VCC: A Practical System for Verifying Concurrent C

Similar documents
Local Verification of Global Invariants in

VERIFYING CONCURRENT C PROGRAMS WITH VCC, BOOGIE AND Z3

Modular Specification and Verification of Interprocess Communication

Object Ownership in Program Verification

Verifying C Programs: A VCC Tutorial

Program Verification (6EC version only)

Motivation. Correct and maintainable software Cost effective software production Implicit assumptions easily broken

The Spin Model Checker : Part I/II

Local Verification of Global Invariants in Concurrent Programs

Towards imperative modules: reasoning about invariants and sharing of mutable state

Lecture 5. Towards a Verifying Compiler: Multithreading

Lecture 4. Towards a Verifying Compiler: Data Abstraction

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

The VCC Manual. Working draft, version 0.2, July 10, Abstract. 1. Introduction. 2. Overview. VCC User Manual (working draft, ver. 0.

Objects as Session-Typed Processes

Programming Languages

Why. an intermediate language for deductive program verification

Design of Thread-Safe Classes

Concurrent Objects and Linearizability

Overview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions

Advanced JML. and more tips and pitfalls. David Cok, Joe Kiniry, and Erik Poll

Software Engineering using Formal Methods

Testing, Debugging, and Verification

Concurrent Objects. Companion slides for The Art of Multiprocessor Programming by Maurice Herlihy & Nir Shavit

New Programming Abstractions for Concurrency in GCC 4.7. Torvald Riegel Red Hat 12/04/05

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Software Engineering

Deductive Functional Verification of Safety-Critical Embedded C-Code: An Experience Report

Formally Certified Satisfiability Solving

MultiJav: A Distributed Shared Memory System Based on Multiple Java Virtual Machines. MultiJav: Introduction

Software Engineering Testing and Debugging Testing

Synchronization. CS61, Lecture 18. Prof. Stephen Chong November 3, 2011

SPIN, PETERSON AND BAKERY LOCKS

Static program checking and verification

250P: Computer Systems Architecture. Lecture 14: Synchronization. Anton Burtsev March, 2019

Synchronizing the Asynchronous

CS533 Concepts of Operating Systems. Jonathan Walpole

New Programming Abstractions for Concurrency. Torvald Riegel Red Hat 12/04/05

Runtime Checking for Program Verification Systems

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Cache Coherence and Atomic Operations in Hardware

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012

The Java Modeling Language (Part 2)

Goldibear and the 3 Locks. Programming With Locks Is Tricky. More Lock Madness. And To Make It Worse. Transactional Memory: The Big Idea

Marwan Burelle. Parallel and Concurrent Programming

Modular Reasoning about Aliasing using Permissions

CS5460: Operating Systems

Motivation was to facilitate development of systems software, especially OS development.

CMSC 330: Organization of Programming Languages

Software Engineering using Formal Methods

Kernel Scalability. Adam Belay

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

15 418/618 Project Final Report Concurrent Lock free BST

Lecture 18 Restoring Invariants

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Section 5: Thread Synchronization

CS3733: Operating Systems

Motivation was to facilitate development of systems software, especially OS development.

Advanced Topic: Efficient Synchronization

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Kernel Synchronization I. Changwoo Min

Spin: Overview of PROMELA

Proving well-formedness of interface specifications. Geraldine von Roten

OCL Support in MOF Repositories

Programming Paradigms for Concurrency Lecture 3 Concurrent Objects

Introduction. Coherency vs Consistency. Lec-11. Multi-Threading Concepts: Coherency, Consistency, and Synchronization

Verification and Parallelism in Intro CS. Dan Licata Wesleyan University

Deterministic Futexes Revisited

FreePascal changes: user documentation

Formal Specification and Verification

Program Verification Using the Spec# Programming System

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Review of last lecture. Peer Quiz. DPHPC Overview. Goals of this lecture. Lock-based queue

Effective Data-Race Detection for the Kernel

Effectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

From IMP to Java. Andreas Lochbihler. parts based on work by Gerwin Klein and Tobias Nipkow ETH Zurich

CSC D70: Compiler Optimization Register Allocation

CITS5501 Software Testing and Quality Assurance Formal methods

Hypertext A Case Study of Formal Object-Oriented Software Development

CSE332: Data Abstractions Lecture 25: Deadlocks and Additional Concurrency Issues. Tyler Robison Summer 2010

Formal Specification and Verification

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

CMSC 433 Programming Language Technologies and Paradigms. Composing Objects

Synchronization: Basics

Pace University. Fundamental Concepts of CS121 1

Specification tips and pitfalls

Appendix. Grammar. A.1 Introduction. A.2 Keywords. There is no worse danger for a teacher than to teach words instead of things.

