Scalable Program Verification by Lazy Abstraction
|
|
- Teresa Mitchell
- 5 years ago
- Views:
Transcription
1 Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley ars, July, 997 Lost contact due to real-time priority inversion bug ars, December, 999 Crashed due to uninitialized variable
2 French Guyana, June, 996 $600 million software failure Something Uptime: 67 Reliable years
3 Why don t Bridges Crash? Abstraction Building Blocks. Relevant facts* 2. odel. Analysis * w.r.t. property of interest Bridges echanics ass, Tensile Strength Free Body Diagram Solve Equations Programs Logic??? Contributions CProgram Property Search [POPL 02] BLAST Refine [POPL 0] Yes No Safe Trace
4 Property : Double Locking lock unlock unlock lock An attempt to re-acquire an acquired lock or release a released lock will cause a deadlock. Calls to lock and unlock must alternate. Property 2: Drop Root Privilege [Chen-Dean-Wagner 02] User applications must not run with root privilege When execv is called, must have suid 0
5 Property : IRP Handler IRP accessible PR start NP synch not pending returned CallDriver PR2 PR NP PR completion Skip prop completion no prop completion SKIP CallDriver SKIP2 PPC N/A CallDriver CallDriver Complete request CallDriver IPC DC N/A synch return child status return not Pend PR CallDriver start P synch PR PR2not pending returned NP PR completion ark Pending Skip prop completion no prop completion CallDriver SKIP SKIP2 PPC N/A CallDriver CallDriver Complete request IPC CallDriver DC return Pending [Fahndrich] Property : Data Races x:= x+ x x:= x-5 A data race on x is a state where:. Two threads can access x 2. One of the accesses is a write There should be no races on shared variables
6 Contributions Program Property BLAST Yes No Safe Trace Sequential Programs Counterex.-Guided Abstraction-Refinement For large programs, complex properties New Algorithms: Abstraction [POPL 02],Refinement [POPL 0] Property : Double Locking (Linux/Windows Drivers) Property 2: Drop Root Privilege (Linux Daemons ~59kloc) Precise: No false Errors Property : IRP Handler (NT Drivers ~0Kloc) Large Programs Contributions Program Property BLAST Yes No Safe Trace ultithreaded Programs New models for thread interactions New algorithms to compute models and Verify multithreaded programs [CAV 0] [PLDI 0] Property : Data Races Linux/Windows Drivers Sensor Network Apps. (TinyOS/NesC) ~0kloc Arbitrarily many threads Any synchronization mechanisms Real counterexamples, Safety Proofs
7 Plan. C.G. Abstraction-Refinement 2. Lazy Abstraction Sequential Programs ultithreaded Programs. Future Work Example un : while(new!= old); return; unlock lock unlock lock
8 What a program really is State Transition pc lock old new q a a a 5 a 5 a 0xa : un new++; : un : while(new!= old); return; pc a lock a old a 5 new a 6 q a 0xa The Safety Verification Problem Error Safe Initial Is there a path from an initial to an error state? Problem: Infinite state graph Solution : Set of states ' logical formula
9 Idea : Predicate Abstraction Predicates on program state: lock old = new States satisfying same predicates are equivalent erged into one abstract state #abstract states is finite [Graf-Saidi 97] Abstract States and Transitions State pc lock old new q a a a 5 a 5 a 0xa : un new++; : pc a lock a old a 5 new a 6 q a 0xa Theorem Prover lock old=new : lock : old=new
10 Abstraction State pc lock old new q a a a 5 a 5 a 0xa : un new++; : pc a lock a old a 5 new a 6 q a 0xa Theorem Prover Existential Lifting lock old=new : lock : old=new Abstraction State pc lock old new q a a a 5 a 5 a 0xa : un new++; : pc a lock a old a 5 new a 6 q a 0xa lock old=new : lock : old=new
11 Analyze Abstraction Analyze finite graph Over Approximate: Safe ) System Safe No false negatives Problem Spurious counterexamples Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction! [Kurshan et al 9] [Clarke et al 00] [Ball-Rajamani 0]
12 Idea 2: Counterex.-Guided Refinement Solution Use spurious counterexamples to refine abstraction. Add predicates to distinguish states across cut 2. Imprecision Build refined due abstraction to merge [Kurshan et al 9] [Clarke et al 00] [Ball-Rajamani 0] Iterative Abstraction-Refinement Solution Use spurious counterexamples to refine abstraction [Kurshan et al 9] [Clarke et al 00] [Ball-Rajamani 0]. Add predicates to distinguish states across cut 2. Build refined abstraction -eliminates counterexample. Repeat search Till real counterexample or system proved safe
13 Plan. C.G. Abstraction-Refinement 2. Lazy Abstraction Sequential Programs [POPL 02] [POPL0] ultithreaded Programs. Future Work Scaling Sequential Verification CProgram Property Abstract [POPL 02] BLAST Refine [POPL 0] Yes No Safe Trace
14 Problem: Abstraction is Expensive Reachable Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Observe Fraction of state space reachable #Preds ~ 00 s, #States ~ 2 00, #Reach ~ 000 s Solution: Only Abstract Reachable States Safe Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution Build abstraction during search
15 Solution2: Don t Refine Error-Free Regions Error Free Problem #abstract states = 2 #predicates Exponential Thm. Prover queries Solution Don t refine error-free regions Key Idea: Reachability Tree Initial 2 Unroll Abstraction. Pick tree-node (=abs. state) 2. Add children (=abs. successors). On re-visiting abs. state, cut-off 5 Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds.
