verifying multithreaded software with impact
play

Verifying Multithreaded Software with Impact Bj orn Wachter , - PowerPoint PPT Presentation

Jun 15, 2023 •448 likes •1.06k views

Verifying Multithreaded Software with Impact Bj orn Wachter , Daniel Kroening and Jo el Ouaknine University of Oxford Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers, web servers,

  1. Verifying Multithreaded Software with Impact Bj¨ orn Wachter , Daniel Kroening and Jo¨ el Ouaknine University of Oxford

  2. Intro • Multi-threading • C/C++ with POSIX/WIN 32 threads • event processing, device drivers, web servers, databases, ... • coming to embedded systems • Verification Challenges Multi threading WMM SC data variables pointers loops 2 / 20

  3. Intro • Multi-threading • C/C++ with POSIX/WIN 32 threads • event processing, device drivers, web servers, databases, ... • coming to embedded systems • Verification Challenges Multi threading WMM SC data variables pointers loops symbolic reasoning SMT SAT 2 / 20

  4. Intro • Multi-threading • C/C++ with POSIX/WIN 32 threads • event processing, device drivers, web servers, databases, ... • coming to embedded systems • Verification Challenges Multi threading WMM SC data variables pointers loops symbolic reasoning SMT abstraction SAT predicate abstraction Impact algorithm [McMillan 2006] 2 / 20

  5. Intro • Multi-threading • C/C++ with POSIX/WIN 32 threads • event processing, device drivers, web servers, databases, ... • coming to embedded systems • Verification Challenges Multi threading WMM partial orders SC modular reasoning data variables pointers loops symbolic reasoning SMT abstraction SAT predicate abstraction Impact algorithm [McMillan 2006] 2 / 20

  6. Software model checkers CBMC SatAbs Threader ESBMC Kratos Impact SLAM LLBMC Blast UFO CPAChecker Ultimate ARMC Wolverine Magic 3 / 20

  7. Software model checkers multithreading support CBMC SatAbs Threader ESBMC Kratos Impact SLAM LLBMC Blast UFO CPAChecker Ultimate ARMC Wolverine Magic 3 / 20

  8. Software model checkers multithreading support CBMC ? SatAbs Threader ESBMC Kratos Impact SLAM LLBMC Blast UFO CPAChecker Ultimate ARMC Wolverine Magic 3 / 20

  9. Software model checkers multithreading support CBMC Impara SatAbs Threader ESBMC Kratos Impact SLAM LLBMC Blast UFO CPAChecker Ultimate ARMC Wolverine Magic 3 / 20

  10. Software model checkers multithreading support CBMC Impara SatAbs Threader ESBMC Contribution: Kratos • 1st Impact -style analysis for multithreaded software Impact SLAM • Partial-Order Reduction LLBMC Blast UFO • implemented in Impara CPAChecker Ultimate ARMC Wolverine Magic 3 / 20

  11. Outline • Recap: Impact for Sequential Software • Impact for Multithreaded Software • Partial order reduction • Experiments with our tool Impara 4 / 20

  12. Impact algorithm expand UNSAT SAT refine check CEX interpolation • maintain abstract reachability tree • node labels • covering relation ⊲ v ⊲ w implies label ( v ) ⇒ label ( w ) 5 / 20

  13. Impact algorithm complete expand proof � UNSAT SAT refine check CEX interpolation • maintain abstract reachability tree • node labels • covering relation ⊲ v ⊲ w implies label ( v ) ⇒ label ( w ) • complete iff all nodes either • covered • expanded 5 / 20

  14. Classical SLAM example do { lock(); old=new; if(*) { unlock(); new++; } } while (new!=old); 6 / 20

  15. Classical SLAM example L=0 do { [L!=0] lock(); ERR L=1; old=new old=new; if(*) { * [new!=old] unlock(); L=0;new++ new++; } [new==old] } while (new!=old); 6 / 20

  16. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 True [L!=0] True ERR 6 / 20

  17. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 ERR 6 / 20

  18. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 L=1 ERR old=new True L=0 True new++ [new!=old] [new==old] True [L!=0] True ERR True 6 / 20

  19. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 L=1 ERR old=new True L=0 L = 0 new++ [new!=old] [new==old] False [L!=0] True ERR L = 0 6 / 20

  20. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 L=1 ERR old=new True ⊲ L=0 L = 0 new++ [new!=old] [new==old] False [L!=0] True ERR L = 0 L = 0 6 / 20

