research-article

Fair stateless model checking

Authors:

Madanlal Musuvathi,

Shaz QadeerAuthors Info & Claims

PLDI '08: Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation

Pages 362 - 371

https://doi.org/10.1145/1375581.1375625

Published: 07 June 2008 Publication History

Abstract

Stateless model checking is a useful state-space exploration technique for systematically testing complex real-world software. Existing stateless model checkers are limited to the verification of safety properties on terminating programs. However, realistic concurrent programs are nonterminating, a property that significantly reduces the efficacy of stateless model checking in testing them. Moreover, existing stateless model checkers are unable to verify that a nonterminating program satisfies the important liveness property of livelock-freedom, a property that requires the program to make continuous progress for any input.

To address these shortcomings, this paper argues for incorporating a fair scheduler in stateless exploration. The key contribution of this paper is an explicit scheduler that is (strongly) fair and at the same time sufficiently nondeterministic to guarantee full coverage of safety properties.We have implemented the fair scheduler in the CHESS model checker. We show through theoretical arguments and empirical evaluation that our algorithm satisfies two important properties: 1) it visits all states of a finite-state program achieving state coverage at a faster rate than existing techniques, and 2) it finds all livelocks in a finite-state program. Before this work, nonterminating programs had to be manually modified in order to apply CHESS to them. The addition of fairness has allowed CHESS to be effectively applied to real-world nonterminating programs without any modification. For example, we have successfully booted the Singularity operating system under the control of CHESS.

References

[1]

S. Aggarwal, C. Courcoubetis, and P. Wolper. Adding liveness properties to coupled finite-state machines. ACM Transactions on Programming Languages and Systems, 12(2):303--339, 1990.

Digital Library

[2]

K.R. Apt and E.-R. Olderog. Proof rules and transformations dealing with fairness. Science of Computer Programming, 3:65--100, 1983.

[3]

Krzysztof R. Apt, Nissim Francez, and Shmuel Katz. Appraising fairness in languages for distributed programming. In POPL 87: Principles of Programming Languages, pages 189--198, 1987.

Digital Library

[4]

Satish Chandra, Patrice Godefroid, and Christopher Palm. Software model checking in practice: an industrial case study. In ICSE 02: International Conference on Software Engineering, pages 431--441, 2002.

Digital Library

[5]

E.M. Clarke and E.A. Emerson. Synthesis of synchronization skeletons for branching time temporal logic. In Logic of Programs, LNCS 131, pages 52--71. Springer-Verlag, 1981.

Digital Library

[6]

Nissim Francez. Fairness. In Texts and Monographs in Computer Science. Springer-Verlag, 1986.

Digital Library

[7]

Matteo Frigo, Charles E. Leiserson, and Keith H. Randall. The implementation of the Cilk-5 multithreaded language. In PLDI 98: Programming Language Design and Implementation, pages 212--223. ACM Press, 1998.

Digital Library

[8]

P. Godefroid. Model checking for programming languages using Verisoft. In POPL 97: Principles of Programming Languages, pages 174--186. ACM Press, 1997.

Digital Library

[9]

Patrice Godefroid. Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem. LNCS 1032. Springer-Verlag, 1996.

Digital Library

[10]

Orna Grumberg, Nissim Francez, and Shmuel Katz. Fair termination of communicating processes. In PODC 84: Principles of Distributed Computing, pages 254--265. ACM Press, 1984.

Digital Library

[11]

Joseph L. Hellerstein. Achieving service rate objectives with decay usage scheduling. IEEE Transactions on Software Engineering, 19(8):813--825, 1993.

Digital Library

[12]

G. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279--295, May 1997.

Digital Library

[13]

Galen C. Hunt, Mark Aiken, Manuel F�hndrich, Chris Hawblitzeland Orion Hodson, James R. Larus, Steven Levi, Bjarne Steensgaard, David Tarditi, and Ted Wobber. Sealing OS processes to improve dependability and safety. In Proceedings of the EuroSys Conference, pages 341--354, 2007.

Digital Library

[14]

Radu Iosif. Exploiting heap symmetries in explicit-state model checking of software. In ASE 01: Automated Software Engineering, pages 254--261, 2001.

