Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verifying Concurrent Message- Passing C Programs with Recursive Calls Sagar Chaki, Edmund Clarke, Nicholas Kidd, Thomas Reps, and Tayssir Touili.

Published byKelley Chase Modified over 9 years ago

Similar presentations

Presentation on theme: "Verifying Concurrent Message- Passing C Programs with Recursive Calls Sagar Chaki, Edmund Clarke, Nicholas Kidd, Thomas Reps, and Tayssir Touili."— Presentation transcript:

1 Verifying Concurrent Message- Passing C Programs with Recursive Calls Sagar Chaki, Edmund Clarke, Nicholas Kidd, Thomas Reps, and Tayssir Touili

2 Our Contributions New model-checking techniques for Communicating Pushdown Systems  Multi-level semi-decision procedure Addresses 3 challenging verification issues  Large and infinite domains  Recursion  Concurrency and synchronization Implemented on top of model checker MAGIC

3 Real Bugs! 2 process race condition found in Windows NT Bluetooth Driver [KISS 04] New 3 process race condition found in “corrected” version of Windows NT Bluetooth driver  Found while attempting to verify the driver

4 Model checking Program is a collection of states Program statements define transitions in state space

5 Model checking Predicate abstraction generates model of program Check model against a specification Model Spec

6 Concurrent model checking Multiple transition systems Model 1Model 2 Predicate abstraction generates multiple models Combine models and check specification Spec

7 Related Work SLAM  No concurrency BLAST and MAGIC  No recursion KISS  2 context switches k-bounded context switches  Under-approximation  No implementation

8 Outline Pushdown Systems Review Communicating Pushdown Systems Experiments

9 Pushdown Systems (PDS) Finite state machine with a stack (P, ,  ) P = {p, q,...} : finite set of states      : finite set of stack symbols Configuration c   P £  *   : finite set of rules µ (P £  ) £ (P £  * )  if h p,   i ! h q,   i then h p,    i ) h q,    i     *

10 Pushdown System from a CFG void f() { if( e 1 ) { message a f() message b } f enter message a e1e1 f exit message b call f ret f

11 PDS encoding of function f  p,f enter  !  p,e 1  f enter message a e1e1 f exit message b call f ret f  p,message b  !  p,f exit   p,ret f  !  p,message b   p,e 1  !  p,message a   p,e 1  !  p,f exit   p,call f  !  p,f enter ret f   p,message a  !  p,call f   p,f exit  !  p, " 

12 PDS encoding of a CFG Intraprocedural edge  p,  1  p,    Interprocedural call edge  p,  1  p,      Interprocedural return edge  p,  1  p,  f enter message a e1e1 f exit message b call f ret f

13 PDS Reachability Queries Let C be a set of PDS configurations {c 1, …, c n } pre*(C) backwards reachability from C post*(C) forwards reachability from C If C is regular, then pre*(C) (post*(C)) is regular

14 PDS Reachability Example f enter message a e1e1 f exit message b call f ret f f enter p ret f f enter, e 1, message a, call f p ret f f enter, e 1, message a, call f, messageb, ret f, f exit, " message b, ret f, f exit, "

15 Model checking PDS Is C reachable from C? If C is regular, then pre*(C) is regular Model checker checks configuration reachability I.e., is C  pre*(C) = 

16 Concurrent Message-Passing Program void f() { if( e 1 ) { message a f() message b } void g() { if( e 2 ) { message a message b g() } else { message b }

17 Reachability isn’t enough! Does not capture inter-process synchronization Must associate synchronization messages with execution paths Solution - Communicating Pushdown Systems  Model a process by language of synchronization messages  Language intersection checks inter-process reachability

18 Outline Review of Pushdown Systems Communicating Pushdown Systems Experiments

19 Communicating Pushdown Systems (CPDS) CPDS CP is a tuple of PDSs  1  …,  n  Global configuration of CP is a tuple of PDS configurations g =  c 1  …, c n  Set of global actions (Act) = {Lab}  {Lab} set of synchronizing actions  represents an internal action

20 Concurrent Message-Passing Program void f() { if( e 1 ) { message a f() message b } void g() { if( e 2 ) { message a message b g() } else { message b }

21 CPDS for Message-Passing Program CP = (P f, P g ) Configuration g = (c f,c g ) Act = {a, b,  }

22 Reachability Analysis of CPDS “From  c 1  c 2 , is  c 1  c 2  reachable?” True if L  c 1  c 1   L  c 2  c 2  [BET03] L 1 = L  c 1  c 1  & L 2 =L  c 2  c 2  What is L 1 & L 2 ?

23 Process’s Language of Messages void f() { if( e 1 ) { message a f() message b } L( f ) " ab aabb aaabbb aaaabbbb 

24 Language of Synchronizing Messages void f() { if( e 1 ) { message a f() message b } L( f )  a k b k

25 Generating the Process Language Use Weighted Pushdown System  Associates weight to each valid path  Reachability query returns “combined” weight over all valid paths  “Combined” weight is the language of synchronizing messages for each process

26 Language of Synchronizing Messages void f() { if( e 1 ) { message a f() message b } L( f )  a k b k

27 Language of Reachability in WPDS f enter message a e1e1 f exit message b call f ret f L(  p,f enter ,  p, f exit  )  a k b k

28 Problem: L 1  L 2 =  is undecidable! L(  p,f enter ,  p, f exit  )  akbk  akbkakbk  akbk f enter message a e1e1 f exit message b call f ret f f enter message a e1e1 f exit message b call f ret f

29 Multi-level semi-decision procedure Level 1 in MAGIC  Extract CPDS from C program  Query Level 2 Level 2 in WPDS++  use CounterExample Guided Abstraction Refinement (CEGAR)  Over-approximate L i as A i using i th -prefix  A i is regular because it is finite!

30 i th -prefix Associate finite string to each path in WPDS String length can be at most i  Bounded string concatenation Over-approximates CFL for a process  Separate concrete from abstract strings Defines a set of refinable finite chain abstractions

31 i th -prefix - 2 recursive calls f enter message a e1e1 f exit message b call f ret f i ∞ = aabb i 5 = aabb i 3 = aab  3 (aab) = aab(a+b)*

32 i th -prefix L(  p,f enter ,  p, f exit  ) f enter message a e1e1 f exit message b call f ret f i 1 = { ", a } i 2 = { ", aa, ab } i 3 = { ", ab, aaa, aab } i 4 = { ", ab, aaaa, aaab, aabb } i 5 = { ", ab, aabb, aaaaa, aaaab, aaabb } …

33 Level 2 CEGAR semi-decision procedure Given CP,  c 1  c 2 , and  c 1  c 2  Let C i = c i  Pre*(P i, c i ) Let A i =  over all paths in C i Let I = A 1  A 2

34 Level 2 CEGAR semi-decision procedure If I =  then L 1  L 2 =  L(  c 1  c 2 ,  c 1  c 2  )  I If I contains concrete string, report back the shortest counterexample Else, increment i and repeat

35 CPDS Example L(  p,f enter ,  p, f exit  )L(  p,g enter ,  p, g exit  )  f enter message a e1e1 f exit message b call f ret f g enter message a e2e2 g exit message b call g ret g

36 CPDS Example i 1 = { ", a}i 1 = {a, b} L(  p,f enter ,  p, f exit  )L(  p,g enter ,  p, g exit  )  f enter message a e1e1 f exit message b call f ret f g enter message a e2e2 g exit message b call g ret g

37 CPDS Example  1 (i 1 = { ", a}) = " +a(a+b)*  1 ( i 1 = {a,b}) = (a+b)(a+b)* L(  p,f enter ,  p, f exit  )L(  p,g enter ,  p, g exit  )  f enter message a e1e1 f exit message b call f ret f g enter message a e2e2 g exit message b call g ret g

