Property-guided verification of concurrent heap-manipulating programs

Property-Guided Verification of Concurrent Heap-Manipulating Programs Eran Yahav Doctor of Philosophy School of Computer Science Tel-Aviv University We address the problem of verifying properties of concurrent and sequential programs written in languages, such as Java, that make extensive use of the heap to allocate—and deallocate—new objects and threads. We present a framework for the verification of sequential and concurrent Java programs. The framework combines thread scheduling information and information about the shape of the heap. This leads to error-detection algorithms that are more precise than existing techniques. In contrast to many existing verification techniques, our algorithms do not put a bound on the number of allocated objects (and threads). We also present novel approaches that allow us to tie the cost of verification to the nature of the property being verified. The combination of these techniques allows us to automatically verify non-trivial properties of heap-manipulating programs that have not been automatically verified in the past.

[1]  Laurie Hendren,et al.  Soot---a java optimization framework , 1999 .

[2]  Zohar Manna,et al.  Temporal verification of reactive systems - safety , 1995 .

[3]  Mark N. Wegman,et al.  Analysis of pointers and structures , 1990, SIGP.

[4]  Laurie J. Hendren,et al.  Context-sensitive interprocedural points-to analysis in the presence of function pointers , 1994, PLDI '94.

[5]  Kenneth L. McMillan,et al.  Verification of Infinite State Systems by Compositional Model Checking , 1999, CHARME.

[6]  David Lewis Counterpart Theory and Quantified Modal Logic , 1968 .

[7]  Calvin Lin,et al.  Client-Driven Pointer Analysis , 2003, SAS.

[8]  Flemming Nielson,et al.  Principles of Program Analysis , 1999, Springer Berlin Heidelberg.

[9]  Matthew B. Dwyer,et al.  Checking Strong Specifications Using an Extensible Software Model Checking Framework , 2004, TACAS.

[10]  Per Brinch Hansen,et al.  Java's insecure parallelism , 1999, SIGP.

[11]  James C. Corbett,et al.  Expressing checkable properties of dynamic systems: the Bandera Specification Language , 2002, International Journal on Software Tools for Technology Transfer.

[12]  Klaus Havelund,et al.  Model checking JAVA programs using JAVA PathFinder , 2000, International Journal on Software Tools for Technology Transfer.

[13]  Mark Lillibridge,et al.  Extended static checking for Java , 2002, PLDI '02.

[14]  Maged M. Michael,et al.  Simple, fast, and practical non-blocking and blocking concurrent queue algorithms , 1996, PODC '96.

[15]  George Porter,et al.  The apprentice challenge , 2002, TOPL.

[16]  Sriram K. Rajamani,et al.  SLIC: A Specification Language for Interface Checking (of C) , 2002 .

[17]  Robert E. Strom,et al.  Typestate: A programming language concept for enhancing software reliability , 1986, IEEE Transactions on Software Engineering.

[18]  Martin C. Rinard,et al.  Analysis of Multithreaded Programs , 2001, SAS.

[19]  Patrick Cousot,et al.  Temporal abstract interpretation , 2000, POPL '00.

[20]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[21]  James C. Corbett,et al.  Using shape analysis to reduce finite-state models of concurrent Java programs , 2000, TSEM.

[22]  Parosh Aziz Abdulla,et al.  Verification of Infinite-State Systems by Combining Abstraction and Reachability Analysis , 1999, CAV.

[23]  George S. Avrunin,et al.  Patterns in property specifications for finite-state verification , 1999, Proceedings of the 1999 International Conference on Software Engineering (IEEE Cat. No.99CB37002).

[24]  Sorin Lerner,et al.  ESP: path-sensitive program verification in polynomial time , 2002, PLDI '02.

[25]  Elliot K. Kolodner,et al.  Automatic Removal of Array Memory Leaks in Java , 2000, CC.

[26]  Alexander Aiken,et al.  Flow-sensitive type qualifiers , 2002, PLDI '02.

[27]  Eran Yahav,et al.  Shallow Finite State Verification , 2003 .

