Verifying Concurrent Programs

Size: px

Start display at page:

Download "Verifying Concurrent Programs"

Egbert Lambert Cunningham
5 years ago
Views:

1 Verifying Concurrent Programs Daniel Kroening 8 May 1 June 01

2 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs with Unbounded Replication D. Kroening: SSFT1 Verifying Concurrent Programs

Models, APLAS 011 Symmetry-Aware Predicate Abstraction

Dynamic Cutoff Detection in Parameterized Concurrent

Checking One Step Further, TACAS 010 Symbolic Counter

3 J. Alglave A. Donaldson A. Kaiser T. Wahl Soundness of Data Flow Analyses for Weak Memory Models, APLAS 011 Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs, CAV 011 Dynamic Cutoff Detection in Parameterized Concurrent Programs, CAV 010 Boom: Taking Boolean Program Model Checking One Step Further, TACAS 010 Symbolic Counter Abstraction for Concurrent Software, CAV 009 D. Kroening: SSFT1 Verifying Concurrent Programs

4 Forms of Concurrency Shared-variable concurrency (Linux pthread library, Win thread API,... ) Share all memory Share OS API (e.g., file descriptors) Multiple processes on the same machine Share file system Can share memory via mmap Programs on different machines Can communicate e.g. via UDP or TCP D. Kroening: SSFT1 Verifying Concurrent Programs

5 Asynchronous vs. Synchronous Concurrency Synchronous Partition state: S = S 1... S n T i : S S i Overall system: T (s, s ) n T i (s, s (i) ) i=0 Each process can perform a step in each transition Asynchronous Transition relation for each process: T i : S S Overall system: T (s, s ) i.t i (s, s ) Only one process performs a step in a transition D. Kroening: SSFT1 Verifying Concurrent Programs

6 Asynchronous Shared-Variable Concurrency We focus on asynchronous shared-variable concurrency Motivated by Intel s multi-core story Doubling the gate count doubles the power consumption Increasing the clock speed requires raising voltage, with manifold increase in power! Scaling micro-processors is easier by replicating CPU cores CPUs with 100 cores are around D. Kroening: SSFT1 Verifying Concurrent Programs

7 Thread Interleavings: Example (1) XX Thread 1 Thread Thread x=10; y++; y=0; x++; y++; Current state: x=0, y=0 D. Kroening: SSFT1 Verifying Concurrent Programs 7

8 Thread Interleavings: Example (1) XX Thread 1 Thread Thread x=10; y++; y=0; x++; y++; Current state: x=10, y=0 D. Kroening: SSFT1 Verifying Concurrent Programs 7

9 Thread Interleavings: Example (1) XX Thread 1 Thread Thread x=10; y++; y=0; x++; y++; Current state: x=10, y=1 D. Kroening: SSFT1 Verifying Concurrent Programs 7

10 Thread Interleavings: Example (1) XX Thread 1 Thread Thread x=10; y++; y=0; x++; y++; Current state: x=10, y=0 D. Kroening: SSFT1 Verifying Concurrent Programs 7

11 Thread Interleavings: Example (1) XX Thread 1 Thread Thread x=10; y++; y=0; x++; y++; Current state: x=11, y=0 D. Kroening: SSFT1 Verifying Concurrent Programs 7

12 Thread Interleavings: Example (1) XX Thread 1 Thread Thread x=10; y++; y=0; x++; y++; Current state: x=11, y=1 D. Kroening: SSFT1 Verifying Concurrent Programs 7

13 Thread Interleavings: Example () Alternative Schedule Thread 1 Thread Thread x=10; y++; y=0; x++; y++; Current state: x=0, y=0 D. Kroening: SSFT1 Verifying Concurrent Programs 8

14 Thread Interleavings: Example () Alternative Schedule Thread 1 Thread Thread x=10; y++; y=0; x++; y++; Current state: x=10, y=0 D. Kroening: SSFT1 Verifying Concurrent Programs 8

15 Thread Interleavings: Example () Alternative Schedule Thread 1 Thread Thread x=10; y++; y=0; x++; y++; Current state: x=11, y=0 D. Kroening: SSFT1 Verifying Concurrent Programs 8

16 Thread Interleavings: Example () Alternative Schedule Thread 1 Thread Thread x=10; y++; y=0; x++; y++; Current state: x=11, y=1 D. Kroening: SSFT1 Verifying Concurrent Programs 8

17 Thread Interleavings: Example () Alternative Schedule Thread 1 Thread Thread x=10; y++; y=0; x++; y++; Current state: x=11, y= D. Kroening: SSFT1 Verifying Concurrent Programs 8

18 Thread Interleavings: Example () Alternative Schedule Thread 1 Thread Thread x=10; y++; y=0; x++; y++; Current state: x=11, y=0 D. Kroening: SSFT1 Verifying Concurrent Programs 8

19 Races The example program has a race, i.e., the result depends on the schedule D. Kroening: SSFT1 Verifying Concurrent Programs 9

20 Races The example program has a race, i.e., the result depends on the schedule This may indicate a program bug, but need not Locks may help, but need not Enumerate? Exponential blowup! D. Kroening: SSFT1 Verifying Concurrent Programs 9

