Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley.

Slides:



Advertisements
Similar presentations
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Advertisements

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Introducing BLAST Software Verification John Gallagher CS4117.
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Proofs and Counterexamples Rupak Majumdar. In the good old days… Decision Procedure  yes no.
Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.
Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.
Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.
Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
Lazy Predicate Abstraction in BLAST John Gallagher CS4117.
SLAM Over the Summer Wes Weimer (Tom Ball, Sriram Rajamani, Manuvir Das)
An Evaluation of BLAST John Gallagher CS4117. Overview BLAST incorporates new, fascinating and complex technology. The engine and external components.
Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.
Counter Example Guided Refinement CEGAR Mooly Sagiv.
Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented.
Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Temporal-Safety Proofs for Systems Code Thomas A. Henzinger Ranjit Jhala Rupak Majumdar George Necula Westley Weimer Grégoire Sutre UC Berkeley.
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
Thread-Modular Verification Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund.
Lazy Abstraction Lecture 2: Modular Analyses Ranjit Jhala UC San Diego With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
Witness and Counterexample Li Tan Oct. 15, 2002.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Lazy Abstraction Tom Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre.
Ranjit Jhala Rupak Majumdar Interprocedural Analysis of Asynchronous Programs.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Lazy Abstraction Lecture 3 : Partial Analysis Ranjit Jhala UC San Diego With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
Program Verification by Lazy Abstraction Ranjit Jhala UC San Diego Lecture 1 With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre, Adam Chlipala.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
By D. Beyer et. al. Simon Fraser University (Spring 09) Presentation By: Pashootan Vaezipoor.
Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.
50.530: Software Engineering
Languages of nested trees Swarat Chaudhuri University of Pennsylvania (with Rajeev Alur and P. Madhusudan)
Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.
Survey on Trace Analyzer (2) Hong, Shin /34Survey on Trace Analyzer (2) KAIST.
Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.
Lazy Abstraction Jinseong Jeon ARCS, KAIST CS750b, KAIST2/26 References Lazy Abstraction –Thomas A. Henzinger et al., POPL ’02 Software verification.
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai.
SMT and Its Application in Software Verification (Part II) Yu-Fang Chen IIS, Academia Sinica Based on the slides of Barrett, Sanjit, Kroening, Rummer,
Grigore Rosu Founder, President and CEO Professor of Computer Science, University of Illinois
Ranjit Jhala Rupak Majumdar Interprocedural Analysis of Asynchronous Programs.
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
Counter Example Guided Refinement CEGAR Mooly Sagiv.
#1 Having a BLAST with SLAM. #2 Software Model Checking via Counter-Example Guided Abstraction Refinement Topic: Software Model Checking via Counter-Example.
The software model checker BLAST Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Presented by Yunho Kim TexPoint fonts used in EMF. Read.
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
Having a BLAST with SLAM
runtime verification Brief Overview Grigore Rosu
Over-Approximating Boolean Programs with Unbounded Thread Creation
CSCI1600: Embedded and Real Time Software
Abstractions from Proofs
Program Verification by Lazy Abstraction
Abstraction, Verification & Refinement
Software Verification with BLAST
Predicate Abstraction
BLAST: A Software Verification Tool for C programs
Presentation transcript:

Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley

Mars, July 4, 1997 Lost contact due to real-time priority inversion bug Mars, December 3, 1999 Crashed due to uninitialized variable

French Guyana, June 4, 1996 $600 million software failure

Something Reliable Uptime: 67 years

Why don’t Bridges Crash ? Building Blocks 1.Relevant facts* 2.Model 3.Analysis Mass, Tensile Strength Free Body Diagram Solve Equations Logic Mechanics ?????? * w.r.t. property of interest BridgesPrograms Abstraction

Contributions Search Refine C Program Safe Trace Yes No Property [POPL 02] [POPL 04] BLAST Property

Property 1: Double Locking “An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock.” Calls to lock and unlock must alternate. lock unlock

Property 2: Drop Root Privilege “User applications must not run with root privilege” When execv is called, must have suid  0 [Chen-Dean-Wagner ’02]

Property 3 : IRP Handler [Fahndrich] MPR3 CallDriver MPR completion synch not pending returned SKIP2 IPC CallDriver Skip return child status DC Complete request return not Pend PPC prop completion CallDriver N/A no prop completion CallDriver start NP return Pending NP MPR1 MPR completion SKIP2 IPC CallDriver DC Complete request PPC prop completion CallDriver N/A no prop completion CallDriver start P Mark Pending IRP accessible N/A synch SKIP1 CallDriver SKIP1 Skip MPR2 MPR1 NP MPR3 CallDriver not pending returned MPR2 synch

Property 4: Data Races  x:= x+1   x:= x+1   x:= x-5  x:= x-5  x A data race on x is a state where: 1.Two threads can access x 2.One of the accesses is a write There should be no races on shared variables

