Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

Published byJulien Brabson Modified over 9 years ago

Similar presentations

Presentation on theme: "A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research."— Presentation transcript:

1 A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research

2 Optimizations In the context of compilers, an optimization is: A program transformation that preserves semantics Aimed at improving the execution time of the program We propose an optimization targeted towards program verification The optimization is semantics preserving Aimed at improving the verification time Targets “Deep Assertions”

3 Deep Assertions Main Assertion Search in a large call graph

4 Deep Assertions Path of length 5 Search in a large call graph

5 Deep Assertions Path of length 15 Search in a large call graph

6 Deep Assertions Statically, distance from main to the assertion was up to 38!

7 Deep Assertions Goal-directed verifiers try to establish relevant information For instance, SLAM infers only predicates relevant to the property Contrast this with symbolic-execution-based testing or explicit modelcheckers that are not goal-directed When the target is far away, knowing what is relevant is that much harder

8 Example // global variables var s, g: int; procedure main() { // Initialization s := 0; g := 1; P1(); } procedure P1() { P2(); } procedure P2() { P3(); } procedure Pn() { // loop while(*) { if(g == 1) Open(); Close(); } procedure Open() { s := 1; } procedure Close() { assert s > 0; s := 0; } Deep call graph!

9 Inlining-Based Verifiers Example: BMC, Corral Based on exploring the call graph by unfolding it Inline procedures, unroll loops Either in forward or backward direction Use invariants to help prune search

10 Lazy Inlining Algorithms

11 Example // global variables var s, g: int; procedure main() { // Initialization s := 0; g := 1; P1(); } procedure P1() { P2(); } procedure P2() { P3(); } procedure Pn() { // loop while(*) { if(g == 1) Open(); Close(); } procedure Open() { s := 1; } procedure Close() { assert s > 0; s := 0; } Corral, forward Full inlining: O(2^n)*R, Or Produce the invariant for each Pi: (old(g) == 1 && old(s) == 0) ==> (s == 0 && !err) Corral, backward Full inlining: O(2^n)*R, Or Produce the precondition for each Pi: (g == 1)

12 Example // global variables var s, g: int; procedure main() { // Initialization s := 0; g := 1; P1(); } procedure P1() { P2(); } procedure P2() { P3(); } procedure Pn() { // loop while(*) { if(g == 1) Open(); Close(); } procedure Open() { s := 1; } procedure Close() { assert s > 0; s := 0; } After our transformation: Corral, forward: O(1) Corral, backward: O(1) No invariants needed!

13 Our Transformation Key Guarantee: Lift all assertions to main, that is for any procedure call, it will be to a procedure that cannot fail How? Call-Return semantics: a procedure call stores the return address on the stack, jumps to the procedure, and on exit returns to the address on stack. When a procedure call doesn’t fail, then we already have our guarantee When a procedure call will fail then we don’t need the return address!

14 Our Transformation {... call foo();... } {... // guess if the call fails if(*) { // it does! goto foo_start; } else { // it doesn’t! call foo(); }... } procedure foo() { foo_start: … assert blah; … return; } foo_start: … assert blah; … halt; procedure foo() { foo_start: … assume blah; … return; }

15 Our Transformation main() { A; call foo(); B; assert e1; } foo() { call bar(); C; assert e2; } bar() { D; assert e3; } main() { A; call foo(); B; assert e1; } foo() { call bar(); C; assume e2; } bar() { D; assume e3; }

16 Our Transformation main() { A; call foo(); B; assert e1; } foo() { call bar(); C; assert e2; } bar() { D; assert e3; } main() { A; if(*) { goto foo_start; } else { call foo(); } B; assert e1; } foo() { call bar(); C; assume e2; } bar() { D; assume e3; }

17 Our Transformation main() { A; call foo(); B; assert e1; } foo() { call bar(); C; assert e2; } bar() { D; assert e3; } main() { A; if(*) { goto foo_start; } else { call foo(); } B; assert e1; } foo() { call bar(); C; assume e2; } bar() { D; assume e3; } foo_start: call bar(); C; assert e2; halt;

18 foo_start: if(*) { goto bar_start; } else { call bar(); } C; assert e2; halt; Our Transformation main() { A; call foo(); B; assert e1; } foo() { call bar(); C; assert e2; } bar() { D; assert e3; } main() { A; if(*) { goto foo_start; } else { call foo(); } B; assert e1; } foo() { call bar(); C; assume e2; } bar() { D; assume e3; }

19 foo_start: if(*) { goto bar_start; } else { call bar(); } C; assert e2; halt; Our Transformation main() { A; call foo(); B; assert e1; } foo() { call bar(); C; assert e2; } bar() { D; assert e3; } main() { A; if(*) { goto foo_start; } else { call foo(); } B; assert e1; } foo() { call bar(); C; assume e2; } bar() { D; assume e3; } bar_start: D; assert e3; halt; Remarks: 1.The algorithm terminates 2.At most one copy of each procedure absorbed into main (unlike inlining) 3.All assertions in main! 4.Semantically equivalent

