On Sequentializing Concurrent Programs (Bounded Model Checking) Gennaro Parlato University of Southampton, UK UPMARC 7 th Summer School on Multicore Computing,

Slides:



Advertisements
Similar presentations
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
© 2007 Eaton Corporation. All rights reserved. LabVIEW State Machine Architectures Presented By Scott Sirrine Eaton Corporation.
Ermenegildo Tomasco University of Southampton, UK Omar Inverso University of Southampton, UK Bernd Fischer Stellenbosch University, South Africa Salvatore.
Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC 1.22 (Competition Contribution)
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
© 2012 Carnegie Mellon University Introduction to CBMC Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel November.
Reducing Context-bounded Concurrent Reachability to Sequential Reachability Gennaro Parlato University of Illinois at Urbana-Champaign Salvatore La Torre.
Verification for Concurrency Part 2: Incomplete techniques and bug finding.
The Tree-Width of auxiliary storage Gennaro Parlato (University of Southampton, UK) Joint work: P. Madhusudan – UIUC, USA.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Testing and Analysis of Device Drivers Supervisor: Abhik Roychoudhury Author: Pham Van Thuan 1.
The Language Theory of Bounded Context-Switching Gennaro Parlato (U. of Illinois, U.S.A.) Joint work with: Salvatore La Torre (U. of Salerno, Italy) P.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
On Sequentializing Concurrent Programs Ahmed Bouajjani LIAFA, University of Paris 7, France LIAFA, University of Paris 7, France Michael Emmi LIAFA, University.
The Tree-Width of automata with auxiliary storage Gennaro Parlato (LIAFA, CNRS, Paris, France) joint work with P. Madhusudan (Univ of Illinois at Urbana-Champaign,
Lazy-CSeq A Lazy Sequentialization Tool for C Omar Inverso University of Southampton, UK Ermenegildo Tomasco University of Southampton, UK Bernd Fischer.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
1/25 Context-Bounded Analysis of Concurrent Queue Systems Gennaro Parlato University of Illinois at Urbana-Champaign Università degli Studi di Salerno.
Counterexample Generation for Separation-Logic-Based Proofs Arlen Cox Samin Ishtiaq Josh Berdine Christoph Wintersteiger.
Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Model Checking for Embedded Systems Edmund Clarke, CMU High-Confidence Embedded Systems Workshop, May 1 st.
Verifying Concurrent Programs by Memory Unwinding Ermenegildo Tomasco University of Southampton, UK Omar Inverso University of Southampton, UK Bernd Fischer.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.
Language Evaluation Criteria
Scope-Bounded Pushdown Languages Salvatore La Torre Università degli Studi di Salerno joint work with Margherita Napoli Università degli Studi di Salerno.
Model Checking Embedded Systems
Introduction to Threads CS240 Programming in C. Introduction to Threads A thread is a path execution By default, a C/C++ program has one thread called.
Scientific Computing By: Fatima Hallak To: Dr. Guy Tel-Zur.
Scope-bounded Multistack Pushdown Systems: - fixed-point - sequentialization - tree-width 1 Salvatore La Torre Gennaro Parlato (U. Salerno, Italy) (U.
On Sequentializing Concurrent Programs Gennaro Parlato University of Southampton, UK UPMARC 7 th Summer School on Multicore Computing, June 8-10, 2015.
Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.
Compositionality Entails Sequentializability Pranav Garg, P. Madhusudan University of Illinois at Urbana-Champaign.
Getting Rid of Store-Buffers in TSO Analysis Mohamed Faouzi Atig Uppsala University, Sweden Ahmed Bouajjani LIAFA, University of Paris 7, France LIAFA,
Bounded Model Checking of Multi-Threaded C Programs via Lazy Sequentialization Omar Inverso University of Southampton, UK Ermenegildo Tomasco University.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
Error Explanation with Distance Metrics Authors: Alex Groce, Sagar Chaki, Daniel Kroening, and Ofer Strichman International Journal on Software Tools for.
© 2006 Carnegie Mellon University Introduction to CBMC: Part 1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel,
Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.
Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.
Bernd Fischer RW714: SAT/SMT-Based Bounded Model Checking of Software.
© Anvesh Komuravelli Spacer Model Checking with Proofs and Counterexamples Anvesh Komuravelli Carnegie Mellon University Joint work with Arie Gurfinkel,
Bernd Fischer RW714: SAT/SMT-Based Bounded Model Checking of Software.
The software model checker BLAST Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Presented by Yunho Kim TexPoint fonts used in EMF. Read.
A Single Intermediate Language That Supports Multiple Implemtntation of Exceptions Delvin Defoe Washington University in Saint Louis Department of Computer.
On Sequentializing Concurrent Programs
Lazy Sequentialization via Shared Memory Abstractions
Verification for Concurrent Programs
SS 2017 Software Verification Bounded Model Checking, Outlook
Sequentializing Parameterized Programs
Harry Xu University of California, Irvine & Microsoft Research
Sequentialization by Read-implicit Coarse-grained Memory Unwindings
Ermenegildo Tomasco1, Truc L
Over-Approximating Boolean Programs with Unbounded Thread Creation
Lazy Sequentialization Unbounded Concurrent Programs
An explicit state model checker
A Refinement Calculus for Promela
A Lazy Sequentialization Tool for Unbounded Context Switches
Predicate Abstraction
Model Checking and Its Applications
Presentation transcript:

