sequentializationtargetedto boundedmodel-checkerssequentialization • alters the original program...

Sequentialization targeted to

Bounded Model-Checkers

Salvatore La Torre

Dipartimento di Informatica Università degli Studi di Salerno

• Code-to-code translation from a multithreaded program to an “equivalent” sequential one

Conc.program

Sequentialization

T1 T2 Tm

shared vars

…loc loc loc

• Re-use of existing tools (delegate the analysis to the backend tool)

• Fast prototyping (designers can concentrate only concurrency features)

• Can work with different backends

Seq.Verifier

Seq. progam

Sequentialization

• alters the original program structure by injecting control code

(which is an overhead for the backend)

• requires careful attention to the details of the translation for well-performing tools

• replaces concurrency with nondeterminism

Backend: Bounded Model Checkers

• Reduce program verification to SAT/SMT solvers

• Very effective technique to discover bugs in seq. programs

• Performance relies on the performance of underlyingsolvers

• Impressive improvement of

SAT solvers in last years

1

10

100

1000

10000

100000

1960 1970 1980 1990 2000 2010

Year

Var

s

Implementations with BMC backend

• LR seq. [Lal-Reps, CAV’08]: eager, bounded round-robin

• LMP seq. [La Torre-Madhusudan-Parlato]: lazy, any scheduling

• With BMC, LR works better than LMP[Ghafari-Hu-Rakamaric, SPIN’10]

• Implementations of LR:– CSeq: Pthreads C programs [Fischer-Inverso-Parlato, ASE’13]

– STORM: also dynamic memory allocation[Lahiri-Qadeer-Rakamaric, CAV’09]

– Corral [Lal-Qadeer-Lahiri, CAV’12]

– Delay bounded-scheduling [Emmi-Qadeer-Rakamaric, POPL’11]– Real-time systems [Chaki, Gurfinkel, Strichman – FMCAD’11]

Lal/Reps Sequentialization

• considers only round-robin scheduleswith k rounds

– thread → function, run to completion

• global memory copy for each round

– scalar → array

• context switch → round counter++

• first thread starts with

nondeterministic memory contents

– other threads continue with content left by predecessor

T0 T1

S2,1

S0,1

S1,1

Sk,1

Tn

...

......

...

...

...

S2,0

S0,0

S1,0

Sk,0

S2,n

S0,n

S1,n

Sk,n

Lal/Reps Sequentialization

• considers only round-robin scheduleswith k rounds

– thread → function, run to completion

• global memory copy for each round

– scalar → array

• context switch → round counter++

• first thread starts with

nondeterministic memory contents

– other threads continue with content left by predecessor

• checker prunes away inconsistent simulations

– assume(Si+1,0 == S i,n);

– requires second set of memory copies

– errors can only be checked at end of simulation

• requires explicit error checks

T0 T1

S2,1

S0,1

S1,1

Sk,1

Tn

...

......

...

...

...

S2,0

S0,0

S1,0

Sk,0

S2,n

S0,n

S1,n

Sk,n

CSeq Tool Architecture [Fischer-Inverso-Parlato, ASE’13]

• pycparser, AST traversal with unparsing– insert new type declarations, modify memory accesses

– insert context switch simulation code at each sequence point

– insert explicit error checks

– insert checker and code for pthread functions

sequential

non-deterministic

C program

P'

concurrent

C program

P

SAFE

UNSAFE

CSeq

sequential tool

k, N

Can we improve this?

