Sequentialization targeted to Bounded Model-Checkers Salvatore La - PowerPoint PPT Presentation

Sequentialization targeted to Bounded Model-Checkers Salvatore La Torre Dipartimento di Informatica Università degli Studi di Salerno

Sequentialization Code-to-code translation from a multithreaded program to an • “equivalent” sequential one shared vars Conc. Seq. Seq. program loc loc loc progam Verifier … T 1 T 2 T m • Re-use of existing tools (delegate the analysis to the backend tool) • Fast prototyping (designers can concentrate only concurrency features) • Can work with different backends

Sequentialization • alters the original program structure by injecting control code (which is an overhead for the backend) • requires careful attention to the details of the translation for well-performing tools • replaces concurrency with nondeterminism

Backend: Bounded Model Checkers • Reduce program verification to SAT/SMT solvers • Very effective technique to discover bugs in seq. programs • Performance relies on the performance of underlying solvers 100000 • Impressive improvement of 10000 SAT solvers in last years 1000 Vars 100 10 1 1960 1970 1980 1990 2000 2010 Year

Implementations with BMC backend LR seq . [Lal-Reps, CAV’08]: eager, bounded round-robin • LMP seq. [La Torre-Madhusudan-Parlato]: lazy, any scheduling • With BMC, LR works better than LMP • [Ghafari-Hu-Rakamaric, SPIN’10] Implementations of LR: • – CSeq: Pthreads C programs [Fischer-Inverso-Parlato, ASE’13] – STORM: also dynamic memory allocation [Lahiri-Qadeer-Rakamaric, CAV’09] – Corral [Lal-Qadeer-Lahiri, CAV’12] – Delay bounded-scheduling [Emmi-Qadeer-Rakamaric, POPL’11] – Real-time systems [Chaki, Gurfinkel, Strichman – FMCAD’11]

Lal/Reps Sequentialization considers only round-robin schedules • ... with k rounds ... – thread → function, run to completion S 0,0 S 0,1 S 0,n global memory copy for each round ... • S 1,0 S 1,1 S 1,n – scalar → array ... S 2,0 S 2,1 S 2,n context switch → round counter++ • ... ... first thread starts with S k,0 S k,1 S k,n • T 0 T 1 T n nondeterministic memory contents – other threads continue with content left by predecessor

Lal/Reps Sequentialization considers only round-robin schedules • ... with k rounds ... – thread → function, run to completion S 0,0 S 0,1 S 0,n global memory copy for each round ... • S 1,0 S 1,1 S 1,n – scalar → array ... S 2,0 S 2,1 S 2,n context switch → round counter++ • ... ... first thread starts with S k,0 S k,1 S k,n • T 0 T 1 T n nondeterministic memory contents – other threads continue with content left by predecessor checker prunes away inconsistent simulations • – assume( Si+1,0 == S i,n ); – requires second set of memory copies – errors can only be checked at end of simulation • requires explicit error checks

CSeq Tool Architecture [Fischer-Inverso-Parlato, ASE’13] • pycparser , AST traversal with unparsing – insert new type declarations, modify memory accesses – insert context switch simulation code at each sequence point – insert explicit error checks – insert checker and code for pthread functions k, N sequential concurrent non-deterministic CSeq C program C program sequential SAFE tool UNSAFE P P'

Can we improve this? • Eager sequentializations – cannot rely on error checks built into the backend – also requires specific techniques to handle programs with heap-allocated memory • LR (but also LMP) uses additional copies of shared variables – BMC will make more copies with loop/recursion unwinding – can seriously affect the formula size

Two new sequentializations [Inverso-Tomasco-Fischer-LaTorre-Parlato] • Lazy-CSeq [CAV’14-TACAS/SVCOMP’14] – lazy – light-weight: few additional variables and code • MU-CSeq [TACAS/SVCOMP’14] – Bound on memory unwindings – Extension message-passing programs

Outline • Bounded Model-checking for programs • Lazy sequentialization: Lazy-CSeq • Memory unwindings: MU-CSeq • Experiments • Conclusions

How does it work Transform a programs into a set of equations • Simplify control flow • Unwind all of the loops • Convert into Static Single Assignment (SSA) • Convert into equations • Bit-blast • Solve with a SAT Solver • Convert SAT assignment into a counterexample

Control Flow Simplifications All side effect are removed • – e.g., j=i++ becomes j=i; i=i+1 Control Flow is made explicit • – continue , break replaced by goto All loops are simplified into one form • – for, do, while replaced by while

Loop Unwinding while() loops are unwound void f(...) { void f(...) { ... iteratively while( cond ) { Break / continue replaced by Body; } goto Remainder; }