16 Key Idea: Reachability Tree Initial 2 Unroll Abstraction. Pick tree-node (=abs. state) 2. Add children (=abs. successors). On re-visiting abs. state, cut-off Find min infeasible suffix - Learn new predicates - Rebuild subtree with new preds. Error Free Key Idea: Reachability Tree Initial 2 Unroll. Pick tree-node (=abs. state) 2. Add children (=abs. successors). On re-visiting abs. state, cut-off Find min spurious suffix - Learn new predicates - Rebuild subtree with new preds. Error Free SAFE S: Only Abstract Reachable States S2: Don t refine error-free regions
17 Build-and-Search un :while(new!= old); Predicates Reachability Tree Build-and-Search un :while(new!= old); lock() old = new q=q->next 2 LOCK 2 Predicates Reachability Tree
18 Build-and-Search un :while(new!= old); [q!=null] 2 LOCK LOCK 2 Predicates Reachability Tree Build-and-Search un :while(new!= old); q->data = new unlock() new++ 2 LOCK LOCK 2 Predicates Reachability Tree
19 Build-and-Search un :while(new!= old); 2 LOCK LOCK 5 [new==old] 5 2 Predicates Reachability Tree Build-and-Search un :while(new!= old); 2 LOCK LOCK 5 2 Predicates 5 unlock() Reachability Tree
20 Analyze Counterexample un :while(new!= old); 2 LOCK LOCK lock() old = new q=q->next [q!=null] q->data = new unlock() new++ [new==old] 5 5 unlock() 2 Predicates Reachability Tree Analyze Counterexample un :while(new!= old); 2 5 Predicates 5 2 LOCK LOCK old = new new++ [new==old] Inconsistent new == old Reachability Tree
21 Repeat Build-and-Search un :while(new!= old); Predicates, new==old Reachability Tree Repeat Build-and-Search un :while(new!= old); LOCK, new==old 2 lock() old = new q=q->next 2 Predicates, new==old Reachability Tree
22 Repeat Build-and-Search un :while(new!= old); LOCK, new==old 2 LOCK, new==old, : new = old q->data = new unlock() new++ 2 Predicates, new==old Reachability Tree Repeat Build-and-Search un :while(new!= old); LOCK, new==old 2 LOCK, new==old, : new = old [new==old] 2 Predicates, new==old Reachability Tree
23 Repeat Build-and-Search un :while(new!= old); LOCK, new==old 2 LOCK, new==old, : new = old [new!=old] 2 Predicates, new==old, : new == old Reachability Tree Repeat Build-and-Search un :while(new!= old); LOCK, new==old LOCK, new==old 2 SAFE, : new = old LOCK, new=old 5 2 Predicates, new==old, : new == old 5, new==old Reachability Tree
24 Scaling Sequential Verification CProgram Abstract [POPL 02] Yes Safe Property Refine No Trace Problem: Abstraction is Expensive Solution:. Abstract reachable states, 2. Avoid refining error-free regions Key Idea: Reachability Tree Property: Results IRP Handler Win NT DDK Program Lines* Previous Time(mins) Time (mins) Predicates Total Average kbfiltr 2k floppy 7k diskprf k cdaudio 8k parport 6k DNF parclss 8k DNF * Pre-processed
25 Analyzing Programs Abstraction Building Blocks. Relevant facts* 2. odel. Analysis Programs Logic Predicates Reach Tree Search * w.r.t. property of interest Plan. C.G. Abstraction-Refinement 2. Lazy Abstraction Sequential Programs [POPL 02, POPL 0] ultithreaded Programs. Future Work
26 ultithreaded Programs Thread x Thread Shared emory Curse of Interleaving Non-deterministic scheduling Exponentially many behaviors Errors are hard to detect, reproduce, eliminate Testing exercises a tiny fraction of possible behaviours Data Races x:= x+ x x:= x-5 A data race on x is a state where: Two threads can access x One of the accesses is a write Unpredictable, undesirable program
27 Brute Force Approach odel Checking: Explore (abstract) State Space The curse of Interleavings #Control Combinations = m.n 250,000 if 500 lines/thread, ignoring predicates,,5,,k threads? Unbounded threads? A Thread-odular Approach Key Idea: Summarize each thread Interactions with others w.r.t. property while(){ atomic{ old := s; if(s==0){ s :=; if(old==0){ x++; s :=0; s,x s=0 s 0 s= [PLDI 0] s Automaton on predicates on global variables
28 A Thread-odular Approach Analysis Time» Thread Summary Problem: Find Summary which:. [Scalability] is small 2. [Verification] has all behaviors of thread Verify (Thread Other s Summary) safe safe Control Combinations: Thread Summary Small (if summary is small)
29 Check that Summaries are Valid µ µ safe safe Thread-odular Verification µ µ safe safe Assume-Guarantee [Owicki-Gries 7] [Jones 8] [Stark 85] [Abadi-Lamport 9] [Alur-Henzinger 96] [cillan 97] [Flanagan-Qadeer 0] safe Q: Finding Summaries?
30 Data Races in NesC Programs [PLDI 0] PL for Networked Embedded Systems [Gay et al. 0] TinyOS Sensor Networks Applications Interrupts fire events, which fire other events or post tasks which run asynchronously Race-freedom important Non-trivial synchronization idioms Flow-based analysis Compiled to C Case Study: sense.nc [PLDI 0] atomic{ old:= state; if(state==0){ state:=; if(old==0){ x++; Interrupt fires old := state if (state ==0){ state := If (old == 0){ about to write x Interrupt 2 fires state := 0 Interrupt handler disables interrupt 2 BLAST finds information - proves no races Interrupt fires old := state if (state ==0){ state := If (old == 0){ about to write x
31 Analyzing Programs Abstraction Building Blocks. Relevant facts* 2. odel. Analysis Programs Logic Predicates Reach Tree Search ultithreaded Predicates Summary Thread-odular * w.r.t. property of interest
Having a BLAST with SLAM
Having a BLAST with SLAM Meeting, CSCI 555, Fall 20 Announcements Homework 0 due Sat Questions? Move Tue office hours to -5pm 2 Software Model Checking via Counterexample Guided Abstraction Refinement
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program
More informationSoftware Model Checking with Abstraction Refinement
Software Model Checking with Abstraction Refinement Computer Science and Artificial Intelligence Laboratory MIT Armando Solar-Lezama With slides from Thomas Henzinger, Ranjit Jhala and Rupak Majumdar.
More informationHaving a BLAST with SLAM
Having a BLAST with SLAM # #2 Topic: Software Model Checking via Counter-Example Guided Abstraction Refinement There are easily two dozen SLAM/BLAST/MAGIC papers; I will skim. #3 SLAM Overview INPUT: Program
More informationHaving a BLAST with SLAM
Announcements Having a BLAST with SLAM Meetings -, CSCI 7, Fall 00 Moodle problems? Blog problems? Looked at the syllabus on the website? in program analysis Microsoft uses and distributes the Static Driver
More informationCS 510/13. Predicate Abstraction
CS 50/3 Predicate Abstraction Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationTopic: Software Model Checking via Counter-Example Guided Abstraction Refinement. Having a BLAST with SLAM. Combining Strengths. SLAM Overview SLAM
Hving BLAST with SLAM Topic: Softwre Model Checking vi Counter-Exmple Guided Abstrction Refinement There re esily two dozen SLAM/BLAST/MAGIC ppers; I will skim. # # Theorem Proving Combining Strengths
More informationDouble Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST
Model Checking #1 Double Header Two Lectures Model Checking Software Model Checking SLAM and BLAST Flying Boxes It is traditional to describe this stuff (especially SLAM and BLAST) with high-gloss animation
More informationCounterexample Guided Abstraction Refinement in Blast
Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich 1 How would you analyze this? * means something
More informationF-Soft: Software Verification Platform
F-Soft: Software Verification Platform F. Ivančić, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar NEC Laboratories America, 4 Independence Way, Suite 200, Princeton, NJ 08540 fsoft@nec-labs.com
More informationPredicate Abstraction Daniel Kroening 1
Predicate Abstraction 20.1.2005 Daniel Kroening 1 Motivation Software has too many state variables State Space Explosion Graf/Saïdi 97: Predicate Abstraction Idea: Only keep track of predicates on data
More informationSynchronizing the Asynchronous
Synchronizing the Asynchronous Bernhard Kragl IST Austria Shaz Qadeer Microsoft Thomas A. Henzinger IST Austria Concurrency is Ubiquitous Asynchronous Concurrency is Ubiquitous Asynchronous programs are
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Schedule of Lectures Jan 17/19: Interprocedural DFA
More informationUfo: A Framework for Abstraction- and Interpolation-Based Software Verification
Ufo: A Framework for Abstraction- and Interpolation-Based Software Verification Aws Albarghouthi 1, Yi Li 1, Arie Gurfinkel 2, and Marsha Chechik 1 1 Department of Computer Science, University of Toronto,
More informationAn Eclipse Plug-in for Model Checking
An Eclipse Plug-in for Model Checking Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala Electrical Engineering and Computer Sciences University of California, Berkeley, USA Rupak Majumdar Computer Science
