对Java并发程序进行模型检测

随着多核处理器的发展,多线程并发程序成为现代程序设计的趋势.但并发线程的执行存在不确定性,传统的测试方法很难发现这类错误.针时这个问题,提出了一种直接分析Java源代码,从中提取并发程序模型的方法;并以此方法为基础开发了工具JTS(Java to SPIN),实现了对Java并发程序的自动化分析和模型检测.实验表明JTS能够成功地检测出Java并发程序中存在的错误并给出相应的错误路径.这项工作给Java并发程序的测试与验证提供了新的途径.     

基于模型检测的并发程序分析综述

程序分析可以被看作抽象解释的模型检测,这使得程序分析的系统化方法成为可能。并发程序日益重要,在多核平台和分布式系统有着广泛的应用。而并发程序分析仍然有巨大的困难,实践上的复杂性和理论上的不可判定性都使得程序分析难以简单进行。文献[19]指出即使只有两个递归线程的交互,断言检测也是不可判定的。为了克服这类障碍,一些并发程序的静态分析方法被提了出来。对基于模型检测的并发程序分析给出一个详尽的综述,包括使用的数学模型、已有工具、可判定以及不可判定结果。     

Java并发程序的单元测试

本文介绍了几种Java并发程序的单元测试策略,每种策略都有其各自的优缺点。可以肯定的是,MTC代表了未来并发单元测试的方向。     

多线程并发程序访问数据误差静态检测仿真

针对传统方法多线程并发程序访问数据误差检测存在检测精度低、能耗高的问题,提出多线程并发程序访问数据误差静态检测方法.扫描解析出来的多线程并发程序源代码,对待检测的部分进行词法分析、语法分析,通过高效链的储存结构,建立XML中间数据模型提取代码属性;构建数据访问树,扫描出待检测部分所存在竞争关系的节点,确定竞争关系节点的...     

基于EE-CSPE约束的并发程序测试

由于执行的不确定性,并发程序的测试需要验证程序执行的事件序列.定义事件之间的约束是验证事件序列合法性的前提.本文提出了一种事件约束的形式化描述方法,扩充了E-CSPE（extended constraints on succeeding and preceding events）对事件排斥约束和后决约束的定义,更全面地描述了前后事件的依赖关系,并给出了基于此方法的确定性测试和非确定性测试规则.     

并发程序的切片模型检验方法

提出了一种对并发程序进行切片以缩减模型检验状态空间的方法，首先针对并发程序中的同步与通信定义了一组依赖关系，包括并发分支与接合．非确定性，信道，共享变量等特征，对于从要验证的时态逻辑性质中提取的关于多个程序点的切片标准，文中给出算法根据相应的依赖关系通过不动点运算得到并发程序切片，可以证明得到的切片与原程序对于该性质具有相同的可满足性。     

基于抽象内存模型的内存相关漏洞检测方法

针对现有的内存相关漏洞检测方法中存在依赖指针数据流而导致大量误报漏报、缺乏漏洞特征的形式化描述以及漏洞特征描述不全面的问题,提出一种基于抽象内存模型的内存相关漏洞检测方法.对抽象内存模型进行相关定义;基于抽象内存模型,对内存泄露、重复释放内存和读写释放后的内存这三种与内存相关的漏洞类型的特征进行形式化符号表示;基于代码...     

基于约束依赖图的并发程序模型检测工具

模型检测是一种基于状态空间搜索的自动化验证方法,可以有效地提升程序的质量.然而,由于并发程序中线程调度的不确定性以及数据同步的复杂性,对该类程序验证时存在更为严重的状态空间爆炸问题.目前,大多采用基于独立性分析的偏序约简技术缩小并发程序探索空间.针对粗糙的独立性分析会显著增加需探索的等价类路径问题,开发了一款可细化线程迁移依赖性分析的并发程序模型检测工具CDG4CPV.首先,构造了待验证可达性性质对应的规约自动机;随后,根据线程迁移边的类型和共享变量访问信息构建约束依赖图;最后,利用约束依赖图剪裁控制流图在展开过程中的独立可执行分支.在SV-COMP 2022竞赛的并发程序数据集上进行了对比实验,并对工具的效率进行比较分析.实验结果表明,该工具可以有效地提升并发程序模型检测的效率.特别是,与基于BDD的程序分析算法相比,该工具可使探索状态数目平均减少91.38%,使时间和空间开销分别平均降低86.25%和69.80%.     

Java程序内存泄漏综述

从与C/C++内存泄漏对比的角度分析了Java内存泄漏问题,详细介绍了Java内存泄漏的相关研究和工具,探讨了当前研究和工具中存在的不足并分析了其原因,总结了内存泄漏相关领域研究的发展趋势。     

基于Adaboost模型的并发程序数据竞争语句级检测

针对并发程序数据竞争检测时准确率低和开销大的问题,基于Adaboost模型设计并发程序数据竞争语句级检测方法。对多线程并发程序进行插桩操作,记录指令的相关内存信息,并对提取出的指令集做语句级转化处理,利用语句对相关属性特征构建并发程序Adaboost数据竞争检测模型,实现多线程程序数据竞争检测工具ADR。实验结果表明,相比于Eraser、Djit+和Thread Sanitizer工具,ADR能够在降低时间及内存开销的同时,有效提高分类准确率,验证了所提方法的有效性。     