Contributions Safe Yes No Trace BLAST Program Property Sequential Programs Counterex.-Guided Abstraction-Refinement For large programs, complex properties New Algorithms: Abstraction [POPL 02],Refinement [POPL 04] Property 1: Double Locking (Linux/Windows Drivers) Property 2: Drop Root Privilege (Linux Daemons ~59kloc) – Precise: No false Errors Property 3: IRP Handler (NT Drivers ~130Kloc) – Large Programs

Contributions Safe Yes No Trace BLAST Program Property Multithreaded Programs New models for thread interactions New algorithms to compute models and Verify multithreaded programs [CAV 03] [PLDI 04] Property 4: Data Races Linux/Windows Drivers Sensor Network Apps. (TinyOS/NesC) ~10kloc Arbitrarily many threads Any synchronization mechanisms Real counterexamples, Safety Proofs

Plan 1. C.G. Abstraction-Refinement 2. Lazy Abstraction Sequential Programs Multithreaded Programs 3. Future Work

Example Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return; } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return; } lock unlock

What a program really is… State Transition 3: unlock(); new++; 4:} … 3: unlock(); new++; 4:} … pc lock old new q  3   5  0x133a pc lock old new q  4   5  6  0x133a Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return;} Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4: } while(new != old); 5: unlock (); return;}

The Safety Verification Problem Initial Error Is there a path from an initial to an error state ? Problem: Infinite state graph Solution : Set of states ' logical formula Safe

Idea 1: Predicate Abstraction Predicates on program state: lock old = new States satisfying same predicates are equivalent –Merged into one abstract state #abstract states is finite [Graf-Saidi 97]

Abstract States and Transitions State 3: unlock(); new++; 4:} … 3: unlock(); new++; 4:} … pc lock old new q  3   5  0x133a pc lock old new q  4   5  6  0x133a lock old=new : lock : old=new Theorem Prover

Abstraction State 3: unlock(); new++; 4:} … 3: unlock(); new++; 4:} … pc lock old new q  3   5  0x133a pc lock old new q  4   5  6  0x133a lock old=new : lock : old=new Theorem Prover Existential Lifting

Abstraction State 3: unlock(); new++; 4:} … 3: unlock(); new++; 4:} … pc lock old new q  3   5  0x133a pc lock old new q  4   5  6  0x133a lock old=new : lock : old=new

Analyze Abstraction Analyze finite graph Over Approximate: Safe ) System Safe No false negatives Problem Spurious counterexamples

Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction ! [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01]

1. Add predicates to distinguish states across cut 2. Build refined abstraction Solution Use spurious counterexamples to refine abstraction [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01] Idea 2: Counterex.-Guided Refinement Imprecision due to merge

Iterative Abstraction-Refinement 1. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample 3. Repeat search Till real counterexample or system proved safe Solution Use spurious counterexamples to refine abstraction [Kurshan et al 93] [Clarke et al 00] [Ball-Rajamani 01]

Plan 1. C.G. Abstraction-Refinement 2. Lazy Abstraction Sequential Programs [POPL 02] [POPL04] Multithreaded Programs 3. Future Work

[POPL 02] [POPL 04] Scaling Sequential Verification Abstract Refine C Program Safe Trace Yes No Property BLAST

Problem: Abstraction is Expensive Reachable Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Observe Fraction of state space reachable #Preds ~ 100’s, #States ~ 2 100, #Reach ~ 1000’s

Safe Solution Build abstraction during search Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution1 : Only Abstract Reachable States

Solution Don’t refine error-free regions Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution2: Don’t Refine Error-Free Regions Error Free

Key Idea: Reachability Tree Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. Initial

Key Idea: Reachability Tree Error Free Unroll Abstraction 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. Initial

Key Idea: Reachability Tree Error Free SAFE Unroll 1. Pick tree-node (=abs. state) 2. Add children (=abs. successors) 3. On re-visiting abs. state, cut-off Find min spurious suffix - Learn new predicates - Rebuild subtree with new preds. S1 : Only Abstract Reachable States S2: Don’t refine error-free regions Initial

Build-and-Search Predicates: LOCK : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 Reachability Tree

Build-and-Search Predicates: LOCK : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 lock() old = new q=q->next LOCK 2 2 Reachability Tree

Build-and-Search Predicates: LOCK : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 LOCK 2 2 [q!=NULL] 3 3 Reachability Tree

Build-and-Search Predicates: LOCK : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 LOCK q ->data = new unlock() new : LOCK Reachability Tree

Build-and-Search Predicates: LOCK : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 LOCK : LOCK [new==old] 5 5 Reachability Tree

Build-and-Search Predicates: LOCK : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 LOCK : LOCK 5 5 unlock() : LOCK Reachability Tree

Analyze Counterexample Predicates: LOCK : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 LOCK : LOCK 5 5 Reachability Tree lock() old = new q=q->next [q!=NULL] q ->data = new unlock() new++ [new==old] unlock()

