Reasoning on Concurrency: An Approach to Modeling and Verification of Java Thread-safe Objects Franco Cicirelli, Libero Nigro, Francesco Pupo Laboratorio di Ingegneria del Software Dipartimento di Elettronica Informatica e Sistemistica Università della Calabria - 87036 Rende (CS) – Italy Email: f.cicirelli@deis.unical.it, {l.nigro,f.pupo}@unical.it AbstractDevelopment of concurrent and time-dependent software systems is currently growing in its strategic importance due to the diffusion of powerful multi- core/many-core machines. To effectively cope with current and prospective concurrency demands, formal tools have to be used. A library of reusable UPPAAL timed automata was achieved, which enables a reasoning on concurrency. The library is tailored to Java. However, similar solutions could be also developed to work with other languages as well. This paper outlines library design and focuses on its exploitation for model-based prediction of the correctness of thread-safe Java objects. Keywords-Modeling and verification; concurrent systems; Java; thread-safe objects; model checking; UPPAAL. I. INTRODUCTION This work argues that to properly design and implement concurrent systems, the adoption of formal tools, which can support a reasoning on concurrency is mandatory. This paper introduces the design of a UPPAAL library of timed automata [1-3], which improves preliminary experience described in [4]. Library design was mainly inspired by Java concurrency features. Common synchronization mechanisms such as semaphores and monitors, both classic and Java specific, are provided. On top of these mechanisms, new synchronizers, tailored to particular programming styles, can be built. The library enables modeling of a concurrent program according to implementation aspects, thus reducing the semantic gap which normally exists between a specification model and its vocabulary (e.g., atomic actions, broadcast synchronization, etc.) and a corresponding implementation. Analysis activities are based on exhaustive verification and model checking [5], [6]. The paper proposes an approach to modeling and verification (M&V) of Java thread-safe objects and illustrates it by practical examples. The model-based prediction approach can be related to the work of Hamberg and Vaandrager [7] and to the known Finite State Processes (FSP)/Labeled Transition System Analyzer (LTSA) tool developed by Magee and Kramer [8]. With the first work our approach shares the use of the UPPAAL model checker. However, our library is characterized by its volition of being Java tailored. In addition, some common structures like semaphores appear to be more efficient. The second approach is based on the FSP process algebra. An FSP model is transformed into a labeled transition system to be analyzed by the LTSA tool. However, this approach does not allow, for instance, the expression of a FIFO policy (e.g., for awaking processes waiting on a semaphore). In addition, the use of a discrete time model can complicate the verification of complex models. The paper is structured as follows. Section II outlines the developed UPPAAL. Section III proposes an approach for M&V of Java thread-safe objects. Section IV describes a more complex modeling example. Finally, an indication of research directions which deserve further work is given in the conclusion. II. CONCURRENCY CONTROL IN UPPAAL A library of UPPAAL template processes (i.e., timed automata TA) was developed, which provides such common concurrent structures as semaphores and monitors [9], both classic and Java specific. The following gives an outline of the library contents. Figure 1. The BinarySemaphore automaton Fig. 1 shows an automaton for classic binary semaphore. A similar construction exists for a general, counting semaphore. Classic P/V operations are implemented as unicast channel arrays P[.]/V[.] whose dimension mirrors the number of semaphores used in a model. A P operation on a semaphore s is expressed by raising a synchronization P[s]!. The requesting process is assumed to put into a global (meta) variable proc its unique process id at the time of P[s]!. Variable proc is used only during the atomic action of P[s]!, with the receiving semaphore which frees it immediately by storing the proc value in a local variable. A further channel array GO[.], whose dimension coincides with the number of processes in the model, is used for blocking the requesting process until the semaphore assigns the permit to the process. The use of GO is implicit in the operation P in a programming language, but in UPPAAL it serves the purpose of transforming a strict rendezvous (P[.]!) into an extended rendezvous, which terminates when the semaphore completes the handling of P[.]! and allows the requesting process to unblock. A V[s]! request never blocks the requesting process and normally does not require the proc mediation. With respect to the realization proposed in [7], our semaphores use less variables thus favoring model 53 Copyright (c) IARIA, 2013. ISBN: 978-1-61208-308-7 SIMUL 2013 : The Fifth International Conference on Advances in System Simulation