• Eager sequentializations

– cannot rely on error checks built into the backend

– also requires specific techniques to handle programs with heap-allocated memory

• LR (but also LMP) uses additional copies of shared variables

– BMC will make more copies with loop/recursion unwinding

– can seriously affect the formula size

Two new sequentializations[Inverso-Tomasco-Fischer-LaTorre-Parlato]

• Lazy-CSeq [CAV’14-TACAS/SVCOMP’14]– lazy

– light-weight: few additional variables and code

• MU-CSeq [TACAS/SVCOMP’14]– Bound on memory unwindings

– Extension message-passing programs

Outline

• Bounded Model-checking for programs

• Lazy sequentialization: Lazy-CSeq

• Memory unwindings: MU-CSeq

• Experiments

• Conclusions

How does it work

Transform a programs into a set of equations

• Simplify control flow

• Unwind all of the loops

• Convert into Static Single Assignment (SSA)

• Convert into equations

• Bit-blast

• Solve with a SAT Solver

• Convert SAT assignment into a counterexample

Control Flow Simplifications

• All side effect are removed

– e.g., j=i++ becomes j=i; i=i+1

• Control Flow is made explicit

– continue, break replaced by goto

• All loops are simplified into one form

– for, do, while replaced by while

Loop Unwinding

while() loops are unwound iteratively

Break / continue replaced by goto

void f(...) {void f(...) {...

while(cond) {Body;

}

Remainder;}

Loop Unwinding



void f(...) {void f(...) {...

if(cond) {Body;

while(cond) {Body;

}}

Remainder;}

Loop Unwinding



void f(...) {void f(...) {...

if(cond) {Body;

if(cond) {Body;

while(cond) {Body;

}}

}

Remainder;}

Unwinding assertion



Assume statements inserted after last iteration: block execution if program runs longer than bound permits

void f(...) {void f(...) {...

if(cond) {Body;

if(cond) {Body;

if(cond) {Body;

while(cond) {Body;

}}

}}

Remainder;}

Unwinding assertion



Assume statements inserted after last iteration: block execution if program runs longer than bound permits

void f(...) {void f(...) {...

if(cond) {Body;

if(cond) {Body;

if(cond) {Body;

assume(!cond);

}}

}}

Remainder;} Unwinding

assume

Transforming Loop-Free Programs Into

Equations (1)

• Easy to transform when every variable is only assigned once!

x = a;y = x + 1;z = y – 1;

Program Constraints

x = a &&y = x + 1 &&z = y – 1 &&

Transforming Loop-Free Programs Into

Equations (2)

• When a variable is assigned multiple times,

• use a new variable for the RHS of each assignment

Program SSA Program

What about conditionals?

Program SSA Program

if (v)x = y;

elsex = z;

w = x;

if (v 0)x0 = y 0;

elsex1 = z 0;

w1 = x?? ; What should ‘x’ be?

What about conditionals?

For each join point, add new variables with selectors

Program SSA Program

if (v)x = y;

elsex = z;

w = x;

if (v 0)x0 = y 0;

elsex1 = z 0;

x2 = v 0 ? x 0 : x 1;w1 = x 2

Example

CBMC: Bounded Model Checker for CA tool by D. Kroening/Oxford and Ed Clarke/CMU

Parser Static Analysis

CNF-genSAT solver

CEX-gen CBMC

C Program

SAFE

UNSAFE + CEX

SAT

UNSAT CNF

goto-program

equations

BMC: from sequential to concurrent

• BMC for sequential programs has been used to discover subtle errors in applications

• robust BMC tools exist for C programs (e.g. CBMC, LLBMC, ESBMC)

• attempts to apply BMC to multi-threaded programs face problems

�number of interleavings grows exponentially with #threads and #statements

Recent solutions for multi-threaded programs

• partial orders

• sequentializations

Outline

�Bounded Model-checking for programs

• Lazy sequentialization: Lazy-CSeq


• Experiments

• Conclusions

Lazy-CSeq schema

• P' simulates all computations (up to K rounds) of P

• lazy: avoid exploring unfeasible runs

T₁ ∥ T₂ ∥ … ∥ Tn ↝ (T'1 ; T'2 ; … ; T'n)K

Lazy-CSeq Sequentialization

Translation P ↝ P':– unwinding, inlining (bounded program)

– thread T ↝ function T'– main driver:

For each round in [1..K]

for each thread in [1..N]

T' thread ();

