Verifying Multithreaded Software with Impact

Size: px

Start display at page:

Download "Verifying Multithreaded Software with Impact"

Myron Hoover
5 years ago
Views:

1 Verifying Multithreaded Software with Impact Björn Wachter, Daniel Kroening and Joël Ouaknine University of Oxford

2 Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers, web servers, databases,... coming to embedded systems Verification Challenges Multi threading WMM SC data variables pointers loops 2 / 20

3 Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers, web servers, databases,... coming to embedded systems Verification Challenges Multi threading WMM SC data variables pointers loops symbolic reasoning SMT SAT 2 / 20

4 Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers, web servers, databases,... coming to embedded systems Verification Challenges Multi threading WMM SC data variables pointers abstraction predicate abstraction Impact algorithm [McMillan 2006] loops symbolic reasoning SMT SAT 2 / 20

5 Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers, web servers, databases,... coming to embedded systems Verification Challenges partial orders modular reasoning Multi threading WMM SC data variables pointers abstraction predicate abstraction Impact algorithm [McMillan 2006] loops symbolic reasoning SMT SAT 2 / 20

6 Software model checkers CBMC ESBMC LLBMC SatAbs SLAM Threader Kratos Blast Impact UFO CPAChecker Ultimate ARMC Magic Wolverine 3 / 20

7 Software model checkers multithreading support CBMC ESBMC LLBMC SatAbs SLAM Threader Kratos Blast Impact UFO CPAChecker Ultimate ARMC Magic Wolverine 3 / 20

8 Software model checkers multithreading support CBMC ESBMC LLBMC SatAbs SLAM Threader Kratos Blast? Impact UFO CPAChecker Ultimate ARMC Magic Wolverine 3 / 20

9 Software model checkers multithreading support CBMC ESBMC LLBMC SatAbs SLAM Threader Kratos Blast Impara Impact UFO CPAChecker Ultimate ARMC Magic Wolverine 3 / 20

10 Software model checkers multithreading support CBMC SatAbs Impara Threader ESBMC Contribution: Kratos 1st Impact-style analysis SLAM for multithreaded software Impact LLBMC Partial-Order Reduction implemented in Impara Blast CPAChecker UFO Ultimate ARMC Magic Wolverine 3 / 20

11 Outline Recap: Impact for Sequential Software Impact for Multithreaded Software Partial order reduction Experiments with our tool Impara 4 / 20

12 Impact algorithm expand refine interpolation UNSAT check SAT CEX maintain abstract reachability tree node labels covering relation v w implies label(v) label(w) 5 / 20

13 Impact algorithm expand complete proof refine interpolation UNSAT check SAT CEX maintain abstract reachability tree node labels covering relation v w implies label(v) label(w) complete iff all nodes either covered expanded 5 / 20

14 Classical SLAM example do { lock(); old=new; if(*) { unlock(); new++; } } while (new!=old); 6 / 20

15 Classical SLAM example do { lock(); old=new; if(*) { unlock(); new++; } } while (new!=old); ERR [L!=0] L=0;new++ L=0 L=1; old=new * [new!=old] [new==old] 6 / 20

16 reachable states label ERR [L!=0] L=0;new++ L=0 L=1; old=new * [new!=old] [new==old] Abstract Reachability Tree T rue T rue L=0 [L!=0] T rue ERR 6 / 20

17 reachable states label ERR [L!=0] L=0;new++ L=0 L=1; old=new * [new!=old] [new==old] Abstract Reachability Tree T rue F alse L=0 [L!=0] L = 0 ERR 6 / 20

18 reachable states label ERR [L!=0] L=0;new++ L=0 L=1; old=new * [new!=old] [new==old] T rue ERR Abstract Reachability Tree T rue F alse L=0 [L!=0] L = 0 ERR L=1 old=new T rue L=0 new++ T rue [new!=old] [L!=0] T rue [new==old] T rue 6 / 20

19 reachable states label ERR [L!=0] L=0;new++ L=0 L=1; old=new * [new!=old] [new==old] F alse ERR Abstract Reachability Tree T rue F alse L=0 [L!=0] L = 0 ERR L=1 old=new T rue L=0 new++ L = 0 [new!=old] [L!=0] L = 0 [new==old] T rue 6 / 20

20 reachable states label ERR [L!=0] L=0;new++ L=0 L=1; old=new * [new!=old] [new==old] Abstract Reachability Tree T rue F alse L=0 [L!=0] L = 0 ERR L=1 old=new T rue L=0 new++ L = 0 [new!=old] [new==old] F alse [L!=0] T rue ERR L = 0 6 / 20

21 reachable states label ERR [L!=0] L=0;new++ L=0 L=1; old=new * [new!=old] [new==old] Abstract Reachability Tree T rue F alse L=0 [L!=0] L = 0 ERR L=1 old=new T rue L=0 new++ L = 0 [new!=old] [new==old] F alse [L!=0] T rue ERR L = 0 [new!=old] [L!=0] ERR 6 / 20

