Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control

Transcription

1 Verifiation of Parameterized Conurrent Programs By Modular Reasoning about Data and Control Azadeh Farzan Zahary Kinaid University of Toronto Abstrat In this paper, we onsider the problem of verifying thread-state properties of multithreaded programs in whih the number of ative threads annot be statially bounded. Our approah is based on deomposing the task into two modules, where one reasons about data and the other reasons about ontrol. The data module omputes thread-state invariants (e.g., linear onstraints over global variables and loal variables of one thread) using the thread interferene information omputed by the ontrol module. The ontrol module omputes a representation of thread interferene, as an inrementally onstruted data flow graph, using the data invariants provided by the data module. These invariants are used to rule out patterns of thread interferene that an not our in a real program exeution. The two modules are inorporated into a feedbak loop, so that the abstrations of data and interferene are iteratively oarsened as the algorithm progresses (that is, they beome weaker) until a fixed point is reahed. Our approah is sound and terminating, and appliable to programs with infinite state (e.g., unbounded integers) and unboundedly many threads. The verifiation method presented in this paper has been implemented into a tool, alled DUET. We demonstrate the effetiveness of our tehnique by verifying properties of a seletion of Linux devie drivers using DUET, and also ompare DUET with previous work on verifiation of parameterized Boolean program using the Boolean abstrations of these drivers. Categories and Subjet Desriptors D.2.4 [Software Engineering]: Software/Program Verifiation Assertion Chekers, Corretness Proofs; F.3.1 [Logis and Meanings of Programs]: Speifying and Verifying and Reasoning about Programs Invariants, Assertions; D.3.1 [Programming Languages]: Formal Definitions and Theory Semantis; D.4.6 [Operating Systems]: Seurity and Protetion Verifiation General Terms Verifiation, Algorithms, Reliability Keywords Conurreny, Abstrat Interpretation, Compositional Reasoning, Data Flow Graphs, Parameterized Programs, Thread Invariants Both authors were partially supported by an National Siene and Engineering Researh Counil (NSERC) Disovery Grant for this work. Permission to make digital or hard opies of all or part of this work for personal or lassroom use is granted without fee provided that opies are not made or distributed for profit or ommerial advantage and that opies bear this notie and the full itation on the first page. To opy otherwise, to republish, to post on servers or to redistribute to lists, requires prior speifi permission and/or a fee. POPL 12, January 25 27, 2012, Philadelphia, PA, USA. Copyright 2012 ACM /12/01... $ Introdution Conurrent programs are notoriously hard to verify. Verifiation of onurrent systems has been a very ative area of researh in the past few years. There has been signifiant progress with testing and bug finding tehniques, but due to a huge number of possible shedules (even with a fixed input), it is hard to provide useful overage guarantees. Standard model heking tehniques provide overage, but suffer from the state explosion problem. Stati analysis tehniques [7, 14, 26, 27, 31, 32] have been suessful in heking simple generi properties suh as rae and deadlok freedom. There is a large lass of onurrent programs that are designed to be exeuted by an arbitrary number of lients (for example, devie drivers, onurrent data struture libraries, and file systems). This lass of programs, ommonly alled parameterized onurrent programs, are more diffiult to verify than onurrent programs with a fixed number of threads. The verifiation problem for parameterized systems has been studied extensively [2, 3, 6, 10, 12, 13, 16, 20, 21, 23, 29, 30]; however, the fous has mostly been on verifying protools. These protools (for example, Lamport s Bakery protool [24] and Peterson s mutual exlusion algorithm) are often small programs, but the reasoning behind their orretness is usually ompliated (see Setion 7 for a more detailed disussion), speially when funtional orretness is the goal (e.g. mutual exlusion). In ontrast, we are interested in large programs suh as devie drivers and file systems, where the reasoning behind their orretness is more straightforward. In these programs, undesired inter-thread interferene is usually prevented by simple synhronization mehanisms, and the majority of the verifiation effort is spent in reasoning about the sequential behaviour of eah thread. Moreover, we are interested in proving program assertions, whih is easier to handle than proving funtional orretness of protools. Program assertions are Boolean ombinations of program expressions that relate shared variables to loal variables of a speifi thread at a loation in that thread. They are expressive enough to inlude interesting properties of onurrent programs suh as the absene of null pointer dereferenes or out of bounds array aesses. We believe that this ombination of programs and properties is a good andidate for automated verifiation in the parameterized setting, and is the target of the work presented in this paper. We propose a stati analysis tehnique that separates the verifiation task into a data module and a ontrol module. This separation ahieves both preision and salability for proving assertions orret in onurrent programs with unboundedly many threads. The data module, using an abstrat interpreter, omputes data invariants for eah program loation. These invariants are guaranteed to be onsistent with the most reent information about inter-thread interferene, provided by the ontrol module. The ontrol module, using a dedution system, determines the pattern of inter-thread interferene by using the most reent information from the data module about data invariants. The two modules are ombined into a