Main driver

K: roundsct: thread count

active[j]: true iff thread j is active

cs: guessed context-switch position for coming simulation

pc[j]: position when context-switched out of thread j

size[j]: last position for context-switches

void main(void) {

for(r=1; r<=K; r++) {

ct=1; // thread 1

if(active[ct]) { //only active theads

cs=pc[ct]+nondet uint(); // guess cs

assume(cs<=size[ct]); // legal?

fseq_1(arg[ct]); // simulate thread

pc[ct]=cs; // store cs

}

: : : : : : : : :

ct=n; // thread n

if(active[ct]) {

: : : : : : : : : }

}}

Thread T ↝ function T'

Translation P ↝ P':– unwinding, inlining– thread T ↝ function T'– main driver:

• for round in [1..K]

• for thread in [1..N]• T' thread ();

Thread T ↝ function T'• var x; ↝ static var x;

• stmt; ↝ guard; stmt;

T'

guard; stmt;

...


T'

Thread simulation: round 1• guess context-switch point cs1 (in main)

• execute stmts before cs1

• jump in multiple hops to the end

and return


• stmt; ↝ guard; stmt; context-switch cs1

...

simulation round 1exec

skip

...


Thread simulation: round i• guess context-switch point csi (in main)

• jump in multiple hops to pci-1

• execute stmts from pci-1 to csi

• jump in multiple hops to the end

and return



simulation round i >1

T'

context-switch csi

...

exec

skip

skip

resume from pci-1

Instrumenting jumping

in and out of

thread executions(stmt; ↝ guard; stmt;)

Multiple hops:

#define J(A,B) if ( pc[ct] > A || A >= cs )

goto B;

• Ex. At position 5,

J(5,6) jumps to 6 (next position)

when not in [ pc[ct], cs [

Branching stmts

Use macro:

#define G(L) assume(cs >= L);

• Rules out spurious thread executionswhen context-switch position isinside the not picked branch



if cond

{

body1 ↝}else{

body2

}

if cond

{

body1

}else{ G(A)

body2

} G(B)

Example

2:J(2,3) if(c>0)

3:J(3,4) c++;

else {

4:J(4,5) c=0;

if(!(tmp>0)) goto l1;

5:J(5,6) c++; tmp--;

if(!(tmp>0)) goto l1;

6:J(6,7) c++; tmp--;

assume(!(tmp>0));

l1: G(7);

} G(7)

7:J(7,8) pthread mutex unlock(&m);

Assume pc=2 and cs=3(only 2: must be executed)

Additionally suppose c<=0 holds

Execution jumps to the else stmt and exits

In main pc is then set to 3 (cs)

When resumed, the tread will start from 3:

executing c++!!!!!

Adding guard G(4) right after the else stmt rules out this unfeasible computation

G(4)

Note this is not ruling outany good exectutions

The sketched one is captured by guessing cs=4 instead of cs=3

Outline


�Lazy sequentialization: Lazy-CSeq


• Experiments

• Conclusions

Main idea

• Guess a memory unwinding of the shared memory

– sequence of writes into the shared memory of an execution

• Execute each thread s.t. its local computation isconsistent with the memory unwinding

– any scheduling that fits it is considered

• Crucial notion: all the shared memory operationsare done through a memory object

Memory object

• Stores a sequence of writes

– Each write is a triple (thread, variable, value)

• Is used through an interface

• Several implementations are possible

Memory object interface

int mem_init(uint V, uint W, uint T);

• instantiate a memory object

• V = number of variables

• W = number of writes

• T = max number of threads

Memory object interface

int read(uint th_id, uint var);

void write(uint th_id, uint var, int value);

int mem_thread_create(uint parent_id);

• returns id for created thread

void terminate(uint th_id);

• checks that all writes of th_id have beenexecuted

……………

MU-Cseq sequentialization

– A funciton for each thread

thread T ↝ function T'

