Finding concurrency-related bugs using random isolation

  • Nicholas Kidd
  • Thomas Reps
  • Julian Dolby
  • Mandana Vaziri
VMCAI 2009


This paper concerns automatically verifying safety properties of concurrent programs. In our work, the safety property of interest is to check for multi-location data races in concurrent Java programs, where a multi-location data race arises when a program is supposed to maintain an invariant over multiple data locations, but accesses/updates are not protected correctly by locks. The main technical challenge that we address is how to generate a program model that retains (at least some of) the synchronization operations of the concrete program, when the concrete program uses dynamic memory allocation. Static analysis of programs typically begins with an abstraction step that generates an abstract program that operates on a finite set of abstract objects. In the presence of dynamic memory allocation, the finite number of abstract objects of the abstract program must represent the unbounded number of concrete objects that the concrete program may allocate, and thus by the pigeon-hole principle some of the abstract objects must be summary objects—they represent more than one concrete object. Because abstract summary objects represent multiple concrete objects, the program analyzer typically must perform weak updates on the abstract state of a summary object, where a weak update accumulates information. Because weak updates accumulate rather than overwrite, the analyzer is only able to determine weak judgements on the abstract state, i.e., that some property possibly holds, and not that it definitely holds. The problem with weak judgements is that determining whether an interleaved execution respects program synchronization requires the ability to determine strong judgements, i.e., that some lock is definitely held, and thus the analyzer needs to be able to perform strong updates—an overwrite of the abstract state—to enable strong judgements. We present the random-isolation abstraction as a new principle for enabling strong updates of special abstract objects. The idea is to associate with a program allocation site two abstract objects, \({r^{\sharp}}\) and \({o^{\sharp}}\) , where \({r^{\sharp}}\) is a non-summary object and \({o^{\sharp}}\) is a summary object. Abstract object \({r^{\sharp}}\) models a distinguished concrete object that is chosen at random in each program execution. Because \({r^{\sharp}}\) is a non-summary object—i.e, it models only one concrete object—strong updates are able to be performed on its abstract state. Because which concrete object \({r^{\sharp}}\) models is chosen randomly, a proof that a safety property holds for \({r^{\sharp}}\) generalizes to all objects modeled by \({o^{\sharp}}\) . We implemented the random isolation abstraction in a tool called Empire, which verifies atomic-set serializability of concurrent Java programs (atomic-set serializability is one notion of multi-location data-race freedom). Random isolation allows Empire to track lock states in ways that would not otherwise have been possible with conventional approaches.