More informationSelf Stabilization. CS553 Distributed Algorithms Prof. Ajay Kshemkalyani. by Islam Ismailov & Mohamed M. Ali
Self Stabilization CS553 Distributed Algorithms Prof. Ajay Kshemkalyani by Islam Ismailov & Mohamed M. Ali Introduction There is a possibility for a distributed system to go into an illegitimate state,
More informationLazy Abstraction with Interpolants
Lazy Abstraction with Interpolants Kenneth L. McMillan Cadence Berkeley Labs Abstract. We describe a model checker for infinite-state sequential programs, based on Craig interpolation and the lazy abstraction
More informationUsing Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction
Using Counterexample Analysis to Minimize the Number of Predicates for Predicate Abstraction Thanyapat Sakunkonchak, Satoshi Komatsu, and Masahiro Fujita VLSI Design and Education Center, The University
More informationStatic Analysis of Embedded C
Static Analysis of Embedded C John Regehr University of Utah Joint work with Nathan Cooprider Motivating Platform: TinyOS Embedded software for wireless sensor network nodes Has lots of SW components for
More informationProgram verification. Generalities about software Verification Model Checking. September 20, 2016
Program verification Generalities about software Verification Model Checking Laure Gonnord David Monniaux September 20, 2016 1 / 43 The teaching staff Laure Gonnord, associate professor, LIP laboratory,
More informationPredicate Refinement Heuristics in Program Verification with CEGAR
Predicate Refinement Heuristics in Program Verification with CEGAR Tachio Terauchi (JAIST) Part of this is joint work with Hiroshi Unno (U. Tsukuba) 1 Predicate Abstraction with CEGAR Iteratively generate
More informationIntroduction. Preliminaries. Original IC3. Tree-IC3. IC3 on Control Flow Automata. Conclusion
.. Introduction Preliminaries Original IC3 Tree-IC3 IC3 on Control Flow Automata Conclusion 2 of 22 Lifting IC3 to Control Flow Automata Tim Lange tim.lange@cs.rwth-aachen.de Introduction Preliminaries
More informationVerifiable Hierarchical Protocols with Network Invariants on Parametric Systems
Verifiable Hierarchical Protocols with Network Invariants on Parametric Systems Opeoluwa Matthews, Jesse Bingham, Daniel Sorin http://people.duke.edu/~om26/ FMCAD 2016 - Mountain View, CA Problem Statement
More informationTRACER: A Symbolic Execution Tool for Verification
TRACER: A Symbolic Execution Tool for Verification Joxan Jaffar, Vijayaraghavan Murali, Jorge A. Navas, and Andrew E. Santosa 3 National University of Singapore The University of Melbourne 3 University
More informationVerifying Concurrent Programs
Verifying Concurrent Programs Daniel Kroening 8 May 1 June 01 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs
More informationProof Pearl: The Termination Analysis of Terminator
Proof Pearl: The Termination Analysis of Terminator Joe Hurd Computing Laboratory Oxford University joe.hurd@comlab.ox.ac.uk Abstract. Terminator is a static analysis tool developed by Microsoft Research
More informationPredicate Abstraction of ANSI C Programs using SAT Λ
Predicate Abstraction of ANSI C Programs using SAT Λ Edmund Clarke and Daniel Kroening and Natalia Sharygina and Karen Yorav School of Computer Science Carnegie Mellon University, Pittsburgh, PA, USA Software
More informationVerifying Multithreaded Software with Impact
Verifying Multithreaded Software with Impact Björn Wachter, Daniel Kroening and Joël Ouaknine University of Oxford Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers,
More informationAbstraction Refinement for Quantified Array Assertions
Abstraction Refinement for Quantified Array Assertions Mohamed Nassim Seghir 1,, Andreas Podelski 1, and Thomas Wies 1,2 1 University of Freiburg, Germany 2 EPFL, Switzerland Abstract. We present an abstraction
More informationSubsumer-First: Steering Symbolic Reachability Analysis
Subsumer-First: Steering Symbolic Reachability Analysis Andrey Rybalchenko 1 and Rishabh Singh 2 1 Max Planck Institute for Software Systems (MPI-SWS) 2 Massachusetts Institue of Technology (MIT) Abstract.
