Journal Article, DOI: 10.1145/514188.514189
The apprentice challenge
J. Strother Moore, George Porter +1 more
TL;DR: A mechanically checked proof of a property of a small system of Java programs involving an unbounded number of threads and synchronization, via monitors, is described, using the output of the javac compiler as the semantics and the system at the bytecode level under an operational semantics for the JVM.
Abstract: We describe a mechanically checked proof of a property of a small system of Java programs involving an unbounded number of threads and synchronization, via monitors. We adopt the output of the javac compiler as the semantics and verify the system at the bytecode level under an operational semantics for the JVM. We assume a sequentially consistent memory model and atomicity at the bytecode level. Our operational semantics is expressed in ACL2, a Lisp-based logic of recursive functions. Our proofs are checked with the ACL2 theorem prover. The proof involves reasoning about arithmetic; infinite loops; the creation and modification of instance objects in the heap, including threads; the inheritance of fields from superclasses; pointer chasing and smashing; the invocation of instance methods (and the concomitant dynamic method resolution); use of the start method on thread objects; the use of monitors to attain synchronization between threads; and consideration of all possible interleavings (at the bytecode level) over an unbounded number of threads. Readers familiar with monitor-based proofs of mutual exclusion will recognize our proof as fairly classical. The novelty here comes from (i) the complexity of the individual operations on the abstract machine; (ii) the dependencies between Java threads, heap objects, and synchronization; (iii) the bytecode-level interleaving; (iv) the unbounded number of threads; (v) the presence in the heap of incompletely initialized threads and other objects; and (vi) the proof engineering permitting automatic mechanical verification of code-level theorems. We discuss these issues. The problem posed here is also put forth as a benchmark against which to measure other approaches to formally proving properties of multithreaded Java programs.
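The abstract's central difficulty is that correctness has to hold over every bytecode-level interleaving of an unbounded number of threads, with synchronization expressed only through JVM monitors. The following is an added illustration written for this page, not the paper's ACL2/M5 model: a toy operational semantics for a handful of bytecodes (getfield, putfield, iadd, monitorenter, monitorexit, goto) over a shared object with a counter field and a monitor, plus an exhaustive breadth-first search over all interleavings for a bounded number of threads and loop iterations. The two programs are hand-written stand-ins for the javac output of a synchronized and an unsynchronized increment loop, and the property checked (the counter value never decreases between consecutive states) is my choice for the demonstration; the paper's own theorem, heap model and unbounded-thread argument are not reproduced here, and Java's 32-bit integer wrap-around is ignored.

```python
"""Bounded, exhaustive exploration of bytecode-level interleavings on a toy
JVM-like machine. Added illustration for this page; it is not the ACL2/M5
model the paper uses, and the programs below are hand-written stand-ins."""
from collections import deque
from typing import List, Optional, Set, Tuple

# Constructed bytecode: each thread loops, incrementing the shared object's
# "counter" field. SYNC brackets the update with a monitor (what javac emits
# for a synchronized block); RACY is the same loop without the monitor.
SYNC_PROGRAM = [("monitorenter",), ("getfield",), ("iconst", 1), ("iadd",),
                ("putfield",), ("monitorexit",), ("goto", 0)]
RACY_PROGRAM = [op for op in SYNC_PROGRAM
                if op[0] not in ("monitorenter", "monitorexit")]

# Thread = (pc, or None once finished; operand stack; loop iterations done).
# State = (threads, counter field, monitor owner tid or None, monitor depth).
Thread = Tuple[Optional[int], Tuple[int, ...], int]
State = Tuple[Tuple[Thread, ...], int, Optional[int], int]


def step(state: State, tid: int, program: list, max_iters: int) -> Optional[State]:
    """Run one bytecode of thread tid; None if it is finished or blocked."""
    threads, counter, owner, depth = state
    pc, stack, iters = threads[tid]
    if pc is None:
        return None
    op = program[pc]
    npc: Optional[int] = pc + 1
    if op[0] == "monitorenter":
        if owner not in (None, tid):     # held by another thread: not enabled
            return None
        owner, depth = tid, depth + 1    # reentrant acquire
    elif op[0] == "monitorexit":
        assert owner == tid, "unbalanced monitorexit"
        depth -= 1
        owner = None if depth == 0 else owner
    elif op[0] == "getfield":
        stack = stack + (counter,)       # read the shared field onto the stack
    elif op[0] == "iconst":
        stack = stack + (op[1],)
    elif op[0] == "iadd":                # Python ints: Java's 32-bit wrap ignored
        stack = stack[:-2] + (stack[-2] + stack[-1],)
    elif op[0] == "putfield":
        counter, stack = stack[-1], stack[:-1]
    elif op[0] == "goto":
        iters += 1                       # bound the infinite loop for the search
        npc = None if iters >= max_iters else op[1]
    threads = threads[:tid] + ((npc, stack, iters),) + threads[tid + 1:]
    return threads, counter, owner, depth


def explore(program: list, n_threads: int, max_iters: int):
    """BFS over every interleaving. Returns (states visited, set of counter
    values in terminal states, first trace on which the counter decreased or
    None). The 'never decreases' check is the property chosen for this demo."""
    init: State = (tuple((0, (), 0) for _ in range(n_threads)), 0, None, 0)
    seen: Set[State] = {init}
    queue = deque([(init, [])])
    finals: Set[int] = set()
    violation: Optional[List[Tuple[int, tuple]]] = None
    while queue:
        state, trace = queue.popleft()
        if all(t[0] is None for t in state[0]):
            finals.add(state[1])
        for tid in range(n_threads):
            succ = step(state, tid, program, max_iters)
            if succ is None:
                continue
            ntrace = trace + [(tid, program[state[0][tid][0]])]
            if succ[1] < state[1] and violation is None:
                violation = ntrace       # a stale putfield overwrote a newer value
            if succ not in seen:
                seen.add(succ)
                queue.append((succ, ntrace))
    return len(seen), finals, violation


if __name__ == "__main__":
    for name, prog in (("synchronized", SYNC_PROGRAM), ("racy", RACY_PROGRAM)):
        n, finals, bad = explore(prog, 2, 2)
        print(f"{name}: {n} states, final counters {sorted(finals)}, "
              f"first decreasing trace: {bad}")
```

With two threads and two iterations each, the synchronized loop reaches only the final value 4 and no interleaving ever lowers the counter, while the racy loop can finish at 2, 3 or 4 and admits a trace in which one thread's stale putfield overwrites a larger value. The search is bounded, so it can refute but not prove; the paper's contribution is exactly the proof-engineering needed to discharge the unbounded-thread, unbounded-iteration version mechanically.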
Citations
Formalising java's data race free guarantee
David Aspinall, Jaroslav Ševčík +1 more
- 10 Sep 2007
TL;DR: The data race free (DRF) guarantee provided by Java, as captured by the semi-formal Java Memory Model (JMM), is formalised; it turns out that not all of the conditions anticipated in the JMM definition are actually necessary for the DRF guarantee.
An Assertional Proof System for Multithreaded Java - Theory and Tool Support
Erika Ábrahám
- 20 Jan 2005
TL;DR: This work introduces a tool-supported assertional proof method for JavaMT ("Multi-Threaded Java"), a small sublanguage of Java, covering the mentioned concurrency issues as well as the object-based core of Java.
A Grand Challenge Proposal for Formal Methods: A Verified Stack
TL;DR: In this paper, the authors propose a grand challenge for the formal methods community to build and verify a practical computing system from transistors to software, from the point of view of verification.
Some Key Research Problems in Automated Theorem Proving for Hardware and Software Verification
M. Kaufman
- 01 Jan 2004
TL;DR: The paper focuses on the theorem proving system ACL2, developed by the two authors, and points out some of the key research topics in the area.
Book
A Machine-Checked, Type-Safe Model of Java Concurrency: Language, Virtual Machine, Memory Model, and Verified Compiler
Andreas Lochbihler
- 07 Dec 2012
TL;DR: This work develops a machine-checked model of concurrent Java and the Java memory model and investigates the impact of concurrency on these guarantees.
References
Book
The Java Virtual Machine Specification
Tim Lindholm, Frank Yellin +1 more
- 19 Sep 1996
TL;DR: In this article, the authors present a detailed overview of the Java Virtual Machine, including the internal structure of the class file format, the internal form of Fully Qualified Class and Interface names, and the implementation of new class instances.
Eraser: a dynamic data race detector for multithreaded programs
TL;DR: A new tool, called Eraser, is described for dynamically detecting data races in lock-based multithreaded programs; it uses binary rewriting techniques to monitor every shared-memory reference and verify that consistent locking behavior is observed.
Model checking programs
Willem Visser, Klaus Havelund, Guillaume Brat, Seungjoon Park +3 more
- 11 Sep 2000
TL;DR: A verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing, and uses state compression to handle big states and partial order and symmetry reduction, slicing, abstraction, and runtime analysis techniques to reduce the state space.
Related Papers (5)
Tim Lindholm, Frank Yellin +1 more
- 19 Sep 1996
Robert S. Boyer, J. Strother Moore +1 more
- 01 Jan 1988
John C. Mitchell, Stephen N. Freund +1 more
- 01 Jan 2000