Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]

Slides:



Advertisements
Similar presentations
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
Advertisements

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Introducing BLAST Software Verification John Gallagher CS4117.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Permissive Interfaces Tom Henzinger Ranjit Jhala Rupak Majumdar.
Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.
Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.
1 Thread Modular Model Checking Cormac Flanagan Systems Research Center HP Labs Joint work with Shaz Qadeer (Microsoft Research)
Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.
Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.
Lazy Predicate Abstraction in BLAST John Gallagher CS4117.
Synergy: A New Algorithm for Property Checking
Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.
Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.
Counter Example Guided Refinement CEGAR Mooly Sagiv.
Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.
Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.
Temporal-Safety Proofs for Systems Code Thomas A. Henzinger Ranjit Jhala Rupak Majumdar George Necula Westley Weimer Grégoire Sutre UC Berkeley.
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.
Thread-Modular Verification Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund.
Lazy Abstraction Lecture 2: Modular Analyses Ranjit Jhala UC San Diego With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Lazy Abstraction Lecture 3 : Partial Analysis Ranjit Jhala UC San Diego With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.
CSC2108 Lazy Abstraction on Software Model Checking Wai Sum Mong.
By: Pashootan Vaezipoor Path Invariant Simon Fraser University – Spring 09.
Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.
Lazy Abstraction Jinseong Jeon ARCS, KAIST CS750b, KAIST2/26 References Lazy Abstraction –Thomas A. Henzinger et al., POPL ’02 Software verification.
Program analysis with dynamic change of precision. Philippe Giabbanelli CMPT 894 – Spring 2008.
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
1 Predicate Abstraction and Refinement for Verifying Hardware Designs Himanshu Jain Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke.
Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai.
11 Counter-Example Based Predicate Discovery in Predicate Abstraction Satyaki Das and David L. Dill Computer Systems Lab Stanford University
Ranjit Jhala Rupak Majumdar Interprocedural Analysis of Asynchronous Programs.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
Specifying Multithreaded Java semantics for Program Verification Abhik Roychoudhury National University of Singapore (Joint work with Tulika Mitra)
Counter Example Guided Refinement CEGAR Mooly Sagiv.
#1 Having a BLAST with SLAM. #2 Software Model Checking via Counter-Example Guided Abstraction Refinement Topic: Software Model Checking via Counter-Example.
Counterexample-Guided Abstraction Refinement By Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith Presented by Yunho Kim Provable Software.
The software model checker BLAST Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Presented by Yunho Kim TexPoint fonts used in EMF. Read.
Formal methods: Lecture
Abstraction and Refinement for Large Scale Model Checking
Amir Kamil and Katherine Yelick
Over-Approximating Boolean Programs with Unbounded Thread Creation
Amir Kamil and Katherine Yelick
Abstractions from Proofs
Predicate Abstraction
BLAST: A Software Verification Tool for C programs
Presentation transcript:

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]

Introduction Model Checking Software –“Little theorems about big programs” –“automatic”, Path sensitive properties –Limited to sequential programs Thread-modular Reasoning –Efficiently decompose checks –Requires manual (or divine) intervention TAR: Thread-modular Abstraction Refinement –Eliminate the divine using abstraction-refinement –Safety checking for concurrent programs

The story so far... Analyzing Sequential programs –BLAST/SLAM/… –Iterative Abstraction-Refinement [Kurshan ’93] YES SAFE explanation NO! (Trace) BUG feasible Seed Abstraction Program Why infeasible ? infeasible Refine Abstract Is model safe ? Check

… and what of Concurrent Programs ? Shared Memory (multithreaded) Message Passing Hard to analyze ! –Interleavings / State explosion One approach: Thread-modular analysis –Analyse threads separately –Compose analyses [Jones ’83, CALVIN (FQS ’02), Assume-Guarantee]

The Problem boxes = threads white denotes shared variables Safety checking: Is an ERROR state reachable ?

