Upload
ferdinand-townsend
View
216
Download
1
Embed Size (px)
Citation preview
Exponential Blowupt1:
if (x==100)a = 1 else a = 2
t2:
if (y==9) a = 3
else a = 4
Scheduler choice: thread
switch
Conditional statement
Computation tree for a
single thread
Computation tree for two
threads
Solution All paths in the tree are not important
for statement reachability Many paths are equivalent to each other Prune equivalent paths => Partial Order
Reduction Generate inputs along with Partial
Order Reduction
Equivalent Paths
t1:
x = 3
t2:
y = 2
Initially x = 0 and y = 0
x=3
y=2
One partial order
x=3
y=2
Same partial order
Different linear order => Different Path =>
Equivalent Path
x=0, y=0 x=0, y=0
Independent transitions
B and R are independent transitions if1. they commute: B ∘ R = R ∘ B2. neither enables nor disables the other
BR
RB
s
Example: x = 3 and y = 2 are independent
Existing Approaches Static Partial Order Reduction
Valmari 91, Peled 93, Godefroid 96, SPIN model checkerby Holzmann, Verisoft
Limitation Results in a large dependent relation Pointers -> Whether two pointers point to the
same location is determined conservatively (May point-to)
Results in over-approximation of the dependency relation
Limited POR
Example: static partial-order reductionGlobal Vars
lock m int i1,i2 int x=0 int n=100 char[] a
Thread 2 lock(m) i2 := x++ unlock(m)
for( ;i2<n; i2+=2) a[i2] := ‘r’
Thread 1 lock(m) i1 := x++ unlock(m)
for( ;i1<n; i1+=2) a[i1] := ‘b’
Static analysis gives i1, i2 are thread-local x is protected by m but a[i1] and a[i2] may alias
Static POR gives O(n2) explored states and transitions but only two possible terminating states
may-alias (according to static analysis)never alias (in practice)
Dynamic partial-order reduction Static POR relies on static analysis
to yield approximate information about run-time behavior
pointers => coarse information => limited POR => path explosion
Dynamic POR while model checker executes the program,
it sees exactly which threads access which locations
use to simultaneously reduce the path space while model-checking
Focus on Race-Detection and Flipping Algorithm and Concolic Testing: jCUTE
Race-Detection and Flipping Algorithm is a simplified form of DPOR Proof of correctness in the presence of
inputs and conditionals
Event (t,l,a)
If thread t executes the statement labeled l and the access type is a
a 2 {w,r,l,u,?} An execution path is a sequence of
events
Sequential Relation e = (t,l,a) and e’ = (t’,l’,a’) e C e’
e = e', or t=t’ and e appears before e' in , or t t’, t created the thread t’, and e appears before
e'' in , where e'' is the fork event on t creating the thread t’, or
there exists an event e'' in such that e C e'' and e'' C e'.
2: fork(8)
e2
t1
t0
3: y=2
e3
4: lock(m)
e4
1: x=1
e1
5: x=3
e5
6: unlock(m)
e6
8: lock(m)
e9
9: x=4
e10
10: unlock(m)
e11
11: y=5
e12
7: halt
e7
12: halt
e13e8
Causal Relation (Happens-Before Relation) e = (t,l,a) and e’ = (t’,l’,a’) e ¹ e’
e C e’, or e appears before e' in and both access a shared
memory location m and one of the accesses is update (write, lock acquire, release), or
there exists an event e'' in such that e ¹ e'' and e'' ¹ e'.