  21. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 L=1 ERR old=new True ⊲ L=0 L = 0 new++ [new!=old] [new==old] [new!=old] False [L!=0] [L!=0] True ERR L = 0 L = 0 ERR 6 / 20

  22. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 L=1 ERR old=new old = new ⊲ L=0 L = 0 old = new new++ [new!=old] [new==old] [new!=old] False False [L!=0] [L!=0] True ERR L = 0 L = 0 False ERR 6 / 20

  23. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new • terminates if all nodes * [new!=old] • covered L=0;new++ • or fully expanded [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 L=1 ERR old=new ⊲ old = new ⊲ L=0 L = 0 old = new new++ [new!=old] [new==old] [new!=old] False False [L!=0] [L!=0] True ERR L = 0 L = 0 False ERR 6 / 20

  24. Impact for Multithreaded Software 7 / 20

  25. Naive Impact for Multi-threading • interleave at every step threads 1,2,3 1 2 3 1 2 3 8 / 20

  26. Example int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: assert(x==0) 0 , 0 0 , 1 9 / 20

  27. Example int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: assert(x==0) 0 , 0 0 , 1 ∗ 2 , 0 x=0 3 , 0 assert(x==0) 3 , 1 9 / 20

  28. Example int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: assert(x==0) 0 , 0 0 , 1 ∗ 2 , 0 T rue x=0 3 , 0 x = 0 assert(x==0) 3 , 1 9 / 20

  29. Example int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: assert(x==0) 0 , 0 0 , 1 ∗ 2 , 0 x = 0 x=0 assert(x==0) 3 , 0 x = 0 2 , 1 assert(x==0) 3 , 1 9 / 20

  30. Example int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: assert(x==0) CEX 0 , 0 0 , 1 ∗ ∗ 1 , 0 x=1 2 , 0 2 , 0 x = 0 assert(x==0) x=0 assert(x==0) 2 , 1 3 , 0 x = 0 2 , 1 assert(x==0) 3 , 1 9 / 20

  31. Naive Impact blows up ART from a concrete case study (Peterson’s algorithm) 10 / 20

  32. Partial-Order Reduction [Godefroid’94, Peled’93, Valmari’90] avoid unnecessary interleavings resulting in same state main() thread 1 thread 2 assume(i!=j); v[i]=0; v[j]=0; A : v[i]=1; a : v[j]=-2; pthread_create ( T 1 ); B : v[i]=v[i]+1; b : v[j]=v[j]+1; pthread_create ( T 2 ); C : v[i]=v[j]; c : v[i]=v[i]+1; pthread_join ( T 1 ); pthread_join ( T 2 ); assert(v[j] ≥ 0); A a B a A b C a B b A c A || a and TID ( A ) < TID ( a ) a C b B c A b C c B c C 11 / 20

  33. Partial-Order Reduction [Godefroid’94, Peled’93, Valmari’90] avoid unnecessary interleavings resulting in same state main() thread 1 thread 2 assume(i!=j); v[i]=0; v[j]=0; A : v[i]=1; a : v[j]=-2; pthread_create ( T 1 ); B : v[i]=v[i]+1; b : v[j]=v[j]+1; pthread_create ( T 2 ); C : v[i]=v[j]; c : v[i]=v[i]+1; pthread_join ( T 1 ); pthread_join ( T 2 ); assert(v[j] ≥ 0); A a B a A b C a B b A c A || a and TID ( A ) < TID ( a ) a C b B c A b C c B c C 11 / 20

  34. Partial-Order Reduction [Godefroid’94, Peled’93, Valmari’90] avoid unnecessary interleavings resulting in same state main() thread 1 thread 2 assume(i!=j); v[i]=0; v[j]=0; A : v[i]=1; a : v[j]=-2; pthread_create ( T 1 ); B : v[i]=v[i]+1; b : v[j]=v[j]+1; pthread_create ( T 2 ); C : v[i]=v[j]; c : v[i]=v[i]+1; pthread_join ( T 1 ); pthread_join ( T 2 ); assert(v[j] ≥ 0); consecutive independent actions only occur in the order of increasing thread ids, e.g., Aa but not aA A a B a A b C a B b A c A || a and TID ( A ) < TID ( a ) B || b and TID ( B ) < TID ( b ) a C b B c A A || b and TID ( A ) < TID ( b ) b C c B c C 11 / 20

