Model Checking Unbounded Concurrent Lists
Abstract. We present a method for model checking list-based concurrent data structures. These data structures, increasingly available in libraries such as Intel Thread Building blocks and Java.util.concurrent (JSR), are notorious for being error prone. This stems from the usage of sophisticated sync...
| Main Authors: | , , |
|---|---|
| Other Authors: | |
| Format: | Text |
| Language: | English |
| Subjects: | |
| Online Access: | http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.386.8218 http://spinroot.com/spin/Workshops/ws13/spin2013_submission_14.pdf |
| Summary: | Abstract. We present a method for model checking list-based concurrent data structures. These data structures, increasingly available in libraries such as Intel Thread Building blocks and Java.util.concurrent (JSR), are notorious for being error prone. This stems from the usage of sophisticated synchronization techniques in their implementation for high efficiency. This efficiency comes at the cost of increasing the number of possible thread interleavings during execution, thus making them hard to verify. Consequently, the verification of concurrent data structures has been of interest to the formal methods community. Concurrent data structures are unbounded in two dimensions: the list size is unbounded and an unbounded number of threads access them. Thus, their model checking requires abstraction to a model bounded in both the dimensions. In previous work, we showed how the unbounded threads can be model checked by using the CMP (CoMPositional) method. The method abstracted the unbounded threads by keeping one thread as is and abstracting all the other threads to a single environment thread. Next, this abstraction was iteratively refined by the user in order to prove correctness. However, in that work we assumed that the number of list elements were bounded to a fixed value. In practice this fixed value was small; model checking could only complete for small sized lists. In this work, we overcome this limitation and model check the unbounded list as well. Our method has the same flavor as the CMP method in the thread dimension, but differs significantly in the list dimension. In the list dimension, our method constructs an abstraction of the unbounded list by keeping the nodes pointed to by the pointers in the model as is (referred to as concrete nodes), and abstracting away chains of all the nodes which are not pointed to by any pointers to abstract nodes. Since the accesses to the abstract nodes return non-deterministic field values, the abstraction may have to be refined to constrain these values. This is ... |
|---|