22 reachable states label ERR [L!=0] L=0;new++ L=0 L=1; old=new * [new!=old] [new==old] Abstract Reachability Tree T rue F alse L=0 [L!=0] L = 0 ERR L=1 old=new old = new L=0 new++ L = 0 old = new [new!=old] [new==old] F alse [L!=0] T rue ERR L = 0 [new!=old] [L!=0] F alse F alse ERR 6 / 20

23 reachable states label terminates if all nodes covered or fully expanded ERR [L!=0] L=0;new++ L=0 L=1; old=new * [new!=old] [new==old] Abstract Reachability Tree T rue F alse L=0 [L!=0] L = 0 ERR L=1 old=new old = new L=0 new++ L = 0 [new!=old] [new==old] F alse [L!=0] T rue ERR L = 0 old = new [new!=old] [L!=0] F alse F alse ERR 6 / 20

24 Impact for Multithreaded Software 7 / 20

25 Naive Impact for Multi-threading interleave at every step threads 1,2, / 20

26 Example assert(x==0) 0, 0 0, 1 int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: 9 / 20

27 Example assert(x==0) 0, 0 0, 1 int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: 2, 0 3, 0 x=0 assert(x==0) 3, 1 9 / 20

28 Example assert(x==0) 0, 0 0, 1 int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: 3, 0 2, 0 T rue x=0 x = 0 assert(x==0) 3, 1 9 / 20

29 Example assert(x==0) 0, 0 0, 1 int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: 3, 0 2, 0 x = 0 x=0 assert(x==0) x = 0 2, 1 assert(x==0) 3, 1 9 / 20

30 Example assert(x==0) 0, 0 0, 1 int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: CEX 1, 0 x=1 2, 0 2, 0 x = 0 assert(x==0) x=0 assert(x==0) 2, 1 3, 0 x = 0 2, 1 assert(x==0) 3, 1 9 / 20

31 Naive Impact blows up ART from a concrete case study (Peterson s algorithm) 10 / 20

32 Partial-Order Reduction [Godefroid 94, Peled 93, Valmari 90] avoid unnecessary interleavings resulting in same state main() thread 1 thread 2 assume(i!=j); v[i]=0; v[j]=0; A : v[i]=1; a : v[j]=-2; pthread_create(t 1 ); B : v[i]=v[i]+1; b : v[j]=v[j]+1; pthread_create(t 2 ); C : v[i]=v[j]; c : v[i]=v[i]+1; pthread_join(t 1 ); pthread_join(t 2 ); assert(v[j] 0); A a B a A b C a B b A c a C b B c A b C c B c C A a and T ID(A) < T ID(a) 11 / 20

33 Partial-Order Reduction [Godefroid 94, Peled 93, Valmari 90] avoid unnecessary interleavings resulting in same state main() thread 1 thread 2 assume(i!=j); v[i]=0; v[j]=0; A : v[i]=1; a : v[j]=-2; pthread_create(t 1 ); B : v[i]=v[i]+1; b : v[j]=v[j]+1; pthread_create(t 2 ); C : v[i]=v[j]; c : v[i]=v[i]+1; pthread_join(t 1 ); pthread_join(t 2 ); assert(v[j] 0); A a B a A b C a B b A c a C b B c A b C c B c C A a and T ID(A) < T ID(a) 11 / 20

34 Partial-Order Reduction [Godefroid 94, Peled 93, Valmari 90] avoid unnecessary interleavings resulting in same state main() thread 1 thread 2 assume(i!=j); v[i]=0; v[j]=0; A : v[i]=1; a : v[j]=-2; pthread_create(t 1 ); B : v[i]=v[i]+1; b : v[j]=v[j]+1; pthread_create(t 2 ); C : v[i]=v[j]; c : v[i]=v[i]+1; pthread_join(t 1 ); pthread_join(t 2 ); assert(v[j] 0); consecutive independent actions only occur in the order of increasing thread ids, e.g., Aa but not aa A a B a A b C a B b A c a C b B c A b C c B c C A a and T ID(A) < T ID(a) B b and T ID(B) < T ID(b) A b and T ID(A) < T ID(b) 11 / 20

35 Partial-Order Reduction [Godefroid 94, Peled 93, Valmari 90] avoid unnecessary interleavings resulting in same state main() thread 1 thread 2 assume(i!=j); v[i]=0; v[j]=0; A : v[i]=1; a : v[j]=-2; pthread_create(t 1 ); B : v[i]=v[i]+1; b : v[j]=v[j]+1; pthread_create(t 2 ); C : v[i]=v[j]; c : v[i]=v[i]+1; pthread_join(t 1 ); pthread_join(t 2 ); assert(v[j] 0); consecutive independent actions only occur in the order of increasing thread ids, e.g., Aa but not aa A a B a A b C a B b A c a C b B c A b C c B c C A a and T ID(A) < T ID(a) B b and T ID(B) < T ID(b) A b and T ID(A) < T ID(b) 11 / 20

36 Algorithm: POR+Impact (First Attempt) POR restricts expansion 1: procedure Expand (v) 2: for T T with Skip (v, T ) do 3: Expand-thread(T, v) 12 / 20