More informationCMSC421: Principles of Operating Systems
CMSC421: Principles of Operating Systems Nilanjan Banerjee Assistant Professor, University of Maryland Baltimore County nilanb@umbc.edu http://www.csee.umbc.edu/~nilanb/teaching/421/ Principles of Operating
More informationINF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen
INF672 Protocol Safety and Verication Karthik Bhargavan Xavier Rival Thomas Clausen 1 Course Outline Lecture 1 [Today, Sep 15] Introduction, Motivating Examples Lectures 2-4 [Sep 22,29, Oct 6] Network
More informationCalFuzzer: An Extensible Active Testing Framework for Concurrent Programs Pallavi Joshi 1, Mayur Naik 2, Chang-Seo Park 1, and Koushik Sen 1
CalFuzzer: An Extensible Active Testing Framework for Concurrent Programs Pallavi Joshi 1, Mayur Naik 2, Chang-Seo Park 1, and Koushik Sen 1 1 University of California, Berkeley, USA {pallavi,parkcs,ksen}@eecs.berkeley.edu
More informationOn Reasoning about Finite Sets in Software Checking
On Reasoning about Finite Sets in Software Model Checking Pavel Shved Institute for System Programming, RAS SYRCoSE 2 June 2010 Static Program Verification Static Verification checking programs against
More informationSoftware Model Checking. From Programs to Kripke Structures
Software Model Checking (in (in C or or Java) Java) Model Model Extraction 1: int x = 2; int y = 2; 2: while (y
More informationStatic Analysis of Embedded C Code
Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider Relevant features of C code for MCUs Interrupt-driven concurrency Direct hardware access Whole program
More informationDistributed Systems Programming (F21DS1) Formal Verification
Distributed Systems Programming (F21DS1) Formal Verification Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Focus on
More informationOver-Approximating Boolean Programs with Unbounded Thread Creation
Over-Approximating Boolean Programs with Unbounded Thread Creation Byron Cook Microsoft Research Cambridge Email: bycook@microsoft.com Daniel Kroening Computer Systems Institute ETH Zurich Email: daniel.kroening@inf.ethz.ch
More informationCounter-Example Guided Program Verification
Counter-Example Guided Program Verification Parosh Aziz Abdulla, Mohamed Faouzi Atig, and Bui Phi Diep Uppsala University, Sweden {parosh,mohamed faouzi.atig,bui.phi-diep}@it.uu.se Abstract. This paper
More informationCHESS: Analysis and Testing of Concurrent Programs
CHESS: Analysis and Testing of Concurrent Programs Sebastian Burckhardt, Madan Musuvathi, Shaz Qadeer Microsoft Research Joint work with Tom Ball, Peli de Halleux, and interns Gerard Basler (ETH Zurich),
More informationVerifying Parallel Programs
Verifying Parallel Programs Stephen F. Siegel The Verified Software Laboratory Department of Computer and Information Sciences University of Delaware, Newark, USA http://www.cis.udel.edu/~siegel SIG-NEWGRAD
More informationDesigning Memory Consistency Models for. Shared-Memory Multiprocessors. Sarita V. Adve
Designing Memory Consistency Models for Shared-Memory Multiprocessors Sarita V. Adve Computer Sciences Department University of Wisconsin-Madison The Big Picture Assumptions Parallel processing important
More informationModel Checking: Back and Forth Between Hardware and Software
Model Checking: Back and Forth Between Hardware and Software Edmund Clarke 1, Anubhav Gupta 1, Himanshu Jain 1, and Helmut Veith 2 1 School of Computer Science, Carnegie Mellon University {emc, anubhav,
More informationInterpolation-based Software Verification with Wolverine
Interpolation-based Software Verification with Wolverine Daniel Kroening 1 and Georg Weissenbacher 2 1 Computer Science Department, Oxford University 2 Department of Electrical Engineering, Princeton University
More informationAreas related to SW verif. Trends in Software Validation. Your Expertise. Research Trends High level. Research Trends - Ex 2. Research Trends Ex 1
Areas related to SW verif. Trends in Software Validation Abhik Roychoudhury CS 6214 Formal Methods Model based techniques Proof construction techniques Program Analysis Static Analysis Abstract Interpretation
More information20b -Advanced-DFA. J. L. Peterson, "Petri Nets," Computing Surveys, 9 (3), September 1977, pp
State Propagation Reading assignment J. L. Peterson, "Petri Nets," Computing Surveys, 9 (3), September 1977, pp. 223-252. Sections 1-4 For reference only M. Pezzè, R. N. Taylor and M. Young, Graph Models
More informationC++ Memory Model. Don t believe everything you read (from shared memory)
C++ Memory Model Don t believe everything you read (from shared memory) The Plan Why multithreading is hard Warm-up example Sequential Consistency Races and fences The happens-before relation The DRF guarantee
More informationPage # 20b -Advanced-DFA. Reading assignment. State Propagation. GEN and KILL sets. Data Flow Analysis
b -Advanced-DFA Reading assignment J. L. Peterson, "Petri Nets," Computing Surveys, 9 (3), September 977, pp. 3-5. Sections -4 State Propagation For reference only M. Pezzè, R. N. Taylor and M. Young,
More informationModel-Driven Verifying Compilation of Synchronous Distributed Applications
Model-Driven Verifying Compilation of Synchronous Distributed Applications Sagar Chaki, James Edmondson October 1, 2014 MODELS 14, Valencia, Spain Copyright 2014 Carnegie Mellon University This material
More informationOutline. Petri nets. Introduction Examples Properties Analysis techniques. 1 EE249Fall04
Outline Petri nets Introduction Examples Properties Analysis techniques 1 Petri Nets (PNs) Model introduced by C.A. Petri in 1962 Ph.D. Thesis: Communication with Automata Applications: distributed computing,
More informationPush-button verification of Files Systems via Crash Refinement
Push-button verification of Files Systems via Crash Refinement Verification Primer Behavioral Specification and implementation are both programs Equivalence check proves the functional correctness Hoare
More informationNOW Handout Page 1. Memory Consistency Model. Background for Debate on Memory Consistency Models. Multiprogrammed Uniprocessor Mem.
Memory Consistency Model Background for Debate on Memory Consistency Models CS 258, Spring 99 David E. Culler Computer Science Division U.C. Berkeley for a SAS specifies constraints on the order in which
More informationFinding Concurrency Bugs in Java
July 25, 2004 Background Our Work Recommendations Background Our Work Programmers are Not Scared Enough Java makes threaded programming too easy Language often hides consequences of incorrect synchronization
More information4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271
Mel Checking LTL Property System Mel Mel Checking CS 4271 Mel Checking OR Abhik Roychoudhury http://www.comp.nus.edu.sg/~abhik Yes No, with Counter-example trace 2 Recap: Mel Checking for mel-based testing
More informationLast Time. Think carefully about whether you use a heap Look carefully for stack overflow Especially when you have multiple threads
Last Time Cost of nearly full resources RAM is limited Think carefully about whether you use a heap Look carefully for stack overflow Especially when you have multiple threads Embedded C Extensions for
More informationThe ComFoRT Reasoning Framework
Pittsburgh, PA 15213-3890 The ComFoRT Reasoning Framework Sagar Chaki James Ivers Natasha Sharygina Kurt Wallnau Predictable Assembly from Certifiable Components Enable the development of software systems
More informationModel Checking with Automata An Overview
Model Checking with Automata An Overview Vanessa D Carson Control and Dynamical Systems, Caltech Doyle Group Presentation, 05/02/2008 VC 1 Contents Motivation Overview Software Verification Techniques
More informationUsing Model Checking with Symbolic Execution to Verify Parallel Numerical Programs
Using Model Checking with Symbolic Execution to Verify Parallel Numerical Programs Stephen F. Siegel 1 Anastasia Mironova 2 George S. Avrunin 1 Lori A. Clarke 1 1 University of Massachusetts Amherst 2
More informationResearch Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001
Research Collection Other Conference Item Formal background and algorithms Author(s): Biere, Armin Publication Date: 2001 Permanent Link: https://doi.org/10.3929/ethz-a-004239730 Rights / License: In Copyright
More informationNo model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine
No model may be available Programmer Software Abstractions Tests Coverage Code Abhik Roychoudhury CS 5219 National University of Singapore Testing Debug Today s lecture Abstract model (Boolean pgm.) Desirable
More informationVerifying Data Structure Invariants in Device Drivers
Verifying Data Structure Invariants in Device Drivers Scott McPeak (smcpeak@cs) George Necula (necula@cs) Chess Review May 10, 2004 Berkeley, CA Motivation Want to verify programs that use pointers Need
More informationModel Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).
Sérgio Campos scampos@dcc.ufmg.br Why? Imagine the implementation of a complex hardware or software system: A 100K gate ASIC perhaps 100 concurrent modules; A flight control system dozens of concurrent
More informationCOMP 763. Eugene Syriani. Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science. McGill University
Eugene Syriani Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science McGill University 1 OVERVIEW In the context In Theory: Timed Automata The language: Definitions and Semantics
More informationLinked Lists: The Role of Locking. Erez Petrank Technion
Linked Lists: The Role of Locking Erez Petrank Technion Why Data Structures? Concurrent Data Structures are building blocks Used as libraries Construction principles apply broadly This Lecture Designing
More informationPANDA: Simultaneous Predicate Abstraction and Concrete Execution
PANDA: Simultaneous Predicate Abstraction and Concrete Execution Jakub Daniel and Pavel Parízek Charles University in Prague, Faculty of Mathematics and Physics, Department of Distributed and Dependable
More informationModel Checking Transactional Memories
Model Checking Transactional Memories Abstract Rachid Guerraoui Thomas A. Henzinger Barbara Jobstmann Vasu Singh Model checking software transactional memories (STMs) is difficult because of the unbounded
More informationPROVING THINGS ABOUT PROGRAMS
PROVING THINGS ABOUT CONCURRENT PROGRAMS Lecture 23 CS2110 Fall 2010 Overview 2 Last time we looked at techniques for proving things about recursive algorithms We saw that in general, recursion matches
More informationUnbounded Symbolic Execution for Program Verification
Unbounded Symbolic Execution for Program Verification JOXAN JAFFAR 1, JORGE A. NAVAS 1, AND ANDREW E. SANTOSA 2 1 National University of Singapore 2 University of Sydney, Australia {joxan,navas}@comp.nus.edu.sg,
More information6. Hoare Logic and Weakest Preconditions
6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program
More informationAN ABSTRACTION TECHNIQUE FOR REAL-TIME VERIFICATION
AN ABSTRACTION TECHNIQUE FOR REAL-TIME VERIFICATION Edmund M. Clarke, Flavio Lerda, Muralidhar Talupur Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213 {flerda,tmurali,emc}@cs.cmu.edu
More informationA Verifier for Temporal Properties
A Verifier for Temporal Properties David Mandelin May 3, 2002 1 Background Before distributing a program, programmers would like to know for certain that it does what it is intended to do. The only way
More informationPetri Nets ee249 Fall 2000
Petri Nets ee249 Fall 2000 Marco Sgroi Most slides borrowed from Luciano Lavagno s lecture ee249 (1998) 1 Models Of Computation for reactive systems Main MOCs: Communicating Finite State Machines Dataflow
More information[module 2.2] MODELING CONCURRENT PROGRAM EXECUTION
v1.0 20130407 Programmazione Avanzata e Paradigmi Ingegneria e Scienze Informatiche - UNIBO a.a 2013/2014 Lecturer: Alessandro Ricci [module 2.2] MODELING CONCURRENT PROGRAM EXECUTION 1 SUMMARY Making
More informationTowards a Software Model Checker for ML. Naoki Kobayashi Tohoku University
Towards a Software Model Checker for ML Naoki Kobayashi Tohoku University Joint work with: Ryosuke Sato and Hiroshi Unno (Tohoku University) in collaboration with Luke Ong (Oxford), Naoshi Tabuchi and
More informationPermissive Interfaces
Permissive Interfaces Thomas A. Henzinger Ranjit Jhala Rupak Majumdar EPFL, Switzerland UC Berkeley UC Los Angeles Abstract A modular program analysis considers components independently and provides succinct
More informationPredicate Abstraction and CEGAR for Higher Order Model Checking
Predicate Abstraction and CEGAR for Higher Order Model Checking Naoki Kobayashi, Ryosuke Sato, and Hiroshi Unno Tohoku University (Presented at PLDI2011) 1 Our Goal Software model checker for functional
More informationEECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization
EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Dataflow Lecture: SDF, Kahn Process Networks Stavros Tripakis University of California, Berkeley Stavros Tripakis: EECS
More informationMore on Verification and Model Checking
More on Verification and Model Checking Wednesday Oct 07, 2015 Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se 1/60 Course fair! 2/60 Exam st October 21, 8:00 13:00 If you want to participate,
More informationEQUIVALENCE CHECKING IN C-BASED SYSTEM-LEVEL DESIGN BY SEQUENTIALIZING CONCURRENT BEHAVIORS
EQUIVALENCE CHECKING IN C-BASED SYSTEM-LEVEL DESIGN BY SEQUENTIALIZING CONCURRENT BEHAVIORS Thanyapat Sakunkonchak 1, Takeshi Matsumoto 2, Hiroshi Saito 3, Satoshi Komatsu 1, Masahiro Fujita 1 1 VLSI Design
More information1. Introduction to Concurrent Programming
1. Introduction to Concurrent Programming A concurrent program contains two or more threads that execute concurrently and work together to perform some task. When a program is executed, the operating system
More informationPower Analysis of Interrupt-Driven and Multi-Threaded Programs
