Presentation is loading. Please wait.

Presentation is loading. Please wait.

Over-Approximating Boolean Programs with Unbounded Thread Creation

Published byFanny Hartanto Modified over 6 years ago

Similar presentations

Presentation on theme: "Over-Approximating Boolean Programs with Unbounded Thread Creation"— Presentation transcript:

1 Over-Approximating Boolean Programs with Unbounded Thread Creation
Natasha Sharygina Byron Cook, Daniel Kroening

2 Introduction Counterexample guided abstraction refinement (CECAR) is a successful method to verify programs Initial Abstraction Verification No error or bug found C Program with threads Concurrent Boolean Program Model Checker Property holds Simulation successful Refinement Simulator Bug found

3 Boolean Programs Expressions Control Flow Assignments assert
Usual Boolean operators Non-deterministic choice Control Flow if then else goto Functions Assignments Simultaneous assignments to multiple variables Constrained assignments assert

4 Boolean Programs with Threads
Created by version of SLAM for concurrent programs called SLING (G. Weissenbacher) Threads are marked by special labels Dynamic creation of threads Arbitrary interleavings of the threads

5 Boolean Programs: Example
decl g0; void t1() begin end void t2() begin assert(g0); void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; Thread Creation

6 Boolean Programs: Example
decl g0; void t1() begin end void t2() begin assert(g0); void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; STATE g0 F

7 Boolean Programs: Example
decl g0; void t1() begin end void t2() begin assert(g0); void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; STATE g0 T

8 Boolean Programs: Example
decl g0; void t1() begin end void t2() begin assert(g0); void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; STATE g0 F

9 Boolean Programs: Example
decl g0; void t1() begin end void t2() begin assert(g0); void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; STATE g0 F Alternative Schedule

10 Boolean Programs: Example
decl g0; void t1() begin end void t2() begin assert(g0); void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; STATE g0 T Alternative Schedule

11 Boolean Programs: Example
decl g0; void t1() begin end void t2() begin assert(g0); void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; STATE g0 F Alternative Schedule

12 Available Model Checkers
With translator: NuSMV SPIN Zing BOPPO – partial order reduction + QBF [Spin 2005] Fixed number of threads

13 Unbounded Thread Creation
Actual number of threads always finite May be very large Actual number usually lost during predicate abstraction Must check abstract program with unbounded number of threads Checking the abstract model is now undecidable! Must give up Soundness or Completeness

14 Our Approach Other tools (SPIN, ZING) won’t terminate
Not a good fit for the CEGAR loop Our approach: Over-approximating reachability in Boolean programs with unbounded thread creation

15 Our Approach Guarantees termination
Initial Abstraction Verification No error or bug found C Program with threads Concurrent Boolean Program Model Checker Property holds Simulation successful Refinement Simulator Bug found Guarantees termination If no bug is found, the loop terminates Otherwise, provide a “helpful trace”to CEGAR loop to make progress

16 Thread States Explicit State,  : Triple (n, pc, ) with
n   - number of threads pc : {1,…,n}  L – vector of program locations  : ({1,…,n}  Vl)  Vg  B – valuation of program variables Thread State, : Tuple (PC, ) with PC  L  : V  B Let S denote the set of explicit states and denote a set of thread states

17 Execution Semantics A scheduler picks a thread to execute an instruction The transition relation of a thread is defined by a case-split on the instruction (i.e., goto, assume, start_thread, lock, unlock, etc.) Current thread state Next thread state

18 Execution Semantics The set of all reachable states is
The property to check: reachability of states with particular locations

19 Projection from a state to the value of the pc of thread t
Thread Projection Projection from a state to the value of the pc of thread t Thread Projection Function Maps an explicit state of the full state space to the state visible to a thread t  {1,…,.n} Projection from a state to the values of the program variables of thread t

20 Thread-Visible States
1 2 3 4 5 *()

21 Thread-Visible States
The set of thread-visible states reachable in i transitions is We compute an over-approximation of This is sufficient to prove reachability properties that are expressed in terms of thread visible states Example: assertions

22 Over-Approximating Relation

23 Over-Approximating Relation
1 2

24 Over-Approximation

25 Approximation Algorithm

26 Mapping from a set of variables into a set of formulae
Making it Symbolic Mapping from a set of variables into a set of formulae

27 Represents the guard of the state symbolically
Making it Symbolic Represents the guard of the state symbolically

28 Symbolic States Guard and values of variables are stored as Boolean formulae with sharing No blowup – linear space in number of transitions Assertions are checked symbolically by checking satisfiability of SAT instances

29 Fixpoint Detection with QBF
Did we get a new thread state? Fixpoint Detection easy for explicit state (hash-table) Symbolic case: a set of explicit thread states is represented by a symbolic thread state Give that to QBF solver (e.g., Quantor)

30 Refinement Imprecision caused by over-approximating relation might lead to traces that are spurious within the abstract model Can be ruled out by adding more predicates (i.e., classical refinement)

31 Recursion Reachability already undecidable with only two threads
Our algorithm can be extended to handle recursion Idea: replace recursive calls by thread creation

32 Experimental Results Ran on many sequential programs generated by SLAM
a few concurrent programs generated by SLING Using MiniSAT for assertions Quantor for fixpoint detection

33 Experimental Results

34 Tool for Experimentation
BOPPO with support for unbounded thread creation is available for download

35 Related Work Zing: restricted form of recursion and unbounded thread creation Qadeer and Rehof, TACAS05: unsounded approach for bounding the number of context switches Flanagan and Qadeer, SPIN03: loosely coupled multhreaded programs: thread states in order of programs with little interaction.

36 Questions?

37 Modeling Recursion For function f(p1,…,pk) | p1,…pk Vl are the parameters of the function p1,…,pk := e1,…ek A new global variable is introduced for synchronization of the function return Function call is replaced by start_thread ,  - the first program location of f After the function call, is inserted and set to false When f returns, it sets  to true. The return values are passed by means of global variables

38 Over-approximating recursive calls
Over-approximation of a recursive call f(e1,e2) with thread creation

39 Partial Order Reduction with SAT
Implemented in GETSUCCESSORS Computes subset of threads that are considered for symbolic execution in a particular state Commonly used in explicit state model checkers, BOPPO does it symbolically

Download ppt "Over-Approximating Boolean Programs with Unbounded Thread Creation"

Similar presentations

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Abstraction of Source Code (from Bandera lectures and talks)

Abstraction of Source Code (from Bandera lectures and talks)
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.

Similar presentations

Ads by Google