[28]  Amir Pnueli,et al.  Verification by Augmented Abstraction: The Automata-Theoretic View , 2001, J. Comput. Syst. Sci..

[29]  Flemming Nielson,et al.  A Kleene Analysis of Mobile Ambients , 2000, ESOP.

[30]  Noam Rinetzky,et al.  Interprocedural Shape Analysis for Recursive Programs , 2001, CC.

[31]  Paul R. Wilson,et al.  Uniprocessor Garbage Collection Techniques , 1992, IWMM.

[32]  Barbara G. Ryder,et al.  Pointer-induced aliasing: a problem classification , 1991, POPL '91.

[33]  Rajiv Gupta,et al.  Refining data flow information using infeasible paths , 1997, ESEC '97/FSE-5.

[34]  Eran Yahav,et al.  LTL Model Checking for Systems with Unbounded Number of Dynamically Created Threads and Objects , 2001 .

[35]  Thomas W. Reps,et al.  Finite Differencing of Logical Formulas for Static Analysis , 2003, ESOP.

[36]  Edmund M. Clarke,et al.  Model checking and abstraction , 1994, TOPL.

[37]  William Landi,et al.  Undecidability of static analysis , 1992, LOPL.

[38]  Yassine Lakhnech,et al.  InVeST: A Tool for the Verification of Invariants , 1998, CAV.

[39]  Doug Lea,et al.  Concurrent Programming In Java , 1996 .

[40]  A. Prasad Sistla,et al.  Symmetry and model checking , 1996, Formal Methods Syst. Des..

[41]  Eran Yahav,et al.  Establishing local temporal heap safety properties with applications to compile-time memory management , 2003, Sci. Comput. Program..

[42]  César Muñoz,et al.  An Overview of SAL , 2000 .

[43]  Theodore Johnson,et al.  A Nonblocking Algorithm for Shared Queues Using Compare-and-Swap , 1994, IEEE Trans. Computers.

[44]  Barry K. Rosen,et al.  Qualified Data Flow Problems , 1980, IEEE Transactions on Software Engineering.

[45]  Moshe Y. Vardi An Automata-Theoretic Approach to Linear Temporal Logic , 1996, Banff Higher Order Workshop.

[46]  Eran Yahav,et al.  Verifying safety properties using separation and heterogeneous abstractions , 2004, PLDI '04.

[47]  Suresh Jagannathan,et al.  Concurrency Analysis for Java , 2000, SAS.

[48]  G. Ramalingam,et al.  The undecidability of aliasing , 1994, TOPL.

[49]  Edmund M. Clarke,et al.  Counterexample-Guided Abstraction Refinement , 2000, CAV.

[50]  Michael Rodeh,et al.  CSSV: towards a realistic tool for statically detecting all buffer overflows in C , 2003, PLDI '03.

[51]  George S. Avrunin,et al.  Data flow analysis for checking properties of concurrent Java programs , 1999, Proceedings of the 1999 International Conference on Software Engineering (IEEE Cat. No.99CB37002).

[52]  Jeannette M. Wing,et al.  A Library of Concurrent Objects and Their Proofs of Correctness , 1990 .

[53]  Viktor Kuncak,et al.  Role analysis , 2002, POPL '02.

[54]  Hassen Saïdi,et al.  Construction of Abstract State Graphs with PVS , 1997, CAV.

[55]  Sriram K. Rajamani,et al.  Automatically validating temporal safety properties of interfaces , 2001, SPIN '01.

[56]  Zohar Manna,et al.  Completing the Temporal Picture , 1991, Theor. Comput. Sci..

[57]  Katsuro Inoue,et al.  Analysis of functional programs to detect run-time garbage cells , 1988, TOPL.

[58]  Barton P. Miller,et al.  What are race conditions?: Some issues and formalizations , 1992, LOPL.

[59]  David L. Dill,et al.  Experience with Predicate Abstraction , 1999, CAV.

[60]  Amir Pnueli,et al.  Verification by Augmented Finitary Abstraction , 2000, Inf. Comput..

[61]  Hassen Saïdi,et al.  Model Checking Guided Abstraction and Analysis , 2000, SAS.

