Presentation is loading. Please wait.

Presentation is loading. Please wait.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Published byStephany Newton Modified over 9 years ago

Similar presentations

Presentation on theme: "Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer."— Presentation transcript:

1 Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer Science Department, Oxford University, United Kingdom Limor Goldberg 15.4.2012

2 Outline  Introduction  Symmetry-Aware Predicate Abstraction  Symmetry-Aware Predicate Abstraction with aliasing  Closing the CEGAR Loop  Experimental results  Conclusion

3 Introduction

4 Introduction  Overview  Predicate Abstraction  Example  Uses of predicate abstraction  Naïve solution

5 Overview  Enables applying finite- state model checkers to programs written in mainstream languages  The use of predicate abstraction till now Goal: present an application of PA to shared variable concurrent software Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

6 Overview A symmetry aware predicate abstraction:  Consider the replicated structure of a C program consists of many threads  Generate a boolean program Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

7 Predicate Abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

8 Predicate Abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

9 Predicate Abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

10 Example Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

11 Example Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

12 Example Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

13 Example Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

14 Example Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution (1,1) (2,1) (1,0,0) (0,1,0)

15 Uses of predicate abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution  Predicate abstraction introduces as a way of dealing with data state explosion  It turns C programs into finite state boolean programs which can be model checked  Analyzing sequential software:  In the SLAM project at Microsoft, using this approach, was able to discover numerous control- dominated errors in low level operating system code.

16 Uses of predicate abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution  The bottleneck of PA in shared variable concurrent programs:  the exponential dependence of the generate state apace on the number of running threads.  Solution – exploit symmetry

17 Uses of predicate abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

18 Uses of predicate abstraction Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution  We present program as code fragments that declare shred and local variables.  such code is to be understood as a procedure to be executed by any number of threads  The code can declare shared variables – declared at the global scope (the complete program)  Can declare local variables (within the procedure)

19 Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution  Since the program B is executed by parallel threads its variables have to be partitioned into “shared” and “local”.  The “shared” and “local” attribute of B’s variables depend on the attributes of P’s variables a predicate is formulated over.  Definition: - A local predicate refers solely to a local C program variables - A shared predicate refers solely to a shared C program variables - A mixed predicate is neither local nor shared.

20 Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution  Definition: - A local predicate refers solely to a local C program variables - A shared predicate refers solely to a shared C program variables - A mixed predicate is neither local nor shared. Example to mix predicate: let s and l be a shared and local variables respectively. b is a boolean corresponding to the predicate: s != l Thus b is a mix variable

21 Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution shared int s = 0; local int l = 1; assert s != l; ++s; local bool b = 1; assert b; b = b ? * : 1 ;

22 Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution shared int s = 0; local int l = 1; assert s != l; ++s; local bool b = 1; assert b; b = b ? * : 1 ;

23 Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution shared int s = 0; shared bool t = 0; local int l = 0; If * then if t then assert s != l; l = s + 1; t = 1; shared bool b = 1; shared bool t = 0; If * then if t then assert ! b; b = 0; t = 1;

24 Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution shared int s = 0; shared bool t = 0; local int l = 0; If * then if t then assert s != l; l = s + 1; t = 1; shared bool b = 1; shared bool t = 0; If * then if t then assert ! b; b = 0; t = 1;

25 Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

26  The assertion in this program cannot cannot be violated  We can prove that over a set od non mixed predicates, no invariant is computable that is strong enough to prove s == l. Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution 0: shared int s = 0; 1: shared int r = 0; 2: local int l = 0; 3: ++r; 4: if ( r == 1 ) then 5: ++s; ++l; 6: assert s == l; 7: goto 5

27 Naïve solution Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

28 Naïve solution - summarize Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution  Mixed predicate as local  Make unsound abstraction  Mixed predicate as shared  Make unsound abstraction  Use only shared or local predicate  Cannot verify a simple bug-free program  Instantiate the template as the number of threads  The program is no longer symmetric – cause state explosion  Symmetry oblivious – will not scale beyond a very small number of threads

29 Symmetry Aware Predicate Abstraction

30  Definitions  Mixed predicate and notify all updates  Implementing Notify-All updates  The predicate abstraction algorithm

31 Definitions Definitions Mixed predicate Notify All implementation The algorithm

32 Definitions Mixed predicate Notify All implementation The algorithm

33 Mix predicates and Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

34 Mix predicates and Notify-All updates We have noticed that mixed predicate are tracked in local variables Why? Declaring b i shared would lose information, declaring it local doesn’t – though, it is insufficient to guarantee a sound abstraction.  This is a problem we can solve! Definitions Mixed predicate Notify All implementation The algorithm

