemptive scheduling and PCP-extended semantics, Problem 1 is decidable. Proof. Thm. 3 follows from Thm. 1. PCP-extended semantics reduces the number of threads that can preempt the currently executing thread Pi : if Pi has acquired a lock lj such that ML (lj ) > priority(Pi ), then fewer threads can preempt Pi until Pi releases lj . Thus, the number of execution contexts remains bounded by O(n) because the number of valid schedules (i.e., preemptions) of PCP-extended semantics is a subset of non-extended semantics, and the problem is decidable.   4.2

Priority Inheritance Protocol

Priority Inheritance Protocol (PIP) temporarily elevates the priority of a lowpriority thread that owns a resource required by a high-priority thread to that of the high-priority thread until it has released the resource. The PIP-extended semantics is defined by extending Π in the following ways:  1. Let Γ = i Γi . Extend each Γi , 1 ≤ i ≤ n, with the set of fresh stack symbols {⊥l | l ∈ L} where for each l ∈ L, ⊥l ∈ / Γ . The new symbol ⊥l is used to denote that a thread is waiting to acquire the lock l.

One Stack to Run Them All

257

2. For a global configuration g = p, u1 , . . . , un , o¯ and lock l, define Waiting(l) to be the set of threads whose top-of-stack symbol is ⊥l , i.e., Waiting(l) = {Pi | ui = ⊥l ui ∧ ui ∈ Γi∗ }. The set Waiting(l) is the set of threads that are blocked waiting to acquire the lock l. We extend Waiting to operate over sets of locks in the natural way. 3. The PIP-extended priority of thread Pi , denoted by priorityPIP (Pi ), is defined as the maximum of Pi ’s statically determined priority and of the threads that wait on a lock owned by Pi : priorityPIP (Pi ) = max(priority(Pi ), priorityPIP (Waiting(LocksHeld(Pi )))). The recurrence of priorityPIP in its own definition ensures that Pi ’s priority includes the transitive closure of all threads that are blocked because of the locks Pi holds, i.e., the threads waiting on locks held by Pi , the threads waiting on locks held by those threads, and so on. 4. Extend  to include transitions to and from global configurations where threads are waiting to acquire a lock l as follows: (a) g = p, u1 , . . . , γi ui , . . . , un , o¯  p, u1 , . . . , ⊥l γi ui , . . . , un , o¯ iff priority(g) = priority(Pi ) and ri ∈ acq(l ∈ L, Pi ) and o¯[l] = 0. This rule defines a set of transitions where the highest-priority thread in global configuration g attempts to acquire a currently held lock l. Because l is held by another thread, Pi makes a transition to the waiting state by pushing ⊥l on the top of its stack.6 (b) g = p, u1 , . . . , γi ui , . . . , un , o¯  p , u1 , . . . , u ui , . . . , un , o¯  iff priority(g) = priority(Pi ) and ri = p, γi  → p , u  and ri ∈ rel(l, Pi ), where o¯ = o¯[l  → 0] and uk = uk if uk = ⊥l uk and uk otherwise. By removing ⊥l from the top of the stack of all threads, those threads that were waiting to acquire l can now re-attempt to do so (while still adhering to priority scheduling). Each of the listed modifications extends Π by only a finite amount of data and hence the same effect could be achieved by augmenting Π with additional state and PDS rules to encode the scheduling logic. We consider two cases, that of non-nested and nested lock usage, where lock usage is said to be properly nested if for all program paths, locks are released in the opposite order in which they were acquired. We show that Problem 1 for a concurrent program with PIP-extended semantics is undecidable in general, and decidable for properly nested locks. Non-nested locks. When lock usage is not restricted to proper nesting, Problem 1 for a concurrent program with PIP-extended semantics is undecidable. The 6

We assume that if PDS Pi attempts to acquire a lock it has no other transition that can fire from (local) configuration p, γi ui . (Such can be made the case via the addition of new stack symbols and rules.) Otherwise, when Pi is released from waiting (see the next item), it could non-deterministically decide to not acquire the lock and hence violate priority scheduling.

