java pathrelaxer : extending jpf for jmm-aware model checking

Java PathRelaxer: Extending JPF for JMM-Aware Model Checking

Huafeng Jin, Tuba Yavuz-Kahveci, and Beverly SandersComputer and Information Science and Engineering

University of Florida

Contents

Memory ModelThe Java Memory ModelAlgorithm ImplementationExperienceConclusion

Contents

Specifies “which value each read of a memory location may return”.

Sequentially consistent (SC) memory model Memory actions must execute one at a time in

a single total single order Read always see the value of the most recent

write to that memory location. Relaxed memory models

PSO, TSO, Java Memory Model (JMM), etc.

Memory Model

Specifies “which value each read of a memory location may return”.

Sequentially consistent (SC) memory model Memory actions must execute one at a time in

a single total single order Read always see the value of the most recent

write to that memory location. Relaxed memory models

PSO, TSO, Java Memory Model (JMM), etc.

Memory Model

JPF assumes SC memory model

Example

Intially, x = 0, done = false

SCMM r == 1

Thread-1 Thread-2x = 1;

done = true;

while (!done){/*spin*/}

r = x;

Example

Intially, x = 0, done = false

done = true;

r = x;

SCMM r == 1

JMM r == 0 ˅ r == 1

Java’s String class

public final class String{ private final char value[]; private final int offset; private final int count; private int hash; //default 0 … public int hashCode(){ int h = hash, len = count; //read of hash if (h == 0 && len > 0){

… /*calculate hash code locally and assign to h*/hash = h; //write of hash

} return h; }}

Data race is benign in both SC MM and JMM

Another Version

} h = hash; //read of hash return h; }}

Benign in SC MM but not benign in JMM

Another Version

} h = hash; //read of hash return h; }}

Benign in SC MM but not benign in JMM

Return hash code

JPF: generates executions under SC memory model.

JPR: generates executions under an overapproximation of JMM.

Extending JPF

Contents

SC memory model: Read sees most recent write to that location.

Java memory model: Read sees any write (past/future) to that

location provided the execution is Well-formed Meets causality constraints

Overview of JMM

Action (memory related) <t, k, v, u>

Non-synchronization actions: non-volatile write, non-volatile read

Synchronization actions: volatile write, volatile read, lock, unlock, thread start, thread join, …

JMM Action

t Thread ID

k Action kind (volatile read/write, non-volatile read/write, lock/unlock, thread start, thread join …)

v Variable/monitor

u Unique action ID

Execution E <A, P, ≤po, ≤so, W, V>

JMM Execution

A Finite set of actionsP Program

≤po Program order, a partial order over A based on each thread’s sequence.

≤so Synchronization order, a total order over all the synchronization actions in A

W Write-seen function, maps each read action to the write action it sees

V Value-written function, maps each write action to the value it writes

A partial order over actions with regard to ≤so

Synchronizes-with Order ≤sw

unlock(x)

subsequent lock(x)volatile write(x) subsequent volatile read(x)start thread t 1st action of thread tWrite of default value 1st action in each thread

A partial order over actions by taking transitive closure of ≤po and ≤sw

Initially, x == 0 done == false, done is volatile⋀

Happens-before Order ≤hb

done = true

r = x;

done = true

r = x;

A partial order over actions by taking transitive closure of ≤po and ≤sw

Initially, x == 0 done == false, done is volatile⋀

Happens-before Order ≤hb

In an execution

Data Race

Thread-1: …

Thread-2: …

A program: If all the SC executions are free of

data races, it is Data-Race-Free program (DRF).

DRF Guarantee: Any legal execution of DRF program is SC.

Data Race Free

For all reads r of variable v, it cannot be

r ≤hb W(r)

W(r) ≤hb w ≤hb r (w writes to v)

Well-formed Execution

r can only be 1, not 0Initially, x == 0 done == false, done is volatile⋀

Example

done = true

while(!done) {/*spin*/}

r = x;

≤swIf read x = 0, then there is an interleaving writex = 1.

An execution E <A, P, ≤po, ≤so, W, V> with ≤hb is legal if there is a finite sequence of set of actions Ci and well-formed executions Ei < Ai, Pi, ≤poi, ≤soi, Wi, Vi > with ≤hbi and ≤swi such that C0 = , ∅ Ci ⊆ Ci-1 for all i > 0, ∪ Ci = A, and for each i > 0 the following rules are satisfied:

Causality Rules (complicated)

An execution E <A, P, ≤po, ≤so, W, V> with ≤hb is legal if there is a finite sequence of set of actions Ci and well-formed executions Ei < Ai, Pi, ≤poi, ≤soi, Wi, Vi > with ≤hbi and ≤swi such that C0 = , ∅ Ci ⊆ Ci-1 for all i > 0, ∪ Ci = A, and for each i > 0 the following rules are satisfied:

Causality Rules (complicated)

→ E1 → E2 → … → Ei

∅ C1 C2 Ci-1

Justify

Causality Rules: Rules out out-of-thin-air values

Example: Initially, x == y == 0, x and y are non-volatile

r1 == r2 == 42 is out-of-thin-air value

Out-of-thin-air Value

Thread-1 Thread-2r1 = x; r2 = y;

y = r1; x = r2;

Contents

Fixed-point semantics

Overapproximation of JMM WriteSet

JPR Overview

WriteSetWrite: add values to Read: Pick value from

Structure of JPR

JPR Driver

JPF JMMListener

WriteSetold

WriteSetnew

Events

Iterative calls

Bytecode of the target program

JPF’s state representation is extended with the following metadata:

Metadata

WriteSet MemLoc → 2Aid × Val Collect write values

ActionSet 2Action Current set of actions

HBSet 2Aid × Aid Collect ≤hb relations

ImposeSet 2Aid × Val Rule out some out-of-thin-air values

Read Aid → Aid × Val Record W(r) and V(W(r))

Write Aid → Val Record V(w)

Initially, x == y == 0, x and y are non-volatile.

Under JMM, r1 == 1 r2 == 1 is possible. ⋀

Example

Thread-1 Thread-2r1 = x; r2 = y;

y = 1; x = 1;

init: x = 0, y = 0; Thread-1 Thread-2A1: r1 = x; B1: r2 = y; A2: y = 1; B2: x = 1;

init: x = 0, y = 0

WS(x) = {<init, 0>}, WS(y) = {<init, 0>}IS = ∅

1st iteration

GWS = ∅init

init: x = 0, y = 0

WS(x) = {<init, 0>}, WS(y) = {<init, 0>}IS = ∅R(A1) = <init, 0>, legal past read

A1; r1 = x;

1st iteration

init A1

init: x = 0, y = 0

WS(x) = {<init, 0>}, WS(y) = {<init, 0>, <A2, 1>}IS = , ∅R(A1) = <init, 0>

A1; r1 = x;

A2: y = 1;

1st iteration

init A1 A2

init: x = 0, y = 0

WS(x) = {<init, 0>}, WS(y) = {<init, 0>, <A2, 1>}IS = , ∅R(A1) = <init, 0>

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

1st iteration

init: x = 0, y = 0

WS(x) = {<init, 0>}, WS(y) = {<init, 0>, <A2, 1>}IS = , ∅R(A1) = <init, 0>, R(B1) = <init, 0> legal past read

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

1st iteration

init: x = 0, y = 0

WS(x) = {<init, 0>, <B2, 1>}, WS(y) = {<init, 0>, <A2, 1>}IS = , ∅R(A1) = <init, 0>, R(B1) = <init, 0>

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

B2: x = 1;

r1 = 0, r2 = 0

1st iteration

init: x = 0, y = 0

WS(x) = {<init, 0>, <B2, 1>}, WS(y) = {<init, 0>, <A2, 1>}IS = , ∅R(A1) = <init, 0>, R(B1) = <A2, 1> legal past read

