1 Thread Modular Model Checking Cormac Flanagan Systems Research Center HP Labs Joint work with Shaz Qadeer (Microsoft Research)


2 Multithreaded software
Operating systems, databases, web servers, file systems, device drivers, GUIs, ...
Correctness problem: does the program satisfy its specification for all inputs and all interleavings?
Testing is particularly weak for multithreaded software.
Need model checkers for multithreaded software.

3 State explosion
Sources of state explosion:
– large/infinite domains (e.g. integers)
– infinite stack
– many threads
Approaches: predicate abstraction + iterative refinement (SLAM, BLAST, Verifun); Thread Modular Model Checking.

4 Simple multithreaded program
Mutex m; int x := 1;
Thread 1: 1: acquire(m) 2: x := 0 3: x := x + 1 4: assert x > 0 5: release(m) 6: stop
Thread 2: 1: acquire(m) 2: assert x > 0 3: release(m) 4: stop
... Thread n
Shared state H = Mutex × int
Local state L_tid = program counter
State space Q = H × L_1 × ... × L_n
Model checking space: O(|H| · |L|^n)

5 Avoiding state explosion
Standard MC explores H × L_1 × L_2 × ... ; space: O(|H| · |L|^n)
Thread modular MC checks each thread separately against H × L_1 and H × L_2, with guarantee/assume relations G_1 ⊆ H × H and G_2 ⊆ H × H (each thread guarantees its own G_i and assumes the others' G_j); space: O(n · |H| · |L| + n · |H|^2)

6 Mutex implementation
int x := 1; Mutex m := 0;
Mutex m = tid, if held by thread tid; 0, if unheld
acquire(m) is the atomic step (m=0 ∧ m'=tid) ▷ m (may modify only m); release(m) is m := 0
Thread tid: 1: acquire(m) 2: x := 0; 3: x := x + 1 4: assert x > 0 5: release(m) 6: stop
Guarantee G_tid: (m≠tid ⇒ x'=x) ∧ (m'=0 ⇒ x'=1) ∧ (m≠0 ∧ m≠tid ⇒ m'=m)

7 Thread modular checking of Thread 1
Thread tid: 1: (m=0 ∧ m'=tid) ▷ m 2: x := 0; 3: x := x + 1 4: assert x > 0 5: m := 0 6: stop
Abstraction for Thread 1 (environment steps G_2* interleaved between its own steps):
G_2*; (m=0 ∧ m'=1) ▷ m; G_2*; x := 0; G_2*; x := x + 1; G_2*; assert x > 0; G_2*; (m'=0) ▷ m;
Model check the abstraction for Thread 1, and also check that its guarantee steps satisfy G_1.
Repeat for the other threads ⇒ program is OK.

8 Calvin Checker
Thread modular checker for multithreaded software
– uses ESC/Java as back end
Applications
– Apprentice challenge (50 LOC)
– java.util.Vector (400 LOC)
– part of Mercator web crawler (1500 LOC)
– Daisy file system (1500 LOC)
Thread modular reasoning works well provided you can write suitable thread guarantees.
Can we infer thread guarantees?

9 Inferring thread guarantees
Thread 1: 1: (m=0 ∧ m'=1) ▷ m 2: x := 0; 3: x := x + 1 4: assert x > 0 5: m := 0 6: stop
Guarantees G_1 ⊆ H × H and G_2 ⊆ H × H are inferred rather than written by hand.
Initially R_1 = { (m=0,x=1,pc=1) }, R_2 = { (m=0,x=1,pc=1) }, G_1 = { }, G_2 = { }.
Thread 1 step: (m=0,x=1,pc=1) →_1 (m=1,x=1,pc=2); R_1 gains (m=1,x=1,pc=2) and G_1 gains (m=0,x=1) → (m=1,x=1).
Thread 1 step: (m=1,x=1,pc=2) →_1 (m=1,x=0,pc=3); G_1 gains (m=1,x=1) → (m=1,x=0).
Environment step for Thread 2 from G_1: (m=0,x=1,pc=1) yields (m=1,x=1,pc=1) in R_2.

10 Algorithm
Find the least R_t ⊆ H × L_t and G_t ⊆ H × H such that
– R_t(H_Init, L_t^Init)
– R_t(H, L_t) ∧ (H, L_t) →_t (H', L_t') ⇒ R_t(H', L_t') ∧ G_t(H, H')
– R_t(H, L_t) ∧ G_u(H, H') ∧ u ≠ t ⇒ R_t(H', L_t)

11 Inferring thread guarantees
Thread 1: 1: (m=0 ∧ m'=1) ▷ m 2: x := 0; 3: x := x + 1 4: assert x > 0 5: m := 0 6: stop
Thread 2: 1: (m=0 ∧ m'=2) ▷ m 2: assert x > 0 3: m := 0 4: stop
Inferred guarantees at the fixpoint:
G_1 = { (m=0,x=1) → (m=1,x=1), (m=1,x=1) → (m=1,x=0), (m=1,x=0) → (m=1,x=1), (m=1,x=1) → (m=1,x=1), (m=1,x=1) → (m=0,x=1) }
G_2 = { (m=0,x=1) → (m=2,x=1), (m=2,x=1) → (m=2,x=1), (m=2,x=1) → (m=0,x=1) }

12 Inferring thread guarantees
Thread 1: 1: (m=0 ∧ m'=1) ▷ m 2: x := 0; 3: x := x + 1 4: assert x > 0 5: m := 0 6: stop
Inferred guarantees:
G_1 = { (m=0,x=1) → (m=1,x=1), (m=1,x=1) → (m=1,x=0), (m=1,x=0) → (m=1,x=1), (m=1,x=1) → (m=1,x=1), (m=1,x=1) → (m=0,x=1) }
G_2 = { (m=0,x=1) → (m=2,x=1), (m=2,x=1) → (m=2,x=1), (m=2,x=1) → (m=0,x=1) }
Compare with the hand-written guarantee G_tid: (m≠tid ⇒ x'=x) ∧ (m'=0 ⇒ x'=1) ∧ (m≠0 ∧ m≠tid ⇒ m'=m)

13 Soundness and Completeness
Thread modular reasoning is sound.
Thread modular reasoning is not complete.
"Complete enough" for loosely-coupled threads
– no need for tight correlation of PCs
Modeling mutexes as Tid + {0} is crucial
– guarantee G_tid: (m≠tid ⇒ x'=x) ∧ (m'=0 ⇒ x'=1) ∧ (m≠0 ∧ m≠tid ⇒ m'=m)
– cannot model mutexes as {0,1}

14 One bit mutexes do not work!
Thread 1: 1: (m=0 ∧ m'=1) ▷ m 2: x := 0; 3: x := x + 1 4: assert x > 0 5: m := 0 6: stop
Thread 2: 1: (m=0 ∧ m'=1) ▷ m 2: assert x > 0 3: m := 0 4: stop
With m ∈ {0,1} the inferred G_1 still contains (m=1,x=1) → (m=1,x=0), but it no longer records which thread holds the mutex.
R_2: (m=0,x=1,pc=1) →_2 (m=1,x=1,pc=2), and the environment step from G_1 then yields (m=1,x=0,pc=2), where assert x > 0 fails (a spurious violation).
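The following is an added example, not code from the slides or from the Calvin/Verifun tools: a small thread-modular model checker in Python for the mutex program on slides 9 to 14. It computes R_t and G_t as the least fixpoint of the three rules on the "Algorithm" slide, reports assertion failures, compares the inferred guarantees with the hand-written G_tid from slide 12, and reproduces the spurious failure of slide 14 when the mutex is modelled as one bit. The instruction names, the ERROR program counter and the function names are conventions chosen for this example.

```python
# Added example (not from the slides): thread-modular checking of the mutex
# program.  Shared state H = (m, x); local state L_t = pc.  For each thread t
# the checker computes R_t ⊆ H × L_t and G_t ⊆ H × H as the least fixpoint of
# the three rules on the "Algorithm" slide.
from typing import Dict, List, Set, Tuple

Shared = Tuple[int, int]            # (m, x)
Step = Tuple[Shared, int]           # (h', pc')
ERROR = -1                          # pc marking a failed assert (convention here)

# Constructed programs from the slides; pc values are 1-based.
THREAD1 = ["acquire", "x:=0", "x:=x+1", "assert x>0", "release", "stop"]
THREAD2 = ["acquire", "assert x>0", "release", "stop"]
PROGRAMS = {1: THREAD1, 2: THREAD2}
INIT: Shared = (0, 1)               # Mutex m := 0; int x := 1

def step(prog: List[str], tid: int, h: Shared, pc: int, one_bit: bool) -> List[Step]:
    """Successors (h', pc') of thread tid executing prog[pc] in shared state h."""
    m, x = h
    instr = prog[pc - 1]
    if instr == "acquire":
        if m != 0:
            return []                                   # blocked: no step
        # (m=0 ∧ m'=tid) ▷ m on the slides; the one-bit variant writes m'=1
        return [((1 if one_bit else tid, x), pc + 1)]
    if instr == "x:=0":
        return [((m, 0), pc + 1)]
    if instr == "x:=x+1":
        return [((m, x + 1), pc + 1)]
    if instr == "assert x>0":
        return [((m, x), pc + 1 if x > 0 else ERROR)]
    if instr == "release":
        return [((0, x), pc + 1)]
    return []                                           # stop

def thread_modular_check(programs: Dict[int, List[str]], one_bit: bool = False):
    """Least fixpoint of the slide's rules:
       R_t(H_init, L_t_init);
       R_t(h,pc) ∧ (h,pc) →_t (h',pc')  ⇒  R_t(h',pc') ∧ G_t(h,h');
       R_t(h,pc) ∧ G_u(h,h') ∧ u≠t        ⇒  R_t(h',pc)."""
    R: Dict[int, Set[Step]] = {t: {(INIT, 1)} for t in programs}
    G: Dict[int, Set[Tuple[Shared, Shared]]] = {t: set() for t in programs}
    changed = True
    while changed:
        changed = False
        for t, prog in programs.items():
            for h, pc in list(R[t]):
                if pc == ERROR:
                    continue                            # error states are sinks
                for h2, pc2 in step(prog, t, h, pc, one_bit):
                    if (h2, pc2) not in R[t]:
                        R[t].add((h2, pc2)); changed = True
                    # a failing assert is reported, not recorded as a guarantee
                    if pc2 != ERROR and (h, h2) not in G[t]:
                        G[t].add((h, h2)); changed = True
                for u in programs:                      # environment steps
                    if u == t:
                        continue
                    for g_from, g_to in G[u]:
                        if g_from == h and (g_to, pc) not in R[t]:
                            R[t].add((g_to, pc)); changed = True
    return R, G

def assertion_violations(R) -> Dict[int, List[Shared]]:
    """Shared states in which a thread's assert fails, per thread."""
    return {t: sorted(h for h, pc in R[t] if pc == ERROR) for t in R}

def meets_handwritten_guarantee(tid: int, G_t) -> bool:
    """Check every inferred step against the slide's hand-written G_tid:
       (m≠tid ⇒ x'=x) ∧ (m'=0 ⇒ x'=1) ∧ (m≠0 ∧ m≠tid ⇒ m'=m)."""
    def implies(p: bool, q: bool) -> bool:
        return (not p) or q
    return all(implies(m != tid, x2 == x)
               and implies(m2 == 0, x2 == 1)
               and implies(m != 0 and m != tid, m2 == m)
               for (m, x), (m2, x2) in G_t)

if __name__ == "__main__":
    for one_bit in (False, True):
        R, G = thread_modular_check(PROGRAMS, one_bit)
        print("one-bit mutex" if one_bit else "mutex as Tid + {0}")
        for t in PROGRAMS:
            print(f"  G_{t} =", sorted(G[t]))
        print("  violations:", assertion_violations(R))
```

With the mutex modelled as Tid + {0} the fixpoint yields exactly the five-element G_1 and three-element G_2 of slide 11, no assertion fails, and both inferred guarantees satisfy the hand-written G_tid. With a one-bit mutex, G_1 loses the information that thread 1 holds the lock, thread 2 reaches (m=1,x=0,pc=2) through an environment step, and the checker reports the spurious failure of slide 14; the inferred G_1 then also violates the hand-written guarantee, since it contains a step that changes x while m≠1.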

15 Adding procedure calls
Standard MC: each thread has a stack S_tid; Q = H × (L_1 × S_1) × ... × (L_n × S_n); undecidable.
Thread modular MC: check each thread against H × L_1 × S_1 and H × L_2 × S_2 separately, with guarantee/assume relations G_1 ⊆ H × H and G_2 ⊆ H × H; decidable.

16 Related work
Jones 83
– parallel shared-memory programs
– requires manual specification of guarantee
– plus Hoare-style triples
Misra-Chandy 81, Abadi-Lamport 85, Alur-Henzinger 96, McMillan 97

17 Future Work
Sources of state explosion: large/infinite domains (e.g. integers); infinite stack; many threads.
Approaches: predicate abstraction + iterative refinement (SLAM, BLAST, ESC, Verifun, MAGIC); Thread Modular Model Checking.
Combine thread modular checking with predicate abstraction and iterative refinement (Verifun, BLAST, SLAM).