Random-isolation abstraction Atomic sets Model checking Verification Pushdown systems Atomicity 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ahmed A., Fluet M., Morrisett G.: L3: a linear language with locations. Fundam. Inf. 77(4), 397–449 (2007)MathSciNetzbMATHGoogle Scholar
  2. 2.
    Aiken, A., Foster, J., Kodumal, J., Terauchi, T.: Checking and inferring local non-aliasing. In: PLDI. pp. 129–140 (2003)Google Scholar
  3. 3.
    Artho, C., Biere, A., Havelund, K.: Using block-local atomicity to detect stale-value concurrency errors. In: Proceedings of Second International Symposium on Automated Technology for Verification and Analysis (ATVA 2004), Taipei, Taiwan. LNCS, vol. 3299, pp. 150–164. Springer, Berlin (2004)Google Scholar
  4. 4.
    Artho C., Havelund K., Biere A.: High-level data races. J. Softw. Test. Verif. Reliab. (STVR) 13(4), 207–227 (2003)CrossRefGoogle Scholar
  5. 5.
    Balakrishnan, G., Reps, T.: Recency-abstraction for heap-allocated storage. In: SAS, pp. 221–239 (2006)Google Scholar
  6. 6.
    Ball, T., Rajamani, S.: Automatically validating temporal safety properties of interfaces. In: SPIN, pp. 103–122 (2001)Google Scholar
  7. 7.
    Boyapati, C., Lee, R., Rinard, M.: Ownership types for safe programming: preventing data races and deadlocks. In OOPSLA, pp. 211–230 (2002)Google Scholar
  8. 8.
    Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L., Hwang, L.J.: Symbolic model checking: 1020 states and beyond. In LICS, pages 428–239 (1990)Google Scholar
  9. 9.
    Burrows M., Leino K.R.M.: Finding stale-value errors in concurrent programs. Conc. Comp. Prac. Exp. 16(12), 1161–1172 (2004)CrossRefGoogle Scholar
  10. 10.
    Chaki, S., Clarke, E., Kidd, N., Reps, T., Touili, T.: Verifying concurrent message-passing C programs with recursive calls. In: TACAS, pp. 334–349 (2006)Google Scholar
  11. 11.
    Chase, D., Wegman, M., Zadeck, F.: Analysis of pointers and structures. In: PLDI, pp. 296–310 (1990)Google Scholar
  12. 12.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: POPL, pp. 269–282 (1979)Google Scholar
  13. 13.
    Dillig, I., Dillig, T., Aiken, A.: Fluid updates: beyond strong versus weak updates. In: ESOP, pp. 246–266 (2010)Google Scholar
  14. 14.
    Emmi, M., Jhala, R., Kohler, E., Majumdar, R.: Verifying reference counting implementations. In: TACAS, pp. 352–367 (2009)Google Scholar
  15. 15.
    Eytani Y., Havelund K., Stoller S.D., Ur S.: Towards a framework and a benchmark for testing tools for multi-threaded programs. Conc. Comp. Prac. Exp. 19(3), 267–279 (2007)CrossRefGoogle Scholar
  16. 16.
    Fahndrich, M., DeLine, R.: Adoption and focus: practical linear types for imperative programming. In: PLDI, pp. 13–24 (2002)Google Scholar
  17. 17.
    Flanagan, C., Freund, S.N.: Atomizer: a dynamic atomicity checker for multithreaded programs. In: POPL, pp. 256–267 (2004)Google Scholar
  18. 18.
    Foster, J., Terauchi, T., Aiken, A.: Flow-sensitive type qualifiers. In: PLDI, pp. 1–12 (2002)Google Scholar
  19. 19.
    Gopan, D., DiMaio, F., Dor, N., Reps, T.W., Sagiv, S.: Numeric domains with summarized dimensions. In: TACAS, pp. 512–529 (2004)Google Scholar
  20. 20.
    Gopan, D., Reps, T.W., Sagiv, S.: A framework for numeric analysis of array operations. In: POPL, pp. 338–350 (2005)Google Scholar
  21. 21.
    Gulwani, S., McCloskey, B., Tiwari, A.: Lifting abstract interpreters to quantified logical domains. In: POPL, pp. 235–246 (2008)Google Scholar
  22. 22.
    Hammer, C., Dolby, J., Vaziri, M., Tip, F.: Dynamic detection of atomic-set serializability violations. In: ICSE, pp. 231–240 (2008)Google Scholar
  23. 23.
    Harris, W., Kidd, N., Chaki, S., Jha, S., Reps, T.: Verifying information flow control over unbounded processes. In: FM, pp. 773–789 (2009)Google Scholar
  24. 24.
    Horwitz, S., Pfeiffer, P., Reps, T.: Dependence analysis for pointer variables. In: PLDI, pp. 28–40 (1989)Google Scholar
  25. 25.
    IBM: Watson Libraries for Analysis (WALA). (2009)
  26. 26.
    Jones, N., Muchnick, S.: Flow analysis and optimization of Lisp-like structures. In: Program Flow Analysis: Theory and Applications, pp. 66–74. Prentice-Hall, New Jersey (1981)Google Scholar
  27. 27.
    Jones, N., Muchnick, S.: A flexible approach to interprocedural data flow analysis and programs with recursive data structures. In: POPL (1982)Google Scholar
  28. 28.
    Kahlon, V., Gupta A.: On the analysis of interacting pushdown systems. In: POPL, pp. 303–314 (2007)Google Scholar
  29. 29.
    Kidd, N.: Static Verification of Data-Consistency Properties. PhD thesis, University of Wisconsin-Madison (2009)Google Scholar
  30. 30.
    Kidd, N., Lal, A., Reps, T.: Language strength reduction. In:SAS, pp. 283–298 (2008)Google Scholar
  31. 31.
