Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Model Checking Multithreaded C Code with SPIN Anna Zaks & Rajeev Joshi SPIN 2008 10 August, Los Angeles, USA.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Model Checking Multithreaded C Code with SPIN Anna Zaks & Rajeev Joshi SPIN 2008 10 August, Los Angeles, USA."— Presentation transcript:

1 1 Model Checking Multithreaded C Code with SPIN Anna Zaks & Rajeev Joshi SPIN 2008 10 August, Los Angeles, USA

2 Checking Multithreaded C Code The Goal: Check Multithreaded C Code /* Peterson's algorithm (adapted from Wikipedia) ‏ */ static int sh_f0, sh_f1, sh_last; void * run_thread0 () { struct pa_desc d; d.f0 = &sh_f0; d.f1 = &sh_f1; d.last = 1; for (;;) { *(d.f0)=1; sh_last=d.last ; while (*(d.f1)==1 && (last==d.last)) { ; /* busy wait */ } /* critical section */ d.f0=0; } … Limitations –need to redo manual translation whenever implementation changes –the absence of errors in the design does not guarantee that the implementation (the executable) is error free express design as a PROMELA model bool turn, flag[2]; active proctype run_thread0 () { again: flag[0] = 1; turn = 1; (flag[1] == 0 || turn == 0) -> /* busy wait */ /* critical section */ flag[0] = 0; goto again; }... 2

3 Checking Multithreaded C Code Model-Driven Verification static int sh_f0, sh_f1, sh_last; void * run_thread0 () { struct pa_desc d; d.f0 = &sh_f0; d.f1 = &sh_f1; d.last = 1; for (;;) { *(d.f0)=1; sh_last=d.last ; while (*(d.f1)==1 && (last==d.last)) { ; /* busy wait */ } /* critical section */ d.f0=0; } … Ref: Model-Driven Software Verification, G.J.Holzmann & R.Joshi, SPIN 2004 c_decl { extern void * run_thread0 (void *); extern void * run_thread1 (void *); } ;... active proctype main() { init() ; do :: choose(thread0) -> c_code {run_thread0 (); } :: choose(thread1) -> c_code {run_thread1 (); }... od } 3 Embed C code within PROMELA - C code is executed by SPIN during search Main drawback: Not useful for verification of multithreaded C programs Need to explore the interleavings within the function

4 Checking Multithreaded C Code Our Solution – Introducing pancam Build pancam interpreter that can be embedded within an existing model checker pancam inherits all SPIN optimizations and future enhancements:  bit-state verification  hash compression  multi-core checking pancam does not rely on any customization of SPIN 4

5 Checking Multithreaded C Code The LLVM Compiler Infrastructure pancam interprets optimized LLVM bytecode (a typed bytecode language) catches errors that manifest themselves only after the optimization phase 5 Ref: LLVM compiler (originated from University of Illinois Urbana-Champaign), http://llvm.org /* Peterson's algorithm (adapted from Wikipedia) ‏ */ static volatile int sh_f0, sh_f1, sh_last; void * run_thread0 () { struct pa_desc d; d.f0 = &sh_f0; d.f1 = &sh_f1; d.last = 1; for (;;) { *(d.f0)=1; sh_last=d.last ; while (*(d.f1)==1 && (sh_last==d.last)) { ; /* busy wait */ } /* critical section */ d.f0=0;}

6 6 The pancam Checker SPIN orchestrates the state space search - decides which thread to execute next - stores visited states in the hash - restores to the previous step during DFS backtracking pancam computes the transition by code interpretation - can execute any number of instructions of a specific thread - can check predicates at any point Spin (pan.c) Spin (pan.c) take_step (thread_id, granularity, &state) &state pancam Checking Multithreaded C Code

7 Spin Model for pancam active proctype main() { c_code { pancam_init(“petersons.bc”); init_thread(0, “run_thread0”); init_thread(1, “run_thread1”); }; do :: c_expr { is_enabled(0) } -> c_code { take_step(0); } :: c_expr { is_enabled(1) } -> c_code { take_step(1); } od } 7

