33 research outputs found
Sequentializing Parameterized Programs
We exhibit assertion-preserving (reachability preserving) transformations
from parameterized concurrent shared-memory programs, under a k-round
scheduling of processes, to sequential programs. The salient feature of the
sequential program is that it tracks the local variables of only one thread at
any point, and uses only O(k) copies of shared variables (it does not use extra
counters, not even one counter to keep track of the number of threads).
Sequentialization is achieved using the concept of a linear interface that
captures the effect an unbounded block of processes have on the shared state in
a k-round schedule. Our transformation utilizes linear interfaces to
sequentialize the program, and to ensure the sequential program explores only
reachable states and preserves local invariants.Comment: In Proceedings FIT 2012, arXiv:1207.348
Verifying multi-threaded software using SMT-based context-bounded model checking
We describe and evaluate three approaches to model check multi-threaded software with shared variables and locks using bounded model checking based on Satisfiability Modulo Theories (SMT) and our modelling of the synchronization primitives of the Pthread library. In the lazy approach, we generate all possible interleavings and call the SMT solver on each of them individually, until we either find a bug, or have systematically explored all interleavings. In the schedule recording approach, we encode all possible interleavings into one single formula and then exploit the high speed of the SMT solvers. In the underapproximation and widening approach, we reduce the state space by abstracting the number of interleavings from the proofs of unsatisfiability generated by the SMT solvers. In all three approaches, we bound the number of context switches allowed among threads in order to reduce the number of interleavings explored. We implemented these approaches in ESBMC, our SMT-based bounded model checker for ANSI-C programs. Our experiments show that ESBMC can analyze larger problems and substantially reduce the verification time compared to state-of-the-art techniques that use iterative context-bounding algorithms or counter-example guided abstraction refinement
Thread-Modular Static Analysis for Relaxed Memory Models
We propose a memory-model-aware static program analysis method for accurately
analyzing the behavior of concurrent software running on processors with weak
consistency models such as x86-TSO, SPARC-PSO, and SPARC-RMO. At the center of
our method is a unified framework for deciding the feasibility of inter-thread
interferences to avoid propagating spurious data flows during static analysis
and thus boost the performance of the static analyzer. We formulate the
checking of interference feasibility as a set of Datalog rules which are both
efficiently solvable and general enough to capture a range of hardware-level
memory models. Compared to existing techniques, our method can significantly
reduce the number of bogus alarms as well as unsound proofs. We implemented the
method and evaluated it on a large set of multithreaded C programs. Our
experiments showthe method significantly outperforms state-of-the-art
techniques in terms of accuracy with only moderate run-time overhead.Comment: revised version of the ESEC/FSE 2017 pape
Safety verification of asynchronous pushdown systems with shaped stacks
In this paper, we study the program-point reachability problem of concurrent
pushdown systems that communicate via unbounded and unordered message buffers.
Our goal is to relax the common restriction that messages can only be retrieved
by a pushdown process when its stack is empty. We use the notion of partially
commutative context-free grammars to describe a new class of asynchronously
communicating pushdown systems with a mild shape constraint on the stacks for
which the program-point coverability problem remains decidable. Stacks that fit
the shape constraint may reach arbitrary heights; further a process may execute
any communication action (be it process creation, message send or retrieval)
whether or not its stack is empty. This class extends previous computational
models studied in the context of asynchronous programs, and enables the safety
verification of a large class of message passing programs
Model checking Branching-Time Properties of Multi-Pushdown Systems is Hard
We address the model checking problem for shared memory concurrent programs
modeled as multi-pushdown systems. We consider here boolean programs with a
finite number of threads and recursive procedures. It is well-known that the
model checking problem is undecidable for this class of programs. In this
paper, we investigate the decidability and the complexity of this problem under
the assumption of bounded context-switching defined by Qadeer and Rehof, and of
phase-boundedness proposed by La Torre et al. On the model checking of such
systems against temporal logics and in particular branching time logics such as
the modal -calculus or CTL has received little attention. It is known that
parity games, which are closely related to the modal -calculus, are
decidable for the class of bounded-phase systems (and hence for bounded-context
switching as well), but with non-elementary complexity (Seth). A natural
question is whether this high complexity is inevitable and what are the ways to
get around it. This paper addresses these questions and unfortunately, and
somewhat surprisingly, it shows that branching model checking for MPDSs is
inherently an hard problem with no easy solution. We show that parity games on
MPDS under phase-bounding restriction is non-elementary. Our main result shows
that model checking a context bounded MPDS against a simple fragment of
CTL, consisting of formulas that whose temporal operators come from the set
{\EF, \EX}, has a non-elementary lower bound
Faster Algorithms for Weighted Recursive State Machines
Pushdown systems (PDSs) and recursive state machines (RSMs), which are
linearly equivalent, are standard models for interprocedural analysis. Yet RSMs
are more convenient as they (a) explicitly model function calls and returns,
and (b) specify many natural parameters for algorithmic analysis, e.g., the
number of entries and exits. We consider a general framework where RSM
transitions are labeled from a semiring and path properties are algebraic with
semiring operations, which can model, e.g., interprocedural reachability and
dataflow analysis problems.
Our main contributions are new algorithms for several fundamental problems.
As compared to a direct translation of RSMs to PDSs and the best-known existing
bounds of PDSs, our analysis algorithm improves the complexity for
finite-height semirings (that subsumes reachability and standard dataflow
properties). We further consider the problem of extracting distance values from
the representation structures computed by our algorithm, and give efficient
algorithms that distinguish the complexity of a one-time preprocessing from the
complexity of each individual query. Another advantage of our algorithm is that
our improvements carry over to the concurrent setting, where we improve the
best-known complexity for the context-bounded analysis of concurrent RSMs.
Finally, we provide a prototype implementation that gives a significant
speed-up on several benchmarks from the SLAM/SDV project