Digital Library

[15]

Michael Isard, Mihai Budiu, Yuan Yu, Andrew Birrell, and Dennis Fetterly. Dryad: distributed data-parallel programs from sequential building blocks. In Proceedings of the EuroSys Conference, pages 59--72, 2007.

Digital Library

[16]

J. Kay and P. Lauder. A fair share scheduler. Communications of the ACM, 31(1):44--55, 1988.

Digital Library

[17]

Charles Edwin Killian, James W. Anderson, Ranjit Jhala, and Amin Vahdat. Life, death, and the critical transition: Finding liveness bugs in systems code. In NSDI 07: Symposium on Networked Systems Design and Implementation, pages 243--256, 2007.

Digital Library

[18]

M. Z. Kwiatkowska. Survey of fairness notions. Information and Software Technology, 31(7):371--386, 1989.

Digital Library

[19]

Daniel J. Lehmann, Amir Pnueli, and Jonathan Stavi. Impartiality, justice and fairness: The ethics of concurrent termination. In ICALP 81: International Conference on Automata Languages and Programming, pages 264--277, 1981.

Digital Library

[20]

Daan Leijen. Futures: a concurrency library for C#. Technical Report MSR-TR-2006-162, Microsoft Research, 2006.

[21]

M. Musuvathi, D. Park, A. Chou, D. Engler, and D. L. Dill. CMC: A pragmatic approach to model checking real code. In OSDI 02: Operating Systems Design and Implementation, pages 75--88, 2002.

Digital Library

[22]

Madanlal Musuvathi and Shaz Qadeer. Iterative context bounding for systematic testing of multithreaded programs. In PLDI 07: Programming Language Design and Implementation, pages 446--455, 2007.

Digital Library

[23]

Amir Pnueli. The temporal logic of programs. In FOCS 77: Foundations of Computer Science, pages 46--57, 1977.

Digital Library

[24]

J. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR. In Fifth International Symposium on Programming, LNCS 137, pages 337--351. Springer-Verlag, 1981.

Digital Library

[25]

M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In LICS 86: Logic in Computer Science, pages 322--331. IEEE Computer Society Press, 1986.

[26]

W. Visser, K. Havelund, G. Brat, and S. Park. Model checking programs. In ASE 00: Automated Software Engineering, pages 3--12, 2000.

Digital Library

[27]

Carl A. Waldspurger and William E. Weihl. Lottery scheduling: Flexible proportional-share resource management. In OSDI 94: Operating Systems Design and Implementation, pages 1--11, 1994.

Digital Library

[28]

Junfeng Yang, Paul Twohey, Dawson R. Engler, and Madanlal Musuvathi. Using model checking to find serious file system errors. ACM Transactions on Computer Systems, 24(4):393--423, 2006.

Digital Library

Cited By

Decouchant JOzkan BZhou Y(2023)Liveness Checking of the HotStuff Protocol Family2023 IEEE 28th Pacific Rim International Symposium on Dependable Computing (PRDC)10.1109/PRDC59308.2023.00029(168-179)Online publication date: 24-Oct-2023
https://doi.org/10.1109/PRDC59308.2023.00029
Oberhauser JChehab RBehrens DFu MPaolillo AOberhauser LBhat KWen YChen HKim JVafeiadis VSherwood TBerger EKozyrakis C(2021)VSync: push-button verification and optimization for synchronization primitives on weak memory modelsProceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems10.1145/3445814.3446748(530-545)Online publication date: 19-Apr-2021
https://dl.acm.org/doi/10.1145/3445814.3446748
Agarwal UDeligiannis PHuang CJung KLal ANaseer IParkinson MThangamani AVedurada JXiao YGrundy J(2021)NekaraProceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering10.1109/ASE51524.2021.9678838(679-691)Online publication date: 15-Nov-2021
https://dl.acm.org/doi/10.1109/ASE51524.2021.9678838
Show More Cited By

Recommendations

Fair stateless model checking
PLDI '08

Stateless model checking is a useful state-space exploration technique for systematically testing complex real-world software. Existing stateless model checkers are limited to the verification of safety properties on terminating programs. However, ...
Bounded partial-order reduction
OOPSLA '13: Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications

Eliminating concurrency errors is increasingly important as systems rely more on parallelism for performance. Exhaustively exploring the state-space of a program's thread interleavings finds concurrency errors and provides coverage guarantees, but ...
Bounded partial-order reduction
OOPSLA '13