8 Checking Multithreaded C Code Program State cs[N] 8 c_track “cs” “N” “Matched”; active proctype main() { c_code { pancam_init(“petersons.bc”); init_thread(0, “run_thread0”); init_thread(1, “run_thread1”); }; do :: c_expr { is_enabled(0) } -> c_code { take_step(0); } :: c_expr { is_enabled(1) } -> c_code { take_step(1); } od } global state system heap program stack FREE enabled

9 Checking Multithreaded C Code Addressing State Space Explosion Three Strategies  support user-defined abstraction functions  use context-bounded checking  do on-the-fly partial-order reduction 9

10 Checking Multithreaded C Code User Defined Abstractions c_track “cs” “N” “UnMatched”; c_track “as” “K” “Matched”; as is populated through the user defined function compute_abst(void *as) Abstract State as[K] 10 Concrete State cs[N] system heap program stack FREE user defined  cs is stored on Spin’s stack, which is used for DFS backtracking  as is used for state hashing global state enabled

11 Checking Multithreaded C Code Context-Bounded Checking Enforce upper bound on number of allowed preemptive context-switches  a switch from p to q is preemptive provided p is enabled  explore state space exhaustively with increasingly larger bounds  works well in practice - most concurrency bugs can be triggered with a small number of switches 11 Ref: Iterative context bounding for systematic testing of multithreaded programs, M. Musuvathi, S. Qadeer, POPL 2007

12 Checking Multithreaded C Code pancam Implementation of Context Bounding Implemented as an optional extension requires no modification to Spin 12

13 Checking Multithreaded C Code Experimental Results: Context Bounding peterson.c without abstraction 13

14 Checking Multithreaded C Code On-the-fly Partial-order Reduction pancam “transitions” have no structure : c_code { take_step (th_id, s); } Spin’s traditional partial-order reduction doesn’t apply - even if we modified Spin, computing independence relation is too hard Shift the burden to pancam by  increasing the granularity of a “pancam step”  hiding unnecessary states from Spin Spin take_step (th_id, s) s’ pancam

15 Checking Multithreaded C Code On-the-fly Partial-order Reduction pancam “transitions” have no structure : c_code { take_step (th_id, s); } Spin’s traditional partial-order reduction doesn’t apply - even if we modified Spin, computing independence relation is too hard Shift the burden to pancam by  increasing the granularity of a “pancam step”  hiding unnecessary states from Spin Example  execute a thread until it accesses a global variable or the shared heap  Can we do better? Spin take_step (th_id, s) s’ pancam

16 Checking Multithreaded C Code Superstep Reduction: Key Ideas  Unlike classical POR, which considers subsets of enabled transitions from state s, we consider subsets of enabled finite paths from s 16 S 1 2

17 Checking Multithreaded C Code Superstep Reduction: Key Ideas  Unlike classical POR, which considers subsets of enabled transitions from state s, we consider subsets of enabled finite paths from s  Each selected path is replaced with a single superstep transition 17 S 1 2

18 Checking Multithreaded C Code Superstep Reduction: Key Ideas  Unlike classical POR, which considers subsets of enabled transitions from state s, we consider subsets of enabled finite paths from s  Each selected path is replaced with a single superstep transition  The conflicts (dependencies) are computed dynamically 18 S 1 2

19 Checking Multithreaded C Code Superstep Requirments Compute superstep i for each enabled thread i  a superstep is finite and nonempty  only the last transition in a superstep may conflict with transitions in other supersteps  only the last transition of a superstep can be visible From these, we can show that superstep reduction is sound and complete for checking any LTL property without the next- time operator 19 Can be seen as an extension of the Cartesian partial-order reduction to LTL Ref: Cartesian partial-order reduction, G. Gueta, C. Flanagan, E. Yahav, M. Sagiv, SPIN 2007

20 Checking Multithreaded C Code Efficient DFS Implementation DFS is essential for liveness support Precomputing the supersteps leads to run time overhead Supersteps are computed on-the-fly using a scheme that maintains bookkeeping information across Spin backtracking steps no modification to SPIN is required 20