面向共享内存并行程序的测试技术

随着并行编程越来越普及,并行程序的测试也变得越来越重要。本文面向共享内存的并行程序,研究一种新的并行程序测试技术,设计了工具CPTester,采用冗余分析方法避免重复的结果。和已有工作不同的是CPTester能够自动生成每一个并行bug的上下文信息,对程序员理解并修复一个并行bug具有重要意义。将CPTester在一些真实的并行程序上进行实验评测,结果显示CPTester能够有效地检测到程序中的并行bug,且每一个并行bug都有相应的上下文信息来描述该bug触发的根本原因。     

程序切片技术在并发程序模型检查中的应用

模型检查技术在硬件和协议设计方面已经取得很大成功,但在软件验证方面仍存在很多困难。其主要问题是如何从源代码中自动抽取验证所要模型并精简其状态空间。文中通过对程序切片技术的研究,来解决并发程序验证的建模问题,包括把验证公式映射到切片准则．并把得到的程序切片转化为验证所需的模型。经程序切片处理后,软件模型检查效率得到提高。     

Certifying Concurrent Programs Using Transactional Memory

Transactional memory (TM) is a new promising concurrency-control mechanism that can avoid many of the pitfalls of the traditional lock-based techniques. TM systems handle data races between threads automatically so that programmers do not have to reason about the interaction of threads manually. TM provides a programming model that may make the development of multi-threaded programs easier. Much work has been done to explore the various implementation strategies of TM systems and to achieve better perfor...     

Error Detection in Concurrent Java Programs

Concurrency in multithreaded programs introduces additional complexity in software verification and testing, and thereby significantly increases the cost of Quality Assurance (QA). We present a case study in which a specialized model checker was used to discover concurrency errors in a large preexisting code base. The results revealed race conditions that lead to data corruption errors whose detection would have been prohibitively expensive with conventional testing and QA methods. We describe our methodology and highlight parts of the methodology that could be automated.     

Software Model Checking: The VeriSoft Approach

Verification by state-space exploration, also often referred to as model checking, is an effective method for analyzing the correctness of concurrent reactive systems (for instance, communication protocols). Unfortunately, traditional model checking is restricted to the verification of properties of models, i.e., abstractions, of concurrent systems.We discuss in this paper how model checking can be extended to analyze arbitrary software, such as implementations of communication protocols written in programming languages like C or C++. We then introduce a search technique that is suitable for exploring the state spaces of such systems. This algorithm has been implemented in VeriSoft, a tool for systematically exploring the state spaces of systems composed of several concurrent processes executing arbitrary code.During the past five years, VeriSoft has been applied successfully for analyzing several software products developed in Lucent Technologies, and has also been licensed to hundreds of users in industry and academia. We discuss applications, strengths and limitations of VeriSoft, and compare it to other approaches to software model checking, analysis and testing.     

Model Checking Programs

The majority of work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers, proof checkers and model checkers. In this paper we will attempt to give convincing arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle big states, and partial order and symmetry reduction, slicing, abstraction, and runtime analysis techniques to reduce the state space. JPF has been applied to a real-time avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, runtime analysis, and slicing with model checking.     

一种新的Java存储模型L-JMM

Java存储模型是Java语言和Java虚拟机研究中的核心关键部分,目前Java语言规范中的存储模型不能保证Java技术所必需的语义特性,而且不利于Java虚拟机的性能优化.提出了一种新的Java存储模型,该模型取消了规范中Java存储模型中对存储密致性的要求,保证了Location一致性;同时根据Java语义的要求,对Java语言中不同类型的变量详细规定了多线程存储操作的行为规则.该模型不仅能保证Java程序的正确性,同时能有效提高Java程序的运行效率.最后通过仿真实验验证了该存储模型的关键特性.     

Low-cost,Concurrent Checking of Pointer and Array Accesses in C Programs

Illegal pointer and array accesses are a major cause of failure for C programs. We present a technique called ‘guarding’ to catch illegal array and pointer accesses. Our implementation of guarding for C programs works as a source-to-source translator. Auxiliary objects called guards are added to a user program to monitor pointer and array accesses at run time. Guards maintain attributes to catch out of bounds array accesses and accesses to deallocated memory. Our system has found a number of previously unreported errors in widely-used Unix utilities and SPEC92 benchmarks. Many commonly used programs have bugs which may not always manifest themselves as a program crash, but may instead produce a subtly wrong answer. These programs are not routinely checked for run-time errors because the increase in execution time due to run-time checking can be very high. We present two techniques to handle the high cost of run-time checking of pointer and array accesses in C programs: ‘customization’ and ‘shadow processing’. Customization works by decoupling run-time checking from original computation. A user program is customized for guarding by throwing away computation not relevant for guarding. We have explored using program slicing for customization. Customization can cut the overhead of guarding by up to half. Shadow processing uses idle processors in multiprocessor workstations to perform run-time checking in the background. A user program is instrumented to obtain a ‘main process’ and a ‘shadow process’. The main process performs computations from the orignal program, occasionally communicating a few key values to the shadow process. The shadow process follows the main process, checking pointer and array accesses. The overhead to the main process which the user sees is very low – almost always less than 10%. © 1997 by John Wiley & Sons, Ltd.