37 Algorithm: POR+Impact (First Attempt) POR restricts expansion 1: procedure Expand (v) 2: for T T with Skip (v, T ) do 3: Expand-thread(T, v) 4: 5: procedure Skip (v, T ) 6: select unique parent action T, a s.t. u T,a v 7: return T < T Action(v, T ) a }{{} dependence check 12 / 20

38 Algorithm: POR+Impact (First Attempt) POR restricts expansion 1: procedure Expand (v) 2: for T T with Skip (v, T ) do 3: Expand-thread(T, v) 4: 5: procedure Skip (v, T ) 6: select unique parent action T, a s.t. u T,a v 7: return T < T Action(v, T ) a }{{} dependence check Is that sound? 12 / 20

39 Impact + POR 0, 0 int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: CEX 1, 0 x=1 2, 0 assert(x==0) 2, 1 2, 0 x = 0 x=0 assert(x==0) 3, 0 x = 0 2, 1 assert(x==0) 3, 1 and assert(x==0) independent 13 / 20

40 Impact + POR 0, 0 int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: CEX 1, 0 x=1 2, 0 assert(x==0) 2, 1 3, 0 2, 0 x = 0 x=0 x = 0 assert(x==0) 3, 1 and assert(x==0) independent reduction 13 / 20

41 Impact + POR 0, 0 int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: CEX 1, 0 x=1 2, 0 assert(x==0) 2, 1 3, 0 2, 0 T rue x=0 x = 0 assert(x==0) 3, 1 and assert(x==0) independent reduction 13 / 20

42 Impact + POR 0, 0 int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: CEX 1, 0 x=1 2, 0 assert(x==0) 2, 1 3, 0 2, 0 T rue x=0 x = 0 assert(x==0) 3, 1 and assert(x==0) independent reduction 13 / 20

43 Impact + POR 0, 0 int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: CEX x=1 1, 0 2, 0 3, 0 2, 0 T rue x=0 x = 0 assert(x==0) 3, 1 and assert(x==0) independent reduction 13 / 20

44 Let s take a step back expand? 14 / 20

45 Let s take a step back POR inspects node history dep expand? POR: yes 14 / 20

46 Let s take a step back POR inspects node history covers merge distinct histories dep expand? POR: yes 14 / 20

47 Let s take a step back POR inspects node history covers merge distinct histories dep indep expand? POR: yes expand? POR: no 14 / 20

48 Let s take a step back POR inspects node history covers merge distinct histories incomplete: lost program path no corresponding ART path dep indep expand? POR: yes cover: no expand? POR: no 14 / 20

49 Let s take a step back POR inspects node history covers merge distinct histories incomplete: lost program path no corresponding ART path How to fix this? corresponding path? allow cover edges jump to more abstract node dep 14 / 20

50 Let s take a step back POR inspects node history covers merge distinct histories incomplete: lost program path no corresponding ART path How to fix this? corresponding path? allow cover edges jump to more abstract node dep 14 / 20

51 Complete Algorithm v w consider both histories v s and w s dep v w indep expand 15 / 20

52 Complete Algorithm v w consider both histories v s and w s Note: we re still doing POR dep v w indep expand 15 / 20

53 Π-completeness Π determined by POR strategy Definition (Π-complete ART) ART A is Π-complete iff: for every π Π, there is a corresponding path v 0,..., v n. 16 / 20

54 Π-completeness v 0 v 1 u 2 v 3 v 4 v 2 Π determined by POR strategy Definition (Π-complete ART) ART A is Π-complete iff: for every π Π, there is a corresponding path v 0,..., v n. 16 / 20

55 Π-completeness v 0 v 1 u 2 v 3 v 4 v 2 Π determined by POR strategy Definition (Π-complete ART) ART A is Π-complete iff: for every π Π, there is a corresponding path v 0,..., v n. Soundness 16 / 20

56 Impara C++ implementation CBMC frontend bit-precise interpolation unsatisfiable cores + weakest preconditions 17 / 20

57 Impara vs. other tools CBMC 4.5 ESMBC SatAbs Threader Impara technique BMC BMC Pred. Abs. Pred. Abs. Interpolation threads PO encoding POR POR Modular Reasoning POR unbounded loops bit-precise weak memory SVCOMP 13 multi-threading benchmarks program safe CBMC ESBMC SatAbs Threader Impara dekker y TO 0.1 lamport y peterson y szymanski y read_write_u n 0.2 TO read_write_s y 0.4 TO time_var_mutex y stack_u n 1.0 TO TO stack_s y 33.5 TO TO / 20

58 Conclusion Impact abstraction + POR take-home message: look at both histories Experiments SVCOMP 13 weak memory benchmarks (low-lock algorithms) Impara gives correct results which gives us confidence Binary & benchmarks at: 19 / 20

59 Thank you! 20 / 20

Verifying Multi-threaded Software with Impact

Verifying Multi-threaded Software with Impact Björn Wachter Department of omputer Science University of Oxford Email: bjoern.wachter@cs.ox.ac.uk Daniel Kroening Department of omputer Science University