On Sequentializing Concurrent Programs (Bounded Model Checking) Gennaro Parlato University of Southampton, UK UPMARC 7 th Summer School on Multicore Computing, June 8-10, 2015

Concurrent Programs - Reachability Problem concurrent C programs POSIX threads SC memory model reachability assertion failure out-of-bound array division-by-zero, … bounded model checking (BMC) bug-finding, not complete analysis SHARED MEMORY … T1T1 T2T2 TNTN THREADS

BMC approach – Sequential Programs Efficient tools for C BLITZ [ Cho, D'Silva, Song – ASE’13 ] CBMC [ Clarke, Kroening, Lerda – TACAS’04 ] LLBMC [ Falke, Merz, Sinz – ASE’13 ] ESBMC [ Cordeiro, Fischer, Marques-Silva – ASE’09 ] PROGRAM BOUNDED PROGRAM SAT/SMT FORMULA SOLVER inlining unrolling SSA form

direct SAT/SMT approach encode each thread as in the sequential case add a conjunct for shared memory operations all possible interleavings in the bounded program φ threads ∧ φ concurrency papers: [ Sinha, Wang – POPL’11 ] [ Alglave, Kroening, Tautschnig – CAV’13 ] BMC approach - Concurrent C Programs CONC PROGRAM BOUNDED PROGRAM SAT/SMT FORMULA SOLVER concurrency handling

Sequentialization pros reuse robust BMC sequential analysis tools fast prototyping of concurrency handling delegating all sequential reasoning to an existing target analysis tool easier to implement than full-fledged tools CONC PROGRAM BOUNDED PROGRAM SAT/SMT FORMULA SOLVER SEQ PROGRAM SEQUENTIALIZATION (code-to-code translation) BMC SEQ TOOL

SEQUENTIALIZATION (code-to-code translation) Sequentialization papers proposal [ Qadeer, Wu – PLDI’04 ] eager, bounded context-switch, finite # threads [ Lal, Reps – CAV’08 ] lazy, finite # threads, parameterized [La Torre, Madhusudan, Parlato – CAV’09, CAV’10] thread creation [Bouajjani, Emmi, Parlato – SAS’11] [Emmi, Qadeer, Rakamaric – POPL’11] Lal/Reps for real-time systems [Chaki, Gurfinkel, Strichman – FMCAD’11] message-passing programs [Bouajjani, Emmi -- TACAS’12] CONC PROGRAM BOUNDED PROGRAM SAT/SMT FORMULA SOLVER SEQ PROGRAM BMC SEQ TOOL

SEQUENTIALIZATION (code-to-code translation) Sequentialization BMC-based tools (Implementations of variants of Lal/Reps schema) Corral (microsoft research) [ Lal, Qadeer, Lahiri – CAV’12, FSE’14 ] Rek [ Chaki, Gurfinkel, Strichman – FMCAD’11 ] STORM [ Lahiri,Qadeer,Rakamaric CAV’09 ] CONC PROGRAM BOUNDED PROGRAM SAT/SMT FORMULA SOLVER SEQ PROGRAM BMC SEQ TOOL

Sequentialization We have designed new sequentializations targeting BMC scalable analyses + surprisingly simple Lazy-CSeq Memory Unwinding CONC PROGRAM BOUNDED PROGRAM SAT/SMT FORMULA SOLVER SEQ PROGRAM SEQUENTIALIZATION (code-to-code translation) BMC SEQ TOOL

Lazy-CSeq: Schema Overview (new sequentialization for BMC) [ Inverso–Tomasco–Fischer–La Torre–Parlato, CAV’14 ]

Lazy-CSeq Approach BOUNDED PROGRAM BMC SEQUENTIAL TOOL SEQ PROGRAM SEQUENTIALIZATION (code-to-code translation) CONC PROGRAM

Bounded Concurrent Programs main() T 0 TNTN T N-1 T1T1 … no loops no function calls Control flow only forward one procedure for each thread

Round Robin Schedule main() T 0 TNTN T N-1 T1T1 … Lazy-Cseq sequentialization: captures all bounded Round-Robin computations for a given bound error manifest themselves within very few rounds [ Musuvathi, Qadeer – PLDI’07 ] round 1 round 2 round k round 3

Schema Overview … main() T 0 T1T1 TNTN … F0F0 F1F1 FNFN main() bounded concurrent program “equivalent” Sequential program with non determinism Sequentialization (code-to-code translation) Sequentialized functions Driver translates …

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } main driver a global pc for each thread thread locals  thread global

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } main driver for each round for each thread T i simulate T i

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE.. M: CS(M); stmt M; main driver F i ()

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc i ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE.. M: CS(M); stmt M; main driver F i ()... context-switch resume mechanism

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(1); stmt0; 2: CS(2); stmt1; 3: CS(3); stmt2;.. E XE... M: CS(M); stmt M; main driver F i ()... Context-switch simulation: #define CS(j) if (*) { pc i =j; return; } Context-switch simulation: #define CS(j) if (*) { pc i =j; return; }

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(1); stmt0; 2: CS(2); stmt1; 3: CS(3); stmt2;.. E XE... M: CS(M); stmt M; main driver F i ()...

Naïve Lazy Sequentialization: CROSS PRODUCT SIMULATION pc 0 =0; pc 1 =0;... pc N =0; local 0 ; local 1 ;... local k ; main() { for (r=0; r<R; r++) for (k=0; k<N; k++) // simulate T k F k (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver... Formula encoding: goto statement to formula add a guard for each crossing control-flow edge = O(M 2 ) guards Formula encoding: goto statement to formula add a guard for each crossing control-flow edge = O(M 2 ) guards

pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver F i ()... CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION

pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver F i ()... CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION

pc 0 =0;... pc N =0; local 0 ;... local k ; main() { for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) F i (); } switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver F i ()... CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION

switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(1); stmt0; 2: CS(2); stmt1; 3: CS(3); stmt2;.. E XE... M: CS(M); stmt M; main driver F i ()... CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION #define CS(j) NEW if (j =nextCS) goto j+1; #define CS(j) NEW if (j =nextCS) goto j+1; pc 0 =0;... pc N =0; local 0 ;... local k ; nextCS; main() for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) nextCS = nondet; assume(nextCS>=pc i ) F i (); pc i = nextCS;

switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(1); stmt0; 2: CS(2); stmt1; 3: CS(3); stmt2;.. E XE... M: CS(M); stmt M; main driver F i () CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION #define CS(j) NEW if (j =nextCS) goto j+1; #define CS(j) NEW if (j =nextCS) goto j+1; pc 0 =0;... pc N =0; local 0 ;... local k ; nextCS; main() for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) nextCS = nondet; assume(nextCS>=pc i ) F i (); pc i = nextCS;

switch(pc k ) { case 0: goto 0; case 1: goto 1; case 2: goto 2;... case M: goto M; } 1: CS(0); stmt0; 2: CS(1); stmt1; 3: CS(2); stmt2;.. E XE... M: CS(M); stmt M; main driver F i () CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION #define CS(j) NEW if (j =nextCS) goto j+1; #define CS(j) NEW if (j =nextCS) goto j+1;... pc 0 =0;... pc N =0; local 0 ;... local k ; nextCS; main() for (r=0; r<K; r++) for (i=0; i<N; i++) // simulate T i if (active i ) nextCS = nondet; assume(nextCS>=pc i ) F i (); pc i = nextCS;