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

B2: x = 1;

1st iteration

init: x = 0, y = 0

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

B2: x = 1;

r1 = 0, r2 = 1

WS(x) = {<init, 0>, <B2, 1>}, WS(y) = {<init, 0>, <A2, 1>}IS = , ∅R(A1) = <init, 0>, R(B1) = <A2, 1>

1st iteration

init: x = 0, y = 0

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

B2: x = 1;

B1: r2 = y;

WS(x) = {<init, 0>}, WS(y) = {<init, 0>}IS = , ∅R(A1) = <init, 0>, R(B1) = 0 legal past read

1st iteration

init: x = 0, y = 0

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

B2: x = 1;

B1: r2 = y;

A2: y = 1;

WS(x) = {<init, 0>}, WS(y) = {<init, 0>, <A2, 1>}IS = , ∅R(A1) = <init, 0>, R(B1) = <init, 0>

1st iteration

init: x = 0, y = 0

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

B2: x = 1;

B1: r2 = y;

A2: y = 1;

B2: x = 1; WS(x) = {<init, 0>, <B2, 1>}, WS(y) = {<init, 0>, <A2, 1>}IS = , ∅R(A1) = <init, 0>, R(B1) = <init, 0>

r1 = 0, r2 = 0

1st iteration

init: x = 0, y = 0

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

B2: x = 1;

B1: r2 = y;

A2: y = 1;

B2: x = 1;

A2: y = 1;

WS(x) = {<init, 0>, <B2, 1>}, WS(y) = {<init, 0>, <A2, 1>}IS = , ∅R(A1) = <init, 0>, R(B1) = <init, 0>

r1 = 0, r2 = 0

1st iteration

init: x = 0, y = 0

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

B2: x = 1;

B1: r2 = y;

A2: y = 1;

B2: x = 1;

A2: y = 1;

B1: r2 = y;

WS(x) = {<init, 0>}, WS(y) = {<init, 0>}IS = ∅R(B1) = <init, 0> legal past read

1st iteration

init B1

init: x = 0, y = 0

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

B2: x = 1;

B1: r2 = y;

A2: y = 1;

B2: x = 1;

A2: y = 1;

B1: r2 = y;

A1; r1 = x;

WS(x) = {<init, 0>}, WS(y) = {<init, 0>}IS = ∅R(B1) = <init, 0>, R(A1) = <init, 0> legal past read

1st iteration

init: x = 0, y = 0

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

B2: x = 1;

B1: r2 = y;

A2: y = 1;

B2: x = 1;

A2: y = 1;

B1: r2 = y;

A1; r1 = x;

A2: y = 1;

B2: x = 1;

A2: y = 1;

r1 = 0, r2 = 0

1st iteration

init: x = 0, y = 0

A1; r1 = x;

A2: y = 1;

B1: r2 = y;

B2: x = 1;

B1: r2 = y;

A2: y = 1;

B2: x = 1;

A2: y = 1;

B1: r2 = y;

A1; r1 = x;

A2: y = 1;

B2: x = 1;

A2: y = 1;

B2: x = 1;

A1; r1 = x;

A2: y = 1;

r1 = 0, r2 = 1

1st iteration

r1 = 0, r2 = 1

The WriteSet collected after 1st iteration is

GWS(x) = {<init, 0>, <B2, 1>}GWS(y) = {<init, 0>, <A2, 1>}

It is passed to the 2nd iteration

init: x = 0, y = 0;

Thread-1 Thread-2A1: r1 = x; B1: r2 = y;

A2: y = 1; B2: x = 1;

init: x = 0, y = 0

WS(x) = {<init, 0>, <B2, 1>}, WS(y) = {<init, 0>, <A2, 1>}IS = ∅

2nd iteration

GWS(x) = {<T, 0>, <B2, 1>}GWS(y) = {<T, 0>, <A2, 1>}

init: x = 0, y = 0

WS(x) = {<init, 0>, <B2, 1>}, WS(y) = {<init, 0>, <A2, 1>}IS = ∅

2nd iteration

A1: r1 = x;

init A1

init: x = 0, y = 0

WS(x) = {<init, 0>, <B2, 1>}, WS(y) = {<init, 0>, <A2, 1>}IS = {<B2, 1>}, R(A1) = <B2, 1> potential future read

