Divjyot Sethi scite author profile

We present a method for model checking list-based concurrent data structures. These data structures, increasingly available in libraries such as Intel Thread Building blocks and Java.util.concurrent (JSR), are notorious for being error prone. This stems from the usage of sophisticated synchronization techniques in their implementation for high efficiency. This efficiency comes at the cost of increasing the number of possible thread interleavings during execution, thus making them hard to verify. Consequently, the verification of concurrent data structures has been of interest to the formal methods community. Concurrent data structures are unbounded in two dimensions: the list size is unbounded and an unbounded number of threads access them. Thus, their model checking requires abstraction to a model bounded in both the dimensions. In previous work, we showed how the unbounded threads can be model checked by using the CMP (CoMPositional) method. The method abstracted the unbounded threads by keeping one thread as is and abstracting all the other threads to a single environment thread. Next, this abstraction was iteratively refined by the user in order to prove correctness. However, in that work we assumed that the number of list elements were bounded to a fixed value. In practice this fixed value was small; model checking could only complete for small sized lists. In this work, we overcome this limitation and model check the unbounded list as well. Our method has the same flavor as the CMP method in the thread dimension, but differs significantly in the list dimension. In the list dimension, our method constructs an abstraction of the unbounded list by keeping the nodes pointed to by the pointers in the model as is (referred to as concrete nodes), and abstracting away chains of all the nodes which are not pointed to by any pointers to abstract nodes. Since the accesses to the abstract nodes return non-deterministic field values, the abstraction may have to be refined to constrain these values. This is accomplished by the iterative addition of lemmas by the user. We show the soundness of our method and establish its utility by model checking challenging concurrent data structure examples.

show abstract

Model Checking Unbounded Concurrent Lists

Sethi

Talupur²,

Malik

2013

View full text Add to dashboard Cite

Abstract. We present a method for model checking list-based concurrent data structures. These data structures, increasingly available in libraries such as Intel Thread Building blocks and Java.util.concurrent (JSR), are notorious for being error prone. This stems from the usage of sophisticated synchronization techniques in their implementation for high efficiency. This efficiency comes at the cost of increasing the number of possible thread interleavings during execution, thus making them hard to verify. Consequently, the verification of concurrent data structures has been of interest to the formal methods community. Concurrent data structures are unbounded in two dimensions: the list size is unbounded and an unbounded number of threads access them. Thus, their model checking requires abstraction to a model bounded in both the dimensions. In previous work, we showed how the unbounded threads can be model checked by using the CMP (CoMPositional) method. The method abstracted the unbounded threads by keeping one thread as is and abstracting all the other threads to a single environment thread. Next, this abstraction was iteratively refined by the user in order to prove correctness. However, in that work we assumed that the number of list elements were bounded to a fixed value. In practice this fixed value was small; model checking could only complete for small sized lists. In this work, we overcome this limitation and model check the unbounded list as well. Our method has the same flavor as the CMP method in the thread dimension, but differs significantly in the list dimension. In the list dimension, our method constructs an abstraction of the unbounded list by keeping the nodes pointed to by the pointers in the model as is (referred to as concrete nodes), and abstracting away chains of all the nodes which are not pointed to by any pointers to abstract nodes. Since the accesses to the abstract nodes return non-deterministic field values, the abstraction may have to be refined to constrain these values. This is accomplished by the iterative addition of lemmas by the user. We show the soundness of our method and establish its utility by model checking challenging concurrent data structure examples.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Divjyot Sethi

Abstractions for model checking SDN controllers

SAT-based techniques for determining backbones for post-silicon fault localisation

Parameterized Model Checking of Fine Grained Concurrency

Model checking unbounded concurrent lists

Model Checking Unbounded Concurrent Lists

Contact Info

Product

Resources

About