CSV 889: Concurrent Software Verification
Subodh Sharma, Indian Institute of Technology Delhi
State merging, Concolic Execution
Concolic Execution
Works well on interprocedural bugs and on code that uses library calls.
Concolic Execution
Falls back on concrete values when:
– non-linear arithmetic
– pointers pointing to input values
Concolic execution with dynamic data
No way to know whether a->c is overwritten. With initial random values, concolic execution falls back to concrete values.
Nonlinear arithmetic
Problems with Concolic Testing
Limited exploration when decision procedures encounter:
– floats, nonlinear arithmetic, 3rd-party components
– symbolic pointers
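To make the fallback concrete, here is a toy concolic engine written for these notes (it is not code from the lecture). It runs a constructed program on concrete inputs, records the path constraints of branches whose conditions are still symbolic, and finds new inputs by negating one recorded branch at a time. Because no SMT solver is available offline, the "decision procedure" is a brute-force search over a small integer domain; the interesting part is the policy in Sym._op: when two symbolic values are multiplied, the engine drops the symbolic expression and keeps only the concrete value, exactly the fallback described above. The program, the domain and the `nonlinear_symbolic` switch are all assumptions made for the example.

```python
import itertools
import operator

# Operators the toy engine understands; '*' is the only nonlinear one here.
OPS = {'+': operator.add, '-': operator.sub, '*': operator.mul,
       '>': operator.gt, '==': operator.eq}


def evaluate(expr, env):
    """Evaluate an expression tree under a concrete assignment of the inputs."""
    kind = expr[0]
    if kind == 'var':
        return env[expr[1]]
    if kind == 'const':
        return expr[1]
    return OPS[kind](evaluate(expr[1], env), evaluate(expr[2], env))


class Sym:
    """A value carrying its concrete value in the current run and, while the
    engine still tracks it, a symbolic expression tree over the program inputs."""

    def __init__(self, engine, concrete, expr):
        self.engine, self.concrete, self.expr = engine, concrete, expr

    def _op(self, op, other):
        if not isinstance(other, Sym):
            other = Sym(self.engine, other, ('const', other))
        concrete = OPS[op](self.concrete, other.concrete)
        nonlinear = (op == '*' and self.expr is not None and other.expr is not None
                     and self.expr[0] != 'const' and other.expr[0] != 'const')
        if self.expr is None or other.expr is None:
            expr = None          # symbolic tracking was lost earlier: stays concrete
        elif nonlinear and not self.engine.nonlinear_symbolic:
            expr = None          # concolic fallback: concretize the product
        else:
            expr = (op, self.expr, other.expr)
        return Sym(self.engine, concrete, expr)

    def __add__(self, other): return self._op('+', other)
    def __sub__(self, other): return self._op('-', other)
    def __mul__(self, other): return self._op('*', other)
    def __gt__(self, other): return self._op('>', other)
    def __eq__(self, other): return self._op('==', other)


class Engine:
    """Records path constraints during a concrete run and finds new inputs by
    brute-force search over a small integer domain (standing in for an SMT solver)."""

    def __init__(self, names, domain, nonlinear_symbolic=False):
        self.names, self.domain = names, list(domain)
        self.nonlinear_symbolic = nonlinear_symbolic
        self.path = []

    def start(self, env):
        self.path = []
        return {n: Sym(self, env[n], ('var', n)) for n in self.names}

    def branch(self, cond):
        """Take the branch the concrete value dictates; record a constraint only
        if the condition is still symbolic (a concretized one yields none)."""
        outcome = bool(cond.concrete)
        if cond.expr is not None:
            self.path.append((cond.expr, outcome))
        return outcome

    def solve(self, constraints):
        for values in itertools.product(self.domain, repeat=len(self.names)):
            env = dict(zip(self.names, values))
            if all(evaluate(e, env) == want for e, want in constraints):
                return env
        return None


def explore(program, names, domain, nonlinear_symbolic=False):
    """DART-style exploration: run, negate each recorded branch in turn, re-run.
    Returns the set of program outcomes reached."""
    engine = Engine(names, domain, nonlinear_symbolic)
    worklist = [{n: engine.domain[0] for n in names}]
    tried, outcomes = set(), set()
    while worklist:
        syms = engine.start(worklist.pop())
        outcomes.add(program(syms, engine.branch))
        path = list(engine.path)
        for i in range(len(path)):
            goal = tuple(path[:i]) + ((path[i][0], not path[i][1]),)
            if goal in tried:
                continue
            tried.add(goal)
            new_inputs = engine.solve(goal)
            if new_inputs is not None:
                worklist.append(new_inputs)
    return outcomes


def program(v, br):
    """Constructed program under test: the 'bug' branch depends on a product."""
    if br(v['x'] + v['y'] > 10):
        if br(v['x'] * v['y'] == 24):
            return 'bug'
        return 'safe-A'
    return 'safe-B'


if __name__ == '__main__':
    print(explore(program, ['x', 'y'], range(13)))
    print(explore(program, ['x', 'y'], range(13), nonlinear_symbolic=True))
```

With the fallback in place the engine reaches only `safe-A` and `safe-B`: the inner branch never contributes a constraint, so nothing drives the search towards x*y == 24. Flipping `nonlinear_symbolic` keeps the product symbolic and the same brute-force search reaches `bug` with x = 2, y = 12, which shows that the limitation comes from the engine's concretization policy rather than from the exploration strategy.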
Symbolic Execution with Concurrency
Scheduling explosion: an additional headache.
Solution: check for feasible interleavings under a “causal model”.
Example
Symbolic execution of a path along with the schedule. Does there exist a bad schedule?
Example
Lamport’s HB causality: respect read-after-write pairs to the same shared var. Not sufficient to expose the error.
Solution: allow all interleavings, as long as they follow SC semantics. What happens in our running example?
Preliminaries
Concurrent program P: finite set of threads, finite set of shared vars SV. Each thread t_i has a finite set of local vars LV_i.
Symbolic execution trace: where
Preliminaries
Symbolic execution trace: where
action:, assert(c)
state is a map s: V -> Val
Sym. Exec. of Example
Concurrent Trace Program
CTP of : Feasible linearization of
CSSA – Concurrent SSA
SAT Encoding based on CSSA
Path Constraints
Property Constraints HB Constraints
PO Ordering
VD Constraints
Phi Constraints
CSSA Encoding
Context bounding
What is a context and a context switch?
Context bounding: restrict the number of context switches allowed!
In our example: what happens when we bound the contexts to 1? What happens when it is increased to 2?
CTP with Context Bounding
For this to happen, we change the HB definition slightly.
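The slides' running example is not reproduced on this page, so the following added example (written for these notes, not taken from the lecture) uses a constructed two-thread lost-update program to illustrate both points above: "allow all interleavings as long as they follow SC semantics" and context bounding. Instead of the CSSA/SAT encoding it enumerates every interleaving that respects each thread's program order, executes each one under sequential consistency (one global memory, actions atomic in schedule order), checks the property, and counts context switches so that a bound can be applied. The thread bodies, the property x == 2 and the bounds tried are assumptions of the example.

```python
import itertools


def schedules(lengths):
    """Every interleaving of the threads' actions that respects each thread's
    program order, as a tuple of thread ids (one entry per executed action)."""
    ids = [tid for tid, n in enumerate(lengths) for _ in range(n)]
    return sorted(set(itertools.permutations(ids)))


def context_switches(sched):
    """Number of times control passes from one thread to another."""
    return sum(1 for a, b in zip(sched, sched[1:]) if a != b)


def run(threads, sched, init):
    """Execute the schedule under sequential consistency: one global state,
    each action applied atomically in schedule order."""
    state = dict(init)
    pcs = [0] * len(threads)          # per-thread program counter
    for tid in sched:
        threads[tid][pcs[tid]](state)
        pcs[tid] += 1
    return state


def increment_thread(tid):
    """Constructed lost-update pattern: tmp := x ; x := tmp + 1 (two actions)."""
    local = f'tmp{tid}'
    return [lambda s: s.__setitem__(local, s['x']),
            lambda s: s.__setitem__('x', s[local] + 1)]


def bad_schedules(threads, init, prop, bound=None):
    """Schedules (within the context-switch bound, if given) whose final state
    violates prop; an empty list means no bad schedule exists under that bound."""
    bad = []
    for sched in schedules([len(t) for t in threads]):
        if bound is not None and context_switches(sched) > bound:
            continue
        if not prop(run(threads, sched, init)):
            bad.append(sched)
    return bad


THREADS = [increment_thread(0), increment_thread(1)]
INIT = {'x': 0}


def both_increments_visible(state):
    return state['x'] == 2


if __name__ == '__main__':
    for k in (1, 2, None):
        print(f'bound={k}:', bad_schedules(THREADS, INIT, both_increments_visible, bound=k))
```

The four actions admit six program-order-respecting interleavings. With a bound of one context switch only the two serial schedules survive and the property holds, so the bug is invisible; raising the bound to two admits schedules such as (0, 1, 1, 0), in which both reads precede both writes and the final value is 1. Without a bound all four lost-update schedules appear. The enumeration is exponential in the trace length, which is the "scheduling explosion" that the CSSA encoding and context bounding are meant to tame.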
Acknowledgements