  35. Partial-Order Reduction [Godefroid’94, Peled’93, Valmari’90] avoid unnecessary interleavings resulting in same state main() thread 1 thread 2 assume(i!=j); v[i]=0; v[j]=0; A : v[i]=1; a : v[j]=-2; pthread_create ( T 1 ); B : v[i]=v[i]+1; b : v[j]=v[j]+1; pthread_create ( T 2 ); C : v[i]=v[j]; c : v[i]=v[i]+1; pthread_join ( T 1 ); pthread_join ( T 2 ); assert(v[j] ≥ 0); consecutive independent actions only occur in the order of increasing thread ids, e.g., Aa but not aA A a B a A b C a B b A c A || a and TID ( A ) < TID ( a ) B || b and TID ( B ) < TID ( b ) a C b B c A A || b and TID ( A ) < TID ( b ) b C c B c C 11 / 20

  36. Algorithm: POR+Impact (First Attempt) • POR restricts expansion 1: procedure Expand ♦ ( v ) 2: for T ∈ T with ¬ Skip ♦ ( v, T ) do 3: Expand-thread ( T, v ) 12 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm has changed for software services. Developing a full-featured and functioning software service is necessary; however service real time availability

606 views • 19 slides
Multithreaded Geant4: Semi-Automatic Transformation into Scalable Thread-Parallel Software Xin

Multithreaded Geant4: Semi-Automatic Transformation into Scalable Thread-Parallel Software Xin

Multithreaded Geant4: Semi-Automatic Transformation into Scalable Thread-Parallel Software Xin Dong 1 , Gene Cooperman 1 , and John Apostolakis 2 1 College of Computer Science, Northeastern University, Boston, MA 02115, USA { xindong,gene }

584 views • 12 slides
Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to Fault Injection Attacks Jakub Breier, Dirmanto Jap, and Shivam Bhasin Presenter: Wei He Physical Analysis and Cryptographic Engineering Nanyang

525 views • 26 slides
Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

1.2k views • 72 slides
SE350: Operating Systems Lecture 5: Multithreaded Kernels Outline Use cases for multithreaded

SE350: Operating Systems Lecture 5: Multithreaded Kernels Outline Use cases for multithreaded

SE350: Operating Systems Lecture 5: Multithreaded Kernels Outline Use cases for multithreaded programs Kernel vs. user-mode threads Concurrencys problems Recall: Why Processes &amp; Threads? Go Goals ls: Mu Multiprogramming

549 views • 39 slides
Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman

Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman

Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman Kodak Company Research Laboratories 14 July 2008 AFM 08 (Note: E-version distributed at CAV is the preliminary, not final version) Context

455 views • 44 slides
Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov

Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov

Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov Ivannikov Institute For System Programming of RAS ilja.zakharov@ispras.ru Klever Verification Framework Intended for finding bugs in large software

546 views • 32 slides
On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262

On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262

On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262 Compliance in Simulink Lukas Murer, Torben Stolte Tanja Hebecker, Michael Lipaczewski Uwe Mhrstdt, Frank Ortmeier Motivation Functional safety

589 views • 21 slides
CPALockator Thread-Modular Approach with Transition Abstraction for Analysis of Multithreaded

CPALockator Thread-Modular Approach with Transition Abstraction for Analysis of Multithreaded

CPALockator Thread-Modular Approach with Transition Abstraction for Analysis of Multithreaded Software Pavel Andrianov, andrianov@ispras.ru Motivation Linux module drivers/net/irda/w83977af_ir.ko: 10 000 LOC static void

598 views • 25 slides
Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
Finding Errors in Multithreaded GUI Applications Sai Zhang University of Washington Joint work

Finding Errors in Multithreaded GUI Applications Sai Zhang University of Washington Joint work

Finding Errors in Multithreaded GUI Applications Sai Zhang University of Washington Joint work with: Hao Lu, Michael D. Ernst GUIs are everywhere in modern software 2 Multithreading in GUI applications UI thread A GUI Application UI event

680 views • 36 slides
The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides
SuperMatrix: A Multithreaded Runtime Scheduling System for Algorithms-by-Blocks Ernie Chan, Field

SuperMatrix: A Multithreaded Runtime Scheduling System for Algorithms-by-Blocks Ernie Chan, Field