2 feedbak loop to ollaboratively ompute a solution to the verifiation problem. This strategy an be used to generate thread-state invariants for program loations, i.e. invariants that do not refer to the loal variables of more than one thread. These invariants an be used for proving the absene of program assertion failures. One of the enabling ideas of our modular approah is to use a data flow graph as a program representation for performing abstrat interpretation. In data flow graphs, only the flow of data is modeled; ontrol onstruts (whih are irrelevant to a data analysis) are abstrated away. Data flow graphs offer a onvenient way to represent the interferene between threads: for example, if one thread writes to a global variable at some loation u whih is subsequently read by another thread at loation v, then u and v are onneted by a data flow edge. Also, sine eah program loation (regardless of the number of threads in the system) is represented by one vertex in the data flow graph (i.e. there is no expliit representation for threads), it is possible to use them to analyze data in parameterized systems. Computing data invariants over a data flow graph is mostly as straightforward as abstrat interpretation for sequential programs; the idea is that the struture of a data flow graph aptures the interferene among threads, and therefore, one only needs to fous on how data flows through this struture. The figure on the right illustrates the idea behind our approah. We start by assuming no interferene among threads (as if threads are running sequentially), and through abstrat interpretation ompute the first set of Data Invariant Generation Data Invariants Data Flow Edges Interferene Dedution data invariants (per program loation). At this stage, the data flow graph only ontains data flow edges that orrespond to the sequential exeutions of program threads. Then, the data invariants are passed to a dedution system, whih uses them to ompute a new set of data flow edges. The dedution system uses the data invariants to reason about what patterns of inter-thread interferene are feasible, and adds the orresponding data flow edges, whih apture these new interferene patterns, to the data flow graph. These new data flow edges may result in omputing weaker data invariants in the next round. These weaker invariants may trigger the addition of more data flow edges (oarsening the data flow graph). This loop ontinues until a fixed point is reahed. The analysis we use for omputing data flow edges is semiompositional. Inter-thread data flow is a property that intuitively involves two threads: one that writes to a global variable, and one that reads from it. Ideally, one would like to reason about the existene of data flow edges by onsidering only two threads at a time. However, it is not generally sound to reason using only two threads, sine a program path (e.g. from a write to a read) may involve many threads synhronizing with eah other. We overome this problem by using data invariants (from the data invariant generation module) to soundly approximate the effets of other threads that may ontribute to a data flow path being realizable. An invariant assoiated with a program loation orresponds to an overapproximation of the values of the program variables when at least one thread is at that loation. Therefore, we may reason about data flow paths that may require the partiipation of arbitrarily many threads while onsidering only two threads at a time. We all our approah semiompositional (in ontrast to fully ompositional) beause our reasoning method over two threads is non-ompositional (all pairs of loations are onsidered), while every other thread in the system is aounted for in a ompositional manner. We implemented our approah in a tool alled DUET and evaluated it on a set of 15 Linux devie drivers. DUET an prove a total of 1312 (out of 1597) of array bounds and integer over/underflow assertions safe in 13 minutes. We also ompared DUET against two reent tools that deal with parameterized onurrent Boolean programs, namely Getafix [22], and the dynami utoff detetion (DCD) algorithm of [19], whih are both based on model heking. We ompared against DCD [19] and Getafix [22] on the set of benhmarks provided by the authors, whih are Boolean abstrations (generated by the SatAbs [9] tool) of the aforementioned Linux devie drivers. DUET has the lear advantage of being diretly appliable to the drivers (as opposed to their Boolean abstrations), but we performed these experiments to show that it does outperform these tools even at the level of Boolean programs. Our experiments shows that DUET substantially outperforms Getafix, by proving 2505 (ompared to 1382 for Getafix) Boolean programs orret. DUET also outperforms DCD by proving 58 programs safe in ontrast to only 19 programs that DCD an prove safe. 1.1 Motivating example In onurrent programs, threads ommuniate using many different methods. They may ommuniate through synhronization primitives suh as loks or wait/notify, whih an be viewed as ontrol type primitives that only affet the feasible ontrol paths in a thread, and not the data. Threads may also ommuniate via reading from and writing to shared memory, whih are data type primitives. In the presene of both patterns of ommuniation among threads, preise reasoning about the program often involves reasoning about both data and ontrol simultaneously. But, doing so an be very expensive, speially for a programs with an unbounded number of threads. In this paper, we present a salable approah to reason about data and ontrol in separate but ollaborating modules. In this setion, we use an example that inludes both modes of ommuniation among threads (through both data variables and loks) to provide a high level understanding of our approah. Figure 1 illustrates a simplified onurrent produer-onsumer example. Let us assume that eah statement is exeuted atomially, and that initially no thread holds any loks, and ounter is 0. The produer an produe items one-by-one or in bath mode, and keeps trak of the number of produed items waiting to be onsumed using the global variable ounter. Two produers annot produe items simultaneously, but a onsumer an run in parallel with a produer in bath mode. The onsumer, if there are items to proess, onsumes them one-by-one, by derementing ounter. The assertion at v 6 states a orretness property for the onsumer: the number of items waiting to be onsumed must be non-negative. At position u 10 in the produer, the value of ounter is always zero, so the assignment at u 10 does not add any behaviour, but it helps us demonstrate an interesting point. This program demonstrates the use of both synhronization primitives (loks in this ase), and onditional statements to rule out undesired interferene from other threads. For example, if the goal is to prove that the assertion at v 6 holds, then one must prove that the zero value assigned to ounter at u 10 annot reah the derement at v 5, and onsequently falsify the assertion. In other words, we need to rule out a pattern of thread interferene in order to prove the desired invariant at v 5 and v 6. The interesting aspet of this example is that the reverse is also true: sine the loations u 10 and v 5 are not proteted by a ommon lok, in order to rule out the undesired interferene, one needs to rely on the fat that at v 5, the value of ounter is always stritly positive. In this senario, if one starts from a weak invariant at v 5, one annot rule out interferene from u 10, and (reversely), if one starts by assuming the interferene from u 10 may our, one annot prove the data invariant needed to rule out this interferene.

3 Here, we explain how our algorithm operates on the program in Figure 1 at a high level. In Setion 5 (in Example 5.1), we will revisit this example and explain it in more detail. First, we assume that Produer and Consumer are exeuted sequentially with no interation, and ompute a sequential data flow graph P 1. Next, a set of data invariants is generated from P 1. This analysis determines that the Consumer threads annot reah loation v 5 and that in Produer threads, loation u 4 is unreahable. Using the previously omputed data invariants, the interferene dedution unit omputes new data flows, and adds the appropriate edges to P 1 to get a data flow graph P 2. For example, this analysis determines that the value of ounter from u 12 may reah the beginning of the Produer and Consumer threads, and so adds the edges u 12 v 4 and u 12 u 3. The interferene dedution unit uses the fat that ounter=0 is an invariant at u 10 to infer that the value of ounter from u 10 annot flow to v 5 without passing through v 4, and therefore, does not add an edge from u 10 to v 5. Data invariants are then generated for the data flow graph P 2, whih determines that u 4 and v 5 are now reahable, and that ounter [0, ) at u 1. The subsequent interferene analysis omputes new data flow edges, for example u 4 u 1, whih is possible as the result of u 1 s new (weaker) invariant. The invariants are still strong enough to prove that there is no data flow from u 10 to v 5. These edges are added to P 2 to get a new data flow graph P 3. The data analysis runs on P 3, but does not produe weaker invariants, and onsequently, the subsequent interferene analysis does not produe any new data flow edges. The algorithm then terminates, having omputed a set of invariants that soundly approximate the dynami behaviours of the program. These invariants are strong enough to prove that the assertion at v 6 never fails. The rest of this paper is organized as follows. In Setion 2, we define our program model. We define the data flow graphs in Setion 3, and disuss how data invariants an be omputed by abstrat interpretation of data flow graphs; this onstitutes the data portion of our analysis. We then disuss onstrution of the data flow graphs in Setion 4 where we explain how data invariants are used to infer new data flow edges. The omplete algorithm as an iterative framework is presented in Setion 5. Setion 6 presents our experiments, Setion 7 disusses related work, and Setion 8 onludes. 2. Notation and the program model We define a program to be a 4-tuple P = H, GV, LV, L, where H = Lo, CF is a finite ontrol flow graph (CFG) whose verties we all loations, GV is a finite set of global variables, LV is a finite set of loal variables, and L assigns to eah ontrol loation a transition relation. For the rest of this setion, we will formalize this program model and introdue notation to be used in the rest of the paper. We will identify threads with natural numbers, where the behaviour of an individual thread is given by the ontrol flow graph H = Lo, CF together with the semanti funtion L. The initial vertex of H, whih is assumed to have no ontrol flow predeessors, is denoted by init lo. The behaviour of the program P is defined to be that of the infinite parallel omposition of all threads n N. Sine we are interested in thread invariants, we an restrit ourselves to finite exeutions, in whih only finitely many threads an partiipate. Thus, for proving thread invariants, our program model is equivalent to the parameterized model in whih P is taken to be the finite parallel omposition of all threads up to some k N, where k is a parameter. We also note that we lose no generality in assuming that every thread n N exeutes the same ode, sine several ode segments an be simply ombined into one. { u 1: u 2: u 3: u 4: u 5: u 6: u 7: u 8: u 9: u 10: u 11: u 12: u 13: u 14: u 15: u 16: int Produer(int bath) } aquire(lok2) aquire(lok1) if (*) { assume(ounter>0) ounter++ unlok(lok1) unlok(lok2) return 1 } else { assume(ounter<=0) unlok(lok1) ounter = 0 while(*) { assume(bath>0) ounter++ bath-- } assume(bath<=0) unlok(lok2) return bath } void Consumer() { v 1: v 2: v 3: v 4: v 5: v 6: v 7: } Figure 1. Produer-Consumer Example. lok(lok1) while(*) { unlok(lok1) lok(lok1) } assume(ounter>0) ounter-- assert(ounter>=0) unlok(lok1) We will assume that GV, LV, and N LV are pairwise disjoint (a pair n, x N LV is oneptually thread n s opy of the loal variable x) and define the set of variables Var = GV LV. For simpliity, we will assume that all variables are of type integer. A global state is a pair s = s env, s lo onsisting of a global environment s env GEnv = (GV N LV) Z and an assignment of a ontrol loation to eah thread s lo : N Lo. A thread state is a mapping e TEnv = Var Z from variables to values. For a given thread n N and global state s, the thread state of n in s, whih we denote by s[n], and whih is defined by { s env(x) if x GV s[n](x) = s env( n, x ) otherwise The funtion L : Lo TEnv TEnv assoiates a transition relation on thread states to every loation. We all a pair a = n, v, v onsisting of a thread n N and a ontrol flow edge v, v CF an ation. If the target v of the ontrol flow edge v, v is understood from the ontext or irrelevant, we simply write n, v. We use A a to denote the (global state) transition relation assoiated with the ation a, whih is obtained by lifting L v from thread states to global states as follows: s, s A n, v, v e, e L v suh that s[n] = e and s [n] = e s lo (n) = v and s lo(n) = v n N \ {n}. s lo (n ) = s lo(n ) n N \ {n}, x LV. s env( n, x ) = s env( n, x ). Given a sequene of ations ρ and a subset N N, the projetion of ρ onto N, denoted ρ N, is the subsequene of ρ onsisting of all ations whose thread identifiers belong to N. A trae σ is a finite sequene of ations suh that, when projeted onto a single thread, orresponds to a path in the CFG H beginning at the initial loation init lo. For a trae σ, the post states of σ (denoted σ ) is the set of final states of that exeution. A trae τ is feasible if τ is nonempty. For a trae σ and a thread n N, we use endlo(σ, n) to denote the end loation of the CFG path