21 Ordering of Loads/Stores Thread 1 Thread mov [x], 1 mov [y], 1 mov eax, [y] mov ebx, [x] Suppose x and y are shared and initialized with 0 D. Kroening: SSFT1 Verifying Concurrent Programs 10

22 Ordering of Loads/Stores Thread 1 Thread mov [x], 1 mov [y], 1 mov eax, [y] mov ebx, [x] Suppose x and y are shared and initialized with 0 Unfortunately, the program may terminate with eax=ebx=0! D. Kroening: SSFT1 Verifying Concurrent Programs 10

23 Shared Memory in Hardware Computer vendors do not guarantee atomicity of loads/stores Only very special commands are guaranteed to be atomic, e.g., the Compare-and-Swap (CAS) instruction D. Kroening: SSFT1 Verifying Concurrent Programs 11

24 Shared Memory in Hardware Computer vendors do not guarantee atomicity of loads/stores Only very special commands are guaranteed to be atomic, e.g., the Compare-and-Swap (CAS) instruction Stores are not even guaranteed to be visible to other threads unless a memory barrier (memory fence) is inserted. But: memory fences are expensive (>100 cycles), so we cannot put them everywhere D. Kroening: SSFT1 Verifying Concurrent Programs 11

25 Boolean Programs Let s look at a Windows device driver example: 1 void DecrementIo(DEVICE OBJECT DeviceObject) { EXT ext = (EXT )DeviceObject >DeviceExtension; int IoIsPending = InterlockedDecrement (&ext >IoIsPending); 7 if (! IoIsPending) { 8 KeSetEvent (&ext >event, IO NO INCREMENT, FALSE); } 9 } D. Kroening: SSFT1 Verifying Concurrent Programs 1

26 Boolean Programs The initial abstraction, without any predicates: 1 void DecrementIo() { InterlockedDecrement(); goto L1,L; L1: KeSetEvent(); L: return; } D. Kroening: SSFT1 Verifying Concurrent Programs 1

27 Adding Some Predicates Some predicate refinement scheme computes a set of predicates: b1 ext == &envext b envext.ioispending == 1 b envext.ioispending == b IoIsPending == b IoIsPending == 1 b ( ext).ioispending == 1 b7 ( ext).ioispending == D. Kroening: SSFT1 Verifying Concurrent Programs 1

28 Boolean Programs This results in the following new abstract model: 1 bool b1,b,b; // global void DecrementIo() { bool b,b,b,b7; // local b1,b,b7 =,, constrain((!(b1 && b) b ) && 7 (!( b1 && b) b7 )); 8 b,b = InterlockedDecrement(b,b7); 9 goto L1,L; 10 L1: assume(!b &&!b); 11 KeSetEvent(); 1 L: return; 1 } D. Kroening: SSFT1 Verifying Concurrent Programs 1

29 Concurrent Boolean Programs Suppose we could dynamically create threads in Boolean Programs: 1 bool b1,b,b; // global void DecrementIo() { bool b,b,b,b7; // local b1,b,b7 =,, constrain((!(b1 && b) b ) && 7 (!( b1 && b) b7 )); 8 b,b = InterlockedDecrement(b,b7); 9 start thread L1, L; 10 L1: assume(!b &&!b); 11 KeSetEvent(); 1 L: return; 1 } D. Kroening: SSFT1 Verifying Concurrent Programs 1

30 Predicate Abstraction for Concurrent Programs Can we apply our refinement loop to concurrent software? C program 1.) Compute Abstraction.) Check Abstraction [no error] OK.) Refine Predicates.) Check Feasibility [feasible] report counterexample D. Kroening: SSFT1 Verifying Concurrent Programs 17

31 Predicate Abstraction for Concurrent Programs Claim: Yes, we can! Abstraction: as before! Checking ˆM: use Model Checker for concurrent Boolean programs Simulation: as before use thread switches from abstract counterexample Refinement: as before! D. Kroening: SSFT1 Verifying Concurrent Programs 18

32 Example 1 int g; void t1(void arg) { g=0; if (g==1) { g=; if (g==) 7 g=; 8 } 9 } 10 void t(void arg) { 11 g=1; 1 if (g==) { 1 g=; 1 assert(g!=); 1 } 1 } D. Kroening: SSFT1 Verifying Concurrent Programs 19

33 Example 1 int main() { 17 pthread t id1, id; pthread create(&id1, NULL, t1, NULL); 0 pthread create(&id, NULL, t, NULL); 1 } D. Kroening: SSFT1 Verifying Concurrent Programs 0

34 Initial Abstraction 1 decl g eq ; void t1() begin g eq :=0; // g=0; if then begin // g==1 g eq :=0; // g=; if then // g== 7 g eq :=1; // g=; 8 end 9 end 10 void t() begin 11 g eq :=0; // g=1; 1 if then begin // g== 1 g eq :=0; // g=; 1 assert(!g eq ); // g!= 1 end 1 end 17 void main() begin g eq :=0; start thread... end D. Kroening: SSFT1 Verifying Concurrent Programs 1

