Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Slides:



Advertisements
Similar presentations
A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Advertisements

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Demand-driven inference of loop invariants in a theorem prover
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2013 Lecture 4.
Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,
Abstraction of Source Code (from Bandera lectures and talks)
Semantics Static semantics Dynamic semantics attribute grammars
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
ISBN Chapter 3 Describing Syntax and Semantics.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
© Janice Regan, CMPT 102, Sept CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.
Discovering Affine Equalities Using Random Interpretation Sumit Gulwani George Necula EECS Department University of California, Berkeley.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
Chapter 2: Algorithm Discovery and Design
Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.
Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Describing Syntax and Semantics
Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog Himanshu Jain Daniel Kroening Natasha Sharygina Edmund Clarke Carnegie Mellon.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Chapter 2: Algorithm Discovery and Design
1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.
50.530: Software Engineering
Deciding a Combination of Theories - Decision Procedure - Changki pswlab Combination of Theories Daniel Kroening, Ofer Strichman Presented by Changki.
By: Pashootan Vaezipoor Path Invariant Simon Fraser University – Spring 09.
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
Type Systems CS Definitions Program analysis Discovering facts about programs. Dynamic analysis Program analysis by using program executions.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
Predicate Abstraction of ANSI-C Programs Using SAT By Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav Presented by Yunho Kim Provable Software.
1 Bisimulations as a Technique for State Space Reductions.
CS Data Structures I Chapter 2 Principles of Programming & Software Engineering.
Formal verification of skiplist algorithms Student: Trinh Cong Quy Supervisor: Bengt Jonsson Reviewer: Parosh Abdulla.
Chapter 3 Part II Describing Syntax and Semantics.
Semantics In Text: Chapter 3.
1 Predicate Abstraction and Refinement for Verifying Hardware Designs Himanshu Jain Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke.
Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai.
Industrial Project (236504) Advanced programming tools for refactoring Java code in Eclipse Student: Alexander Libov Supervisor: Dr. Ran Ettinger, IBM.
11 Counter-Example Based Predicate Discovery in Predicate Abstraction Satyaki Das and David L. Dill Computer Systems Lab Stanford University
Verification of Synchronization in SpecC Description with the Use of Difference Decision Diagrams Thanyapat Sakunkonchak Masahiro Fujita Department of.
Types and Programming Languages Lecture 11 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Compositionality Entails Sequentializability Pranav Garg, P. Madhusudan University of Illinois at Urbana-Champaign.
On Implementing High Level Concurrency in Java G Stewart von Itzstein Mark Jasiunas University of South Australia.
Error Explanation with Distance Metrics Authors: Alex Groce, Sagar Chaki, Daniel Kroening, and Ofer Strichman International Journal on Software Tools for.
Boolean Programs: A Model and Process For Software Analysis By Thomas Ball and Sriram K. Rajamani Microsoft technical paper MSR-TR Presented by.
Verification of Data-Dependent Properties of MPI-Based Parallel Scientific Software Anastasia Mironova.
Weakest Precondition of Unstructured Programs
Over-Approximating Boolean Programs with Unbounded Thread Creation
A Refinement Calculus for Promela
Predicate Abstraction
Course: CS60030 Formal Systems
Presentation transcript:

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer Science Department, Oxford University, United Kingdom Limor Goldberg

Outline  Introduction  Symmetry-Aware Predicate Abstraction  Symmetry-Aware Predicate Abstraction with aliasing  Closing the CEGAR Loop  Experimental results  Conclusion

Introduction

Introduction  Overview  Predicate Abstraction  Example  Uses of predicate abstraction  Naïve solution

Overview  Enables applying finite- state model checkers to programs written in mainstream languages  The use of predicate abstraction till now Goal: present an application of PA to shared variable concurrent software Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

Overview A symmetry aware predicate abstraction:  Consider the replicated structure of a C program consists of many threads  Generate a boolean program Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

Predicate Abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

Predicate Abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

Predicate Abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

Example Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

Example Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

Example Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

Example Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

Example Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution (1,1) (2,1) (1,0,0) (0,1,0)

Uses of predicate abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution  Predicate abstraction introduces as a way of dealing with data state explosion  It turns C programs into finite state boolean programs which can be model checked  Analyzing sequential software:  In the SLAM project at Microsoft, using this approach, was able to discover numerous control- dominated errors in low level operating system code.

Uses of predicate abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution  The bottleneck of PA in shared variable concurrent programs:  the exponential dependence of the generate state apace on the number of running threads.  Solution – exploit symmetry

Uses of predicate abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

Uses of predicate abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution  We present program as code fragments that declare shred and local variables.  such code is to be understood as a procedure to be executed by any number of threads  The code can declare shared variables – declared at the global scope (the complete program)  Can declare local variables (within the procedure)

Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution  Since the program B is executed by parallel threads its variables have to be partitioned into “shared” and “local”.  The “shared” and “local” attribute of B’s variables depend on the attributes of P’s variables a predicate is formulated over.  Definition: - A local predicate refers solely to a local C program variables - A shared predicate refers solely to a shared C program variables - A mixed predicate is neither local nor shared.

Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution  Definition: - A local predicate refers solely to a local C program variables - A shared predicate refers solely to a shared C program variables - A mixed predicate is neither local nor shared. Example to mix predicate: let s and l be a shared and local variables respectively. b is a boolean corresponding to the predicate: s != l Thus b is a mix variable

Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution shared int s = 0; local int l = 1; assert s != l; ++s; local bool b = 1; assert b; b = b ? * : 1 ;

Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution shared int s = 0; local int l = 1; assert s != l; ++s; local bool b = 1; assert b; b = b ? * : 1 ;

Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution shared int s = 0; shared bool t = 0; local int l = 0; If * then if t then assert s != l; l = s + 1; t = 1; shared bool b = 1; shared bool t = 0; If * then if t then assert ! b; b = 0; t = 1;

Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution shared int s = 0; shared bool t = 0; local int l = 0; If * then if t then assert s != l; l = s + 1; t = 1; shared bool b = 1; shared bool t = 0; If * then if t then assert ! b; b = 0; t = 1;

Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

 The assertion in this program cannot cannot be violated  We can prove that over a set od non mixed predicates, no invariant is computable that is strong enough to prove s == l. Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution 0: shared int s = 0; 1: shared int r = 0; 2: local int l = 0; 3: ++r; 4: if ( r == 1 ) then 5: ++s; ++l; 6: assert s == l; 7: goto 5

Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

Naïve solution - summarize Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution  Mixed predicate as local  Make unsound abstraction  Mixed predicate as shared  Make unsound abstraction  Use only shared or local predicate  Cannot verify a simple bug-free program  Instantiate the template as the number of threads  The program is no longer symmetric – cause state explosion  Symmetry oblivious – will not scale beyond a very small number of threads

Symmetry Aware Predicate Abstraction

 Definitions  Mixed predicate and notify all updates  Implementing Notify-All updates  The predicate abstraction algorithm

Definitions Definitions Mixed predicate Notify All implementation The algorithm

Definitions Mixed predicate Notify All implementation The algorithm

Mix predicates and Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

Mix predicates and Notify-All updates We have noticed that mixed predicate are tracked in local variables Why? Declaring b i shared would lose information, declaring it local doesn’t – though, it is insufficient to guarantee a sound abstraction.  This is a problem we can solve! Definitions Mixed predicate Notify All implementation The algorithm

Mix predicates and Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

Mix predicates and Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

Mix predicates and Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

Mix predicates and Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

Implementing Notify-All updates Implementing Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

Implementing Notify-All updates Implementing Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

Implementing Notify-All updates Implementing Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

The Algorithm Definitions Mixed predicate Notify All implementation The algorithm

The Algorithm Definitions Mixed predicate Notify All implementation The algorithm Indexes of all the predicate that that effected by v

The Algorithm Definitions Mixed predicate Notify All implementation The algorithm When v is shared, indexes of mixed predicate s.t the corresponding boolean predicate is local and needs to be updated separately

Symmetry Aware Predicate Abstraction with Aliasing

 Assumptions  Definitions  The algorithm

Assumptions Assumptions Definitions The algorithm

Definitions Assumptions Definitions The algorithm

Predicate Abstraction Algorithm with Aliasing Assumptions Definitions The algorithm

must_notify  Again, we need to determine whether an update affects the truth of a predicate only for the threads executing the update, or for all threads.  We need to define must_notify like we did without aliasing. Assumptions Definitions The algorithm

must_notify – first try  The previous definition (without aliasing) was: So, we can try to adapt it to this situation with the new definitions: Assumptions Definitions The algorithm

must_notify – first try Assumptions Definitions The algorithm

must_notify – second try Assumptions Definitions The algorithm

The Algorithm Assumptions Definitions The algorithm

The CEGAR loop

The CEGAR Loop  Reminder  Adept CEGAR loop to handle concurrency

Remainder T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious Remainder CEGAR loop with concurrency

Remainder T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious Remainder CEGAR loop with concurrency

Remainder T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious Remainder CEGAR loop with concurrency

Remainder T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious Remainder CEGAR loop with concurrency

spurious counterexample x1x1 x2x2 y1y1 y2y2 X Y Considering the counterexample Y  X  Y : This path exists only in the abstract model Remainder CEGAR loop with concurrency

Remainder T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious Remainder CEGAR loop with concurrency

Remainder T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious Remainder CEGAR loop with concurrency

Adept CEGAR loop to handle concurrency  Model checking boolean broadcast program  Simulation  Refinement Remainder CEGAR loop with concurrency

Model checking boolean broadcast program  We can no longer use existing concurrent Boolean program model checkers such as Boom (*).  A prototype extension of Boom which called B-Boom can overcome the problem that the new syntax and semantics for broadcasts created.  B-Boom extends the capabilities of Boom to support broadcast operations. Remainder CEGAR loop with concurrency

Simulation  The existing S AT A BS simulator:  extracts the control flow from the trace  Mapped it back to the original C program  Translate it into a propositional formula The error is spurious exactly if the formula is unsatisfiable  For concurrent case the control flow information of an abstract trace includes which thread executes actively in each steps.  An extended version of the S AT A BS create a trace over a replicated C program which can be checked using SAT Remainder CEGAR loop with concurrency

Refinement  The implementation performs refinement by extracting new predicates from counterexample via WP calculations. Remainder CEGAR loop with concurrency

Experimental results

 Symmetry-aware vs. Symmetry oblivious  Sound abstraction vs. unsound abstraction

Symmetry aware vs. Symmetry oblivious Reminder: SOPA: an n-thread symmetric concurrent program expanded so that variables for all threads are explicitly duplicated and n copies of all non-shared predicate are generated.

Sound Abs vs. Unsound Abs Reminder: we saw Unsound Abstraction in the two naïve solutions to the mixed predicate problem.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.