EXAMINATIONS 2009 MID-TERM TEST. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering WITH ANSWERS

Having a BLAST with SLAM

Slicing and Scope-Bounded Verification with Polymorphic Region and Effect Inference

Implementing Interfaces. Marwan Burelle. July 20, 2012

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

EL6483: Brief Overview of C Programming Language

Order Is A Lie. Are you sure you know how your code runs?

Short Notes of CS201

ExplainHoudini: Making Houdini inference transparent

The Spin Model Checker : Part I. Moonzoo Kim KAIST

Transcription:

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1, Markus Dahlweid 2, Mark Hillebrand 3, Dirk Leinenbach 3, Michal Moskal 2, Thomas Santen 2, Wolfram Schulte 4 and Stephan Tobies 2 1 Microsoft Corporation, Redmond, WA, USA 2 European Microsoft Innovation Center, Aachen, Germany 3 German Research Center for Artificial Intelligence (DFKI), Saarbrucken, Germany 4 Microsoft Research, Redmond, WA, USA May 6, 2013 Pavol Bielik

Introduction VCC stands for Verifying C Compiler deductive verifier for concurrent C code performs static modular analysis and sound verification of functional properties of low-level concurrent C code VCC translates annotated C code into BoogiePL Boogie translates BoogiePL into verification conditions Z3 solves them or gives couterexamples Pavol Bielik Research Topics in Software Engineering May 6, 2013 2 / 27

Motivation driven by the verification of the Microsoft Hyper-V hypervisor the hypervisor turns a single real multi-processor x64 machine into a number of virtual multiprocessor x64 machines own concurrency control primitives, complex data structures and dozens of tricky optimizations written in no verification in mind (100KLOC of C, 5KLOC of assembly) performance was of a great importance Pavol Bielik Research Topics in Software Engineering May 6, 2013 3 / 27

Function Contracts Specification (Contract) consisting of four kinds of clauses preconditions: (requires P) postconditions: (ensures Q) writes clause: (writes S) termination: (decreases T ) Modular only looks at function specification Pavol Bielik Research Topics in Software Engineering May 6, 2013 4 / 27

Function Contracts int min ( int a, int b) _( requires \ true ) _( ensures \ result <= a && \ result <= b) _( ensures \ result == a \ result == b) { if (a <= b) return a; else return b; } Pavol Bielik Research Topics in Software Engineering May 6, 2013 5 / 27

Pure functions _( pure ) int min ( int a, int b)... no side effects on programs state not allowed to allocate memory can only write to local variables can be called within VCC annotations However: empty writes clause pure Pavol Bielik Research Topics in Software Engineering May 6, 2013 6 / 27

Pure Ghost functions used only in specification along with other annotations removed before compilation by preprocessor _( def \ bool sorted ( int *arr, unsigned len ) { return \ forall unsigned i, j; i <= j && j < len == > arr [i] <= arr [j]; }) void sort ( int * arr, unsigned len ) _( writes \ array_range (arr, len )) _( ensures sorted (arr, len )) Pavol Bielik Research Topics in Software Engineering May 6, 2013 7 / 27

Type Invariants object invariants can be associated with compound types (structs and unions) support for both single and two-state predicates # define SSTR_MAXLEN 100 typedef struct SafeString { unsigned len ; char content [ SSTR_MAXLEN + 1]; _( invariant \this -> len <= SSTR_MAXLEN ) _( invariant content [ len ] == \0 ) } SafeString ; Pavol Bielik Research Topics in Software Engineering May 6, 2013 8 / 27

Type Invariants object invariants cannot hold at all times, e.g.: initialization destruction updates an object can be in two states controlled by \closed ghost field closed invariant holds but non-volatile fields can not be changed open invariant can not be assumed, but fields can be changed closedness is manipulated using \wrap and \unwrap helper methods type invariants are coupled with ownership Pavol Bielik Research Topics in Software Engineering May 6, 2013 9 / 27

Ownership ownership is expressed by adding a ghost field to every object and making it point to object owner the roots of trees in the ownership forest are objects representing threads of execution. threads are always closed, and own themselves the set of objects directly or transitively owned by an object is called the ownership domain of that object Pavol Bielik Research Topics in Software Engineering May 6, 2013 10 / 27