38 CPDS Example i 2 = { ",ab}i 2 = {b,ab} L(  p,f enter ,  p, f exit  )L(  p,g enter ,  p, g exit  )  f enter message a e1e1 f exit message b call f ret f g enter message a e2e2 g exit message b call g ret g

39 CPDS Example i 3 = { ",ab,aaa,aab}i 3 = {b,aba,abb} L(  p,f enter ,  p, f exit  )L(  p,g enter ,  p, g exit  )  f enter message a e1e1 f exit message b call f ret f g enter message a e2e2 g exit message b call g ret g

40 CPDS Example =  i 3 = { ",ab,aaa,aab}i 3 = {b,aba,abb} L(  p,f enter ,  p, f exit  )L(  p,g enter ,  p, g exit  )  f enter message a e1e1 f exit message b call f ret f g enter message a e2e2 g exit message b call g ret g

41 Experiment - Bluetooth Driver Abstract Bluetooth driver from Windows NT  Reentrant multi-threaded library  Has known bug -- found by KISS [QW04]  Two handler processes: receive one request each  2 context switches: RUN; STOP; RUN   Modeled with a CPDS  Counterexample consists of 8 actions  Found in 5 seconds, using 334 MB

42 Bluetooth CPDS Model CPDS uses 5 processes Two handler processes  RUN  STOP Three processes that model global variables  2 Booleans  1 integer counter

43 Experiment 2 – Revised Bluetooth Driver “Corrected” version of model in which KISS found a bug Challenge: Could we verify that it was correct? Answers obtained by CPDS model checking:  For 2 processes (RUN, STOP) … correct!  For 3 processes (RUN1, RUN2, STOP) … incorrect  Six processes in CPDS model  Three handler processes (RUN1, RUN2, STOP)  Three processes for globals (2 Booleans, 1 integer counter) Counterexample consisted of 14 actions Found in 20 seconds, using 391 MB

44 “Correct” Bluetooth Bug n0: rc = atomicIncr(); n1: if( rc ) { n2: // do work n3: assert(Counter); } n4: atomicDecr(); RUN1STOPRUN2 n2 decr; wait; n1 n4 cleanup n3  Counter: 0Counter: 1Counter: 2Counter: 1

45 Conclusion Model each process as a language of messages L1L1 L2L2 Combine languages via intersection Reachability is emptiness of intersection  = Ø?

46 Questions?

47 Thank You Nicholas Kidd University of Wisconsin-Madison

Download ppt "Verifying Concurrent Message- Passing C Programs with Recursive Calls Sagar Chaki, Edmund Clarke, Nicholas Kidd, Thomas Reps, and Tayssir Touili."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Pushdown Automata (PDA) Informally: –A PDA is an NFA-ε with a stack. –Transitions are modified to accommodate stack operations. Questions: –What is a.

1 Pushdown Automata (PDA) Informally: –A PDA is an NFA-ε with a stack. –Transitions are modified to accommodate stack operations. Questions: –What is a.
Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.

Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
The Big Picture Chapter 3. We want to examine a given computational problem and see how difficult it is. Then we need to compare problems Problems appear.

The Big Picture Chapter 3. We want to examine a given computational problem and see how difficult it is. Then we need to compare problems Problems appear.
A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)

A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)
Reducing Context-bounded Concurrent Reachability to Sequential Reachability Gennaro Parlato University of Illinois at Urbana-Champaign Salvatore La Torre.

Reducing Context-bounded Concurrent Reachability to Sequential Reachability Gennaro Parlato University of Illinois at Urbana-Champaign Salvatore La Torre.
Pushdown Systems Koushik Sen EECS, UC Berkeley Slide Source: Sanjit A. Seshia.

Pushdown Systems Koushik Sen EECS, UC Berkeley Slide Source: Sanjit A. Seshia.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

Similar presentations

Ads by Google