Thread-modular analysis (take1) safe

Thread-modular analysis (take1) safe If only… ! Threads are correct in constrained environments

Second Attempt: Summaries “Summarize” each thread’s behavior Use/verify summaries (circular)

safe Use Summaries (“Assume”) safe

Verify Summaries (“Guarantee”) µ µ safe

Thread-modular analysis (take 2) µ safe µ

Our Contribution Problem with TM Reasoning: –Divining (small) summaries ? ? Algorithm TAR –Compute/use/verify summaries –Using iterative abstraction-refinement

An Example: Race Detection Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } Shared variables: data, flag, P, C Error states: P Æ C Initial states: : P Æ : C ( Æ : flag) P´P´ ´ C

An Example: Race Detection Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } P´P´ ´ C Correctness Invariant: –Producer ensures: P ) : flag –Consumer ensures: C ) flag

S Producer { : flag ! (flag’ Ç : flag’) Æ : P’ | : flag ! : flag’ Æ P’ } Summaries S Consumer { flag ! (flag’ Ç: flag’) Æ : C’ | flag ! flag’ Æ C’ } Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } Summary: Set of (present state, next state) pairs

Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } Checking Safety [CALVIN] [use] Sequential program: Producer+ use BLAST/SLAM/ESC/… [verify] Every action of Producer+ is in S Producer Where do summaries come from? Producer+{ 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } while(*){ s Consumer ();} safe µ

Abstraction & Reachability Abstraction gives finite state space Conservative – Abstraction safe ) System safe – Too coarse ) spurious counterexample Initial Error

Refinement Using “spurious” error traces

Refinement Using “spurious” error traces –Add information to rule out spurious trace –e.g. Track more variables or predicates Repeat reachability –Till safe or real trace is found

Abstraction & Reachability Using “spurious” error traces –Add information to rule out spurious trace –e.g. Track more variables or predicates Repeat reachability –Till safe or real trace is found safe

To Summarize Nodes labeled by abstract states Each parent-child pair ! (present, next) pair –Quantify out local state (e.g. program counter) –Take pairs where global state changes Reachability Tree ’

Producer+{ 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } while(*){ s Consumer ();} Tying up the threads ;; Refine using “spurious” error traces Not yet the reachable set! Summarize

Refined System ;; safe Fixpoint

Running TAR on Example Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } Shared variables: data, flag, P, C Error states: P Æ C Initial states: : P Æ : C Æ : flag P´P´ ´ C

; Summary: : P Æ : C ! : P’ Æ C’ : P Æ C ! : P’ Æ : C’ Running TAR 1 ; Init: : P Æ : C Error: P Æ C Abs: P, C Reach: : P Æ : C P Æ : C Reach: : P Æ : C : P Æ C Summary: : P Æ : C ! P’ Æ : C’ P Æ : C ! : P’ Æ : C’ Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } P Æ C P´P´ ´ C

Summary: C Æ flag ! : C’ Æ flag’ : C Æ flag ! : C’ Æ : flag’ ! C’ Æ flag ; Summary: Running TAR 2 ; Init: : P Æ : C Æ : flag Error: P Æ C Abs: P, C, flag Reach: : P Æ : C Æ : flag P Æ : C Æ : flag : P Æ : C Æ flag Reach: : P Æ : C Æ : flag Summary: : P Æ: flag ! P‘ Æ : flag’ ! : P’ Æ flag’ P Æ : flag ! : P Æ: flag Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } : P Æ C Æ flag : C Æ flag : C Æ : flag P´P´ ´ C Only change if : flag Only change if flag : P Fixpoint Track flag : flagflag

; Summary: flag ! ( flag’ Ç : flag’) Æ : C’ ! flag’ Æ C’ Running TAR 2 ; Reach: P Æ : C Æ : flag : P Reach: : P Æ C Æ flag : C Summary: : flag ! (flag’ Ç : flag’) Æ : P’ ! : flag Æ P’ Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } P´P´ ´ C safe Fixpoint SUMMARIES LEARNT !

Bells and Whistles Havoc Abstractions: –Track only when the environment changes a variable Not what new value it changes it to –For every global x,  x denotes states where thread writes x Summary: if (  x ) then x = * No explicit global variables –Sharing via pointers that escape

Race Detection w/ Pointers Producer { p = &buf; while (*) { while (p->flag) {}; p->data = newdata(); p->flag = true; p = p->next; } Consumer { q = &buf; while (*) { while (!q->flag) {}; read = q->data; q->flag = false; q = q->next; } data flag

Conclusions The moral … –TAR can check concurrent software –w/o (really) exploring all interleavings The devil … –Shared memory via pointers –Explicating local state Need to track some local state of “other” threads –Approximate Counterexample analysis Implemented TAR in BLAST –Race checking for drivers (each client is a thread) –Linux/Windows drivers 1-10 Kloc Looking for examples and properties …

BLAST Berkeley Lazy Abstraction Software * Tool

safe Use Summaries (“Assume”) safe

Verify Summaries (“Guarantee”) µ µ safe

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.