20 Our Transformation Additional Guarantee: Loops don’t have assertions How? Only the last iteration can fail loop(b)loop(b); if(*) { b }

21 Example // global variables var s, g: int; procedure main() { // Initialization s := 0; g := 1; P1(); } procedure P1() { P2(); } procedure P2() { P3(); } procedure Pn() { // loop while(*) { if(g == 1) Open(); Close(); } procedure Open() { s := 1; } procedure Close() { assert s > 0; s := 0; } Deep call graph!

22 Example var s, g: int; procedure main() { s := 0; g := 1; if(*) goto P1_start; else P1(); return; P1_start: if(*) goto P2_start; else P2(); if(*) goto P2_start; else P2(); return;... Pn_start: while(*) { if(g == 1) Open(); Close(); } if(*) { if(g == 1) Open(); if(*) { assert s > 0; s := 0; } else Close(); } } // end main Inline: Open ensures s == 1

23 Transforming Concurrent Programs Concurrent Programs: We still retain our guarantee Key Idea: At most one thread can fail Main thread guesses the failing thread upfront and starts running it (But it blocks until the thread is actually spawned) Rest all of the threads run failure free Failing thread transformed, as for sequential programs

24 Programming Model Execution starts in main Additional threads can be spawned as: async call foo(x) Preemptions are explicit: yield Note: unbounded threads, but finite (fixed) number of thread entrypoints

25 Transforming Concurrent Programs {... async call foo(x);... } {... // guess if this is the failing thread if(*) { // it is not async call foo(x); } else { // it is assume flag == nil; a := x; flag := “foo”; }... }

26 Transforming Concurrent Programs { flag := nil; if(*) { flag := “main”; goto main_entry; } async call main(); yield; goto l foo, l bar ; l foo : assume flag == “foo”; args := a; goto foo_start; l bar : assume flag == “bar”; args := a; goto bar_start; main_entry: ; die; foo_entry: ; die; bar_entry: ; die; } main

27 Evaluation Two verifiers Corral: Based on procedure inlining Yogi: Based on testing and refinement via lazy predicate abstraction Implementation Less than 1000 lines of code! Evaluation Criteria Number of instances solved Running time Memory consumption Effect on summary generation (discussed in the paper)

28 Benchmarks (Sequential) Windows Device Drivers, source: “The Static Driver Verifier”

29 Summary of the Results

30 Results: SI Number of instances: 2516 Reduction in Timeouts: 297 10X speedup: 54 2X speedup: 220 2X slowdown: 5 Program size increase: 1.1X to 1.6X Memory consumption: reduced!

31 Results: SI+Houdini Number of instances: 2516 Reduction in Timeouts: 30 2X speedup: 80 2X slowdown: 4

32 Results: Yogi Third party tool Number of instances: 802 Reduction in Timeouts: 7 10X speedup: 36 Slowdown mostly limited to trivial instances

33 Results on Concurrent Programs

34 Summary A program transformation that lifts all assertions to main Considerable speedups, up to 10X for two different verifiers Very little implementation effort Try it out in your verifier today! Thank You!

Download ppt "A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research."

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
Synopsys University Courseware Copyright © 2012 Synopsys, Inc. All rights reserved. Compiler Optimization and Code Generation Lecture - 3 Developed By:

Synopsys University Courseware Copyright © 2012 Synopsys, Inc. All rights reserved. Compiler Optimization and Code Generation Lecture - 3 Developed By:
Course Outline Traditional Static Program Analysis Software Testing

Course Outline Traditional Static Program Analysis Software Testing
Chapter 9 Code optimization Section 0 overview 1.Position of code optimizer 2.Purpose of code optimizer to get better efficiency –Run faster –Take less.

Chapter 9 Code optimization Section 0 overview 1.Position of code optimizer 2.Purpose of code optimizer to get better efficiency –Run faster –Take less.
Coalescing Register Allocation CS153: Compilers Greg Morrisett.

Coalescing Register Allocation CS153: Compilers Greg Morrisett.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Control-Flow Graphs & Dataflow Analysis CS153: Compilers Greg Morrisett.

Control-Flow Graphs & Dataflow Analysis CS153: Compilers Greg Morrisett.
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,

Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,
CSI 3120, Implementing subprograms, page 1 Implementing subprograms The environment in block-structured languages The structure of the activation stack.

CSI 3120, Implementing subprograms, page 1 Implementing subprograms The environment in block-structured languages The structure of the activation stack.
Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.

Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Similar presentations

Ads by Google