Analyze Counterexample Predicates: LOCK : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 LOCK : LOCK 5 5 [new==old] new++ old = new Inconsistent new == old Reachability Tree

Repeat Build-and-Search Predicates: LOCK, new==old : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 Reachability Tree

Repeat Build-and-Search Predicates: LOCK, new==old : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 LOCK, new==old 2 2 lock() old = new q=q->next Reachability Tree

Repeat Build-and-Search Predicates: LOCK, new==old : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 LOCK, new==old q ->data = new unlock() new++ : LOCK, : new = old Reachability Tree

Repeat Build-and-Search Predicates: LOCK, new==old : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 LOCK, new==old : LOCK, : new = old [new==old] Reachability Tree

Repeat Build-and-Search Predicates: LOCK, new==old : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } 1 1 LOCK, new==old : LOCK, : new = old : LOCK, : new == old 1 [new!=old] 4 Reachability Tree

Repeat Build-and-Search Predicates: LOCK, new==old : LOCK Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } Example ( ) { 1: do{ lock(); old = new; q = q->next; 2: if (q != NULL){ 3: q->data = new; unlock(); new ++; } 4:}while(new != old); 5: unlock (); } LOCK, new=old 4 4 : LOCK, new==old 5 5 SAFE Reachability Tree LOCK, new==old : LOCK, : new = old : LOCK, : new == old

[POPL 02] Scaling Sequential Verification Abstract Refine C Program Safe Trace Yes No Property Key Idea: Reachability Tree Solution: 1. Abstract reachable states, 2. Avoid refining error-free regions Problem: Abstraction is Expensive

Results Program Lines * Previous Time(mins) Time (mins) Predicates Total Average kbfiltr 12k floppy 17k diskprf 14k cdaudio 18k parport 61kDNF parclss 138kDNF * Pre-processed Property3: IRP Handler Win NT DDK

Analyzing Programs Building Blocks 1.Relevant facts* 2.Model 3.Analysis Logic Predicates Reach Tree Search * w.r.t. property of interest Programs Abstraction

Plan 1. C.G. Abstraction-Refinement 2. Lazy Abstraction Sequential Programs [POPL 02, POPL 04] Multithreaded Programs 3. Future Work

Multithreaded Programs Curse of Interleaving Non-deterministic scheduling Exponentially many behaviors Errors are hard to detect, reproduce, eliminate Testing exercises a tiny fraction of possible behaviours Thread Shared Memory x Thread Thread

Data Races  x:= x+1   x:= x+1   x:= x-5  x:= x-5  x A data race on x is a state where: Two threads can access x One of the accesses is a write Unpredictable, undesirable program

Brute Force Approach Model Checking: Explore (abstract) State Space The curse of Interleavings #Control Combinations = m.n –250,000 if 500 lines/thread, ignoring predicates –3,4,5,…,k threads ? Unbounded threads ?

A Thread-Modular Approach Key Idea: Summarize each thread –Interactions with others w.r.t. property while(1){ atomic{ old := s; if(s==0){ s :=1; }  if(old==0){ x++; s :=0;} } while(1){ atomic{ old := s; if(s==0){ s :=1; }  if(old==0){ x++; s :=0;} } [PLDI 04] s=0 s0s0 s=1 s s,x Automaton on predicates on global variables

A Thread-Modular Approach Analysis Time » Thread £ Summary Problem: Find Summary which: 1.[Scalability] is small 2.[Verification] has all behaviors of thread

Verify (Thread || Other’s Summary) safe Control Combinations: Thread £ Summary –Small (if summary is small)

Check that Summaries are Valid safe µ µ

Thread-Modular Verification safe µ µ Assume-Guarantee [Owicki-Gries 73] [Jones 83] [Stark 85] [Abadi-Lamport 93] [Alur-Henzinger 96] [McMillan 97] [Flanagan-Qadeer 01] Q: Finding Summaries ?

Data Races in NesC Programs [PLDI 04] PL for Networked Embedded Systems [Gay et al. 03] –TinyOS Sensor Networks Applications Interrupts fire events, which fire other events or post tasks which run asynchronously Race-freedom important –Non-trivial synchronization idioms –Flow-based analysis Compiled to C

Case Study: sense.nc atomic{ old:= state; if(state==0){ state:=1; }  if(old==0){ x++;  atomic{ old:= state; if(state==0){ state:=1; }  if(old==0){ x++;  Interrupt 1 fires  old := state if (state ==0){ state := 1  If (old == 0){ about to write x Interrupt 2 fires  state := 0 Interrupt 1 fires  old := state if (state ==0){ state := 1  If (old == 0){ about to write x Interrupt 1 handler disables interrupt 2 BLAST finds information - proves no races [PLDI 04]

Analyzing Programs Building Blocks 1.Relevant facts* 2.Model 3.Analysis Logic Predicates Reach Tree Search * w.r.t. property of interest Programs Abstraction Predicates Summary Thread-Modular Multithreaded

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.