Verifying Concurrent Message- Passing C Programs with Recursive Calls Sagar Chaki, Edmund Clarke, Nicholas Kidd, Thomas Reps, and Tayssir Touili

Our Contributions New model-checking techniques for Communicating Pushdown Systems  Multi-level semi-decision procedure Addresses 3 challenging verification issues  Large and infinite domains  Recursion  Concurrency and synchronization Implemented on top of model checker MAGIC

Real Bugs! 2 process race condition found in Windows NT Bluetooth Driver [KISS 04] New 3 process race condition found in “corrected” version of Windows NT Bluetooth driver  Found while attempting to verify the driver

Model checking Program is a collection of states Program statements define transitions in state space

Model checking Predicate abstraction generates model of program Check model against a specification Model Spec

Concurrent model checking Multiple transition systems Model 1Model 2 Predicate abstraction generates multiple models Combine models and check specification Spec

Related Work SLAM  No concurrency BLAST and MAGIC  No recursion KISS  2 context switches k-bounded context switches  Under-approximation  No implementation

Outline Pushdown Systems Review Communicating Pushdown Systems Experiments

Pushdown Systems (PDS) Finite state machine with a stack (P, ,  ) P = {p, q,...} : finite set of states      : finite set of stack symbols Configuration c   P £  *   : finite set of rules µ (P £  ) £ (P £  * )  if h p,   i ! h q,   i then h p,    i ) h q,    i     *

Pushdown System from a CFG void f() { if( e 1 ) { message a f() message b } f enter message a e1e1 f exit message b call f ret f

PDS encoding of function f  p,f enter  !  p,e 1  f enter message a e1e1 f exit message b call f ret f  p,message b  !  p,f exit   p,ret f  !  p,message b   p,e 1  !  p,message a   p,e 1  !  p,f exit   p,call f  !  p,f enter ret f   p,message a  !  p,call f   p,f exit  !  p, " 

PDS encoding of a CFG Intraprocedural edge  p,  1  p,    Interprocedural call edge  p,  1  p,      Interprocedural return edge  p,  1  p,  f enter message a e1e1 f exit message b call f ret f

PDS Reachability Queries Let C be a set of PDS configurations {c 1, …, c n } pre*(C) backwards reachability from C post*(C) forwards reachability from C If C is regular, then pre*(C) (post*(C)) is regular

PDS Reachability Example f enter message a e1e1 f exit message b call f ret f f enter p ret f f enter, e 1, message a, call f p ret f f enter, e 1, message a, call f, messageb, ret f, f exit, " message b, ret f, f exit, "

Model checking PDS Is C reachable from C? If C is regular, then pre*(C) is regular Model checker checks configuration reachability I.e., is C  pre*(C) = 

Concurrent Message-Passing Program void f() { if( e 1 ) { message a f() message b } void g() { if( e 2 ) { message a message b g() } else { message b }

Reachability isn’t enough! Does not capture inter-process synchronization Must associate synchronization messages with execution paths Solution - Communicating Pushdown Systems  Model a process by language of synchronization messages  Language intersection checks inter-process reachability

Outline Review of Pushdown Systems Communicating Pushdown Systems Experiments

Communicating Pushdown Systems (CPDS) CPDS CP is a tuple of PDSs  1  …,  n  Global configuration of CP is a tuple of PDS configurations g =  c 1  …, c n  Set of global actions (Act) = {Lab}  {Lab} set of synchronizing actions  represents an internal action

Concurrent Message-Passing Program void f() { if( e 1 ) { message a f() message b } void g() { if( e 2 ) { message a message b g() } else { message b }

CPDS for Message-Passing Program CP = (P f, P g ) Configuration g = (c f,c g ) Act = {a, b,  }

Reachability Analysis of CPDS “From  c 1  c 2 , is  c 1  c 2  reachable?” True if L  c 1  c 1   L  c 2  c 2  [BET03] L 1 = L  c 1  c 1  & L 2 =L  c 2  c 2  What is L 1 & L 2 ?

Process’s Language of Messages void f() { if( e 1 ) { message a f() message b } L( f ) " ab aabb aaabbb aaaabbbb 

Language of Synchronizing Messages void f() { if( e 1 ) { message a f() message b } L( f )  a k b k

Generating the Process Language Use Weighted Pushdown System  Associates weight to each valid path  Reachability query returns “combined” weight over all valid paths  “Combined” weight is the language of synchronizing messages for each process

Language of Synchronizing Messages void f() { if( e 1 ) { message a f() message b } L( f )  a k b k

Language of Reachability in WPDS f enter message a e1e1 f exit message b call f ret f L(  p,f enter ,  p, f exit  )  a k b k

Problem: L 1  L 2 =  is undecidable! L(  p,f enter ,  p, f exit  )  akbk  akbkakbk  akbk f enter message a e1e1 f exit message b call f ret f f enter message a e1e1 f exit message b call f ret f