    Kidd N., Lammich P., Touili T., Reps T.: A decision procedure for detecting atomicity violations for communicating processes with locks. Int. J. Softw. Tools Tech. Transfer 13(1), 37–60 (2011)CrossRefGoogle Scholar
  32. 32.
    Kidd, N., Reps, T., Dolby, J., Vaziri, M.: Finding concurrency-related bugs using random isolation. In: VMCAI, pp. 198–213 (2009a)Google Scholar
  33. 33.
    Kidd, N. A., Lammich, P., Touili, T., Reps, T.: A decision procedure for detecting atomicity violations for communicating processes with locks. In: SPIN, pp. 125–142 (2009b)Google Scholar
  34. 34.
    Lahiri, S.K., Qadeer, S.: Verifying properties of well-founded linked lists, pp. 115–126 (2006)Google Scholar
  35. 35.
    Lammich, P., Müller-Olm, M.: Conflict analysis of programs with procedures, dynamic thread creation, and monitors. In: SAS, pp. 205–220 (2008)Google Scholar
  36. 36.
    Lev-Ami, T., Sagiv, M.: TVLA: A system for implementing static analyses. In: SAS, pp. 280–301 (2000)Google Scholar
  37. 37.
    Lu, S., Park, S., Seo, E., Zhou, Y.: Learning from mistakes—a comprehensive study on real world concurrency bug characteristics. In: ASPLOS, pp. 329–339 (2008)Google Scholar
  38. 38.
    Lu, S., Tucek, J., Qin, F., Zhou, Y.: AVIO: Detecting atomicity violations via access-interleaving invariants. In: ASPLOS, pp. 37–48 (2006)Google Scholar
  39. 39.
    McMillan, K.: Verification of infinite state systems by compositional model checking. In: CHARME, pp. 219–234 (1999)Google Scholar
  40. 40.
    Milanova A., Rountev A., Ryder B.G.: Parameterized object sensitivity for points-to analysis for Java. TOSEM 14(1), 1–41 (2005)CrossRefGoogle Scholar
  41. 41.
    Min, S.L., Choi, J.-D.: An efficient cache-based access anomaly detection scheme. In: ASPLOS, pp. 235–244 (1991)Google Scholar
  42. 42.
    Naik, M., Aiken, A.: Conditional must not aliasing for static race detection. In: POPL, pp. 327–338 (2007)Google Scholar
  43. 43.
    O’Callahan, R., Choi, J.-D.: Hybrid dynamic data race detection. In: PPoPP, pp. 167–178 (2003)Google Scholar
  44. 44.
    Plevyak, J., Karamcheti, V., Chien, A.: Analysis of dynamic structures for efficient parallel execution. In: Banerjee, U., Gelernter, D., Nicolau, A., Padua, D. (eds.) In: Workshop on Languages and Compilers for Parallel Computing, Portland, OR. Lecture Notes in Computer Science, vol. 768, pp. 37–57. Springer, Berlin (1993)Google Scholar
  45. 45.
    Pnueli, A., Xu, J., Zuck, L.: Liveness with (0, 1, ∞)-counter abstraction. In: CAV, pp. 107–122 (2002)Google Scholar
  46. 46.
    Qadeer, S., Wu, D.: KISS: keep it simple and sequential. In: PLDI, pp. 14–24 (2004)Google Scholar
  47. 47.
    Ramalingam G.: Context-sensitive synchronization-sensitive analysis is undecidable. ACM Trans. Program. Lang. Syst. 22, 416–430 (2000)CrossRefGoogle Scholar
  48. 48.
    Rondon, P., Kawaguchi, M., Jhala, R.: Low-level liquid types. In: POPL, pp. 131–144 (2010)Google Scholar
  49. 49.
    Sagiv M., Reps T., Wilhelm R.: Solving shape-analysis problems in languages with destructive updating. ACM Trans. Program. Lang. Syst. 20(1), 1–50 (1998)CrossRefGoogle Scholar
  50. 50.
    Sagiv M., Reps T., Wilhelm R.: Parametric shape analysis via 3-valued logic. ACM Trans. Program. Lang. Syst. 24(3), 217–298 (2002)CrossRefGoogle Scholar
  51. 51.
    Sasturkar, A., Agarwal, R., Wang, L., Stoller, S.D.: Automated type-based analysis of data races and atomicity. In: PPoPP, pp. 83–94 (2005)Google Scholar
  52. 52.
    Savage S., Burrows M., Nelson G., Sobalvarro P., Anderson T.E.: Eraser: A dynamic data race detector for multithreaded programs. Theor. Comput. Sci. 15(4), 391–411 (1997)Google Scholar
  53. 53.
    Schwoon, S.: Model-Checking Pushdown Systems. PhD thesis, TUM (2002)Google Scholar
  54. 54.
    Vaziri, M., Tip, F., Dolby, J.: Associating synchronization constraints with data in an object-oriented language. In: POPL, pp. 334–345 (2006)Google Scholar
  55. 55.
    Walker, D., Morrisett, J.: Alias types for recursive data structures. In: Types in Compilation, pp. 177–206 (2000)Google Scholar
  56. 56.
    Wang, L., Stoller, S.D.: Accurate and efficient runtime detection of atomicity errors in concurrent programs. In PPoPP, pp. 137–146 (2006a)Google Scholar
  57. 57.
    Wang L., Stoller S.D.: Runtime analysis for atomicity of multithreaded programs. IEEE Trans. Softw. Eng. 32, 93–110 (2006)CrossRefGoogle Scholar
  58. 58.
    Yavuz-Kahveci T., Bultan T.: Automated verification of concurrent linked lists with counters. In: SAS, pp. 69–84 (2002)Google Scholar

Copyright information

© Springer-Verlag 2011

Authors and Affiliations

  • Nicholas Kidd
    • 1
    • 4
  • Thomas Reps
    • 1
    • 2
  • Julian Dolby
    • 3
  • Mandana Vaziri
    • 3
  1. 1.University of WisconsinMadisonUSA
  2. 2.GrammaTech, Inc.IthacaUSA
  3. 3.IBM T.J. Watson Research CenterHawthorneUSA
  4. 4.Google Inc.Mountain ViewUSA

Personalised recommendations