258

N. Kidd, S. Jagannathan, and J. Vitek

proof of undecidability follows from Kahlon et al. [8]. Consider a 2-PDS with three locks (P, p0 , P1 , P2 , {l1 , l2 , l3 }), where P2 has a higher priority (2) than P1 (1). One way to show that reachability analysis is undecidable in general for such a system is to develop a scenario where P1 and P2 move in lock-step, which would allow the 2-PDS to determine the emptiness of the intersection of two context-free languages—a well-known undecidable problem. To make P1 and P2 move in lock-step we must use the PIP-extended semantics. Namely, the PDSs need to acquire and release locks in such a fashion that P2 , which has a higher priority than P1 , repeatedly needs to acquire a lock that is held by P1 . Thus, P1 will repeatedly inherit P2 ’s priority so that it can release the lock. In [8], this is accomplished by acquiring and releasing the three locks l1–3 in a cycle using hand-over-hand locking. Assume that P1 currently owns l1 , then P1 will first acquire l2 before releasing l1 , and subsequently will acquire l3 before releasing l2 , and so on ad infinitum. In the same scenario, assume that P2 , which in our programming model has a higher priority than P1 , currently owns l2 and acquires and releases the locks in the same fashion. We can see then that P2 will acquire l3 , release l2 , and then attempt to acquire l1 , which causes P1 to inherit the priority of P2 . However, instead of reaching a state when P1 releases the resources needed by P2 , P1 acquired l2 and then releases l1 , which will cause P2 to again wait on P1 then next time it completes the cycle and needs l2 . The end result is that P1 and P2 chase each other around the lock cycle, which leads to an unbounded number of execution contexts and the ability to solve undecidable problems.7 Theorem 4. For concurrent program Π = (P, p0 , P1 , . . . , Pn , L) with priority preemptive scheduling and PIP-extended semantics, Problem 1 is undecidable. Proof. The proof follows from the proof of Theorem 8 [8, Section 11].

 

Nested locks. When lock usage is properly nested, Problem 1 is decidable for the PIP-extended semantics. The proof is by reduction to CBA. Theorem 5. For concurrent program Π = (P, p0 , P1 , . . . , Pn , L) with priority preemptive scheduling, PIP-extended semantics, and nested locks, Problem 1 is decidable. Proof. From Thm. 1, each thread Pi can still perform at most one preemption. Once Pi is executing, it can cause lower-priority threads to inherit its priority at most |L| times because lock usage is properly nested and hence the number of locks held by a lower-priority thread is monotonically decreasing with each priority inheritance. Thus, for n threads there is at most one preemption and |L| inheritances per thread which bounds the number of execution contexts by O(n|L|).   7

For the reader concerned with reaching a configuration where P1 owns l1 and P2 owns l2 , refer to [8, Appendix].

One Stack to Run Them All

5

259

Related Work

Lal and Reps [14] gave a reduction from analysis of a concurrent program under a context bound to analysis of a sequential program. A context bound is required because reachability analysis is undecidable in general for their programming model. By considering only programs that run under priority preemptive scheduling (and not the general preemption model considered by Lal and Reps), the problem becomes decidable. Hence, our reduction is sound and complete, i.e., it is not an under-approximation aimed at bug-finding but a technique for verifying properties of concurrent real-time programs. Jhala and Majumdar [18] showed that interprocedural analysis of concurrent asynchronous programs is decidable. Whereas they take advantage of asynchrony, we take advantage of having a priority preemptive scheduler. Atig et al. [19] generalized the asynchronous programming model to allow for a finite number of priority levels. They show that reachability analysis of the more general programming model is decidable by reduction to the reachability problem of Petri nets with inhibitor arcs. Their model is more general; however, they do not consider important protocols for addressing priority inversion and moreover our reduction to a single-PDS is more efficient. KISS [20] coined the merging of two-threaded programs into single-threaded programs. Our scheduler concretization is the generalization of their technique where thread T1 non-deterministically invokes thread T2 and the return to T1 is also non-deterministic. We take advantage of the properties of priority preemptive scheduling to show that the model checking problem is in fact decidable. Lindstrom et al. [21] use Java PathFinder (JPF) [22] to model check RealTime Java [23]. While they also consider priority preemptive scheduling, and other RTSJ details not covered here, their approach is a bug-finding approach because JPF is an explicit state model checker that in general cannot explore the entire state space.

6

Concluding Remarks

Our reduction shows that a concurrent real-time program is, in essence, a sequential program under the covers. By reducing the multi-PDS Π to a PDS PΠ , we are able to leverage efficient algorithms for sequential program analysis to an important class of concurrent ones. A limitation of our approach is the lack of a model of time. For future work, we intend to consider how timed automata [24] could be integrated with Π, and how it would affect the reduction to PΠ . Acknowledgements. The authors would like to thank Tomas Kalibera, Akash Lal, and Pavel Parizek.

References 1. Godefroid, P., Klarlund, N., Sen, K.: Dart: Directed automated random testing. In: PLDI 2005: Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 213–223. ACM, New York (2005)