Loop Unwinding while() loops are unwound void f(...) { void f(...) { ... iteratively if( cond ) { Break / continue replaced by Body; goto while( cond ) { Body; } } Remainder; }

Loop Unwinding while() loops are unwound void f(...) { void f(...) { ... iteratively if( cond ) { Break / continue replaced by Body; goto if( cond ) { Body; while( cond ) { Body; } } } Remainder; }

Unwinding assertion while() loops are unwound void f(...) { void f(...) { ... iteratively if( cond ) { Break / continue replaced by Body; goto if( cond ) { Body; Assume statements inserted if( cond ) { after last iteration: block Body; execution if program runs while( cond ) { longer than bound permits Body; } } } } Remainder; }

Unwinding assertion while() loops are unwound void f(...) { void f(...) { ... iteratively if( cond ) { Break / continue replaced by Body; goto if( cond ) { Body; Assume statements inserted if( cond ) { after last iteration: block Body; execution if program runs assume( !cond ); longer than bound permits } } } } Remainder; Unwinding } assume

Transforming Loop-Free Programs Into Equations (1) • Easy to transform when every variable is only assigned once! Program Constraints x = a && x = a; y = x + 1 && y = x + 1; z = y – 1 && z = y – 1;

Transforming Loop-Free Programs Into Equations (2) • When a variable is assigned multiple times, • use a new variable for the RHS of each assignment Program SSA Program

What about conditionals? Program SSA Program if (v) if (v 0 ) x 0 = y 0 ; x = y; else else x 1 = z 0 ; x = z; w 1 = x?? ; What should ‘x’ w = x; be?

What about conditionals? Program SSA Program if (v) if (v 0 ) x = y; x 0 = y 0; else else x = z; x 1 = z 0; x 2 = v 0 ? x 0 : x 1 ; w = x; w 1 = x 2 For each join point, add new variables with selectors

Example

CBMC: Bounded Model Checker for C A tool by D. Kroening/Oxford and Ed Clarke/CMU goto- C Program program Parser Static Analysis equations SAFE UNSAT CNF SAT solver CNF-gen SAT UNSAFE + CEX CBMC CEX-gen

BMC: from sequential to concurrent • BMC for sequential programs has been used to discover subtle errors in applications • robust BMC tools exist for C programs (e.g. CBMC, LLBMC, ESBMC) • attempts to apply BMC to multi-threaded programs face problems � number of interleavings grows exponentially with #threads and #statements Recent solutions for multi-threaded programs • partial orders • sequentializations

Outline � Bounded Model-checking for programs • Lazy sequentialization: Lazy-CSeq • Memory unwindings: MU-CSeq • Experiments • Conclusions

Lazy-CSeq schema • P' simulates all computations (up to K rounds) of P • lazy: avoid exploring unfeasible runs T ₁ ∥ T ₂ ∥ … ∥ T n ↝ (T ' 1 ; T ' 2 ; … ; T ' n ) K

Lazy-CSeq Sequentialization Translation P ↝ P' : – unwinding, inlining (bounded program) – thread T ↝ function T ' – main driver: For each round in [1..K] for each thread in [1..N] T' thread ();

Main driver void main(void) { K: rounds ct: thread count for(r=1; r<=K; r++) { ct=1; // thread 1 active[j]: true iff thread j if(active[ct]) { //only active theads is active cs=pc[ct]+nondet uint(); // guess cs cs: guessed context-switch assume(cs<=size[ct]); // legal? position for coming simulation fseq_1(arg[ct]); // simulate thread pc[ct]=cs; // store cs pc[j]: position when context- } switched out of thread j : : : : : : : : : ct=n; // thread n size[j]: last position for if(active[ct]) { context-switches : : : : : : : : : } }}

Thread T ↝ function T' Translation P ↝ P' : T ' – unwinding, inlining – thread T ↝ function T ' guard; stmt; – main driver: • for round in [1..K] • for thread in [1..N] • T' thread (); Thread T ↝ function T' var x; ↝ static var x; • stmt; ↝ guard; stmt; •

Thread T ↝ function T' T ' Thread T ↝ function T' exec var x; ↝ static var x; • stmt; ↝ guard; stmt; • context-switch cs 1 Thread simulation: round 1 skip guess context-switch point cs 1 (in main) • ... ... execute stmts before cs 1 • jump in multiple hops to the end • and return simulation round 1

Thread T ↝ function T' T ' Thread T ↝ function T' skip var x; ↝ static var x; • resume from pc i-1 stmt; ↝ guard; stmt; • exec context-switch cs i Thread simulation: round i skip guess context-switch point cs i (in main) • ... ... jump in multiple hops to pc i-1 • execute stmts from pc i-1 to cs i • jump in multiple hops to the end • and return simulation round i >1