Presentation is loading. Please wait.

Presentation is loading. Please wait.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer."— Presentation transcript:

1 Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer

2 Introduction Model Checking Software –“Automatic” –Path sensitive properties –Partial correctness –Limited to sequential programs Thread-modular Reasoning –Efficiently decompose checks –Requires manual (or divine) intervention TAR: Thread-modular Abstraction Refinement –Eliminate the divine using abstraction-refinement –Safety checking for concurrent programs

3 The story so far... Analyzing Sequential programs –BLAST/SLAM/… –Iterative Abstraction-Refinement YES SAFE explanation NO! (Trace) BUG feasible Seed Abstraction Program Why infeasible ? infeasible Refine Abstract Is model safe ? Check

4 … and what of Concurrent Programs ? Shared Memory (multithreaded) Message Passing Hard to analyze ! –Interleavings / State explosion One approach: Thread-modular analysis –a.k.a. “divide and conquer” –Analyse threads in isolation –Put analyses together

5 The Problem boxes = threads white denotes shared variables Safety checking: Is an ERROR state reachable ?

6 Thread-modular analysis (take1) safe

7 Thread-modular analysis (take1) safe Rarely happens ! Threads are only correct in a constrained environment

8 Second Attempt: Summaries Divine “summaries” of each thread’s behaviour Use/verify summaries (circular)

9 safe Use Summaries (“Assume”) safe

10 Verify Summaries (“Guarantee”) µ µ safe

11 Thread-modular analysis (take 2) µ safe µ

12 Our Contribution Problem with TM Reasoning: –Divining (small) summaries ! ? ? Algorithm TAR –Divine/use/verify summaries –Using iterative abstraction-refinement

13 An Example: Race Detection Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } Shared variables: data, flag, P, C Error states: P Æ C Initial states: : P Æ : C ( Æ : flag) P´P´ ´ C

14 An Example: Race Detection Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } P´P´ ´ C Correctness Invariant: –Producer ensures: P ) : flag –Consumer ensures: C ) flag

15 S Producer { : flag ! (flag’ Ç : flag’) Æ : P’ | : flag ! : flag’ Æ P’ } Summaries S Consumer { flag ! (flag’ Ç: flag’) Æ : C’ | flag ! flag’ Æ C’ } Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } Summary: Set of (present state, next state) pairs

16 Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } Checking Safety [use] Sequential program: Producer+ use BLAST/SLAM/ESC/… [verify] Every action of Producer+ is in S Producer Producer+{ 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } while(*){ s Consumer ();} safe µ

17 Abstraction & Reachability Abstraction gives finite state space Conservative – Abstraction safe ) System safe – Too coarse ) spurious counterexample Initial Error

18 Refinement Using “spurious” error traces

19 Refinement Using “spurious” error traces –Add information to rule out spurious trace –e.g. Track more variables or predicates Repeat reachability –Till safe or real trace is found

20 Abstraction & Reachability Using “spurious” error traces –Add information to rule out spurious trace –e.g. Track more variables or predicates Repeat reachability –Till safe or real trace is found safe

21 To Summarize Nodes labeled by abstract states Each parent-child pair ! (present, next) pair –Quantify out local state (e.g. program counter) –Take pairs where global state changes Reachability Tree ’

22 Producer+{ 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } while(*){ s Consumer ();} Tying up the threads ;; Refine using “spurious” error traces Not yet the reachable set! Summarize

23 Refined System ;; safe Fixpoint

24 Running TAR on Example Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } Shared variables: data, flag, P, C Error states: P Æ C Initial states: : P Æ : C Æ : flag P´P´ ´ C

25 ; Summary: : P Æ : C ! : P’ Æ C’ : P Æ C ! : P’ Æ : C’ Running TAR 1 ; Init: : P Æ : C Error: P Æ C Abs: P, C Reach: : P Æ : C P Æ : C Reach: : P Æ : C : P Æ C Summary: : P Æ : C ! P’ Æ : C’ P Æ : C ! : P’ Æ : C’ Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } P Æ C P´P´ ´ C

26 Summary: C Æ flag ! : C’ Æ flag’ : C Æ flag ! : C’ Æ : flag’ ; Summary: Running TAR 2 ; Init: : P Æ : C Æ : flag Error: P Æ C Abs: P, C, flag Reach: : P Æ : C Æ : flag P Æ : C Æ : flag : P Æ : C Æ flag Reach: : P Æ : C Æ : flag Summary: : P Æ: flag ! P‘ Æ : flag’ ! : P’ Æ flag’ P Æ : flag ! : P Æ: flag Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } : P Æ C Æ flag : C Æ flag : C Æ : flag P´P´ ´ C Only change if : flag Only change if flag : P Fixpoint Track flag : flagflag

27 ; Summary: flag ! ( flag’ Ç : flag’) Æ : C’ ! flag’ Æ C’ Running TAR 2 ; Reach: P Æ : C Æ : flag : P Reach: : P Æ C Æ flag : C Summary: : flag ! (flag’ Ç : flag’) Æ : P’ ! : flag Æ P’ Consumer { 1: while (*) { 2: while (!flag) {}; 3: read = data; 4: flag = false; } Producer { 1: while (*) { 2: while (flag) {}; 3: data = newdata(); 4: flag = true; } P´P´ ´ C safe Fixpoint SUMMARIES DIVINED !

28 Wrapping Up The moral: –TAR can check concurrent software –w/o (really) exploring all interleavings The devil … –Shared memory via pointers –Explicating local state Need to track some local state of “other” threads –Counterexample analysis Implemented TAR in BLAST –Race checking for drivers (each client is a thread) –Linux/Windows drivers 1-10 Kloc Looking for examples and properties …

29 BLAST www.eecs.berkeley.edu/~tah/blast/ Berkeley Lazy Abstraction Software * Tool

30 Race Detection w/ Pointers Producer { p = &buf; while (*) { while (p->flag) {}; p->data = newdata(); p->flag = true; p = p->next; } Consumer { q = &buf; while (*) { while (q->flag) {}; read = q->data; q->flag = false; q = q->next; }

Download ppt "Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.

Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.

Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
SCIENCES USC INFORMATION INSTITUTE Pedro C. Diniz University of Southern California / Information Sciences Institute 4676 Admiralty Way, Suite 1001 Marina.

SCIENCES USC INFORMATION INSTITUTE Pedro C. Diniz University of Southern California / Information Sciences Institute 4676 Admiralty Way, Suite 1001 Marina.
Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.

Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

Similar presentations

Ads by Google