35 Abstract Counterexample Thread Line Instruction 0 19 g eq := 0; 11 g eq := 0; 1 if then... 1 g eq := 0; 1 g eq := 0; 1 if then... 1 g eq := 0; 1 if then g eq := 1; 1 assert(!g eq ); D. Kroening: SSFT1 Verifying Concurrent Programs

36 Abstract Counterexample Thread Line Instruction 0 19 g eq := 0; 11 g eq := 0; 1 if then... 1 g eq := 0; 1 g eq := 0; 1 if then... 1 g eq := 0; 1 if then g eq := 1; 1 assert(!g eq ); Concrete Instr. SSA-Constraint g=0; g 0 = 0 g=1; g 1 = 1 if (g==) g 1 = g=; g = g=0; g = 0 if (g==1) g = 1 g=; g = if (g==) g = g=; g = assert(g!=); g = D. Kroening: SSFT1 Verifying Concurrent Programs

37 Example In total, iterations, and predicates: g==, g==, g==1, g== Final counterexample has a thread switch after each assignment to g D. Kroening: SSFT1 Verifying Concurrent Programs

38 Tricky Details 1 volatile unsigned value; unsigned NonblockingCounter increment() { unsigned v = 0; lock (); 7 if (value == 0u 1) { 8 unlock(); 9 return 0; 10 }else{ 11 v = value; 1 value = v + 1; 1 unlock(); 1 assert(value > v); 1 return v + 1; 1 } 17 } D. Kroening: SSFT1 Verifying Concurrent Programs

39 Tricky Details 1 volatile unsigned value; unsigned NonblockingCounter increment() { unsigned v = 0; lock (); 7 if (value == 0u 1) { 8 unlock(); 9 return 0; 10 }else{ 11 v = value; 1 value = v + 1; 1 unlock(); 1 assert(value > v); 1 return v + 1; 1 } 17 } Is value>v global or local? D. Kroening: SSFT1 Verifying Concurrent Programs

40 Tricky Details 1 volatile unsigned value; unsigned NonblockingCounter increment() { unsigned v = 0; lock (); 7 if (value == 0u 1) { 8 unlock(); 9 return 0; 10 }else{ 11 v = value; 1 value = v + 1; 1 unlock(); 1 assert(value > v); 1 return v + 1; 1 } 17 } Is value>v global or local? CAV 011: neither. We need broadcast! D. Kroening: SSFT1 Verifying Concurrent Programs

41 The Problem We Consider Definition Consider thread state (s, l). thread state reachability problem: Is there a reachable global state (s, l 1,..., l n ) such that l = l i for some i? Note: can express single-index properties of threads can also encode MutEx: using shared variable as monitor D. Kroening: SSFT1 Verifying Concurrent Programs

42 Boolean Programs with Bounded Replication We have an effective Model Checker for Boolean programs with a bounded number of threads BDD-based Exploits symmetry between threads [CAV 009, FMSD 010] D. Kroening: SSFT1 Verifying Concurrent Programs

43 Symbolic Experiments [sec] [sec] Plain Symbolic Exploration Symbolic Boom with Counter Abstraction D. Kroening: SSFT1 Verifying Concurrent Programs 7

44 Boolean Programs with Unounded Replication But we really want an unbounded number of threads Programs with a large number of theads (>10) Server with dynamic thread spawning (say dependent on load) Or when thread-count is lost during predicate abstraction! Our answer: reduction to Petri net coverability D. Kroening: SSFT1 Verifying Concurrent Programs 8

45 Experimental Results 1. Boolean programs Proper concurrent ones (extracted from Linux kernel) Pseudo concurrent ones (SLAM). Petri Net benchmarks Bounded and unbounded Bingham and Ganty/Begin/Delzanno/Raskin Comparison with Lola (Karsten Wolf) and MIST D. Kroening: SSFT1 Verifying Concurrent Programs 9

46 Experimental Results On Boolean Programs: #P Sh Lcs Loc Time c Safe Unsafe ? We now need to make harder models! D. Kroening: SSFT1 Verifying Concurrent Programs 0

47 Experimental Results Checking coverability on standard Petri Net benchmarks: time (s) Comparison with numerous algorithms implemented in MIST #solved D. Kroening: SSFT1 Verifying Concurrent Programs 1

48 Experimental Results Checking coverability on Petri Nets with transfer arcs: time (s) #solved Comparison with two algorithms implemented in MIST D. Kroening: SSFT1 Verifying Concurrent Programs

49 Conclusion Model Checking for C programs with unbounded threads Symmetry-aware abstraction to VASS/Petri net coverability (with transfer arcs) Enables verification of C programs with unbounded concurrency D. Kroening: SSFT1 Verifying Concurrent Programs

50 Watch the video! Download me! D. Kroening: SSFT1 Verifying Concurrent Programs

Duet: Static Analysis for Unbounded Parallelism

Duet: Static Analysis for Unbounded Parallelism Azadeh Farzan and Zachary Kincaid University of Toronto Abstract. Duet is a static analysis tool for concurrent programs in which the number of executing