260

N. Kidd, S. Jagannathan, and J. Vitek

2. Cadar, C., Ganesh, V., Pawlowski, P.M., Dill, D.L., Engler, D.R.: Exe: Automatically generating inputs of death. ACM Trans. Inf. Syst. Secur. 12(2), 1–38 (2008) 3. Cadar, C., Dunbar, D., Engler, D.R.: Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In: 8th USENIX Symposium on Operating Systems Design and Implementation, pp. 209–224. USENIX Association (2008) 4. Sha, L., Rajkumar, R., Lehoczky, J.P.: Priority inheritance protocols: An approach to real-time synchronization. IEEE Trans. Comput. 39(9), 1175–1185 (1990) 5. Ball, T., Rajamani, S.: Automatically validating temporal safety properties of interfaces. In: Dwyer, M.B. (ed.) SPIN 2001. LNCS, vol. 2057, pp. 103–122. Springer, Heidelberg (2001) 6. Henzinger, T., Jhala, R., Majumdar, R., Sutre, G.: Lazy abstraction. In: Symposium on Principles of Programming Languages, pp. 58–70. ACM, New York (2002) 7. Qadeer, S., Rehof, J.: Context-bounded model checking of concurrent software. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 93–107. Springer, Heidelberg (2005) 8. Kahlon, V., Ivancic, F., Gupta, A.: Reasoning about threads communicating via locks. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 505–518. Springer, Heidelberg (2005) 9. Kahlon, V., Gupta, A.: On the analysis of interacting pushdown systems. In: Symposium on Principles of Programming Languages, pp. 303–314. ACM, New York (2007) 10. Schwoon, S.: Model-Checking Pushdown Systems. PhD thesis, Technische Universit¨ at M¨ unchen (2002) 11. Kidd, N., Lal, A., Reps, T.: Language strength reduction. In: Alpuente, M., Vidal, G. (eds.) SAS 2008. LNCS, vol. 5079, pp. 283–298. Springer, Heidelberg (2008) 12. Bouajjani, A., Esparza, J., Maler, O.: Reachability analysis of pushdown automata: Application to model checking. In: Mazurkiewicz, A., Winkowski, J. (eds.) CONCUR 1997. LNCS, vol. 1243, pp. 135–150. Springer, Heidelberg (1997) 13. Finkel, A., Willems, B., Wolper, P.: A direct symbolic approach to model checking pushdown systems. Elec. Notes in Theor. Comp. Sci. 9 (1997) 14. Lal, A., Reps, T.: Reducing concurrent analysis under a context bound to sequential analysis. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 37–51. Springer, Heidelberg (2008) 15. Walukiewicz, I.: Model checking CTL properties of pushdown systems. In: Kapoor, S., Prasad, S. (eds.) FST TCS 2000. LNCS, vol. 1974, pp. 127–138. Springer, Heidelberg (2000) 16. Ball, T., Rajamani, S.K.: Bebop: a path-sensitive interprocedural dataflow engine. In: PASTE 2001: Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering, pp. 97–103. ACM, New York (2001) 17. Kidd, N., Jagannathan, S., Vitek, J.: One stack to run them all. Technical Report 10-005, Purdue University (May 2010) 18. Jhala, R., Majumdar, R.: Interprocedural analysis of asynchronous programs. In: POPL 2007: Proceedings of the 34th annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 339–350. ACM, New York (2007) 19. Atig, M.F., Bouajjani, A., Touili, T.: Analyzing asynchronous programs with preemption. In: IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, Schloss Dagstuhl - Leibniz-Zentrum Fuer Informatik, pp. 37–48 (2008)

One Stack to Run Them All

261

20. Qadeer, S., Wu, D.: Kiss: Keep it simple and sequential. In: PLDI 2004: Proceedings of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation, pp. 14–24. ACM, New York (2004) 21. Lindstrom, G., Mehlitz, P.C., Visser, W.: Model checking real-time java using java pathfinder. In: Peled, D.A., Tsay, Y.-K. (eds.) ATVA 2005. LNCS, vol. 3707, pp. 444–456. Springer, Heidelberg (2005) 22. The Java PathFinder Team: Java PathFinder (2010), http://babelfish.arc.nasa.gov/trac/jpf/ 23. Bollella, G., Gosling, J., Brosgol, B., Dibble, P., Furr, S., Turnbull, M.: The RealTime Specification for Java. Addison-Wesley, Reading (2000) 24. Alur, R., Dill, D.L.: A theory of timed automata. Theoretical Computer Science 126(2), 183–235 (1994)

Author Index

Aalst, Wil M.P. van der Aoki, Toshiaki 58 Boˇsnaˇcki, Dragan

146

146

Calin, Georgel 193 Chen, Zhe 162 Cimatti, Alessandro 1 Cofer, Darren 76 Crouzen, Pepijn 193 D’Argenio, Pedro R. 193 de Jonge, Marc 124 Edelkamp, Stefan 106 Ehlers, R¨ udiger 129 Esparza, Javier 180 Finkbeiner, Bernd

129

Ghafari, Naghmeh

227

Hague, Matthew 187 Hahn, E. Moritz 193 Heljanko, Keijo 22 Hu, Alan J. 227 Jagannathan, Suresh K¨ ahk¨ onen, Kari 22 Kidd, Nicholas 245

Kindermann, Roland 22 Kupferschmid, Sebastian 88 Linden, Alexander 212 L¨ uttgen, Gerald 4 Merino, Pedro 40 Motet, Gilles 162 M¨ uhlberg, Jan Tobias Niemel¨ a, Ilkka

22

Ong, C.-H. Luke Peˇsi´c, Maja

187

146

Rakamari´c, Zvonimir Ruys, Theo C. 124 Salmer´ on, Alberto Sulewski, Damian Vitek, Jan

245 88 212

Yatake, Kenro

58

245

193

227

40 106

Wehrle, Martin Wolper, Pierre

Zhang, Lijun

4