[62]  Daniel M. Yellin,et al.  Extending Typestate Checking Using Conditional Liveness Analysis , 1993, IEEE Trans. Software Eng..

[63]  Eran Yahav,et al.  Typestate Verification: Abstraction Techniques and Complexity Results , 2003, SAS.

[64]  Roberto Giacobazzi,et al.  Making abstract interpretations complete , 2000, JACM.

[65]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 2002, TOPL.

[66]  Martin Wirsing,et al.  An Event-Based Structural Operational Semantics of Multi-Threaded Java , 1999, Formal Syntax and Semantics of Java.

[67]  Eran Yahav,et al.  Verifying Temporal Heap Properties Specified via Evolution Logic , 2003, Log. J. IGPL.

[68]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[69]  Michael Rodeh,et al.  Checking Cleanness in Linked Lists , 2000, SAS.

[70]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[71]  Radu Iosif,et al.  A deadlock detection tool for concurrent Java programs , 1999, Softw. Pract. Exp..

[72]  Luca Cardelli,et al.  Mobile Ambients , 1998, FoSSaCS.

[73]  Edmund M. Clarke,et al.  Model Checking , 1999, Handbook of Automated Reasoning.

[74]  Pierre Wolper,et al.  Reasoning About Infinite Computations , 1994, Inf. Comput..

[75]  Scott D. Stoller Model-Checking Multi-threaded Distributed Java Programs , 2000, SPIN.

[76]  James C. Corbett,et al.  Bandera: extracting finite-state models from Java source code , 2000, ICSE.

[77]  Saumya K. Debray,et al.  On the complexity of flow-sensitive dataflow analyses , 2000, POPL '00.

[78]  David Detlefs,et al.  Garbage collection and local variable type-precision and liveness in Java virtual machines , 1998, PLDI.

[79]  Maydene Fisher,et al.  JDBC¿ API Tutorial and Reference , 2003 .

[80]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[81]  Deepak Goyal,et al.  Deriving specialized program analyses for certifying component-client conformance , 2002, PLDI '02.

[82]  Dino Salvo Distefano,et al.  On model checking the dynamics of object-based software : a foundational approach , 2003 .

[83]  Mooly Sagiv,et al.  Estimating the impact of heap liveness information on space consumption in Java , 2002, ISMM '02.

[84]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.

[85]  Eran Yahav,et al.  Automatically Verifying Concurrent Queue Algorithms , 2003, SoftMC@CAV.

[86]  Amir Pnueli,et al.  Liveness with (0, 1, infty)-Counter Abstraction , 2002, CAV.

[87]  Eran Yahav,et al.  Verifying safety properties of concurrent Java programs using 3-valued logic , 2001, POPL '01.

[88]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[89]  Peter A. Buhr,et al.  Monitor classification , 1995, CSUR.

[90]  Janice M. Stone A simple and correct shared-queue algorithm using compare-and-swap , 1990, Proceedings SUPERCOMPUTING '90.

[91]  James C. Corbett,et al.  A Language Framework for Expressing Checkable Properties of Dynamic Software , 2000, SPIN.

[92]  Robert DeLine,et al.  Enforcing high-level protocols in low-level software , 2001, PLDI '01.

[93]  Bruno Courcelle,et al.  On the Expression of Graph Properties in some Fragments of Monadic Second-Order Logic , 1996, Descriptive Complexity and Finite Models.

[94]  Robert DeLine,et al.  Adoption and focus: practical linear types for imperative programming , 2002, PLDI '02.

[95]  Robert E. Strom Mechanisms for compile-time enforcement of security , 1983, POPL '83.

[96]  Abraham Silberschatz,et al.  Operating Systems Concepts , 2005 .

[97]  Dawson R. Engler,et al.  Using programmer-written compiler extensions to catch security holes , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[98]  Emin Gün Sirer,et al.  Static Analyses for Eliminating Unnecessary Synchronization from Java Programs , 1999, SAS.

[99]  Somesh Jha,et al.  Verifying parameterized networks , 1997, TOPL.