Power Analysis of Interrupt-Driven and Multi-Threaded Programs Fang Yu Department of Computer Science University of California, Los Angeles September 5, 2006 1 Abstract We aim to combine software verification
More informationThe Embedded Machine
The Embedded Machine Predictable, Portable Real-Time Code PLDI 2002 Thomas A. Henzinger, Christoph M. Kirsch UC Berkeley www.eecs.berkeley.edu/~cm It s Tricky Mars, July 4, 1997 Lost contact due to embedded
More informationMore BSOD Embarrassments. Moore s Law. Programming With Threads. Moore s Law is Over. Analysis of Concurrent Software. Types for Race Freedom
Moore s Law Analysis of Concurrent Software Types for Race Freedom Transistors per chip doubles every 18 months Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research
More informationAbstract Interpretation
Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis
More informationLecture 9: Reachability
Lecture 9: Reachability Outline of Lecture Reachability General Transition Systems Algorithms for Reachability Safety through Reachability Backward Reachability Algorithm Given hybrid automaton H : set
More informationComputer Lab 1: Model Checking and Logic Synthesis using Spin (lab)
Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab) Richard M. Murray Nok Wongpiromsarn Ufuk Topcu Calornia Institute of Technology AFRL, 25 April 2012 Outline Spin model checker: modeling
More informationBoolean Functions (Formulas) and Propositional Logic
EECS 219C: Computer-Aided Verification Boolean Satisfiability Solving Part I: Basics Sanjit A. Seshia EECS, UC Berkeley Boolean Functions (Formulas) and Propositional Logic Variables: x 1, x 2, x 3,, x
More informationA Serializability Violation Detector for Shared-Memory Server Programs
A Serializability Violation Detector for Shared-Memory Server Programs Min Xu Rastislav Bodík Mark Hill University of Wisconsin Madison University of California, Berkeley Serializability Violation Detector:
More informationTesting Concurrent Java Programs Using Randomized Scheduling
Testing Concurrent Java Programs Using Randomized Scheduling Scott D. Stoller Computer Science Department State University of New York at Stony Brook http://www.cs.sunysb.edu/ stoller/ 1 Goal Pillars of
More informationRewriting Models of Boolean Programs
Rewriting Models of Boolean Programs Javier Esparza University of Stuttgart Joint work with Ahmed Bouajjani Automatic verification using model-checking Initiated in the early 80s in USA and France. 25
More informationConfigurable Software Model Checking
Configurable Software Model Checking CPAchecker Dirk Beyer Dirk Beyer 1 / 26 Software Verification C Program int main() { int a = foo(); int b = bar(a); } assert(a == b); Verification Tool TRUE i.e., specification
More informationCounterexamples with Loops for Predicate Abstraction
Counterexamples with Loops for Predicate Abstraction Daniel Kroening and Georg Weissenbacher Computer Systems Institute, ETH Zurich, 8092 Zurich, Switzerland {daniel.kroening, georg.weissenbacher}@inf.ethz.ch
More informationProgramming Languages
: Winter 2010 Principles of Programming Languages Lecture 1: Welcome, etc. Ranjit Jhala UC San Diego Computation & Interaction Precisely expressed by PL Dependence means need for analysis Safety Security
More informationThreads Questions Important Questions
Threads Questions Important Questions https://dzone.com/articles/threads-top-80-interview https://www.journaldev.com/1162/java-multithreading-concurrency-interviewquestions-answers https://www.javatpoint.com/java-multithreading-interview-questions
More informationDiagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)
Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets) Cédric Favre(1,2), Hagen Völzer(1), Peter Müller(2) (1) IBM Research - Zurich (2) ETH Zurich 1 Outline
More informationFoundations of the C++ Concurrency Memory Model
Foundations of the C++ Concurrency Memory Model John Mellor-Crummey and Karthik Murthy Department of Computer Science Rice University johnmc@rice.edu COMP 522 27 September 2016 Before C++ Memory Model
More informationSynthesis of Synchronization using Uninterpreted Functions
Synthesis of Synchronization using Uninterpreted Functions* October 22, 2014 Roderick Bloem, Georg Hofferek, Bettina Könighofer, Robert Könighofer, Simon Außerlechner, and Raphael Spörk * This work was
More informationAutomated Refinement Checking of Asynchronous Processes. Rajeev Alur. University of Pennsylvania
Automated Refinement Checking of Asynchronous Processes Rajeev Alur University of Pennsylvania www.cis.upenn.edu/~alur/ Intel Formal Verification Seminar, July 2001 Problem Refinement Checking Given two
More informationAlgorithms for Software Model Checking: Predicate Abstraction vs. IMPACT
Algorithms for Software Model Checking: Predicate Abstraction vs. IMPACT Dirk Beyer University of Passau, Germany Philipp Wendler University of Passau, Germany Abstract CEGAR, SMT solving, and Craig interpolation
More information