21 Checking Multithreaded C Code Experimental Results: Superstep Reduction 21 robots.c benchmark

22 Checking Multithreaded C Code Other Related Work Modex tool extracts PROMELA models from C implementations A practical method for verifying event-driven software, G. Holzmann, M. Smith, SE1999 Java Pathfinder integrates model checking with the virtual machine Model checking programs, W. Visser, K. Havelund, G. Brat, S. Park, F. Lerda, ASE 2003 VeriSoft [God97] and Inspect [YCGK07] tools are state-less model checkers for C Model checking for programming languages using VeriSoft, P. Godefroid, POPL 1997 Dynamic partial-order reduction for model checking software, C. Flanagan, P. Godefroid, POPL 2005 CHESS model checker for concurrent C code checks for livelocks Fair stateless model checking, M. Musuvathi, S. Qadeer, PLDI 2008 CMC explicit-state model checking requires manual translation from C A pragmatic approach to model checking real code, M. Musuvathi, et al., OSDI 2002 In CodeSurfer tool, program analysis is applied to a model constructed from an executable Wysinwyx : What you see is not what you execute, G. Balakrishnan, et al., VSTTE 2005 22

23 Checking Multithreaded C Code Summary First version of pancam completed  implements abstraction support, context-bounding, superstep reduction  applied to several small programs (~200 lines of C)  applied to an inter-process communication module (~2800 lines of C)  fixed bug in Wikipedia implementation of Peterson’s protocol  extended the tool to support liveness properties Ongoing work  reduce the size of a concrete state  combine superstep reduction with static POR  make some conservative approximations to reduce overhead of POR  reduce run time overhead 23

24 Checking Multithreaded C Code Questions? 24

25 25 Cap Sets Unlike classical POR, which looks at subsets of enabled transitions from state s, we look at subsets of enabled finite paths from s Given a state s, choose Cap(s) - a subset of finite prefixes of paths from s :  :   paths from s : ( ,  :  Cap(s)    ext( ):    ) S 1 2  

26 26 Reduced System Given a transition state graph M =  S, T, S 0, L  The reduced graph M‘ =  S, T’, S 0, L , such that T’ = { s  : s  S,  Cap(s) }, where s  is a superstep transition summarizing execution of path If M and M' are stuttering equivalent, for any LTL formula Af without the next time operator, and every initial state s : s ╞ Af in M if and only if s ╞ Af in M'

27 27 Independence Requirement [  :   paths from s : ( ,  :  Cap(s)    ext( ):    ); let  =  ] Independence Requirement: transitions of   are independent from    is enabled at s, and results in the same state as  then choose  =     s    r’ r 

28 28 Visibility Requirement [ have to show that (    )  (     )  ] Visibility Requirement: both and  have the same visible transition and at most one is allowed All states on the paths  and   can be partitioned into two sets Seq and Req :   s’  Seq : L(s) = L(s’)   r’  Req: L(r) = L(r’)  s   r’ r L(r) L(s) L(r)

29 29 Visibility Requirement [ have to show that (    )  ( s     )  ] Visibility Requirement: both and  have the same visible transition and at most one is allowed All states on the paths  and   can be partitioned into two sets Seq and Req :   s’  Seq : L(s) = L(s’)   r’  Req: L(r) = L(r’) No need to show the intermediate states Path is substituted by one superstep transition  s ss   r’ r L(r) L(s) L(r)

Download ppt "1 Model Checking Multithreaded C Code with SPIN Anna Zaks & Rajeev Joshi SPIN 2008 10 August, Los Angeles, USA."

Similar presentations

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.

1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,

Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
Reducing Context-bounded Concurrent Reachability to Sequential Reachability Gennaro Parlato University of Illinois at Urbana-Champaign Salvatore La Torre.

Reducing Context-bounded Concurrent Reachability to Sequential Reachability Gennaro Parlato University of Illinois at Urbana-Champaign Salvatore La Torre.
PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov 2007 2015-05-071SPIN Search Algorithm.

PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov SPIN Search Algorithm.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
SPIN Verification System The Model Checker SPIN By Gerard J. Holzmann Comp 587 – 12/2/09 Eduardo Borjas – Omer Azmon ☐ ☐

SPIN Verification System The Model Checker SPIN By Gerard J. Holzmann Comp 587 – 12/2/09 Eduardo Borjas – Omer Azmon ☐ ☐
Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.

Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Similar presentations

Ads by Google