Ownership type invariants are coupled with ownership if an object is owned by a thread, only that thread can change its (nonvolatile) fields (and then only if the object is open), wrap or unwrap it, or change its owner to another object m u t ab l e!closed(o) owner(o)==me() wrap(o) unwrap(o) w r ap p ed 0 closed(o) owner(o)==me() unwrap(o' ) where o owns(o' ) or giveup closed owner(o,o' ) wrap(o' ) where o owns(o' ) or set closed owner(o,o' ) n est ed closed(o) owner(o)==o' o'!=me() Pavol Bielik Research Topics in Software Engineering May 6, 2013 11 / 27

Wrapping & Unwrapping Example 1 void sstr_ append ( struct SafeString * s, char c) 2 _( maintains \ wrapped (s)) 3 _( requires s-> len < SSTR_MAXLEN ) 4 _( ensures s-> len == \ old (s-> len ) + 1) 5 _( ensures s-> content [\ old (s-> len )] == c) 6... 7 _( writes s) 8 { 9 _( unwrap s) 0 s-> content [s-> len ++] = c; 1 s-> content [s-> len ] = \0 ; 2 _( wrap s) 3 } Pavol Bielik Research Topics in Software Engineering May 6, 2013 12 / 27

Verifying Concurrent Programs coarse-grained concurrency - ownership based fine-grained concurrency - atomic actions on volatile fields Pavol Bielik Research Topics in Software Engineering May 6, 2013 13 / 27

Volatile fields C meaning: value can be changed from outside prevents compiler from storing value in registers VCC meaning: field can be modified while the object is closed, as long as the update occurs inside an explicit atomic action that preserves the object invariant thread forgets the values of these fields when it makes an impure function call and just before an atomic action Pavol Bielik Research Topics in Software Engineering May 6, 2013 14 / 27

Spin-lock ownership used to control access to shared resource _( volatile_owns ) struct Lock { volatile int locked ; _( ghost \ object protected_obj ;) _( invariant locked == 0 == > \ mine ( protected_obj )) }; Pavol Bielik Research Topics in Software Engineering May 6, 2013 15 / 27

Spin-lock - Initialization void InitializeLock ( struct Lock * l _( ghost \ object obj )) _( requires \ wrapped ( obj )) _( ensures \ wrapped (l) && l-> protected_obj == obj ) _( ensures \ nested ( obj )) _( writes \ span (l), obj ) { l-> locked = 0; _( ghost { l- > protected_obj = obj ; l - >\ owns = { obj }; _( wrap l) }) } Pavol Bielik Research Topics in Software Engineering May 6, 2013 16 / 27

Spin-lock - Acquire void Acquire ( struct Lock * l) _( maintains \ wrapped (l)) _( ensures l- > locked == 1) _( ensures \ wrapped (l- > protected_obj ) && \ fresh (l- > protected_obj )) { int stop = 0; do { _( atomic l) { stop = InterlockedCompareExchange (& l- > locked, 1, 0) == 0; _( ghost if ( stop ) l - >\ owns -= l-> protected_obj ) } } while (! stop ); } Pavol Bielik Research Topics in Software Engineering May 6, 2013 17 / 27

Spin-lock - Release void Release ( struct Lock * l) _( maintains \ wrapped (l)) _( requires l-> locked == 1) _( requires \ wrapped (l-> protected_obj )) _( ensures l-> locked == 0 _( ensures \ nested (l-> protected_obj )) _( writes l-> protected_obj ) { _( atomic l) { l-> locked = 0; _( ghost l - >\ owns += l-> protected_obj ) } } Pavol Bielik Research Topics in Software Engineering May 6, 2013 18 / 27

Spin-lock - Problems acquire and release require that the lock is closed void Acquire ( struct Lock * l) _( requires \ wrapped (l))... definition of wrapped: \ bool \ wrapped (\ object o) _( ensures \ result <==> o - >\ owner == \me && o - >\ closed ) o \owner == \me is satisfiable by only single thread Pavol Bielik Research Topics in Software Engineering May 6, 2013 19 / 27