4 σ {n}. Note that endlo has the property that s σ, n N, s lo (n) = endlo(σ, n). A thread-state property is an assertion ϕ with free variables in Var. We will denote the set of suh formulae by F(Var) (and more generally, F(V ) will denote first-order formulae with free variables in V ). For a thread state e, we write e = ϕ to denote that e satisfies ϕ. To provide some intuition on our program model, we will desribe how to represent loking. A lok is represented by a global variable lok GV. Let aq be a loation where lok is to be aquired, and let rel be a loation where it is to be released. Then we an define L aq = { e, e[lok 1] : e(lok) = 0} L rel = { e, e[lok 0] : e(lok) = 1} Note that, given a feasible trae τ, the fat that τ is nonempty implies that there is no point along τ in whih two threads hold the same lok. Our program model does not support onditional branhing, but this an be simulated with nondeterministi branhing and assume ations, where L assume() = { e, e : e = }. Programs that depend on the initial state satisfying some property ϕ an be simulated by defining L init lo as L assume(ϕ). Although our algorithm (and our implementation) handles dynami thread reation, we omit it from this presentation for the sake of simpliity. 3. Data flow graphs Data flow graphs (DFGs) are a program representation that expliitly represents the flow of data in a program, rather than the flow of ontrol as in a ontrol flow graph. Our analysis uses DFGs to ompute program invariants by interpreting eah edge of the DFG as a onstraint and then omputing an overapproximation of the least solution to this onstraint system via abstrat interpretation. 1 A DFG for a program P is a direted graph P = Lo, DF, where DF Lo Var Lo is a set of direted edges labeled by program variables, and where we assume that Lo ontains an additional loation uninit (with no inoming or outgoing edges in the ontrol flow graph of P ). We will use u x v to denote the triple u, x, v Lo Var Lo. We define the olleting semantis of a DFG P = Lo, DF to be the least solution to the following set of equations: VAL(u, x) = {e(x) : e OUT(u)} IN(v) = {e TEnv : u x v DF.e(x) VAL(u, x)} x Var { TEnv if v = uninit OUT(v) = {e : e IN(v). e, e L v } otherwise Consider the example in Figure 2. This figure depits a program with two ode segments, eah of whih may be exeuted by arbitrarily many threads. Variable is global, and variable inr is loal. Eah vertex (exept the speial vertex uninit) has at least one inoming edge for eah variable. Eah of these inoming edges provides a value for a partiular variable. For example, the edge u 2 v 2 represents the onstraint that any value for after exeuting u 2 is a possible value for before exeuting v 2 (that is, {e() : e IN(v 2)} {e() : e OUT(u 2)}). The two edges from uninit to init lo indiate that any value is possible for inr and at init lo, the loation at whih both threads begin exeution. The vertex init lo sets the initial ondition of the program, ating as assume( = 0 inr = 0). Thus, edges originating at init lo 1 For a similar use of data-flow graphs, see for example [17]. Global: Loal: inr u 1: inr = 1 u 2: = + inr // v 1: inr = -1 v 2: assert( > 0) uninit inr inr inr u 1 : inr=1 u 2 : =+inr init lo inr v 1 : inr=-1 inr v 2 : assert(>0) Figure 2. A program and a data flow graph representing it. indiate that a partiular variable may get its value from the initial state. The fat that v 1 inr u 2 does not belong to this graph indiates that the value of inr at v 1 is not observable at u 2. Intuitively, a DFG for a program P represents a trae σ if it has enough edges to ensure that any thread state reahed by σ belongs to IN(v) for some v. The remainder of this setion formalizes this notion. We will assume the existene of a funtion mod : Lo P(Var) that maps every ontrol loation to the set of variables modified at that loation. We require that mod satisfies the following: for any x Var, if there exists some e, e L v with e(x) e (x), then x mod(v). A notable feature of the mod we use in pratie is that a loation of the form assume(ϕ) is onsidered to be a modifiation of every variable ourring in ϕ. This allows us to take advantage of information at onditional branhes that otherwise would not be possible in a data flow graph. For a trae σ, variable x, and thread n, we define latest(σ, x, n) to be the loation of the last ation to write to the variable x along σ (or thread n s opy of x, if x is loal). More formally, if x is a global variable, latest(σ, x, n) is the unique loation v suh that σ = π m, v ρ (for some m N) and where no ation (of any thread) along ρ modifies x if suh a v exists, and uninit otherwise. Similarly, if x is a loal variable, latest(σ, x, n) is the unique loation v suh that σ = π n, v ρ and no ation of thread n along ρ modifies x if suh a v exists, and uninit otherwise. DEFINITION 3.1 (Witness). Let u, v be loations, x be a variable, and σ be a trae. We say that σ is a witness for the data flow edge u x v if there exists some thread n N suh that latest(σ, x, n) = u and endlo(σ, n) = v. Coneptually, σ is a witness for u x v if, on σ, u sets a value for x whih is not hanged until the end of the trae, where some thread is at v. We are now ready to define a representation ondition for traes and program. DEFINITION 3.2 (Representation). A DFG P = Lo, DF represents a trae σ iff for every u, v Lo and x Var, if some subtrae (not neessarily proper) σ of σ is a witness for u x v, then u x v DF. P represents a program P if it represents τ for every feasible trae τ of P. The relationship between the olleting semantis of a DFG and the traes it represents is given by the following: THEOREM 3.3 (DFG Soundness). Let σ be a trae and let P be a DFG suh that P represents σ. Then the olleting semantis of P overapproximates the set of thread states reahed by σ. Formally, for all s σ, for all n N, we have that s[n] IN(s lo (n)).

5 Proof sketh Let P = Lo, DF be a DFG and let σ be a trae represented by P. We proeed by indution on σ. Base ase: follows from the fat that for all x, uninit x init lo DF (sine P represents ɛ) and the fat that for all x, VAL(uninit, x) = Z. Indutive step: suppose σ is a trae suh that P represents σ, let n N, and let v = endlo(σ, n). We need to show that s[n] IN(s lo (n)). To prove this, it is suffiient to show that x Var, u Lo suh that u x v DF and s[n](x) VAL(u, x). Let x be a variable, and take u to be latest(σ, x, n). Then u x v DF beause σ witnesses this data flow and P represents σ. If u = uninit, we are done sine VAL(uninit, x) = Z. If u uninit, it follows that σ = π m, u ρ for some thread m N, trae π, and sequene of ations ρ suh that x is not modified along ρ (by the definition of latest(σ, x, n)). Moreover, we must have that there is some s π suh that s with s, s A m, u and s [n](x) = s[n](x). By the indution hypothesis, s [m] IN(u), so s [m] OUT(u) and s[n](x) = s [n](x) = s [m](x) VAL(u, x). We also note that, unlike typial definitions of data flow graphs, we require that eah loation has inputs for every variable, rather than just the variables read by that loation. This is a tehnial onveniene that simplifies the presentation of our algorithm. 3.1 Abstrat interpretation of data flow graphs In this setion, we disuss how invariants are omputed over a data flow graph. For larity of this presentation, we will assume a onrete representation of an abstrat domain as a subset of F(Var). The semantis of program loations is given by an abstrat transition relation L : Lo F(Var) F(Var) that overapproximates the strongest postondition (i.e., e, e L v implies e = L v (e)). An annotation for a DFG P is a map ι : Lo F(Var) that assigns eah loation v Lo a threadstate formula ι(v). We define an indutiveness ondition for annotations that follows the struture of the olleting semantis, and whih holds when the annotation overapproximates the olleting semantis of the DFG. DEFINITION 3.4. An annotation ι is indutive for a data flow graph Lo, DF if: ι(uninit) = true For all v Lo, [ ( x Var u x v DF L u (ι(u)) x)] ι(v) where L u (ι(u)) x denotes the formula obtained from the formula L u (ι(u)) by existentially quantifying every variable exept x. Standard tehniques an be used to ompute indutive annotations from a DFG (indutive annotations orrespond to postfixpoint solutions in the terminology of abstrat interpretation). For example, in our implementation, we use a variation of the wellknown worklist algorithm. The following is a onsequene of Theorem 3.3 and the fat that indutive annotations overapproximate the olleting semantis: COROLLARY 3.5. Let σ be a trae, let P be a dataflow graph that represents σ (Definition 3.2), and let ι be an indutive annotation for P (Definition 3.4). Then for all states s σ, and all threads n N, s[n] = ι(s lo (n)) (i.e., the thread state of thread n in the global state s is overapproximated by the annotation at the loation of thread n). Note that in the olleting semantis, and therefore in indutive annotations, the values of different variables annot be orrelated. For example, if v is a loation, x and y are variables, and e, e IN(v) are reahable thread states suh that e(x) = e(y) = 0 and e (x) = e (y) = 1, then there exists an e IN(v) in whih e (x) = 0 1 = e (y). This suggests that DFGs are most appropriate for analyses based on non-relational abstrat domains, suh as intervals, signs, or the even/odd domain, whih are also inapable of representing relationships between variables. In Setion 5.1, we will disuss a variation of DFGs whih are more appropriate for relational abstrat domains. 4. Interferene analysis We now address the problem of how to ompute a DFG that represents a program. We start by defining a subset of traes, alled ι- feasible traes (where ι is a given annotation), and then develop an interferene analysis that omputes the set of data flow edges that are witnessed by ι-feasible traes. The definition of ι-feasibility is suh that if ι is a weak enough annotation, then every feasible trae is ι-feasible. With suh an annotation ι, every edge whih is witnessed by a feasible trae will also be witnessed by an ι-feasible trae, and thus will be found by our interferene analysis. Our interferene analysis relies on a finite domain of data invariants, whih is defined using finite set of observable onditions. 2 An observable ondition is a prediate with free variables in GV. In the remainder of this setion, we assume a fixed finite set of observable onditions, whih we denote by C. We define the set of observable formulae F (GV) F(GV) to be the set of formulae ϕ that an be expressed as a onjuntion i ϕi, where for eah i, ϕ i C or ϕ i C. An annotation ι : Lo F(Var) (along with the set of observable onditions C) determines an abstrat annotation ι : Lo F (GV) that assigns to eah loation u Lo an observable formula ϕ that is implied by ι(u) and whih is at least as strong as any other observable formula with this property. Thus, going from onrete to abstrat (and using to denote is more preise than ), we have IN(v) ι(v) ι (v) for any loation v. The set of observable onditions C determines an enabling ondition enabled : Lo F (GV) where e. e, e A v e, v = enabled(v) and enabled(v) is at least as strong as any other observable formula with this property. We are now ready to state our definition of ι-feasibility: DEFINITION 4.1. Let σ be a trae and ι be an annotation. Then σ is ι-feasible if: σ = ɛ, or σ = σ n, v, where σ is an ι-feasible trae, and for all m N, ι (endlo(σ, m)) enabled(v) is satisfiable. Note that the ondition for extending an ι-feasible path σ by an ation n, v depends only on the annotations at the end loations of eah thread, rather than on the states in σ. EXAMPLE 4.2. Consider the trae σ = 0, u 1 0, u 2 0, u 3 of the program in Figure 1. This trae is not feasible, beause every state in ( 0, u 1 0, u 2 ) has ounter = 0, so 0, u 3 is not enabled. However, assuming that ι(u 2) = ounter 0 lok1 = 1, ι(u 1) = ounter 0, and C = {ounter > 0, lok1 = 0, lok2 = 0} (whih implies ι (u 1) = true, ι (u 1) = (lok1 = 0), and enabled(u 3) = ounter > 0), this trae is ι-feasible. To illustrate how ι-feasibility depends on ι, onsider the infeasible trae 0, u 1 0, u 2 1, v 1. This trae is 2 This finiteness ondition is not stritly neessary, but makes for a more effiient analysis.

6 INIT-COREACH oreahable(init lo, init lo ) COREACH-SYM oreahable(u, v) oreahable(v, u) MAYREACH mayreah(u 0, x, u 1, v) u 0 x v COREACH-STEP oreahable(u 0, v) enabled(u 0, ι (v)) enabled(u 0, ι (u 0)) u 0, u 1 CF oreahable(u 1, v) MAYREACH-BASE oreahable(u 0, v) x mod(u 0) enabled(u 0, ι (v)) enabled(u 0, ι (u 0)) u 0, u 1 CF mayreah(u 0, x, u 1, v) MAYREACH-STEPL mayreah(u 0, x, u 1, v) x / mod(u 1) enabled(u 1, ι (v)) enabled(u 1, ι (u 1)) u 1, u 2 CF mayreah(u 0, x, u 2, v) MAYREACH-STEPR mayreah(u 0, x, u 1, v 0) x / mod(v 0) enabled(v 0, ι (u 1)) enabled(v 0, ι (v 0)) v 0, v 1 CF mayreah(u 0, x, u 1, v 1) Figure 3. Interferene analysis. ι-feasible if ι(u 3) = ounter 0 lok1 = 1, and ι-infeasible if ι(u 3) = ι(u 8) = ounter 0 lok1 = 1 lok2 = 1. By ombining the definition of ι-feasibility with the definition of a witness of a data flow edge, we arrive at the following: DEFINITION 4.3. Let σ be a trae, ι be an annotation, u and v be loations, and x be a variable. Then σ is an ι-feasible witness of the data flow u x v if σ is ι-feasible and witnesses the data flow u x v (that is, σ simultaneously satisfies definitions 3.1 and 4.1). A key property of our notion of ι-feasibility is that it is preserved under projetions; that is, for any ι, if σ is an ι-feasible trae, then for any sets of threads N N, σ N is also ι-feasible. The following lemma states a projetion result that forms the basis of our semiompositional algorithm for interferene analysis. It implies that, in order to ompute the set of data flow edges that are witnessed by ι-feasible traes, it is suffiient to onsider only traes that involve two threads. LEMMA 4.4 (Projetion). Let ι be an annotation, u, v be loations, and x be a variable. Let σ be an ι-feasible witness for the data flow u x v. Then there exists m, n N suh that σ {m,n} is an ι-feasible witness for u x v. Proof sketh We will first prove that for any N N and any ι- feasible trae σ, σ N is an ι-feasible trae, by indution on σ. The base ase is obvious. For the indutive step, let σ n, v be an ι-feasible trae, and assume that σ N is ι-feasible. If n / N, then σ n, v N = σ N, and the result is immediate from the indution hypothesis. If n N, then σ n, v N = σ N n, v. In this ase, we need to show that for all m N, ι (endlo(σ N, m)) enabled(v) is satisfiable. Let m N and distinguish two ases: m N: then endlo(σ N, m) = endlo(σ, m), and the fat that ι (endlo(σ N, m)) enabled(v) is satisfiable follows from the fat that σ n, v is ι-feasible. m / N: then endlo(σ N, n) = init lo. Sine σ is finite, only finitely many threads exeute ations in σ, so there exists a thread i N that does not exeute ations in σ. Sine σ n, v is ι-feasible, ι (endlo(σ, i)) enabled(v) is satisfiable. Sine endlo(σ, i) = init lo = endlo(σ N, m), we are done. Now, we must prove that the property of being a witness is preserved by projetions. Let u, v be loations and x be a variable, and let σ by a witness of the data flow u x v. We assume that x is a global variable the ase of loal variables is similar. It follows from Definition 3.1 that there exists some m, n N, a trae π, and a sequene of ations ρ suh that σ = π n, u ρ suh that x mod(u), x is not modified by any ation along ρ, and v = endlo(σ, m). It is easy to hek that σ {m,n} witnesses u x v. 4.1 Inferring data flow edges Our algorithm for inferring data flow edges is stated delaratively in Figure 3 as a set of dedution rules for ι-feasible witnesses. For u, v Lo and x Var, we write u x ι v iff an ι- feasible witness for the data flow u x v exists. These proof rules are sound and omplete for determining whether a witness for an inter-thread data flow edge exists intra-thread data flows an be omputed independently using a standard sequential reahing definitions analysis. The rules use an input relation enabled(u, ϕ) whih holds iff ϕ enabled(u) is satisfiable. Additionally, two auxiliary relations are used: oreahable(u, v) holds iff there is some ι-feasible trae σ suh that u = endlo(σ, 0) and v = endlo(σ, 1). mayreah(u, x, v, w) holds iff there is some ι-feasible trae σ suh that u = latest(σ, x, 0), v = endlo(σ, 0) and w = endlo(σ, 1). Sine the set of loations and the set of variables are finite, oreahable, mayreah, and ι all must be finite. As a result, we may ompute all members of ι in finite time by iteratively applying these rules until no new members of any relation are dedued (i.e., until a fixed point is reahed). Moreover, the fat that these relations are all finite allows us to leverage effiient propositional tehniques, for example representing relations by binary deision diagrams. LEMMA 4.5 (Interferene analysis soundness & ompleteness). Let u, v Lo and x Var. There exists an ι-feasible trae that witnesses data flow the u x v iff there exists a single-threaded

7 witness, or if u x ι v belongs to the least fixpoint solution of the system of interferene rules in Figure 3. Note that this lemma implies that, although we lose information in our interferene analysis by going from feasible traes to ι- feasible traes, we do not lose information by going from n-thread ι-feasible traes to 2-thread ι-feasible traes. The rules in Figure 3 are a simplified version of the ones we implement in DUET. DUET handles some additional language features (thread reation and atomi bloks) and has several optimizations to make it more effiient. However, all the essential ideas of the analysis are present in the rules of Figure Iterative oarsening In Setion 3, we gave a method for omputing an annotation for a data flow graph; in Setion 4, we gave a method for omputing data flow edges given an annotation. By inorporating both omponents into a feedbak loop, we obtain our main algorithm, COARSEN (Algorithm 1). Given a parameterized multi-threaded program, COARSEN omputes a DFG that represents that program as well as an annotation that is indutive for that DFG. Given a program P, COARSEN begins by omputing a data flow graph P 1 with only intra-thread (sequential) data flow edges. It then omputes an indutive annotation ι 1 for P 1 as disussed in Setion 3. This annotation ι 1 is used as input to the interferene analysis of Setion 4, whih omputes the set of ι 1-feasible data flow edges and adds them to P 1 to obtain a DFG P 2. After adding these edges, a new (possibly weaker) annotation is omputed that is indutive for P 2. This proess ontinues until a fixed point is reahed; that is, until we reah some k suh that P k = P k+1. At this point, P k represents the program P and ι k is indutive for P k, and therefore ι k overapproximates the reahable thread states of P by Theorem 3.3. This algorithm makes use of several auxiliary funtions, whih are defined below. SequentialDFG(P ) omputes a sequential