Abstract
Multithreaded programs are difficult to get right because of unexpected interactions between concurrently executing threads. Traditional testing methods are inadequate for catching subtle concurrency errors that manifest themselves late in the development cycle and after deployment. Model checking, that is, systematic exploration of program behavior, is a promising alternative to traditional testing methods. However, it is difficult to perform a systematic search on large programs, as the number of possible program behaviors grows exponentially with the program size. Confronted with this state-explosion problem, traditional model checkers perform iterative depth-bounded search. Although effective for message-passing software, iterative depth-bounding is inadequate for multithreaded software.
This paper proposes iterative context-bounding, a new search algorithm that systematically explores the executions of a multithreaded program in an order that prioritizes executions with fewer context switches. We distinguish between preempting and nonpreempting context switches, and show that bounding the number of preempting context switches to a small number significantly alleviates the state explosion, without limiting the depth of explored executions. We show both theoretically and empirically that context-bounded search is an effective method for exploring the behaviors of multithreaded programs. We have implemented our algorithm in two model checkers and applied it to a number of real-world multithreaded programs. Our implementation uncovered 9 previously unknown bugs in our benchmarks, each of which was exposed by an execution with at most 2 preempting context switches. Our initial experience with the technique is encouraging and demonstrates that iterative context-bounding is a significant improvement over existing techniques for testing multithreaded programs.
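As an added example (not code from the paper or from its two model checkers), a toy stateless checker that replays schedules and explores them in order of increasing preempting context switches; the generator-based thread convention, the lost-update sample program and all function names are this example's own assumptions.

```python
# Toy stateless (replay-based) checker illustrating iterative context bounding.
# Convention (this example's own, not the paper's): a thread is a generator over
# a shared dict; `yield None` = runnable, `yield pred` = blocked until pred(state).
def is_enabled(tid, guard, state):
    return tid in guard and (guard[tid] is None or guard[tid](state))

def replay(program, schedule):
    """One step per schedule entry; returns (enabled, alive, error, preemptions)."""
    state = {}
    gens = [t(state) for t in program]
    guard = {tid: None for tid in range(len(gens))}   # unstarted = runnable
    preemptions, last, error = 0, None, None
    for tid in schedule:
        # A switch is preempting only if the thread we leave could still run;
        # leaving a finished or blocked thread is nonpreempting and not counted.
        if last is not None and last != tid and is_enabled(last, guard, state):
            preemptions += 1
        last = tid
        try:
            guard[tid] = next(gens[tid])  # run to the next yield
        except StopIteration:
            del guard[tid]                # thread finished
        except AssertionError as e:
            error = f"assertion failed: {e}"
            break
    return [t for t in guard if is_enabled(t, guard, state)], sorted(guard), error, preemptions

def context_bounded_search(program, max_bound):
    """For c = 0..max_bound explore all schedules with <= c preemptions (naively
    re-replaying prefixes); return (c, schedule, error) of the first bug, else None."""
    for bound in range(max_bound + 1):
        stack = [[]]
        while stack:
            sched = stack.pop()
            enabled, alive, error, used = replay(program, sched)
            if used <= bound:             # otherwise: over this iteration's budget
                if error or (alive and not enabled):
                    return bound, sched, error or "deadlock"
                stack.extend(sched + [t] for t in enabled)
    return None

def incrementer(s):                       # constructed sample thread: count += 1
    tmp = s.get("count", 0)
    yield None                            # preemption point between read and write
    s["count"] = tmp + 1
    s["done"] = s.get("done", 0) + 1

def checker(s):
    yield lambda st: st.get("done", 0) == 2   # blocked until both increments ran
    assert s["count"] == 2, f"lost update: count == {s['count']}"
PROGRAM = [incrementer, incrementer, checker]
```

With bound 0 the search still runs every execution to full depth and finds nothing; bound 1 reports the lost update with a single preempting switch, while the switch into the blocked checker thread stays free.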
Iterative context bounding for systematic testing of multithreaded programs
PLDI '07: Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation