Translating C programs using POSIX thread into CSP for refinement checking

Size: px

Start display at page:

Download "Translating C programs using POSIX thread into CSP for refinement checking"

Randolf Newton
6 years ago
Views:

1 Translating C programs using POSIX thread into CSP for refinement checking Hisabumi HATSUGAI hatsugai@principia-m.com PRINCIPIA Limited PRINCIPIA Limited 1

2 Pthread Model Checker An easy-to-use model checker for C programs using POSIX thread Models can be written in C Three types of checks can be performed: Assertions Deadlock detection Invalid operations for mutexes and condition variables Checking can be performed in parallel. 25 Producers/Consumers BUFLEN=23 Np=Nc=4 20 Speed up PRINCIPIA Limited Number of workers

3 Internal Process of PTMC Model in C convert to LTS LTS convert to checker checker in C void *producer(void *arg) { while (true) { pthread_mutex_lock(&mutex); while (count == N) { pthread_cond_wait(&cv, &mutex); count++; pthread_cond_signal(&cv2); pthread_mutex_unlock(&mutex); return NULL; (lock mutex):23 [24] IN() [25] IN(t18) OUT(t18) [23] IN() (lock mutex):21 [29] IN() (unlock mutex):27 (load-scalar t18 count):22 (signal cv2):26 (lock mutex):37 [17] IN() [18] IN(t16) OUT(t16) [16] IN() (lock mutex):35 [22] IN() (unlock mutex):41 (load-scalar t16 count):36 (signal cv):40 void *consumer(void *arg) { while (true) { pthread_mutex_lock(&mutex); while (count == 0) { pthread_cond_wait(&cv2, &mutex); count--; pthread_cond_signal(&cv); pthread_mutex_unlock(&mutex); return NULL; [26] IN() [(= t18 4)] [(not (= t18 4))] (wait cv mutex):22 (load-scalar t19 count):22 [27] IN(t19) OUT(t19) (store-scalar count (+ t19 1)): PRINCIPIA Limited 3 [28] IN() [19] IN() [(= t16 0)] [(not (= t16 0))] (wait cv2 mutex):36 (load-scalar t17 count):36 [20] IN(t17) OUT(t17) (store-scalar count (- t17 1)):39 [21] IN()

4 Checking assertions is not enough Pthread Model Checker supports "Global Assertions" which can be used for checking simple safety properties. int count; >= 0 && count <= N) The following checks are not supported Divergence detection Liveness Refinement relations 2017 PRINCIPIA Limited 4

5 Translating LTS into CSP Model in C convert to LTS LTS convert to checker checker in C (def (S1 ($pid Ip)) (par (set) (S2 $pid) (S22 (+ 1 0))))) (def SYSTEM (par X (seq (S1 0) (! terminate SKIP)) (par (set terminate) CVM0 PM0 (GVS-count 0) (GVS-putp 0) (GVS-getp 0) (GVA-buf (make-list L-buf 0))))) translate into CSP CSP model CSP refinemt checker SSG 2017 PRINCIPIA Limited 5

6 Transition labels Transition Labels in LTS tau assert Accessing to global variables load-scalar/load-array store-scalar/store-array Thread creation and termination create exit join Mutex operations lock unlock Condition variables operations wait signal broadcast (lock mutex):23 [26] IN() [24] IN() [25] IN(t18) OUT(t18) [27] IN(t19) OUT(t19) [23] IN() (lock mutex):21 [29] IN() (unlock mutex):27 (load-scalar t18 count):22 [(= t18 4)] [(not (= t18 4))] (wait cv mutex):22 (load-scalar t19 count):22 (store-scalar count (+ t19 1)):25 [28] IN() (signal cv2): PRINCIPIA Limited 6

7 Structure of CSP processes thread 0 thread 1 thread 2 thread 3 Mutex and Condition Variables lock unlock wait signal broadcast Retcode exit join global var rd-* wr-* 2017 PRINCIPIA Limited 7

8 Mutexes and condition variables (def (CVM (ms (list mutex-state Nm)) (mss (list (set Ip) Nm)) (css (list (set pmpair) Nc))) (? lock (p m) (CVM ms (update mss m (adjoin (ref mss m) p)) css)) (? unlock (p m) (CVM (update ms m Unlock) mss css)) (? wait (p c m) (CVM (update ms m Unlock) mss (update css c (adjoin (ref css c) (PMPair p m))))) (? signal (p c) (let ((s (ref css c))) (if (empty? s) (CVM ms mss css) (xndc pm s (case pm ((PMPair q m) (CVM ms (update mss m (adjoin (ref mss m) q)) (update css c (remove s pm))))))))) (xalt m (collect-mutex-index ms mss) (xalt q (ref mss m) (! (ret q) (CVM (update ms m (Lock q)) (update mss m (remove (ref mss m) q)) css)))) (! terminate SKIP))) (defch ret (defch lock (defch unlock (defch wait (defch signal (defch broadcast Ip) Ip Im) Ip Im) Ip Ic Im) Ip Ic) Ip Ic) 2017 PRINCIPIA Limited 8

9 Retcode process for exit and join (deftype proc-state Running (Done Di)) (defch exit Ip Di) (defch join Ip Di) (def (PM (xs (list proc-state Np))) (? exit (pid retcode) (PM (update xs pid (Done retcode)))) (? join (pid retcode) (= (Done retcode) (ref xs pid)) (PM xs)) (! terminate SKIP))) 2017 PRINCIPIA Limited 9

10 Global variables Scalar (defch rd-count Di) (defch wr-count Di) (def (GVS-count (x Di)) (! (rd-count x) (GVS-count x)) (? wr-count (x) (GVS-count x)) (! terminate SKIP))) Array (def L-buf 3) (deftypename I-buf (int 0 L-buf)) (defch rd-buf I-buf Di) (defch wr-buf I-buf Di) (def (GVA-buf (xs (list Di 3))) (? rd-buf (k x) (= x (ref xs k)) (GVA-buf xs)) (? wr-buf (k x) (GVA-buf (update xs k x))) (! terminate SKIP))) 2017 PRINCIPIA Limited 10

11 example Threads (defch internal) (defch assertion-violation) (def (S32 ($pid Ip) (c Di)) (! (wr-count (+ c 1)) (S33 $pid)))) (def (S31 ($pid Ip) (k Di) (c Di)) (if (= (if (= (if (= k 2) 1 0) 0) 1 0) 0) STOP (! (wr-putp (+ k 1)) (S32 $pid c))) (if (= (if (= k 2) 1 0) 0) STOP (! (wr-putp 0) (S32 $pid c))))) (def (S30 ($pid Ip) (c Di) (k Di)) (let (((x Di) 2)) (! internal (S28 $pid x k c))))) 2017 PRINCIPIA Limited 11

12 Specification: Assertion Violation (def NO-ASSERTION-VIOLATION (RUN (diff event (set assertion-violation)))) (def (RUN A) (xalt e A (! e (RUN A)))) (check (deadlock SYSTEM)) (check (traces NO-ASSERTION-VIOLATION SYSTEM)) 2017 PRINCIPIA Limited 12

13 Safety verification void *producer(void *arg) { while (true) { int c, k, x; pthread_mutex_lock(&mutex); loop: c = count; if (c == N) { pthread_cond_wait(&cv, &mutex); goto loop; k = putp; AMB x = 0; OR AMB x = 1; OR x = 2; buf[k] = x; if (k == N - 1) putp = 0; else putp = k + 1; count = c + 1; pthread_cond_signal(&cv2); pthread_mutex_unlock(&mutex); return NULL; void consumer0(void) { while (true) { int c, k, x; pthread_mutex_lock(&mutex); loop: c = count; if (c == 0) { pthread_cond_wait(&cv2, &mutex); goto loop; k = getp; x = buf[k]; if (k == N - 1) getp = 0; else getp = k + 1; count = c - 1; pthread_cond_signal(&cv); pthread_mutex_unlock(&mutex); 2017 PRINCIPIA Limited 13 Producer 0 Producer 1 Producer 2 Producer 3 Queue Consumer 0 Consumer 1 Consumer 2 AMB x = 0; OR AMB x = 1; OR x = 2; Nondeterministic choice statement

14 Specification: Safety (def SPEC (let ((A (diff event (chset rd-buf wr-buf assertion-violation)))) (OBSERVER A (list)))) (def (OBSERVER (A (set event)) (xs (list Di L-buf))) (? rd-buf (k x) (and (not (null? xs)) (= x (car xs))) (OBSERVER A (cdr xs))) (? wr-buf (k x) (< (length xs) L-buf) (OBSERVER A (append1 xs x))) (xalt e A (! e (OBSERVER A xs))))) 2017 PRINCIPIA Limited 14

15 Conclusion Developped a LTS to CSP translator in Pthread Model Checker. Refinement checking can be performed for C programs using POSIX thread with Pthread Model Checker and SSG. Pthread Model Checker SSG Specification in CSP Model in C using POSIX thread 2017 PRINCIPIA Limited 15

Parallel and On-the-fly CSP Refinement Checking

Parallel and On-the-fly CSP Refinement Checking Hisabumi HATSUGAI isaac@principia-m.com PRINCIPIA Limited. http://www.principia-m.com/ 2014 PRINCIPIA Limited. Contents 1. SSG Goals and Design Decisions