data flow graph for P. This omputation is a standard sequential reahing definitions analysis. This graph ontains all intra-thread data flow edges, inluding all those for loal variables, and all those originating from uninit. ExtratCond(P ) omputes a set of observable onditions for P by mining the program for loks and prediates q suh that q only uses global variables and assume(q) ours in P. Invariants( Lo, DF ) omputes an annotation that is indutive for the DFG Lo, DF using a modifiation of the standard worklist algorithm, as disussed in Setion 3. AbstratAnnotation(ι, C) omputes an observable formula ι (v) for every loation v that is implied by ι(v) and is at least as strong as any other observable formula with that property. FeasibleDataflows(P, ι ) omputes the relation ι through a bottom-up evaluation of the logi program given in Figure 3. EXAMPLE 5.1. Consider the program in Figure 1. Figure 4 depits how the DFG and annotation omputed by COARSEN evolve on this program. For simpliity, we show only information that is relevant to the ounter variable. In partiular, the DFG ontains only verties that modify or blok on ounter and all the ounterlabeled edges between them, and the annotation is restrited to refer only to the variable ounter. A speial vertex X appears in the DFG to improve readability by fatoring edges; it does not represent a real DFG vertex. An edge u X from some arbitrary vertex u to X represents four Algorithm 1 COARSEN Input: A program P = Lo, CF, GV, LV, L Output: A sound annotation for P Lo, DF SequentialDFG(P ) C ExtratCond(P ) DF repeat DF DF DF ι Invariants( Lo, DF ) ι AbstratAnnotation(ι, C) DF FeasibleDataflows(P, ι ) until DF DF return ι edges: u init lo, u u 8, u u 3 and u v 4. The vertex init lo is the initial loation of the program where every thread begins its exeution, and whih has u 1 and v 1 as its ontrol flow suessors. Its ation is to assume the ondition of the initial state, as in: assume(ounter = 0 lok1 = 0 lok2 = 0 bath 0) The solid edges in Figure 4 are added in the first round, the dashed edges are added in the seond round, and the dotted edges are added in the third round. The olumns labeled ι 1, ι 2, and ι 3 represent the annotation of the orresponding loation in the first, seond, and third rounds. Note that there is no edge from u 10 to v 5. This is very important for proving the assertion at v 6. Sine the invariant at u 10 always remains ounter=0, the interferene analysis an infer that there is no feasible path of the program witnessing this edge. Any feasible path of the program that visits u 10 has to go through a ounter inrement (u 11) or an assume statement (v 4) before it an reah v 5, and sine eah of those paths ontains a loation modifying ounter in the segment from u 10 to v 5, they annot be witnesses for a data flow edge from u 10 to v 5. Finally, the orretness ondition of Algorithm 1 is stated in the following theorem: THEOREM 5.2 (Soundness). For any program P, COARSEN omputes an annotation ι and a DFG P suh that P represents P, and for every reahable state s of P and thread n, s[n] = ι(s lo (n)). Proof sketh Let ι and P be the be the annotation and data flow graph omputed by COARSEN. The termination ondition of COARSEN implies that ι is indutive for P and every ι-feasible trae of P is represented in P. We first prove that every feasible trae τ of P is ι-feasible by indution on τ. The base ase is trivial, sine ɛ is ι-feasible for any ι. For the indution step, assume that τ n, v is a feasible trae and τ is ι- feasible; we must prove that τ n, v is ι-feasible. Sine τ n, v is feasible, there must exist some s τ and s State suh that s, s A n, v. By the definition of enabled(v), we have that s = enabled(v). We note that for a formula ϕ with free variables in GV, the meaning of s = ϕ is unambiguous sine s env assigns a single value to eah global variable x GV; moreover, we note that if ϕ s free variables are in GV then s[n] = ϕ iff s = ϕ, sine s[n] and s agree on the values of all global variables. Let m N be an arbitrary thread. Sine τ is ι-feasible, τ is represented by the DFG Lo, DF. Sine ι is indutive for Lo, DF and s τ, we have that s[m] = ι(s lo (m)) by Corollary 3.5. It follows from the definition of ι that s = ι (s lo (m)), and thus

8 init lo u 8 : assume(ounter 0) v 4 : assume(ounter > 0) X u 3 : assume(ounter > 0) u 10 : ounter=0 u 11 : ounter++ u 4 : ounter++ v 5 : ounter-- ι 1 ι 2 ι 3 init lo true true true u 3 ounter=0 ounter 0 ounter 0 u 4 ounter=0 ounter 0 ounter 0 u 8 ounter=0 ounter 0 ounter 0 u 10 ounter=0 ounter=0 ounter=0 u 11 ounter 0 ounter 0 ounter 0 v 4 ounter=0 ounter 0 ounter 0 v 5 false ounter>0 ounter>0 v 6 false ounter 0 ounter 0 v 6 : assert(ounter 0) Figure 4. COARSEN omputation on the program in Figure 1. s = ι (s lo (m)) enabled(v). Sine this holds for all m, τ n, v is ι-feasible (noting that s lo (m) = endlo(τ, m)). Sine every feasible trae is an ι-feasible trae, and every ι- feasible trae is represented by P, every feasible trae is represented by P, and so P is represented by P. Finally, let s be a reahable thread state and let n N be a thread. Then there exists some feasible trae τ suh that s τ. Sine τ is ι-feasible (by the above argument), it follows that τ is represented by P. Finally, sine τ is represented by P and ι is indutive for P, we have that s[n] = ι(s lo (n)) by Corollary Relational abstrat domains We have disussed only the use of non-relational (also known as independent attribute) abstrat domains up to this point. Although suh domains are typially very effiient, the fat that they annot enode relationships between variables limits their expressive power. In our framework, it is possible to use relational domains, suh as otagons and polyhedra, by modifying the data flow graph. Instead having data flow graph edges labeled with a single variable, we allow sets of variables as labels, indiating that the value of every variable in this set flows from the soure to the target. Sine a value for eah x X flows along suh an edge u X v, relationships between variables in X an be maintained. A partiularly simple instane of this idea is to reate a partition P of the set of variables Var into semantially related sets. Intuitively, we an think of eah ell X P as a reord-typed variable, with one field for eah x X. For a given partition P of Var, the olleting semantis for a relational DFG Lo, DF with P-labeled edges is given by the following: VAL(u, X) = {e : e OUT(u). x X.e(x) = e (x)} IN(v) = X P{e TEnv : u X v DF.e VAL(u, X)} { TEnv if v = uninit OUT(v) = {e : e IN(v). e, e L v } otherwise Using the olleting semantis as a guideline, it is straightforward to define indutive invariants for relational DFGs. The interferene analysis