Eliminating concurrency errors is increasingly important as systems rely more on parallelism for performance. Exhaustively exploring the state-space of a program's thread interleavings finds concurrency errors and provides coverage guarantees, but ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

PLDI '08: Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation

June 2008

396 pages

ISBN:9781595938602

DOI:10.1145/1375581

General Chair:
Rajiv Gupta
University of California, Riverside, USA
,
Program Chair:
Saman Amarasinghe
Massachusetts Institute of Technology, USA

ACM SIGPLAN Notices Volume 43, Issue 6
PLDI '08
June 2008
382 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/1379022
Issue’s Table of Contents

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 June 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

PLDI '08

Sponsor:

PLDI '08: ACM SIGPLAN Conference on Programming Language Design and Implementation

June 7 - 13, 2008

AZ, Tucson, USA

Acceptance Rates

Overall Acceptance Rate 406 of 2,067 submissions, 20%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

78
Total Citations
View Citations
686
Total Downloads

Downloads (Last 12 months)23
Downloads (Last 6 weeks)3

Reflects downloads up to 16 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Decouchant JOzkan BZhou Y(2023)Liveness Checking of the HotStuff Protocol Family2023 IEEE 28th Pacific Rim International Symposium on Dependable Computing (PRDC)10.1109/PRDC59308.2023.00029(168-179)Online publication date: 24-Oct-2023
https://doi.org/10.1109/PRDC59308.2023.00029
Oberhauser JChehab RBehrens DFu MPaolillo AOberhauser LBhat KWen YChen HKim JVafeiadis VSherwood TBerger EKozyrakis C(2021)VSync: push-button verification and optimization for synchronization primitives on weak memory modelsProceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems10.1145/3445814.3446748(530-545)Online publication date: 19-Apr-2021
https://dl.acm.org/doi/10.1145/3445814.3446748
Agarwal UDeligiannis PHuang CJung KLal ANaseer IParkinson MThangamani AVedurada JXiao YGrundy J(2021)NekaraProceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering10.1109/ASE51524.2021.9678838(679-691)Online publication date: 15-Nov-2021
https://dl.acm.org/doi/10.1109/ASE51524.2021.9678838
Mukherjee SDeligiannis PBiswas ALal A(2020)Learning-based controlled concurrency testingProceedings of the ACM on Programming Languages10.1145/34282984:OOPSLA(1-31)Online publication date: 13-Nov-2020
https://dl.acm.org/doi/10.1145/3428298
Inverso OTrubiani CGupta RShen X(2020)Parallel and distributed bounded model checking of multi-threaded programsProceedings of the 25th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming10.1145/3332466.3374529(202-216)Online publication date: 19-Feb-2020
https://dl.acm.org/doi/10.1145/3332466.3374529
Berglund LArtho C(2019)Method summaries for JPFACM SIGSOFT Software Engineering Notes10.1145/3364452.336446044:4(16-20)Online publication date: 2-Dec-2019
https://dl.acm.org/doi/10.1145/3364452.3364460
Bianchi FMargara APezze M(2018)A Survey of Recent Trends in Testing Concurrent Software SystemsIEEE Transactions on Software Engineering10.1109/TSE.2017.270708944:8(747-783)Online publication date: 1-Aug-2018
https://dl.acm.org/doi/10.1109/TSE.2017.2707089
Karna AChen YYu HZhong HZhao J(2018)The role of model checking in software engineeringFrontiers of Computer Science: Selected Publications from Chinese Universities10.1007/s11704-016-6192-012:4(642-668)Online publication date: 1-Aug-2018
https://dl.acm.org/doi/10.1007/s11704-016-6192-0
Walker MRunciman C(2018)Cheap Remarks About Concurrent ProgramsFunctional and Logic Programming10.1007/978-3-319-90686-7_17(264-279)Online publication date: 24-Apr-2018
https://doi.org/10.1007/978-3-319-90686-7_17
Mudduluru RDeligiannis PDesai ALal AQadeer SStewart DWeissenbacher G(2017)Lasso detection using partial-state cachingProceedings of the 17th Conference on Formal Methods in Computer-Aided Design10.5555/3168451.3168473(84-91)Online publication date: 2-Oct-2017
https://dl.acm.org/doi/10.5555/3168451.3168473
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents