1,939 research outputs found
Lost in Abstraction: Monotonicity in Multi-Threaded Programs (Extended Technical Report)
Monotonicity in concurrent systems stipulates that, in any global state,
extant system actions remain executable when new processes are added to the
state. This concept is not only natural and common in multi-threaded software,
but also useful: if every thread's memory is finite, monotonicity often
guarantees the decidability of safety property verification even when the
number of running threads is unknown. In this paper, we show that the act of
obtaining finite-data thread abstractions for model checking can be at odds
with monotonicity: Predicate-abstracting certain widely used monotone software
results in non-monotone multi-threaded Boolean programs - the monotonicity is
lost in the abstraction. As a result, well-established sound and complete
safety checking algorithms become inapplicable; in fact, safety checking turns
out to be undecidable for the obtained class of unbounded-thread Boolean
programs. We demonstrate how the abstract programs can be modified into
monotone ones, without affecting safety properties of the non-monotone
abstraction. This significantly improves earlier approaches of enforcing
monotonicity via overapproximations
Context-Bounded Analysis For Concurrent Programs With Dynamic Creation of Threads
Context-bounded analysis has been shown to be both efficient and effective at
finding bugs in concurrent programs. According to its original definition,
context-bounded analysis explores all behaviors of a concurrent program up to
some fixed number of context switches between threads. This definition is
inadequate for programs that create threads dynamically because bounding the
number of context switches in a computation also bounds the number of threads
involved in the computation. In this paper, we propose a more general
definition of context-bounded analysis useful for programs with dynamic thread
creation. The idea is to bound the number of context switches for each thread
instead of bounding the number of switches of all threads. We consider several
variants based on this new definition, and we establish decidability and
complexity results for the analysis induced by them
Pointer Race Freedom
We propose a novel notion of pointer race for concurrent programs
manipulating a shared heap. A pointer race is an access to a memory address
which was freed, and it is out of the accessor's control whether or not the
cell has been re-allocated. We establish two results. (1) Under the assumption
of pointer race freedom, it is sound to verify a program running under explicit
memory management as if it was running with garbage collection. (2) Even the
requirement of pointer race freedom itself can be verified under the
garbage-collected semantics. We then prove analogues of the theorems for a
stronger notion of pointer race needed to cope with performance-critical code
purposely using racy comparisons and even racy dereferences of pointers. As a
practical contribution, we apply our results to optimize a thread-modular
analysis under explicit memory management. Our experiments confirm a speed-up
of up to two orders of magnitude
Procedure-modular specification and verification of temporal safety properties
This paper describes ProMoVer, a tool for fully automated procedure-modular verification of Java programs equipped with method-local and global assertions that specify safety properties of sequences of method invocations. Modularity at the procedure-level is a natural instantiation of the modular verification paradigm, where correctness of global properties is relativized on the local properties of the methods rather than on their implementations. Here, it is based on the construction of maximal models for a program model that abstracts away from program data. This approach allows global properties to be verified in the presence of code evolution, multiple method implementations (as arising from software product lines), or even unknown method implementations (as in mobile code for open platforms). ProMoVer automates a typical verification scenario for a previously developed tool set for compositional verification of control flow safety properties, and provides appropriate pre- and post-processing. Both linear-time temporal logic and finite automata are supported as formalisms for expressing local and global safety properties, allowing the user to choose a suitable format for the property at hand. Modularity is exploited by a mechanism for proof reuse that detects and minimizes the verification tasks resulting from changes in the code and the specifications. The verification task is relatively light-weight due to support for abstraction from private methods and automatic extraction of candidate specifications from method implementations. We evaluate the tool on a number of applications from the domains of Java Card and web-based application
A Concurrent Perspective on Smart Contracts
In this paper, we explore remarkable similarities between multi-transactional
behaviors of smart contracts in cryptocurrencies such as Ethereum and classical
problems of shared-memory concurrency. We examine two real-world examples from
the Ethereum blockchain and analyzing how they are vulnerable to bugs that are
closely reminiscent to those that often occur in traditional concurrent
programs. We then elaborate on the relation between observable contract
behaviors and well-studied concurrency topics, such as atomicity, interference,
synchronization, and resource ownership. The described
contracts-as-concurrent-objects analogy provides deeper understanding of
potential threats for smart contracts, indicate better engineering practices,
and enable applications of existing state-of-the-art formal verification
techniques.Comment: 15 page
- ā¦