SuperMatrix: A Multithreaded Runtime Scheduling System for Algorithms-by-Blocks Ernie Chan, Field G. Van Zee, Robert van de Geijn, Paolo Bientinesi, Enrique S. Quintana-Ort and Gregorio Quintana-Ort Software Engineering Seminar Luc Humair

525 views • 50 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory &amp; Coq

verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory &amp; Coq

verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory &amp; Coq 20152016 Radboud University Nijmegen June 16, 2016 0 SHA and VST SHA = Secure Hash Algorithm VST = Verified Software

740 views • 69 slides
NC MULTI - SLIDES PROGRAMMABLE CMP 200 NOVELTY 2015 You have Meyer, Roth and Pastor (MRP) type, UB

NC MULTI - SLIDES PROGRAMMABLE CMP 200 NOVELTY 2015 You have Meyer, Roth and Pastor (MRP) type, UB

NC - multi - slides - programmable - CMP200.pdf 05/2014 NC MULTI - SLIDES PROGRAMMABLE CMP 200 NOVELTY 2015 You have Meyer, Roth and Pastor (MRP) type, UB series mechanical multi - slide machines and you want to adapt NC multi - slide machines to

281 views • 3 slides
How Charges Behave Bill Nye: Electricity Electrons carry a negative charge, and protons carry a

How Charges Behave Bill Nye: Electricity Electrons carry a negative charge, and protons carry a

How Charges Behave Bill Nye: Electricity Electrons carry a negative charge, and protons carry a positive charge. Negative charges : The charges of electrons Surround the nucleus; can be rubbed off a material Positive charges : The

453 views • 16 slides
The r-mode instability what we (think) we know 5+.)%6,'3,*7%89:9 !&quot;#$%&amp;'()*$$+'

The r-mode instability what we (think) we know 5+.)%6,'3,*7%89:9 !&quot;#$%&amp;'()*$$+'

The r-mode instability what we (think) we know 5+.)%6,'3,*7%89:9 !&quot;#$%&amp;'()*$$+' ',-.,/0$1$+/+'1,2134 /0)%*&lt;.+()%&quot;'$/,=&quot;#&quot;/7 ;0)%*&lt;.+()$%=)#+'&gt;%/+%,%#,*&gt;)%2#,$$%+?% @&quot;')*/&quot;,#A

339 views • 13 slides
Physics 115 General Physics II Session 15 Electric Charge Coulombs Law R. J. Wilkes

Physics 115 General Physics II Session 15 Electric Charge Coulombs Law R. J. Wilkes

Physics 115 General Physics II Session 15 Electric Charge Coulombs Law R. J. Wilkes Email: phy115a@u.washington.edu Home page: http://courses.washington.edu/phy115a/ 4/25/14 1 Physics 115 Lecture Schedule (up to exam 2) Today

1.16k views • 21 slides
Monitoring and Logging R Scripts in Production https://daroczig.github.io/logger Gergely Daroczi

Monitoring and Logging R Scripts in Production https://daroczig.github.io/logger Gergely Daroczi

Monitoring and Logging R Scripts in Production https://daroczig.github.io/logger Gergely Daroczi Directions in Statistical Computing September 19, 2019 About me (using R for production) 2006: calling R scripts from PHP (both reading from

762 views • 60 slides
Relational Algebra for Just Good Enough Hardware J.N. Oliveira Inesc Tec &amp; University

Relational Algebra for Just Good Enough Hardware J.N. Oliveira Inesc Tec &amp; University

Relational Algebra for Just Good Enough Hardware J.N. Oliveira Inesc Tec &amp; University of Minho RAMiCS 2014 Marienstatt im Westerwald, Germany 28 April - 1 May 2014 Motivation Context Going relational Going linear Kleisli shift

963 views • 74 slides
Building Teams and Delivering Product During Revolu6onary Change

Building Teams and Delivering Product During Revolu6onary Change

Building Teams and Delivering Product During Revolu6onary Change Susan Standiford CTO Its about change Susan Standiford susan@ruelala.com Change is

809 views • 19 slides
C ONTENT A PPLYING A R EWRITE R ULE l Intro &amp; motivation, getting started

C ONTENT A PPLYING A R EWRITE R ULE l Intro &amp; motivation, getting started

L AST T IME Introducing new Types Equations and Term Rewriting Confluence and Termination of reduction systems NICTA Advanced Course Term Rewriting in Isabelle Slide 1 Slide 3 Theorem Proving Principles, Techniques, Applications

374 views • 8 slides

More recommend