¹ is a partial order relation
2: fork(8)
e2
t1
t0
3: y=2
e3
4: lock(m)
e4
1: x=1
e1
5: x=3
e5
6: unlock(m)
e6
8: lock(m)
e9
9: x=4
e10
10: unlock(m)
e11
11: y=5
e12
7: halt
e7
12: halt
e13e8
Equivalent Paths Definition: Two execution paths are
equivalent if they are linearizations of the same partial order
Proposition: Exploration of one linear order of each partial order is sufficient for statement reachability
Race Relation Not so strict
definition (see paper for the strict definition)
e = (t,l,a) and e’ = (t’,l’,a’)
e l e’ e ¹ e’ Not (e C e’ or e’ C e) There exists no e1 such
that e ¹ e1 and e1 ¹ e’ Where e1 is not equal
to e or e’
x := 1
y := 2
y := 3
x := 4
Partial Order
1. Events in race relation can be permuted by changing schedule
2. What happens if we have locks? (see paper)
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Execution 1
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ }
{ }
{ }
{ }
Execution 1
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ }
{ }
{ }
Race
Execution 1
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ }
Race
Execution 1
Backtrack Here
{ }
{ }
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ }
Race
Execution 1
Backtrack Here
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ }
{ }
{ }
Execution 2
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1 ,t2}
{ t1}
{ }
{ }
Execution 2
Race
Racex := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1 ,t2}
{ t1}
{ }
{ }
Execution 2
Race
Race
Cannot Backtrack Here
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1 ,t2}
{ t1}
{ }
{ }
Execution 2
Race
Race
Backtrack Here
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
Execution 2
Race
Race
Backtrack Here
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ }
{ }
{ }
Execution 3
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ t2}
{ }
{ }
Execution 3
Race
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ t2}
{ }
{ }
Execution 3
Race
Backtrack Here
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ t2}
Execution 3
Race
Backtrack Here
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ t2}
{ }
{ }
Execution 4
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1,t2}
{ t1,t2}
{ }
{ }
Execution 4
Race
Race
Cannot Backtrack Here
Cannot Backtrack Here
Done!
x := 1
y := 2
y := 3
x := 4
Partial Order
DPOR (POPL 05) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ }
Race
Execution 1
{ }
{ }
x := 1
y := 2
y := 3
x := 4
Partial Order
Persistent
{ t2}
{ }
{ }
{ }
DPOR (POPL 05) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1 ,t2}
{ t1}
{ }
{ }
Execution 2
x := 1
y := 2
y := 3
x := 4
Partial Order
Persistent
{ t1 ,t2}
{ t2}
{ }
{ }
DPOR (POPL 05) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ t2}
{ }
{ }
Execution 3
x := 1
y := 2
y := 3
x := 4
Partial Order
Persistent
{ t2}
{ t1}
{ }
{ }
DPOR (POPL 05) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Execution 4
x := 1
y := 2
y := 3
x := 4
Partial Order
Postponed
{ t1,t2}
{ t1,t2}
{ }
{ }
Persistent
{ t1,t2}
{ t1,t2}
{ }
{ }
DPOR ProblemThread t1:
1: x := 12: x := 2
Thread t2:
1: y := 12: x := 3
• DPOR (both approaches) explores all 6 execution paths => No reduction
• Example in the POPL 05 paper has error
• Think about it
• Need Sleep Set to obtain reduction
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Execution 1
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ }
{ }
{ }
{ }
Execution 1
x := 1
y := 2
y := 3
x := 4
Partial Order
Delayed
{ }
{ }
{ }
{ }
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ }
{ }
{ }
Race
Execution 1
x := 1
y := 2
y := 3
x := 4
Partial Order
Delayed
{ }
{ }
{ }
{ }
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ }
Race
Execution 1
{ }
{ }
x := 1
y := 2
y := 3
x := 4
Partial Order
Delayed
{ }
{ }
{ }
{ }
Backtrack Here
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ }
Race
Execution 1
x := 1
y := 2
y := 3
x := 4
Partial Order
Delayed
{ }
{ }
{ }
{ }
Backtrack Here
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ }
{ }
{ }
Execution 2
x := 1
y := 2
y := 3
x := 4
Partial Order
Delayed
{ }
{ t1 }
{ t1 }
{ }
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ t1}
{ }
{ }
Execution 2
Race
Racex := 1
y := 2
y := 3
x := 4
Partial Order
Delayed
{ }
{ t1 }
{ t1 }
{ }
X
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ t1}
{ }
{ }
Execution 2
Race
Racex := 1
y := 2
y := 3
x := 4
Partial Order
{ }
{ t1 }
{ t1 }
{ }
Nothing to Backtrack Here
Delayed
X
Delayed
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ t1}
{ }
{ }
Execution 2
Race
Racex := 1
y := 2
y := 3
x := 4
Partial Order
{ }
{ t1 }
{ t1 }
{ }
Backtrack Here
X
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
Execution 2
Race
Racex := 1
y := 2
y := 3
x := 4
Partial Order
Delayed
{ }
{ t1 }
{ t1 }
{ }
Backtrack Here
X
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ }
{ }
{ }
Execution 3
x := 1
y := 2
y := 3
x := 4
Partial Order
Delayed
{ t1 }
{ }
{ }
{ t1 }
DPOR (Race-detection and flipping) ExampleThread t1:
1: x := 12: y := 2
Thread t2:
1: y := 32: x := 4
x := 1
y := 2
y := 3
x := 4
Postponed
{ t1}
{ }
{ }
{ }
Execution 3
Race
x := 1
y := 2
y := 3
x := 4
Partial Order
X
Delayed
{ t1 }
{ }
{ }
{ t1 }
jCUTE Key Observation: Concolic execution is ideal
for testing concurrent programs with complex data inputs Use symbolic execution to generate new inputs Use concrete execution to perform partial order
reduction ?
jCUTE Key Observation: Concolic execution is ideal
for testing concurrent programs with complex data inputs Use symbolic execution to generate new inputs Use concrete execution to perform partial order
reduction Explore “Interesting” thread schedules or total
orders Where to perform context switches?
How to perform context switches?
?
jCUTE Key Observation: Concolic execution is ideal
for testing concurrent programs with complex data inputs Use symbolic execution to generate new inputs Use concrete execution to perform partial order
reduction Explore “Interesting” thread schedules or total
orders Where to perform context switches?
Detect data race and lock race How to perform context switches?
Hijack the scheduler using semaphores Insert semaphores through
instrumentation
?
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set{ }
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
x :=3
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 3, z 17 x 3, z z0
{ }
{ }
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
x :=3
x :=2
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 3, z 17 x 3, z z0
x 2, z 17 x 2, z z0
{ t1 }
{ }
{ }
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
x :=3
x :=2
2*z+1 ==x
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 3, z 17 x 3, z z0
x 2, z 17 x 2, z z0
x 2, z 17 x 2, z z0
{ t1 }
{ }
{ }
2*z0+1!=2
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
x :=3
x :=2
2*z+1 ==x
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 3, z 17 x 3, z z0
x 2, z 17 x 2, z z0
x 2, z 17 x 2, z z0
{ t1 }
{ }
{ }
2*z0+1!=2
Backtrack Here
Solve: 2*z0+1=2
No Solution
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
x :=3
x :=2
2*z+1 ==x
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 3, z 17 x 3, z z0
x 2, z 17 x 2, z z0
x 2, z 17 x 2, z z0
{ t1 }
Backtrack Here
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set{ t1 }
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
x :=2
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 2, z 17 x 2, z z0
{ t1 }
{ }
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
x :=2
2*z+1 ==x
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 2, z 17 x 2, z z0
x 2, z 17 x 2, z z0
{ t1 }
{ }
{ }
2*z0+1!=2
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
x :=3
x :=2
2*z+1 ==x
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 2, z 17 x 2, z z0
x 2, z 17 x 2, z z0
x 3, z 17 x 3, z z0
{ t1 }
{ t2}
{ }
2*z0+1!=2
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
x :=3
x :=2
2*z+1 ==x
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 2, z 17 x 2, z z0
x 2, z 17 x 2, z z0
x 3, z 17 x 3, z z0
{ t1 }
{ t2}
{ }
2*z0+1!=2
Backtrack Here
Solve: 2*z0+1=2
No Solution
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
x :=3
x :=2
2*z+1 ==x
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 2, z 17 x 2, z z0
x 2, z 17 x 2, z z0
x 3, z 17 x 3, z z0
{ t1 }
{ t2}
Backtrack Here
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set{ t1 }
{ t2}
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
x :=2
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 2, z 17 x 2, z z0
{ t1 }
{ t2}
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR; x :=
3
x :=2
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 2, z 17 x 2, z z0
x 3, z 17 x 3, z z0
{ t1 ,t2}
{ t2}
{ }
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR; x :=
3
x :=2
2*z+1 ==x
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 2, z 17 x 2, z z0
x 3, z 17 x 3, z z0
x 3, z 17 x 3, z z0
{ }
2*z0+1!=3
{ t1 ,t2}
{ t1 ,t2}
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR; x :=
3
x :=2
2*z+1 ==x
Concrete State
x 0, z 17 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 2, z 17 x 2, z z0
x 3, z 17 x 3, z z0
x 3, z 17 x 3, z z0
{ }
2*z0+1!=3
Backtrack Here
Solve: 2*z0+1=3
Solution: z = 1
{ t1 ,t2}
{ t1 ,t2}
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR;
Concrete State
x 0, z 1 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
{ }
{ t1 ,t2}
{ t1 ,t2}
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR; x :=
3
x :=2
2*z+1 ==x
Concrete State
x 0, z 1 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 2, z 1 x 2, z z0
x 3, z 1 x 3, z z0
x 3, z 1 x 3, z z0
{ }
2*z0+1=3
{ t1 ,t2}
{ t1 ,t2}
ERROR
{ }
jCUTE Examplez = input();
Thread t1:
1: x := 3
Thread t2:
1: x := 22: if (2*z + 1 == x)3: ERROR; x :=
3
x :=2
2*z+1 ==x
Concrete State
x 0, z 1 x 0, z z0
Symbolic State
Path Constraint + Postponed
Set
x 2, z 1 x 2, z z0
x 3, z 1 x 3, z z0
x 3, z 1 x 3, z z0
{ }
2*z0+1=3
{ t1 ,t2}
{ t1 ,t2}
ERROR
{ }
Nothing to Backtrack
Race DetectionDynamic Vector Clock Algorithm [FSE’03,TACAS’04] Vector clock V : Threads ! Nat Vi be vector clock for each thread ti. Vx
a and Vxw vector clocks for each shared variable x.
Algorithm:1. if ei
k is a shared memory access, then Vi[i] Ã Vi[i] + 1
2. if eik is a read of a variable x then
Vi à max{Vi,Vxw}
Vxa à max{Vx
a,Vi}
3. if eik is a write of a variable x then
Vxw à Vx
a à Vi à max{Vxa,Vi}
Lemma: For any two events e ¹ e’ iff Ve · Ve’
Race Flipping: Hijack Thread Scheduler Ensure that only one thread is
executing Create a tester thread (tsched) Associate a semaphore sem(t) with
each thread t Before any shared memory access by t
release control to the tester threadV(sem(tsched)); P(sem(t));
Tester thread schedules a thread t V(sem(t)); P(sem(tsched));
jCUTE jCUTE can test multi-threaded Java
programs URL:
http://osl.cs.uiuc.edu/~ksen/cute/ Next generation testing tools
Combines Testing and Model-Checking jCUTE supports generation of JUnit test
cases The tools also support replay of a buggy
execution
Sun Microsystem’s JDK 1.4 Library java.util package provides thread-safe data-structure classes LinkedList, ArrayList,
HashSet, TeeMap, etc. Widely used Found previously
undocumented concurrency related problems Data race, Infinite Loop,
Uncaught Exceptions, and Deadlocks
List l1 = Collections.synchronizedList(new LinkedList());
List l2 = Collections.synchronizedList(new LinkedList());
l1.add(null); l2.add(null);// Create two threads // let thread 1 runl1.clear(); // let thread 2 runl2.containsAll(l1) ;
NameRuntime
in seconds# of
Paths# of
Threads% Branch Coverage
# of FunctionsTested
# of Bugs Found data races+
deadlocks+ infinite loops+
exceptions
Vector 5519 20000 5 76.38 16 1+9+0+2
ArrayList 6811 20000 5 75.00 16 3+9+0+3
LinkedList 4401 11523 5 82.05 15 3+3+1+1
LinkedHashSet
7303 20000 5 67.39 20 3+9+0+2
TreeSet 7333 20000 5 54.93 26 4+9+0+2
HashSet 7449 20000 5 69.56 20 19+9+0+2
Sun Microsystem’s JDK 1.4 Library
Honeywell’s DEOS real-time scheduling kernel Operating system developed for use in small
business aircraft jCUTE found the subtle time-partitioning error in
< 1 minute Java Pathfinder from NASA Ames ran out of
memory on the original program Had to test manually created abstraction Took 11 minutes to discover the same error in the
abstraction