resuming + context-switch 1: CS(1); stmt1; 2: CS(2); stmt2; 3: CS(3); stmt3; EXECUTE M: CS(M); stmt M; nextCS... skip pc i... skip #define CS(j) NEW if (j =nextCS) goto j+1; #define CS(j) NEW if (j =nextCS) goto j+1; CSeq-Lazy Sequentialization: CROSS PRODUCT SIMULATION

Individual Threads Sequentialization 1: CS(1); stmt1; 2: CS(2); stmt2; 3: CS(3); stmt3; EXECUTE M: CS(M); stmt M;... Formula encoding: goto statement to formula add a guard for each crossing control-flow edge = O(M) guards Formula encoding: goto statement to formula add a guard for each crossing control-flow edge = O(M) guards

Individual Threads Sequentialization 1: CS(1); stmt1; 2: CS(2); stmt2; 3: CS(3); stmt3; EXECUTE M: CS(M); stmt M;... #define CS(j) if (j =next_CS) goto pc+1; #define CS(j) if (j =next_CS) goto pc+1; inject light-weight, non- invasive control code no non-determinism no assignments no return inject light-weight, non- invasive control code no non-determinism no assignments no return

Experiments

Evaluation: bug-hunting SVCOMP’14, Concurrency (UNSAFE instances) Lazy-CSeqConcurrent Tools UR BLITZ CBMC ESBMC LLBMC CBMC ESBMC Corral CSeq Threade r 27_Boop_simple_vf TO _buggy_simple_ _pthread5_vs TO2.2n/aTO 40_barrier_vf n/a0.8n/a0.7 49_bigshot_p n/a 50_bigshot_s n/a 53_fib_bench _fib_bench_longer _fib_bench_longest11 TO214.0TO 75.2TO n/a _lazy _qrcu safe0.7TO5.8safeTO 65_queue TO20.9TOn/a128.7n/a 67_read_write_lock safe0.4TO _reorder_ n/a1.30.7TO1.3n/a2.4 70_reorder_ n/a3.30.7TO1.9n/a3.5 72_sigma n/a TOn/a 73_singleton safe1.6TOn/a 75_stack TO _stateful TO _twostage_ n/a8.04.9TO3.6n/aTO

Evaluation: bug-hunting SVCOMP’14, Concurrency (UNSAFE instances) Lazy-CSeqConcurrent Tools UR BLITZ CBMC ESBMC LLBMC CBMC ESBMC Corral CSeq Threade r 27_Boop_simple_vf TO _buggy_simple_ _pthread5_vs TO2.2n/aTO 40_barrier_vf n/a0.8n/a0.7 49_bigshot_p n/a 50_bigshot_s n/a 53_fib_bench _fib_bench_longer _fib_bench_longest11 TO214.0TO 75.2TO n/a _lazy _qrcu safe0.7TO5.8safeTO 65_queue TO20.9TOn/a128.7n/a 67_read_write_lock safe0.4TO _reorder_ n/a1.30.7TO1.3n/a2.4 70_reorder_ n/a3.30.7TO1.9n/a3.5 72_sigma n/a TOn/a 73_singleton safe1.6TOn/a 75_stack TO _stateful TO _twostage_ n/a8.04.9TO3.6n/aTO

Remarks Lazy-CSeq is a new sequentialization targeted to BMC backends lazy based on bounded round-robin computations efficient for bug-hunting simple to implement (CSeq framework) Eager vs Lazy no empirical evidence that lazy is faster Lazy does not require an implementation of a memory model and handling of error checks (as opposed to LR sequentialization) Lazy-CSeq won 2 gold medals in the Concurrency category of the last two editions of the software verification competition SV-COMP all verification tasks solved 30x faster than the best tool with native concurrency handling

Sequentialization based on Memory Unwinding [ Tomasco–Inverso–Fischer–La Torre–Parlato, TACAS’15 ]

T1T2 T3 Interleaving semantics rxwxrxwyrxwxrywyryrxwywx run

T1T2 T3 From interleavings to memory unwinding rxwxrxwyrxwxrywy run ryrxwy accesses to shared memory writes rxwxrxwyrxwxrywyryrxwy wx ⇒ Memory unwinding models thread interaction history by data MEMORY UNWINDING wx wywx wy wx wywx wy

Memory unwindings as thread interfaces T1T2 Assume-guarantee reasoning style decomposition of verification TASK 1 TASK 2 T1 bounding parameter: # of shared write operations -most concurrency bugs exposed by few interactions [Lu, Park, Seo, Zhou – ASPLOS 2008]

Assume-guarantee reasoning T1T2 TASK 1 TASK 2 Thread T2 assumes: MU writes of other threads guarantees: its own MU writes  Task 1:Task 2: Thread T1 assumes: MU writes of other threads guarantees: its own MU writes

Verification using MU y=1 …. a=x x=1 …. for each write check: - right thread id - right variable - right value ensure all writes are matched for each read: - pick value from write in right range x=2 y=1 x=1 x=3 y=8 z=2 Checking assume-guarantee condition for each thread:

Simulating a thread against an MU y=1 …. a=x x=1 …. x=2 y=1 x=1 x=3 y=8 z=2 pc mc Global variable write – check against current MU entry void write(uint t, uint v, int val) { mc[t] = th_nxt_wr[t][mc[t]]; assume(var[mc[t]] == v); assume(val[mc[t]] == val); } pc void write(uint t, uint v, int val) { mc[t] = th_nxt_wr[t][mc[t]]; } mc

Simulating a thread against an MU y=1 …. a=x x=1 …. x=2 y=1 x=1 x=3 y=8 z=2 pc mc Local statement (no global variables) – update pc, keep mc pc

Simulating a thread against an MU y=1 …. a=x x=1 …. x=2 y=1 x=1 x=3 y=8 z=2 pc mc Global variable read – “pick write position in range” int read(uint t, uint v) { if (thr_terminated()) return 0; if (var_fst_wr[v]==0) return 0; uint r_from = *; assume((r_from <= last_wr_pos) && (r_from < th_nxt_wr[t][mc[t]])); assume(var[r_from] == v); if (r_from < mc[t]) assume(var_nxt_wr[r_from] > mc[t]); else { if (r_from < var_fst_wr[v]) return 0; mc[t] = r_from; }; return value[r_from]; } non- deterministic assignment

Simulating a thread against an MU y=1 …. a=x x=1 …. x=2 y=1 x=1 x=3 y=8 z=2 pc mc Global variable read – “pick write position in range” int read(uint t, uint v) { if (thr_terminated()) return 0; if (var_fst_wr[v]==0) return 0; uint r_from = *; assume((r_from <= last_wr_pos) && (r_from < th_nxt_wr[t][mc[t]])); assume(var[r_from] == v); if (r_from < mc[t]) assume(var_nxt_wr[r_from] > mc[t]); else { if (r_from < var_fst_wr[v]) return 0; mc[t] = r_from; }; return value[r_from]; }...before next write of thread... Check in unwinding...

Simulating a thread against an MU y=1 …. a=x x=1 …. x=2 y=1 x=1 x=3 y=8 z=2 pc mc Global variable read – “pick write position in range” int read(uint t, uint v) { if (thr_terminated()) return 0; if (var_fst_wr[v]==0) return 0; uint r_from = *; assume((r_from <= last_wr_pos) && (r_from < th_nxt_wr[t][mc[t]])); assume(var[r_from] == v); if (r_from< mc[t]) assume(var_nxt_wr[nxt_mc] > mc[t]); else { if (r_from< var_fst_wr[v]) return 0; mc[t] = r_from; }; return value[r_from]; }...before next write of thread......right variable...

Simulating a thread against an MU y=1 …. a=x x=1 …. x=2 y=1 x=1 x=3 y=8 z=2 pc mc Global variable read – “pick write position in range” int read(uint t, uint v) { if (thr_terminated()) return 0; if (var_fst_wr[v]==0) return 0; uint r_from = *; assume((r_from <= last_wr_pos) && (r_from < th_nxt_wr[t][mc[t]])); assume(var[r_from] == v); if (r_from < mc[t]) assume(var_nxt_wr[r_from] > mc[t]); else { if (r_from < var_fst_wr[v]) return 0; mc[t] = r_from; }; return value[r_from]; }...right variable......next write of variable in future...

Simulating a thread against an MU y=1 …. a=x x=1 …. x=2 y=1 x=1 x=3 y=8 z=2 pc mc Global variable read – “pick write position in range” int read(uint t, uint v) { if (thr_terminated()) return 0; if (var_fst_wr[v]==0) return 0; uint r_from = *; assume((r_from <= last_wr_pos) && (r_from < th_nxt_wr[t][mc[t]])); assume(var[r_from] == v); if (r_from < mc[t]) assume(var_nxt_wr[r_from] > mc[t]); else { if (r_from < var_fst_wr[v]) return 0; mc[t] = r_from; }; return value[r_from]; }...before next write of variable......else update mc. mc Return value. pc

Simulating a thread against an MU y=1 …. a=x x=1 …. assert(b); x=2 y=1 x=1 x=3 y=8 z=2 Handling errors – “flag that an error occurs” pc translates to if (! b) _error = 1; (computation might not be feasible) translates to if (! b) _error = 1; (computation might not be feasible)

Our apporach: sequentialization by MU … T0T0 T1T1 TNTN … F0F0 F1F1 FNFN main() Concurrent program Sequential program Sequentialization (code-to-code translation) Simulation functions translates … MEMORY UNWINDING

Main Sequential Program void main(void){ memory_init(W); ct := mem_thread_create(); F 0 (); thread_terminate(ct); all_thread_simulated(); assert(_error == 0) } main instantiate memory unwinding error check all writes of the thread are executed simulation starts from main thread all writes of the MU are executed register main thread Thread creation

CSeq framework + Evaluation

CSeq framework sequential non-deterministic C program P'P' concurrent C program P sequential analysis tool code-to-code translation is a framework that simplifies code-to-code translations -for C programs + Pthread -comprises several code-to-code translation modules -supports several sequential analysis back-end tools Internal modules -unrolling -function inlining -counter-example … Sequentialisations -Memory-Unwinding -Lazy-CSeq -LR-CSeq … testing Klee bounded model-checking -BLITZ -CBMC -ESBMC -LLBM abstraction -CPA-checker -Frama-C -SATABS

Evaluation [ SV–COMP ] SV-COMP software verification TACAS Concurrency category benchmarks: 1003 files Lazy-CSeq won 2 GOLD medals (2014, 2015) MU-CSeq won 2 SILVER medals (2014, 2015)

Ongoing & Future Work

Sequentializations based on BMC and Abstraction for programs communication through FIFO channels weak memory models (TSO) [Atig, Bouajjani, – CAV 2011 ] message passing interface (MPI) Symbolic partial order reduction based on interleaving partitioning (CEGAR) combining: abstraction interpretation to discard “safe” partitions bug-finding for partitions with “potential” bugs with few interleavings swarm verification (on clusters) implemented using Lazy- and MU-Cseq sequentialization Foundational work: Reasoning about programs using graph representations. Analysis based on graph decompositions. [“The Tree Width of Automata with Auxiliary Storage” Madhusudan, Parlato – POPL 2011 ] for multi-stack pushdown automata communicating either through shared variables or queues) Ongoing work & Future work

Sequentializations based on BMC and Abstraction for programs communication through FIFO channels weak memory models (TSO) [Atig, Bouajjani, – CAV 2011 ] message passing interface (MPI) Symbolic partial order reduction based on interleaving partitioning (CEGAR) combining: abstraction interpretation to discard “safe” partitions bug-finding for partitions with “potential” bugs with few interleavings swarm verification (on clusters) implemented using Lazy- and MU-Cseq sequentialization Foundational work: Reasoning about programs using graph representations. Analysis based on graph decompositions. [“The Tree Width of Automata with Auxiliary Storage” Madhusudan, Parlato – POPL 2011 ] for multi-stack pushdown automata communicating either through shared variables or queues) Ongoing work & Future work

Thank You users.ecs.soton.ac.uk/gp4/cseq

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.