Multi-level semi-decision procedure Level 1 in MAGIC  Extract CPDS from C program  Query Level 2 Level 2 in WPDS++  use CounterExample Guided Abstraction Refinement (CEGAR)  Over-approximate L i as A i using i th -prefix  A i is regular because it is finite!

i th -prefix Associate finite string to each path in WPDS String length can be at most i  Bounded string concatenation Over-approximates CFL for a process  Separate concrete from abstract strings Defines a set of refinable finite chain abstractions

i th -prefix - 2 recursive calls f enter message a e1e1 f exit message b call f ret f i ∞ = aabb i 5 = aabb i 3 = aab  3 (aab) = aab(a+b)*

i th -prefix L(  p,f enter ,  p, f exit  ) f enter message a e1e1 f exit message b call f ret f i 1 = { ", a } i 2 = { ", aa, ab } i 3 = { ", ab, aaa, aab } i 4 = { ", ab, aaaa, aaab, aabb } i 5 = { ", ab, aabb, aaaaa, aaaab, aaabb } …

Level 2 CEGAR semi-decision procedure Given CP,  c 1  c 2 , and  c 1  c 2  Let C i = c i  Pre*(P i, c i ) Let A i =  over all paths in C i Let I = A 1  A 2

Level 2 CEGAR semi-decision procedure If I =  then L 1  L 2 =  L(  c 1  c 2 ,  c 1  c 2  )  I If I contains concrete string, report back the shortest counterexample Else, increment i and repeat

CPDS Example L(  p,f enter ,  p, f exit  )L(  p,g enter ,  p, g exit  )  f enter message a e1e1 f exit message b call f ret f g enter message a e2e2 g exit message b call g ret g

CPDS Example i 1 = { ", a}i 1 = {a, b} L(  p,f enter ,  p, f exit  )L(  p,g enter ,  p, g exit  )  f enter message a e1e1 f exit message b call f ret f g enter message a e2e2 g exit message b call g ret g

CPDS Example  1 (i 1 = { ", a}) = " +a(a+b)*  1 ( i 1 = {a,b}) = (a+b)(a+b)* L(  p,f enter ,  p, f exit  )L(  p,g enter ,  p, g exit  )  f enter message a e1e1 f exit message b call f ret f g enter message a e2e2 g exit message b call g ret g

CPDS Example i 2 = { ",ab}i 2 = {b,ab} L(  p,f enter ,  p, f exit  )L(  p,g enter ,  p, g exit  )  f enter message a e1e1 f exit message b call f ret f g enter message a e2e2 g exit message b call g ret g

CPDS Example i 3 = { ",ab,aaa,aab}i 3 = {b,aba,abb} L(  p,f enter ,  p, f exit  )L(  p,g enter ,  p, g exit  )  f enter message a e1e1 f exit message b call f ret f g enter message a e2e2 g exit message b call g ret g

CPDS Example =  i 3 = { ",ab,aaa,aab}i 3 = {b,aba,abb} L(  p,f enter ,  p, f exit  )L(  p,g enter ,  p, g exit  )  f enter message a e1e1 f exit message b call f ret f g enter message a e2e2 g exit message b call g ret g

Experiment - Bluetooth Driver Abstract Bluetooth driver from Windows NT  Reentrant multi-threaded library  Has known bug -- found by KISS [QW04]  Two handler processes: receive one request each  2 context switches: RUN; STOP; RUN   Modeled with a CPDS  Counterexample consists of 8 actions  Found in 5 seconds, using 334 MB

Bluetooth CPDS Model CPDS uses 5 processes Two handler processes  RUN  STOP Three processes that model global variables  2 Booleans  1 integer counter

Experiment 2 – Revised Bluetooth Driver “Corrected” version of model in which KISS found a bug Challenge: Could we verify that it was correct? Answers obtained by CPDS model checking:  For 2 processes (RUN, STOP) … correct!  For 3 processes (RUN1, RUN2, STOP) … incorrect  Six processes in CPDS model  Three handler processes (RUN1, RUN2, STOP)  Three processes for globals (2 Booleans, 1 integer counter) Counterexample consisted of 14 actions Found in 20 seconds, using 391 MB

“Correct” Bluetooth Bug n0: rc = atomicIncr(); n1: if( rc ) { n2: // do work n3: assert(Counter); } n4: atomicDecr(); RUN1STOPRUN2 n2 decr; wait; n1 n4 cleanup n3  Counter: 0Counter: 1Counter: 2Counter: 1

Conclusion Model each process as a language of messages L1L1 L2L2 Combine languages via intersection Reachability is emptiness of intersection  = Ø?

Questions?

Thank You Nicholas Kidd University of Wisconsin-Madison