19 research outputs found
A Framework to Synergize Partial Order Reduction with State Interpolation
We address the problem of reasoning about interleavings in safety
verification of concurrent programs. In the literature, there are two prominent
techniques for pruning the search space. First, there are well-investigated
trace-based methods, collectively known as "Partial Order Reduction (POR)",
which operate by weakening the concept of a trace by abstracting the total
order of its transitions into a partial order. Second, there is state-based
interpolation where a collection of formulas can be generalized by taking into
account the property to be verified. Our main contribution is a framework that
synergistically combines POR with state interpolation so that the sum is more
than its parts
Lazy-CSeq-SP: Boosting Sequentialization-Based Verification of Multi-threaded C Programs via Symbolic Pruning of Redundant Schedules
Abstract. Sequentialization has been shown to be an effective symbolic verification technique for concurrent C programs using POSIX threads. Lazy-CSeq, a tool that applies a lazy sequentialization scheme, has won the Concurrency division of the last two editions of the Competition on Software Verification. The tool encodes all thread schedules up to a given bound into a single non-deterministic sequential C program and then invokes a C model checker. This paper presents a novel optimized imple-mentation of lazy sequentialization, which integrates symbolic pruning of redundant schedules into the encoding. Experimental evaluation shows that our tool outperforms Lazy-CSeq significantly on many benchmarks
Software Model Checking with Explicit Scheduler and Symbolic Threads
In many practical application domains, the software is organized into a set
of threads, whose activation is exclusive and controlled by a cooperative
scheduling policy: threads execute, without any interruption, until they either
terminate or yield the control explicitly to the scheduler. The formal
verification of such software poses significant challenges. On the one side,
each thread may have infinite state space, and might call for abstraction. On
the other side, the scheduling policy is often important for correctness, and
an approach based on abstracting the scheduler may result in loss of precision
and false positives. Unfortunately, the translation of the problem into a
purely sequential software model checking problem turns out to be highly
inefficient for the available technologies. We propose a software model
checking technique that exploits the intrinsic structure of these programs.
Each thread is translated into a separate sequential program and explored
symbolically with lazy abstraction, while the overall verification is
orchestrated by the direct execution of the scheduler. The approach is
optimized by filtering the exploration of the scheduler with the integration of
partial-order reduction. The technique, called ESST (Explicit Scheduler,
Symbolic Threads) has been implemented and experimentally evaluated on a
significant set of benchmarks. The results demonstrate that ESST technique is
way more effective than software model checking applied to the sequentialized
programs, and that partial-order reduction can lead to further performance
improvements.Comment: 40 pages, 10 figures, accepted for publication in journal of logical
methods in computer scienc
Actor-based model checking for Software-Defined Networks
Software-Defined Networking (SDN) is a networking paradigm that has become
increasingly popular in the last decade. The unprecedented control over the
global behavior of the network it provides opens a range of new opportunities
for formal methods and much work has appeared in the last few years on
providing bridges between SDN and verification. This article advances this
research line and provides a link between SDN and traditional work on formal
methods for verification of concurrent and distributed software---actor-based
modelling. We show how SDN programs can be seamlessly modelled using
\emph{actors}, and thus existing advanced model checking techniques developed
for actors can be directly applied to verify a range of properties of SDN
networks, including consistency of flow tables, violation of safety policies,
and forwarding loops. Our model checker for SDN networks is available through
an online web interface, that also provides the SDN actor-models for a number
of well-known SDN benchmarks
IST Austria Technical Report
We present a new dynamic partial-order reduction method for stateless model checking of concurrent programs. A common approach for exploring program behaviors relies on enumerating the traces of the program, without storing the visited states (aka stateless exploration). As the number of distinct traces grows exponentially, dynamic partial-order reduction (DPOR) techniques have been successfully used to partition the space of traces into equivalence classes (Mazurkiewicz partitioning), with the goal of exploring only few representative traces from each class.
We introduce a new equivalence on traces under sequential consistency semantics, which we call the observation equivalence. Two traces are observationally equivalent if every read event observes the same write event in both traces. While the traditional Mazurkiewicz equivalence is control-centric, our new definition is data-centric. We show that our observation equivalence is coarser than the Mazurkiewicz equivalence, and in many cases even exponentially coarser. We devise a DPOR exploration of the trace space, called data-centric DPOR, based on the observation equivalence.
1. For acyclic architectures, our algorithm is guaranteed to explore exactly one representative trace from each observation class, while spending polynomial time per class. Hence, our algorithm is optimal wrt the observation equivalence, and in several cases explores exponentially fewer traces than any enumerative method based on the Mazurkiewicz equivalence.
2. For cyclic architectures, we consider an equivalence between traces which is finer than the observation equivalence; but coarser than the Mazurkiewicz equivalence, and in some cases is exponentially coarser. Our data-centric DPOR algorithm remains optimal under this trace equivalence.
Finally, we perform a basic experimental comparison between the existing Mazurkiewicz-based DPOR and our data-centric DPOR on a set of academic benchmarks. Our results show a significant reduction in both running time and the number of explored equivalence classes
Value-centric Dynamic Partial Order Reduction
The verification of concurrent programs remains an open challenge, as thread
interaction has to be accounted for, which leads to state-space explosion.
Stateless model checking battles this problem by exploring traces rather than
states of the program. As there are exponentially many traces, dynamic
partial-order reduction (DPOR) techniques are used to partition the trace space
into equivalence classes, and explore a few representatives from each class.
The standard equivalence that underlies most DPOR techniques is the
happens-before equivalence, however recent works have spawned a vivid interest
towards coarser equivalences. The efficiency of such approaches is a product of
two parameters: (i) the size of the partitioning induced by the equivalence,
and (ii) the time spent by the exploration algorithm in each class of the
partitioning.
In this work, we present a new equivalence, called value-happens-before and
show that it has two appealing features. First, value-happens-before is always
at least as coarse as the happens-before equivalence, and can be even
exponentially coarser. Second, the value-happens-before partitioning is
efficiently explorable when the number of threads is bounded. We present an
algorithm called value-centric DPOR (VCDPOR), which explores the underlying
partitioning using polynomial time per class. Finally, we perform an
experimental evaluation of VCDPOR on various benchmarks, and compare it against
other state-of-the-art approaches. Our results show that value-happens-before
typically induces a significant reduction in the size of the underlying
partitioning, which leads to a considerable reduction in the running time for
exploring the whole partitioning