of Setion 4 must then be adapted to infer relational data flow edges. Towards this end, we redefine mod to at on ells rather than variables as follows: mod P (v) = {X P : mod(v) X } By re-instantiating the interferene analysis in Figure 3 with mod P in plae of mod, we obtain our algorithm for alulating data flows in a relational DFG. Sine nonrelational analyses and relational analyses operate on different data flow graphs, it is not generally true (as in the ase of sequential analyses) that a relational analysis is neessarily more aurate than a non-relational analysis. There is a positive side and a negative side to grouping variables when it omes to onurrent program analysis. On the positive side, grouping variables together makes it possible to infer relationships between variables, whih results in a more preise analysis. On the negative side, grouping variables together may reate additional interferene edges (resulting in a less preise analysis), as mod P (v) is generally larger than mod(v) (for v Lo). For example, if bath and ounter are grouped together in the relational DFG onstrution for Figure 1, then the interferene analysis will infer the {bath, ounter}- labeled edges v 5 u 13 and u 13 v 5. With these edges present, the invariant that ounter 0 at v 5 an no longer be proved, beause the indutiveness ondition for annotations implies that there is no lower bound for ounter at v 5. In our experiments in Setion 6, there are ases when interval analysis sueeds in proving a property orret when otagon analysis fails, and vie versa. In Setion 6.1, we briefly disuss the simple algorithm that we use to partition variables into semantially related sets. While simple, this algorithm performs fairly well on our benhmarks. However, we believe that there is onsiderable room for improvement with a better variable grouping algorithm. 6. Experiments The approah presented in this paper is implemented into a tool alled DUET. 3 We used a benhmark suite of 15 Linux devie drivers to evaluate DUET. Additionally, we ran DUET on the set of Boolean programs generated by SatAbs [9] from these Linux drivers to ompare DUET with two reent tehniques on verifiation of parameterized Boolean programs. 3 For more information on this tool, see

9 Devie Drivers #assertions DUET: Interval Analysis DUET: Otagon Analysis safe time safe time i8xx to m51s 71 1m25s ib700wdt s 64 20s mahzwd s 67 14m44s mixomwd s pwd m43s m48s pwd pi m18s 188 2m59s sb60xxwdt s 69 11m27s s520 wdt s 65 13m20s s1200wdt s 66 33s sms37b787 wdt s 80 47s w83877f wdt s 72 13m24s w83977f wdt s 82 34s wdt s 86 25s wdt s 75 28s wdt pi s 66 5m33s total m9s m21s Table 1. DUET s Performane on Parameterized Integer Programs, run on an 3.16GHz Intel(R) Core 2(TM) mahine with 4GB of RAM. 6.1 Implementation DUET is written in OCaml, and makes use of the CIL front-end for the C language [28] and the goto program front-end distributed with CBMC [8]. Our abstrat interpreter uses the APRON library [5] for its numerial abstrat domains. We use the BDD-based Datalog implementation bddbddb[33] to perform the interferene analysis desribed in Setion 4. Currently, DUET aepts three types of inputs: (1) C programs using pthreads library for thread operations, (2) Boolean programs in the input language of Boom [19] as an input, or (3) goto programs, as produed by the goto- C/C++ frontend (part of the CPROVER projet [1]. Our implementation urrently inlines all funtion alls and then performs an intraproedural analysis. Alias Analysis. We use a type-based alias analysis to handle pointers. For eah variable whose address is not taken, we assign a memory loation whih reeives strong updates. For every type in the program, we assign a memory loation whih reeives weak updates, and eah aess path of that type (other than variables whose address is not taken) is onsidered to be a referene to that memory loation. The interferene analysis implemented in DUET operates on these memory loations rather than variables. This sheme is sound under the assumption that pointer-typed expressions are never ast. For the benhmark suite used in Setion 6.2, aliasing is not partiularly important for proving array bounds and integer overflow properties. Therefore, we expet the onsequenes of our unsound and impreise alias analysis to be negligible. We use Algorithm 2 to partition variables into semantially related sets for our implementation of otagon analysis. While simple, it seems to be effetive in pratie when performing an otagon analysis on Boolean abstrations of Linux devie drivers. 6.2 Evaluation Below, we provide the results of experimenting with DUET on a olletion of Linux devie drivers and on Boolean abstrations of those drivers. Sine a driver may have arbitrary many lients, it is important to verify these drivers in a parameterized setting. Parameterized Integer Programs. Table 1 presents the result of running DUET on a olletion of 15 Linux devie drivers. These drivers are all written in C, and inlude infinite data (suh as integer types). We know of no other tool that an verify numerial Algorithm 2 Variable partitioning algorithm Input: A set of program loations Lo, a set of loal variables LV and global variables GV Output: A partition of Var //P is a disjoint set data struture P {{x} : x Var} for v Lo do if v is an assignment statement then vs mod(v) ref(v) if vs = 2 (vs LV vs GV) then Merge the partitions of eah x vs end if else if v = assume(p) then if vars(v) LV vars(v) GV then Merge the partitions of eah x vars(v) end if end if end for return P properties of suh large programs with arbitrarily many threads, 4 and therefore we present the result of running DUET on these integer benhmarks without omparison with other tools. DDVerify and goto- are used to (automatially) proess eah driver into a fully-inlined goto program annotated with assertions heking array bounds and integer overflows/underflows. With an interval analysis, DUET manages to prove most of the assertions orret (1312 out of a total 1597), and does so in 13 minutes. DUET s performane using an otagon analysis is slightly worse, proving 1277 assertions orret in 90 minutes. Most false positives for DUET appear to be aused by one of two reasons: impreision in the abstrat domain, and impreision in how DUET handles the treatment of spinloks in goto programs. 4 It is possible to run Boom on the integer benhmarks by first extrating Boolean programs with SatAbs. However, SatAbs is designed for sequential programs rather than onurrent ones, and the Boolean programs extrated by the version of SatAbs that was available at the time we ran our experiments produed poor results: the ombined SatAbs+Boom proedure took 2 days and did not prove any assertions orret.