Verifying Concurrent Programs
Daniel Kroening
28 May - 1 June 2012
Outline
◮ Shared-Variable Concurrency
◮ Predicate Abstraction for Concurrent Programs
◮ Boolean Programs with Bounded Replication
◮ Boolean Programs with Unbounded Replication
- D. Kroening: SSFT12 – Verifying Concurrent Programs
◮ J. Alglave
◮ A. Donaldson
◮ A. Kaiser
◮ T. Wahl
Soundness of Data Flow Analyses for Weak Memory Models, APLAS 2011
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs, CAV 2011
Dynamic Cutoff Detection in Parameterized Concurrent Programs, CAV 2010
Boom: Taking Boolean Program Model Checking One Step Further, TACAS 2010
Symbolic Counter Abstraction for Concurrent Software, CAV 2009
Forms of Concurrency
◮ Shared-variable concurrency (Linux pthread library, Win32 thread API, ...)
  ◮ Share all memory
  ◮ Share OS API (e.g., file descriptors)
◮ Multiple processes on the same machine
  ◮ Share file system
  ◮ Can share memory via mmap
◮ Programs on different machines
  ◮ Can communicate e.g. via UDP or TCP
Asynchronous vs. Synchronous Concurrency

Synchronous:
◮ Partition state: $S = S_1 \times \dots \times S_n$
◮ Transition relation for each process: $T_i : S \times S_i$
◮ Overall system: $T(s, s') \iff \bigwedge_{i=0}^{n} T_i(s, s'(i))$
◮ Each process can perform a step in each transition

Asynchronous:
◮ Transition relation for each process: $T_i : S \times S$
◮ Overall system: $T(s, s') \iff \exists i.\; T_i(s, s')$
◮ Only one process performs a step in a transition
Asynchronous Shared-Variable Concurrency
◮ We focus on asynchronous shared-variable concurrency
◮ Motivated by Intel's multi-core story
  ◮ Doubling the gate count doubles the power consumption
  ◮ Increasing the clock speed requires raising voltage, with manifold increase in power!
  ◮ Scaling micro-processors is easier by replicating CPU cores
  ◮ CPUs with 100 cores are around
Thread Interleavings: Example (1)
Thread 1: x=10; y++; y=20; (end)
Thread 2: x++; (end)
Thread 3: y++; (end)
Initial state: x=0, y=0
One schedule, with the state after each step:
x=10, y=0   (Thread 1: x=10)
x=10, y=1   (Thread 1: y++)
x=10, y=20  (Thread 1: y=20)
x=11, y=20  (Thread 2: x++)
x=11, y=21  (Thread 3: y++)
Thread Interleavings: Example (2): Alternative Schedule
Thread 1: x=10; y++; y=20; (end)
Thread 2: x++; (end)
Thread 3: y++; (end)
Initial state: x=0, y=0
An alternative schedule, with the state after each step:
x=10, y=0   (Thread 1: x=10)
x=11, y=0   (Thread 2: x++)
x=11, y=1   (Thread 1: y++)
x=11, y=2   (Thread 3: y++)
x=11, y=20  (Thread 1: y=20)
Races
◮ The example program has a race, i.e., the result depends on the schedule
◮ This may indicate a program bug, but need not
◮ Locks may help, but need not
◮ Enumerate? Exponential blowup!
Ordering of Loads/Stores
Thread 1: mov [x], 1 ; mov eax, [y]
Thread 2: mov [y], 1 ; mov ebx, [x]
◮ Suppose x and y are shared and initialized with 0
◮ Unfortunately, the program may terminate with eax=ebx=0!
Shared Memory in Hardware
✘ Computer vendors do not guarantee atomicity of loads/stores
◮ Only very special commands are guaranteed to be atomic, e.g., the Compare-and-Swap (CAS) instruction
◮ Stores are not even guaranteed to be visible to other threads unless a memory barrier (memory fence) is inserted.
✘ But: memory fences are expensive (>100 cycles), so we cannot put them everywhere
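The eax=ebx=0 outcome on the previous slides, as an added example that is not from the slides: a small explicit-state exploration of the two-thread load/store program under a store-buffer (TSO-style) model, in which every store first lands in the storing thread's private buffer and reaches shared memory only when the hardware drains that buffer. The state layout, the `both_zero_reachable` function and the modelling of a fence as "wait until the buffer has drained" are this example's own assumptions, not the lecture's formalism.

```c
/* Added example (not from the slides): exhaustively explores the two-thread
 * store-buffering program under a TSO-style model. Thread t stores 1 to
 * variable t, then loads variable 1-t into its register. */
#include <stdbool.h>
#include <stdio.h>

enum { T = 2 };            /* two threads: 0 runs "mov [x],1; mov eax,[y]",
                              1 runs "mov [y],1; mov ebx,[x]" */
enum { EMPTY = -1 };

struct state {
    int mem[T];            /* shared x (index 0) and y (index 1) */
    int buf[T];            /* each thread's pending store, EMPTY if none */
    int reg[T];            /* eax (thread 0) and ebx (thread 1) */
    int pc[T];             /* 0: store, 1: fence point, 2: load, 3: done */
};

/* Depth-first search over every interleaving of instructions and buffer
 * drains. Returns the number of complete executions and sets *both_zero
 * if some execution ends with eax == ebx == 0. */
static int explore(struct state s, bool fenced, bool *both_zero)
{
    int runs = 0;
    bool progressed = false;
    for (int t = 0; t < T; t++) {
        if (s.buf[t] != EMPTY) {             /* hardware drains the store buffer */
            struct state f = s;
            f.mem[t] = f.buf[t];
            f.buf[t] = EMPTY;
            runs += explore(f, fenced, both_zero);
            progressed = true;
        }
        struct state n = s;
        bool enabled = true;
        switch (s.pc[t]) {
        case 0: n.buf[t] = 1; break;                           /* mov [var_t], 1 */
        case 1: enabled = !fenced || s.buf[t] == EMPTY; break; /* fence: wait for drain */
        case 2: n.reg[t] = s.mem[1 - t]; break;                /* mov reg, [var_{1-t}] */
        default: enabled = false; break;                       /* done */
        }
        if (enabled) {
            n.pc[t]++;
            runs += explore(n, fenced, both_zero);
            progressed = true;
        }
    }
    if (!progressed) {                       /* both threads done, buffers drained */
        if (s.reg[0] == 0 && s.reg[1] == 0) *both_zero = true;
        return 1;
    }
    return runs;
}

/* Is the outcome eax == ebx == 0 reachable, with or without a fence
 * between each thread's store and its load? */
bool both_zero_reachable(bool fenced)
{
    struct state init = {{0, 0}, {EMPTY, EMPTY}, {-1, -1}, {0, 0}};
    bool both_zero = false;
    explore(init, fenced, &both_zero);
    return both_zero;
}

int main(void)
{
    printf("without fences: eax=ebx=0 reachable: %s\n", both_zero_reachable(false) ? "yes" : "no");
    printf("with fences:    eax=ebx=0 reachable: %s\n", both_zero_reachable(true) ? "yes" : "no");
    return 0;
}
```

Without fences the explorer finds the execution in which both stores are still sitting in their buffers when the loads execute; with a fence after each store that execution is no longer enabled. This is exactly the trade-off the slide names: the fence restores the intuitive outcome, at the cost of stalling each thread until its buffer has drained.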
Boolean Programs
Let's look at a Windows device driver example:

    void DecrementIo(DEVICE_OBJECT *DeviceObject) {
      EXT *ext = (EXT*)DeviceObject->DeviceExtension;

      int IoIsPending = InterlockedDecrement(&ext->IoIsPending);

      if (!IoIsPending) {
        KeSetEvent(&ext->event, IO_NO_INCREMENT, FALSE);
      }
    }
Boolean Programs
The initial abstraction, without any predicates:

    void DecrementIo() {
      InterlockedDecrement();
      goto L1,L2;
      L1: KeSetEvent();
      L2: return;
    }
Adding Some Predicates
Some predicate refinement scheme computes a set of predicates:
b1: ext == &envext
b2: envext.IoIsPending == 1
b3: envext.IoIsPending == 2
b4: IoIsPending == 2
b5: IoIsPending == 1
b6: (*ext).IoIsPending == 1
b7: (*ext).IoIsPending == 2
Boolean Programs
This results in the following new abstract model:

    bool b1,b2,b3; // global

    void DecrementIo() {
      bool b4,b5,b6,b7; // local
      b1,b6,b7 = *,*,*
        constrain((!(b1' && b2) || b6') &&
                  (!(b1' && b3) || b7'));
      b4,b5 = InterlockedDecrement(b6,b7);
      goto L1,L2;
      L1: assume(!b4 && !b5);
          KeSetEvent();
      L2: return;
    }
Concurrent Boolean Programs
Suppose we could dynamically create threads in Boolean Programs:

    bool b1,b2,b3; // global

    void DecrementIo() {
      bool b4,b5,b6,b7; // local
      b1,b6,b7 = *,*,*
        constrain((!(b1' && b2) || b6') &&
                  (!(b1' && b3) || b7'));
      b4,b5 = InterlockedDecrement(b6,b7);
      start_thread L1, L2;
      L1: assume(!b4 && !b5);
          KeSetEvent();
      L2: return;
    }
Predicate Abstraction for Concurrent Programs
Can we apply our refinement loop to concurrent software?
The loop, starting from the C program:
1.) Compute Abstraction
2.) Check Abstraction: [no error] → OK
3.) Check Feasibility: [feasible] → report counterexample
4.) Refine Predicates, then back to 1.)
Predicate Abstraction for Concurrent Programs
Claim: Yes, we can!
◮ Abstraction: as before!
◮ Checking M̂: use Model Checker for concurrent Boolean programs
◮ Simulation: as before; use thread switches from abstract counterexample
◮ Refinement: as before!
Example

    #include <pthread.h>
    #include <assert.h>

    int g;

    void *t1(void *arg) {
      g=0;
      if (g==1) {
        g=2;
        if (g==3)
          g=4;
      }
      return 0;
    }

    void *t2(void *arg) {
      g=1;
      if (g==2) {
        g=3;
        assert(g!=4);
      }
      return 0;
    }

    int main() {
      pthread_t id1, id2;

      pthread_create(&id1, NULL, t1, NULL);
      pthread_create(&id2, NULL, t2, NULL);
      // added so the program waits for both threads; the slide's main does not join them
      pthread_join(id1, NULL);
      pthread_join(id2, NULL);
      return 0;
    }
Initial Abstraction
(line numbers are kept because the abstract counterexample below refers to them)

     1  decl g_eq_4;
     2  void t1() begin
     3    g_eq_4:=0;            // g=0;
     4    if * then begin       // g==1
     5      g_eq_4:=0;          // g=2;
     6      if * then           // g==3
     7        g_eq_4:=1;        // g=4;
     8    end
     9  end
    10  void t2() begin
    11    g_eq_4:=0;            // g=1;
    12    if * then begin       // g==2
    13      g_eq_4:=0;          // g=3;
    14      assert(!g_eq_4);    // g!=4
    15    end
    16  end
    17  void main() begin
    18    ...
    19    g_eq_4:=0;
    20    ...
    21    start_thread ...
    22  end
Abstract Counterexample
Thread  Line  Instruction        Concrete Instr.  SSA-Constraint
        19    g_eq_4 := 0;       g=0;             g0 = 0
2       11    g_eq_4 := 0;       g=1;             ∧ g1 = 1
2       12    if * then ...      if (g==2)        ∧ g1 = 2
2       13    g_eq_4 := 0;       g=3;             ∧ g2 = 3
1       3     g_eq_4 := 0;       g=0;             ∧ g3 = 0
1       4     if * then ...      if (g==1)        ∧ g3 = 1
1       5     g_eq_4 := 0;       g=2;             ∧ g4 = 2
1       6     if * then ...      if (g==3)        ∧ g4 = 3
1       7     g_eq_4 := 1;       g=4;             ∧ g5 = 4
2       14    assert(!g_eq_4);   assert(g!=4);    ∧ g5 = 4
Example
◮ In total, 4 iterations, and 4 predicates: g==4, g==3, g==1, g==2
◮ Final counterexample has a thread switch after each assignment to g
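The schedule enumeration behind the "Thread Interleavings" and "Races" slides and the t1/t2 example just above, as one added example that is not from the slides: a small explorer that runs every interleaving of a few threads written in a tiny instruction set (SET, INC, a conditional jump JNE, ASSERT_NE). Fed the x/y program it reports all 20 schedules and the 4 distinct final states the race can produce; fed the g program it finds the schedules on which `assert(g!=4)` fails and reports the first one as a sequence of thread ids. The instruction encoding, the `struct result` layout and the accessor functions are this example's own assumptions.

```c
/* Added example (not from the slides): exhaustive interleaving explorer for
 * the x/y race example and the g example (t1/t2 with assert(g!=4)). */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

enum op { SET, INC, JNE, ASSERT_NE, END };
struct instr { enum op op; int var; int val; int target; }; /* JNE: jump to target if var != val */

#define MAX_THREADS 3
#define MAX_VARS 2
#define MAX_FINALS 64
struct program { int nthreads; const struct instr *code[MAX_THREADS]; };

struct result {
    int schedules;                       /* complete interleavings on which no assertion failed */
    int finals;                          /* distinct final valuations of the variables */
    int final_vals[MAX_FINALS][MAX_VARS];
    int violations;                      /* interleavings on which an assertion failed */
    char first_bad[64];                  /* thread ids (1-based) of the first failing schedule */
};

static void record_final(struct result *r, const int *vars)
{
    for (int i = 0; i < r->finals; i++)
        if (memcmp(r->final_vals[i], vars, sizeof(int) * MAX_VARS) == 0) return;
    if (r->finals < MAX_FINALS) memcpy(r->final_vals[r->finals++], vars, sizeof(int) * MAX_VARS);
}

/* Depth-first search: at every state, try one step of every runnable thread. */
static void explore(const struct program *p, int *vars, int *pc, char *trace, int depth, struct result *r)
{
    bool runnable = false;
    for (int t = 0; t < p->nthreads; t++) {
        const struct instr in = p->code[t][pc[t]];
        if (in.op == END) continue;
        runnable = true;
        int saved_vars[MAX_VARS], saved_pc = pc[t];
        memcpy(saved_vars, vars, sizeof saved_vars);
        trace[depth] = (char)('1' + t);
        bool failed = false;
        switch (in.op) {
        case SET: vars[in.var] = in.val; pc[t]++; break;
        case INC: vars[in.var]++; pc[t]++; break;
        case JNE: pc[t] = (vars[in.var] != in.val) ? in.target : pc[t] + 1; break;
        case ASSERT_NE: failed = (vars[in.var] == in.val); pc[t]++; break;
        default: break;
        }
        if (failed) {                    /* violating schedule: record it, do not continue it */
            r->violations++;
            if (r->first_bad[0] == '\0') { memcpy(r->first_bad, trace, depth + 1); r->first_bad[depth + 1] = '\0'; }
        } else {
            explore(p, vars, pc, trace, depth + 1, r);
        }
        memcpy(vars, saved_vars, sizeof saved_vars);   /* backtrack */
        pc[t] = saved_pc;
    }
    if (!runnable) { r->schedules++; record_final(r, vars); }   /* every thread reached END */
}

/* The x/y example: var 0 = x, var 1 = y. */
static const struct instr race_t1[] = {{SET,0,10,0},{INC,1,0,0},{SET,1,20,0},{END,0,0,0}};
static const struct instr race_t2[] = {{INC,0,0,0},{END,0,0,0}};
static const struct instr race_t3[] = {{INC,1,0,0},{END,0,0,0}};
static const struct program race_prog = {3, {race_t1, race_t2, race_t3}};
/* The g example: var 0 = g; the JNE targets are the END instructions. */
static const struct instr g_t1[] = {{SET,0,0,0},{JNE,0,1,5},{SET,0,2,0},{JNE,0,3,5},{SET,0,4,0},{END,0,0,0}};
static const struct instr g_t2[] = {{SET,0,1,0},{JNE,0,2,4},{SET,0,3,0},{ASSERT_NE,0,4,0},{END,0,0,0}};
static const struct program g_prog = {2, {g_t1, g_t2}};

static struct result run(const struct program *p)
{
    struct result r; memset(&r, 0, sizeof r);
    int vars[MAX_VARS] = {0, 0};        /* shared variables start at 0, as on the slides */
    int pc[MAX_THREADS] = {0, 0, 0};
    char trace[64];
    explore(p, vars, pc, trace, 0, &r);
    return r;
}

int race_schedules(void)        { return run(&race_prog).schedules; }
int race_distinct_finals(void)  { return run(&race_prog).finals; }
int g_violations(void)          { return run(&g_prog).violations; }
const char *g_first_violation(void) { static struct result r; r = run(&g_prog); return r.first_bad; }

int main(void)
{
    struct result race = run(&race_prog), g = run(&g_prog);
    printf("x/y example: %d schedules, %d distinct final states\n", race.schedules, race.finals);
    for (int i = 0; i < race.finals; i++) printf("  x=%d, y=%d\n", race.final_vals[i][0], race.final_vals[i][1]);
    printf("g example: %d schedules violate assert(g!=4); first: threads %s\n", g.violations, g.first_bad);
    return 0;
}
```

The first violating schedule the explorer reports, 1 2 1 1 2 2 1 1 2, switches threads right after each assignment to g (g=0 by t1, g=1 by t2, g=2 by t1, g=3 by t2, g=4 by t1, then t2's assert), which is the feasible counterexample the slide describes; the spurious one in the SSA table above is excluded here because the explorer runs the concrete program rather than the abstraction. Enumeration is fine for five or ten statements; the schedule count grows as a multinomial in the thread lengths, which is the "exponential blowup" of the Races slide.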
Tricky Details

    volatile unsigned value;

    // lock() and unlock() are the surrounding code's mutex primitives (not shown on the slide)
    unsigned NonblockingCounter_increment() {
      unsigned v = 0;

      lock();
      if (value == 0u-1) {
        unlock();
        return 0;
      } else {
        v = value;
        value = v + 1;
        unlock();
        assert(value > v);
        return v + 1;
      }
    }

Is "value>v" global or local? CAV 2011: neither. We need broadcast!
The Problem We Consider
Definition. Consider thread state (s, ℓ). Thread state reachability problem: is there a reachable global state (s, ℓ1, ..., ℓn) such that ℓ = ℓi for some i?
Note:
◮ can express single-index properties of threads
◮ can also encode MutEx: using shared variable as monitor
Boolean Programs with Bounded Replication
◮ We have an effective Model Checker for Boolean programs with a bounded number of threads
◮ BDD-based
◮ Exploits symmetry between threads
[CAV 2009, FMSD 2010]
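The symmetry the bounded-replication checker exploits, and the "MutEx via a shared variable as monitor" encoding from the previous slide, as one added example that is not from the slides: n identical copies of a three-state Boolean thread (idle, critical, done) guarded by one shared lock bit are explored twice, once over explicit global states (lock, pc_1, ..., pc_n) and once over counter-abstracted states (lock, number of threads in each local state), and both explorations answer the thread-state reachability query "two threads in the critical section at once". The thread program, the `guarded`/unguarded switch (the unguarded variant is a constructed bug that skips `assume(!lock)`), and all function names are this example's own assumptions; the counter abstraction itself is the idea of the CAV 2009 paper the slide cites, not its code.

```c
/* Added example (not from the slides): explicit-state vs. counter-abstracted
 * exploration of n symmetric threads sharing one lock bit. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NMAX 6
enum { IDLE, CRIT, DONE };          /* local states of one thread */
static bool violation;              /* set when >= 2 threads are in CRIT at once */

/* One thread's transitions; the shared bit `lock` acts as the monitor.
 * guarded: acquire is "assume(!lock); lock := 1"; unguarded: just "lock := 1" (constructed bug). */
static bool step(bool guarded, int lock, int l, int *lock2, int *l2)
{
    if (l == IDLE) {
        if (guarded && lock) return false;                 /* assume(!lock) blocks */
        *lock2 = 1; *l2 = CRIT; return true;
    }
    if (l == CRIT) { *lock2 = 0; *l2 = DONE; return true; } /* release */
    return false;                                            /* DONE: no step */
}

/* Explicit states (lock, pc[0..n-1]), encoded base 3; visited set sized 2 * 3^NMAX. */
static bool seen_ex[2 * 729];
static int dfs_ex(int n, bool guarded, int lock, int *pc)
{
    int key = 0, crit = 0;
    for (int i = n - 1; i >= 0; i--) { key = key * 3 + pc[i]; crit += pc[i] == CRIT; }
    key = lock + 2 * key;
    if (seen_ex[key]) return 0;
    seen_ex[key] = true;
    if (crit >= 2) violation = true;
    int states = 1;
    for (int i = 0; i < n; i++) {            /* every thread is a separate successor */
        int lock2, l2, saved = pc[i];
        if (!step(guarded, lock, pc[i], &lock2, &l2)) continue;
        pc[i] = l2; states += dfs_ex(n, guarded, lock2, pc); pc[i] = saved;
    }
    return states;
}
int explicit_state_count(int n, bool guarded)
{
    int pc[NMAX] = {0};
    if (n < 1 || n > NMAX) return -1;
    memset(seen_ex, 0, sizeof seen_ex); violation = false;
    return dfs_ex(n, guarded, 0, pc);
}
bool explicit_violates_mutex(int n, bool guarded) { explicit_state_count(n, guarded); return violation; }

/* Counter-abstracted states (lock, c[IDLE], c[CRIT], c[DONE]): permutations of threads collapse. */
static bool seen_ca[2 * (NMAX + 1) * (NMAX + 1) * (NMAX + 1)];
static int dfs_ca(bool guarded, int lock, int *c)
{
    int key = lock + 2 * (c[0] + (NMAX + 1) * (c[1] + (NMAX + 1) * c[2]));
    if (seen_ca[key]) return 0;
    seen_ca[key] = true;
    if (c[CRIT] >= 2) violation = true;
    int states = 1;
    for (int l = IDLE; l <= DONE; l++) {     /* one representative thread per local state */
        int lock2, l2;
        if (c[l] == 0 || !step(guarded, lock, l, &lock2, &l2)) continue;
        c[l]--; c[l2]++; states += dfs_ca(guarded, lock2, c); c[l2]--; c[l]++;
    }
    return states;
}
int counter_state_count(int n, bool guarded)
{
    int c[3] = {n, 0, 0};
    if (n < 1 || n > NMAX) return -1;
    memset(seen_ca, 0, sizeof seen_ca); violation = false;
    return dfs_ca(guarded, 0, c);
}
bool counter_violates_mutex(int n, bool guarded) { counter_state_count(n, guarded); return violation; }

int main(void)
{
    for (int n = 2; n <= 5; n++)
        printf("n=%d: explicit %d states, counter-abstracted %d states, mutex holds: %s\n", n,
               explicit_state_count(n, true), counter_state_count(n, true),
               explicit_violates_mutex(n, true) ? "no" : "yes");
    printf("unguarded acquire, n=3: mutex violated: %s\n", counter_violates_mutex(3, false) ? "yes" : "no");
    return 0;
}
```

For three threads the guarded program has 20 explicit reachable states but only 7 counter-abstracted ones, and the gap widens with n: the counters grow polynomially while the explicit tuples grow exponentially, which is the symmetry the slide's checker exploits. The thread-state query is answered identically in both encodings, since "at least two threads at CRIT" is exactly "c[CRIT] >= 2" on the counters; the unguarded variant shows the query detecting a real violation.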
Symbolic Experiments
[Scatter plot: Plain Symbolic Exploration vs. Symbolic Boom with Counter Abstraction; both axes show time in seconds on a log scale from 0.1 to 1000; each point is labelled with a number]
Boolean Programs with Unbounded Replication
But we really want an unbounded number of threads
◮ Programs with a large number of threads (>10)
◮ Server with dynamic thread spawning (say dependent on load)
◮ Or when thread-count is lost during predicate abstraction!
Our answer: reduction to Petri net coverability
Experimental Results
1. Boolean programs
  ◮ Proper concurrent ones (extracted from Linux kernel)
  ◮ "Pseudo" concurrent ones (SLAM)
2. Petri Net benchmarks
  ◮ Bounded and unbounded
  ◮ Bingham and Ganty/Begin/Delzanno/Raskin
  ◮ Comparison with Lola (Karsten Wolf) and MIST
Experimental Results
On Boolean Programs:

    #P   Sh  Lcs   Loc   Time  c  Safe  Unsafe
    773  17    8  1170    0.1  1   407     366
     17  21   22  1139    0.8  2     3      14
      8  13   26  1131   72.3  3     8
     54  18   31  1267  874.0  ?     –       –

We now need to make harder models!
Experimental Results
Checking coverability on standard Petri Net benchmarks:
[Plot: time (s) vs. #solved]
Comparison with numerous algorithms implemented in MIST
Experimental Results
Checking coverability on Petri Nets with transfer arcs:
[Plot: time (s) vs. #solved]
Comparison with two algorithms implemented in MIST
Conclusion
◮ Model Checking for C programs with unbounded threads
◮ Symmetry-aware abstraction to VASS/Petri net coverability (with transfer arcs)
✔ Enables verification of C programs with unbounded concurrency
Watch the video! Download me!
http://www.cprover.org/satabs/
http://www.cprover.org/SSFT12/