35 Mix predicates and Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

36 Mix predicates and Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

37 Mix predicates and Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

38 Mix predicates and Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

39 Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

40 Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

41 Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

42 Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

43 Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

44 Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

45 Weakest precondition Definitions Mixed predicate Notify All implementation The algorithm

46 Implementing Notify-All updates Implementing Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

47 Implementing Notify-All updates Implementing Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

48 Implementing Notify-All updates Implementing Notify-All updates Definitions Mixed predicate Notify All implementation The algorithm

49 The Algorithm Definitions Mixed predicate Notify All implementation The algorithm

50 The Algorithm Definitions Mixed predicate Notify All implementation The algorithm Indexes of all the predicate that that effected by v

51 The Algorithm Definitions Mixed predicate Notify All implementation The algorithm When v is shared, indexes of mixed predicate s.t the corresponding boolean predicate is local and needs to be updated separately

52 Symmetry Aware Predicate Abstraction with Aliasing

53  Assumptions  Definitions  The algorithm

54 Assumptions Assumptions Definitions The algorithm

55 Definitions Assumptions Definitions The algorithm

56 Predicate Abstraction Algorithm with Aliasing Assumptions Definitions The algorithm

57 must_notify  Again, we need to determine whether an update affects the truth of a predicate only for the threads executing the update, or for all threads.  We need to define must_notify like we did without aliasing. Assumptions Definitions The algorithm

58 must_notify – first try  The previous definition (without aliasing) was: So, we can try to adapt it to this situation with the new definitions: Assumptions Definitions The algorithm

59 must_notify – first try Assumptions Definitions The algorithm

60 must_notify – second try Assumptions Definitions The algorithm

61 The Algorithm Assumptions Definitions The algorithm

62 The CEGAR loop

63 The CEGAR Loop  Reminder  Adept CEGAR loop to handle concurrency

64 Remainder T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious Remainder CEGAR loop with concurrency

65 Remainder T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious Remainder CEGAR loop with concurrency

66 Remainder T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious Remainder CEGAR loop with concurrency

67 Remainder T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious Remainder CEGAR loop with concurrency

68 spurious counterexample x1x1 x2x2 y1y1 y2y2 X Y Considering the counterexample Y  X  Y : This path exists only in the abstract model Remainder CEGAR loop with concurrency

69 Remainder T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious Remainder CEGAR loop with concurrency

70 Remainder T h is not spurious check spurious counterexample ThTh stop M h |=  generate counterexample T h M h |=  model check MhMh generate initial abstraction M and  refinement ThTh is spurious Remainder CEGAR loop with concurrency

71 Adept CEGAR loop to handle concurrency  Model checking boolean broadcast program  Simulation  Refinement Remainder CEGAR loop with concurrency

72 Model checking boolean broadcast program  We can no longer use existing concurrent Boolean program model checkers such as Boom (*).  A prototype extension of Boom which called B-Boom can overcome the problem that the new syntax and semantics for broadcasts created.  B-Boom extends the capabilities of Boom to support broadcast operations. Remainder CEGAR loop with concurrency

73 Simulation  The existing S AT A BS simulator:  extracts the control flow from the trace  Mapped it back to the original C program  Translate it into a propositional formula The error is spurious exactly if the formula is unsatisfiable  For concurrent case the control flow information of an abstract trace includes which thread executes actively in each steps.  An extended version of the S AT A BS create a trace over a replicated C program which can be checked using SAT Remainder CEGAR loop with concurrency

74 Refinement  The implementation performs refinement by extracting new predicates from counterexample via WP calculations. Remainder CEGAR loop with concurrency

75 Experimental results

76  Symmetry-aware vs. Symmetry oblivious  Sound abstraction vs. unsound abstraction

77 Symmetry aware vs. Symmetry oblivious Reminder: SOPA: an n-thread symmetric concurrent program expanded so that variables for all threads are explicitly duplicated and n copies of all non-shared predicate are generated.

78

79 Sound Abs vs. Unsound Abs Reminder: we saw Unsound Abstraction in the two naïve solutions to the mixed predicate problem.

80

Download ppt "Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer."

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.

A practical and complete approach to predicate abstraction Ranjit Jhala UCSD Ken McMillan Cadence Berkeley Labs.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 4.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2013 Lecture 4.
Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,

Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,
Abstraction of Source Code (from Bandera lectures and talks)

Abstraction of Source Code (from Bandera lectures and talks)
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Similar presentations

Ads by Google