2nd iteration

A1: r1 = x;

init A1

init: x = 0, y = 0

WS(x) = {<init, 0>, <B2, 1>}, WS(y) = {<init, 0>, <A2, 1>}IS = {<B2, 1>}, R(A1) = <B2, 1>

2nd iteration

A1: r1 = x;

A2: y = 1;

init A1 A2

init: x = 0, y = 0

WS(x) = {<init, 0>, <B2, 1>}, WS(y) = {<init, 0>, <A2, 1>}IS = {<B2, 1>}, R(A1) = <B2, 1>

2nd iteration

A1: r1 = x;

A2: y = 1;

B1: r2 = y;…

init: x = 0, y = 0

WS(x) = {<init, 0>, <B2, 1>}, WS(y) = {<init, 0>, <A2, 1>}IS = {<B2, 1>}, R(A1) = <B2, 1>, R(B1) = <A2, 1>

2nd iteration

A1: r1 = x;

A2: y = 1;

B1: r2 = y;

init: x = 0, y = 0

WS(x) = {<init, 0>, <B2, 1>}, WS(y) = {<init, 0>, <A2, 1>}IS = {<B2, 1>}, justifiedR(A1) = <B2, 1>, R(B1) = <A2, 1>

2nd iteration

A1: r1 = x;

A2: y = 1;

B1: r2 = y;

B2: x = 1;

… r1 = 1, r2 = 1

3rd iteration generates the same global WriteSet as 2nd iteration, so a fixed-point is reached.

Possible outcomes running JPR: r1 == 0 r2 == 0⋀ r1 == 0 r2 == 1⋀ r1 == 1 r2 == 0⋀ r1 == 1 r2 == 1⋀

Example

Contents

JRF (Java Racefinder) is a JPF extension used to precisely detect data races.

Kyunghee Kim, Eric Mercer, Neha Rungta, Tuba Yavuz-Kahveci, Beverly Sanders

http://babelfish.arc.nasa.gov/trac/jpf/wiki/projects/jpf-racefinder

Working with JRF

Data Race Free (DRF) Guarantee

For DRF programs, model checking under SC memory model is enough. JPF is sufficient, no need to run JPR.

Working with JRF

DRF? Y

DRF? N

Contents

Group 1 tc1 – tc20 from JMM causality test cases

http://www.cs.umd.edu/~pugh/java/memoryModel/unified Proposal/testcases.html

Group 2 Benign data races (hash code, is prime)

Group 3 Harmful data races (dcl, peterson, dekker)

Testing Suites

Experiment ResultsTe

Time (milliseconds)

JPR takes much longer time than JPF: Iterations Data choice generators

Number of states

Contents

JPR: Applies a fixed-point based semantic Adds non-SC behaviors into JPF Generates an overapproximiation of JMM

Conclusion

Thank You!

java pathrelaxer : extending jpf for jmm-aware model checking

Documents

java pathrelaxer: extending jpf for jmm-aware model checking...

discovering realty jmm

シーケー金属株式会社 · 2020. 12. 2. · b 2301...

jpf model checking

iklan pemangkuan jpf jpc u36.compressed

jpf - java path fide

ev la france-en_ballon_dirigeable-jpf

jpf tutorial - part 1 jpf core system willem visser...

junca pieper2003 jmm

jupiter banner jpf

jpf 8 marsx

w¿jmm - ddd.uab.cat

jpf ’08 where are we - the...

dossier jpf

sector terciario jmm

code java jmm

jpf for beginners david bushnell david.h.bushnell@nasa.gov...

proyecto gym jmm

infos n°38 - jpf

presentación mlt carga aérea jpf