1 / 39

Over-Approximating Boolean Programs with Unbounded Thread Creation

An exploration of verifying programs with concurrent Boolean models involving unbounded thread creation, discussing the application of over-approximation to check reachability properties using symbolic representations.

delorismurray
Download Presentation

Over-Approximating Boolean Programs with Unbounded Thread Creation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Over-Approximating Boolean Programswith Unbounded Thread Creation Natasha Sharygina Byron Cook, Daniel Kroening

  2. Introduction • Counterexample guided abstraction refinement (CECAR) is a successful method to verify programs Initial Abstraction Verification No erroror bug found C Programwith threads Concurrent BooleanProgram ModelChecker Property holds Simulation successful Refinement Simulator Bug found

  3. Boolean Programs • Expressions • Usual Boolean operators • Non-deterministic choice • Control Flow • if then else • goto • Functions • Assignments • Simultaneous assignments to multiple variables • Constrained assignments • assert

  4. Boolean Programs with Threads • Created by version of SLAM for concurrent programs called SLING (G. Weissenbacher) • Threads are marked by special labels • Dynamic creation of threads • Arbitrary interleavings of the threads

  5. Boolean Programs: Example decl g0; void t1() begin end void t2() begin assert(g0); end void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; end Thread Creation

  6. Boolean Programs: Example decl g0; void t1() begin end void t2() begin assert(g0); end void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; end STATE g0 F

  7. Boolean Programs: Example decl g0; void t1() begin end void t2() begin assert(g0); end void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; end STATE g0 T

  8. Boolean Programs: Example decl g0; void t1() begin end void t2() begin assert(g0); end void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; end STATE g0 F

  9. Boolean Programs: Example decl g0; void t1() begin end void t2() begin assert(g0); end void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; end STATE g0 F Alternative Schedule

  10. Boolean Programs: Example decl g0; void t1() begin end void t2() begin assert(g0); end void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; end STATE g0 T Alternative Schedule

  11. Boolean Programs: Example decl g0; void t1() begin end void t2() begin assert(g0); end void main() begin g0:=T; ASYNC_1: t1(); ASYNC_2: t2(); g0:=F; end STATE g0 F  Alternative Schedule

  12. Available Model Checkers • With translator: • NuSMV • SPIN • Zing BOPPO – partial order reduction + QBF [Spin 2005] Fixed number of threads

  13. Unbounded Thread Creation • Actual number of threads always finite • May be very large • Actual number usually lost duringpredicate abstraction • Must check abstract program withunbounded number of threads • Checking the abstract model is now undecidable! • Must give up • Soundness or • Completeness

  14. Our Approach • Other tools (SPIN, ZING) won’t terminate • Not a good fit for the CEGAR loop • Our approach: Over-approximating reachability in Boolean programs with unbounded thread creation

  15. Our Approach Initial Abstraction Verification No erroror bug found CProgramwith threads Concurrent BooleanProgram ModelChecker Property holds Simulation successful Refinement Simulator Bug found • Guarantees termination • If no bug is found, the loop terminates • Otherwise, provide a “helpful trace”to CEGAR loop to make progress

  16. Thread States • Explicit State, :Triple (n, pc, ) with • n   - number of threads • pc : {1,…,n}  L – vector of program locations •  : ({1,…,n}  Vl)  Vg  B – valuation of program variables • Thread State, :Tuple (PC, ) with • PC  L •  : V B Let S denote the set of explicit states and denote a set of thread states

  17. Execution Semantics A scheduler picks a thread to execute an instruction The transition relation of a thread is defined by a case-split on the instruction (i.e., goto, assume, start_thread, lock, unlock, etc.) Current thread state Next thread state

  18. Execution Semantics The set of all reachable states is The property to check: reachability of states with particular locations

  19. Thread Projection Projection from a state to the value of the pc of thread t • Thread Projection Function Maps an explicit state of the full state space to the state visible to a thread t  {1,…,.n} Projection from a state to the values of the program variables of thread t

  20. Thread-Visible States  1 2 3 4 5 *()

  21. Thread-Visible States • The set of thread-visible states reachable in i transitions is • We compute an over-approximation of • This is sufficient to prove reachability properties that are expressed in terms of thread visible states • Example: assertions

  22. Over-Approximating Relation

  23. Over-Approximating Relation 1 2 ‘ ‘

  24. Over-Approximation

  25. Approximation Algorithm

  26. Making it Symbolic Mapping from a set of variables into a set of formulae

  27. Making it Symbolic Represents the guard of the state symbolically

  28. Symbolic States • Guard and values of variables are stored as Boolean formulae with sharing • No blowup – linear space in number oftransitions • Assertions are checked symbolically by checking satisfiability of SAT instances

  29. Fixpoint Detection with QBF • Did we get a new thread state? • Fixpoint Detection easy for explicit state (hash-table) • Symbolic case:a set of explicit thread states is represented by a symbolic thread state • Give that to QBF solver (e.g., Quantor)

  30. Refinement • Imprecision caused by over-approximating relation might lead to traces that are spurious within the abstract model • Can be ruled out by adding more predicates (i.e., classical refinement)

  31. Recursion • Reachability alreadyundecidable with only two threads • Our algorithm can be extended to handlerecursion • Idea: replace recursive callsby thread creation

  32. Experimental Results • Ran on • many sequential programsgenerated by SLAM • a few concurrent programsgenerated by SLING • Using • MiniSAT for assertions • Quantor for fixpoint detection

  33. Experimental Results

  34. Tool for Experimentation • BOPPO with support for unbounded thread creation is available for download http://www.verify.ethz.ch/boppo/

  35. Related Work • Zing: restricted form of recursion and unbounded thread creation • Qadeer and Rehof, TACAS05: unsounded approach for bounding the number of context switches • Flanagan and Qadeer, SPIN03: loosely coupled multhreaded programs: thread states in order of programs with little interaction.

  36. Questions?

  37. Modeling Recursion • For function f(p1,…,pk)| p1,…pkVl are the parameters of the function • p1,…,pk := e1,…ek • A new global variable is introduced for synchronization of the function return • Function call is replaced by start_thread ,  - the first program location of f • After the function call, is inserted and set to false • When f returns, it sets  to true. The return values are passed by means of global variables

  38. Over-approximating recursive calls Over-approximation of a recursive call f(e1,e2) with thread creation

  39. Partial Order Reduction with SAT • Implemented in GETSUCCESSORS • Computes subset of threads that are considered for symbolic execution in a particular state • Commonly used in explicit state model checkers, BOPPO does it symbolically

More Related