Claims _( ghost typedef struct { \ ptrset claimed ; _( invariant \ forall \ object o; o \ in claimed == > o - >\ closed ) } \ claim ; ) Ownership meta-states updated: Sequent ial C on cu r r en t mut able!closed(o) owner(o)==me() ref_cnt(o)==0 wrap(o) unwrap(o) w r ap p ed 0 closed(o) owner(o)==me() ref_cnt(o)==0 claim(o,) unclaim(,o,) w r ap p ed closed(o) owner(o)==me() ref_cnt(o)==1. unwrap(o' ) where o owns(o' ) or giveup closed owner(o,o' ) wrap(o' ) where o owns(o' ) or set closed owner(o,o' ) nest ed closed(o) owner(o)==o' o'!=me() ref_cnt(o)==0 claim(o,) unclaim(,o,) nest ed closed(o) owner(o)==o' o'!=me() ref_cnt(o)==1. Pavol Bielik Research Topics in Software Engineering May 6, 2013 20 / 27

Spin-lock revisited void Release ( struct Lock *l _( ghost \ claim c)) _( maintains \ wrapped (c) && \ claims_object (c, l)) _( requires l-> locked == 1 ) _( requires \ wrapped (l-> protected_obj )) _( ensures l-> locked == 0 ) _( ensures \ nested (l-> protected_obj )) _( writes l-> protected_obj ) { _( atomic c, l) { l-> locked = 0; _( ghost l - >\ owns += l-> protected_obj ) } } Pavol Bielik Research Topics in Software Engineering May 6, 2013 21 / 27

Invariant contraints what part of state are invariants allowed to mention how to make sure that updates dont break out of scope invariants? VCC allows invariants to mention arbitrary parts of the state, but requires them to be admissible VCC checks that no object invariant can be broken by invariant-preserving changes to other objects struct Counter { int n; _( invariant n = old ( n) n = old ( n) + 2) }; struct Low { Counter cnt ; int floor ; _( invariant floor <= cnt. n) }; struct High { Counter cnt ; int ceiling ; _( invariant cnt. n <= ceiling ) }; Pavol Bielik Research Topics in Software Engineering May 6, 2013 22 / 27

Locally checked invariant VCC enforces that all invariants are reflexive. refl(τ) p, h o, h.type(p) = τ inv τ (h o, h, p) inv τ (h, h, p) an action is legal iff it preserves the invariants of updated objects legal(h o, h) safe(h o ) p.h o [p] = h[p] inv(h o, h, p) a stable invariant is one that cannot be broken by legal actions stable(τ) p, h o h.type(p) = τ safe(h o ) legal(h o, h) inv τ (h o, h, p) An admissible invariant is one that is stable and reflexive adm(τ) stable(τ) refl(τ) Pavol Bielik Research Topics in Software Engineering May 6, 2013 23 / 27

VCC Workflow Annotate C code Verify with VCC Compile with regular C compiler erified Error Timeout Executable Inspect counterexample with Model Viewer Inspect Z3 log with Z3 Visualizer Fix code or specs with VCC VS plugin source: http://research.microsoft.com/en-us/projects/vcc/ Pavol Bielik Research Topics in Software Engineering May 6, 2013 24 / 27

Microsoft Hyper-V hypervisor Experience implementation of the SPT algorithm contains 700 lines of C code 4000 lines of the annotations overall proof time is 18 hours on one core of 2GHz Intel Core 2 Duo machine most functions in 0.5 to 500 seconds with an average of 25 seconds estimated person effort is 1.5 person-years, including VCC learning period Pavol Bielik Research Topics in Software Engineering May 6, 2013 25 / 27

Conclusion VCC follows largely the design of Spec# expressive enough for industrial program verification lot s of helper methods up to the user to guarantee that access annotated as \atomic is indeed atomic assumes sequential consistency Future work incorporate x86 memory model annotation overhead performance Pavol Bielik Research Topics in Software Engineering May 6, 2013 26 / 27

References Ernie Cohen, Markus Dahlweid, Mark Hillebrand, et. al., VCC: A practical system for verifying concurrent C, Artificial Intelligence, vol. 5674, no. 1753, pp. 23 42, 2009. Ernie Cohen, Micha l Moskal, Wolfram Schulte, and Stephan Tobies, Local Verification of Global Invariants in Concurrent Programs, Innovation, vol. 6174, pp. 480 494, 2010. Ernie Cohen and Mark A Hillebrand, The VCC Manual & Verifying C Programs : A VCC Tutorial, Tech. Rep., 2012. Ernie Cohen, Micha l Moskal, Stephan Tobies, and Wolfram Schulte, A precise yet efficient memory model for C, Electron. Notes Theor. Comput. Sci., vol. 254, pp. 85 103, Oct. 2009. Pavol Bielik Research Topics in Software Engineering May 6, 2013 27 / 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback