Thread-Modular Verification for Shared-Memory Programs

Ensuring the reliability of multithreaded software systems is difficult due to the interaction between threads. This paper describes the design and implementation of a static checker for such systems. To avoid considering all possible thread interleavings, the checker uses assume-guarantee reasoning, and relies on the programmer to specify an environment assumption that constrains the interaction between threads. Using this environment assumption, the checker reduces the verification of the original multithreaded program to the verification of several sequential programs, one for each thread. These sequential programs are subsequently analyzed using extended static checking techniques (based on verification conditions and automatic theorem proving). Experience indicates that the checker is capable of handling a range of synchronization disciplines. In addition, the required environment assumptions are simple and intuitive for common synchronization idioms.

[1]  Ken Arnold,et al.  The Java programming language (2nd ed.) , 1998 .

[2]  Thomas A. Henzinger,et al.  Reactive Modules , 1996, Proceedings 11th Annual IEEE Symposium on Logic in Computer Science.

[3]  Stephen N. Freund,et al.  Detecting race conditions in large programs , 2001, PASTE '01.

[4]  Cliff B. Jones,et al.  Tentative steps toward a development method for interfering programs , 1983, TOPL.

[5]  Zohar Manna,et al.  Temporal Verification of Reactive Systems , 1995, Springer New York.

[6]  Martín Abadi,et al.  Types for Safe Locking , 1999, ESOP.

[7]  Amir Pnueli,et al.  Now you may compose temporal logic specifications , 1984, STOC '84.

[8]  Mieke Massink,et al.  Theoretical and Practical Aspects of SPIN Model Checking , 1999, Lecture Notes in Computer Science.

[9]  Edsger W. Dijkstra,et al.  Guarded commands, nondeterminacy and formal derivation of programs , 1975, Commun. ACM.

[10]  Matthew B. Dwyer,et al.  Tool-supported program abstraction for finite-state verification , 2001, Proceedings of the 23rd International Conference on Software Engineering. ICSE 2001.

[11]  Charles Gregory Nelson,et al.  Techniques for program verification , 1979 .

[12]  Sanjit A. Seshia,et al.  A Modular Checker for Multithreaded Programs , 2002, CAV.

[13]  K. Mani Chandy,et al.  Parallel program design - a foundation , 1988 .

[14]  Pierre Collette,et al.  Logical Foundations for Compositional Verification and Development of Concurrent Programs in UNITY , 1995, AMAST.

[15]  Leslie Lamport,et al.  The temporal logic of actions , 1994, TOPL.

[16]  Nicholas Sterling,et al.  WARLOCK - A Static Data Race Analysis Tool , 1993, USENIX Winter.

[17]  Eugene W. Stark,et al.  A Proof Technique for Rely/Guarantee Properties , 1985, FSTTCS.

[18]  Martín Abadi,et al.  Conjoining specifications , 1995, TOPL.

[19]  Stephen N. Freund,et al.  Type-based race detection for Java , 2000, PLDI '00.

[20]  Cormac Flanagan,et al.  Avoiding exponential explosion: generating compact verification conditions , 2001, POPL '01.

[21]  Ken Arnold,et al.  The Java Programming Language , 1996 .

[22]  K. Mani Chandy,et al.  Proofs of Networks of Processes , 1981, IEEE Transactions on Software Engineering.

[23]  Michael Huth,et al.  Assume-Guarantee Model Checking of Software: A Comparative Case Study , 1999, SPIN.

[24]  Eran Yahav,et al.  Verifying safety properties of concurrent Java programs using 3-valued logic , 2001, POPL '01.

[25]  Shmuel Sagiv,et al.  TVLA: A System for Implementing Static Analyses , 2000, SAS.

[26]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[27]  Thomas A. Henzinger,et al.  MOCHA: Modularity in Model Checking , 1998, CAV.

[28]  Bengt Jonsson,et al.  On Decomposing and Refining Specifications of Distributed Systems , 1989, REX Workshop.

[29]  Frank S. de Boer,et al.  Proof-Outlines for Threads in Java , 2000, CONCUR.

[30]  Edward A. Ashcroft,et al.  Proving Assertions about Parallel Programs , 1975, J. Comput. Syst. Sci..

[31]  K. Rustan M. Leino,et al.  Extended static checking , 1998, PROCOMET.

[32]  James C. Corbett,et al.  Bandera: extracting finite-state models from Java source code , 2000, ICSE.

[33]  Michael Burrows,et al.  Eraser: a dynamic data race detector for multithreaded programs , 1997, TOCS.

[34]  Dominique Méry,et al.  On Using a Composition Principle to Design Parallel Programs , 1993, AMAST.

[35]  Kenneth L. McMillan,et al.  A Compositional Rule for Hardware Design Refinement , 1997, CAV.

[36]  Susan Owicki,et al.  An axiomatic proof technique for parallel programs I , 1976, Acta Informatica.

[37]  Chandramohan A. Thekkath,et al.  Frangipani: a scalable distributed file system , 1997, SOSP.

[38]  Grzegorz Rozenberg,et al.  Stepwise Refinement of Distributed Systems Models, Formalisms, Correctness , 1989, Lecture Notes in Computer Science.

[39]  Leslie Lamport,et al.  Proving the Correctness of Multiprocess Programs , 1977, IEEE Transactions on Software Engineering.

[40]  Leslie Lamport,et al.  Control predicates are better than dummy variables for reasoning about program control , 1988, TOPL.

[41]  Cliff B. Jones,et al.  Specification and Design of (Parallel) Programs , 1983, IFIP Congress.

[42]  K. Rustan M. Leino,et al.  Checking Java Programs via Guarded Commands , 1999, ECOOP Workshops.

[43]  Mark Lillibridge,et al.  Extended static checking for Java , 2002, PLDI '02.

[44]  Zohar Manna,et al.  Temporal verification of reactive systems - safety , 1995 .