– main driver:

void proc main(void)

call memory_init(V, W, T); // instantiate memory

ct := mem_thread_create(0); // register main thread

call mainW;T(x1,..., xk);

call terminate(ct); // all writes are executed

assert(_error != 1) // error check

Basic Idea:

• uses auxiliary variables– pos (current index into memory object)– ct (id of currently simulated thread)

• every thread is translated into a function– simulation starts from main thread

• each thread creation interrupts simulation of current thread– new thread is called with current value of pos

• terminated threads must have completed their memory writes– terminate(ct) must hold

• old thread resumed with old memory position (in the activation record)

Simulation

simulate all executions compatible with guessed memory unwinding

Basic Idea:

• every read / write is translated into a function– simulates valid access into unwound memory

(similarly for pthread functions)

Simulation

simulate all executions compatible with guessed memory unwinding

Implementation I: Explicit Read

x y ... z“memory”

Guess and store sequence of individual write operations:

• add N copies of shared variables (“memory”)_memory[i,j] is value of j-th variable after i-th write

• add array to record writes (“writes”)i-th write is by _thr[i], which has written to _var[i]

• add array to record validity of writes (“barrier”)next write (after i) by thread t is at _next[i,t]

4 0 04 2 04 3 04 3 42... ... ... ...

0 3 42

1234...

W

pos

...

...

...

...

...0 0 0

1 x1 y2 y1 z... ...

2 x

varthr“writes”

0 00 ...

...

next[1]

“barrier”

N+1244

...

1

...

3

next[T]

N+1N+1N+1N+1

N+1

N+1

N+1 N+1

N

33N

...

...

...

...

...

...

N+1

...

Simulating reads and writes

4 0 04 2 04 3 04 3 42... ... ... ...

0 3 42

x y ... z

1 x1 y2 y1 z... ...

2 x

var

1234...

W

thr

int read(uint th, uint var) {

uint th_pos;

if is_terminated(th) then return;

th_pos = Jump(th_id);

return (mem[th_pos][var]);

}

“memory” “writes”pos

...

...

...

...

...0 0 0 0 00 ...

...

next[1]

“barrier”

N+1244

...

1

...

3

next[T]...

N+1N+1N+1N+1

N+1

N+1

N+1 N+1

N

33N

...

...

...

...

...

...

N+1

Simulating reads and writes

int write(uint th, uint var, int val) {

uint jump;

if is_terminated(th) then return;

jump=next[pos][th_id];

assume ( (jump<=last_write_pos)

&& (var[jump]==var)

&& (value[jump]==val) );

pos=jump;

}

Other implementations

• Implementation II: (Implicit Read)

– mem WxV-array is replaced with W-array

var_next_write[ i ] is smallest j>i s.t. var[ i ]=var[ j ]

– saves memory but causes more complexRead implementation (larger formula)

• Implementation III:– mixed I and II

Outline



�Memory unwindings: MU-CSeq

• Experiments

• Conclusions

Lazy-CSeq won the Gold Medal and MU-CSeq I won the Silver Medal in the Concurrency category

– 76 concurrent C programs• UNSAFE instances: 20 programs containing a bug

• SAFE instances: all the others

– 4,500 l.o.c.

1) CSeq-Lazy: 1,000s, 136pts

2) CSeq-MU I: 1,200s, 136pts

3) CBMC: 29,000s, 128pts

Results:– small verification times

– small memory footprint

– no missed bugs!

Evaluation: SV-COMP2014

Lazy-Cseq vs Native Concurrency Handling (UNSAFE instances)

_1: timeout (750s) _2: internal error _3: manual translation not done

_4: test case rejected _5: unknown failure

Evaluation: bug-hunting

Evaluation: state space coverageLazy-CSeq + CBMC vs CBMC (SAFE instances)

How far is it possible to push the unwind bound with

the two different methods and still finish the analysis within

the given time and space requirements (10GB, 750s)?

• bounding the rounds

allows deeper

exploration of loops

• alternative coverage

of the state space

Evaluation: formula size

Lazy-CSeq + CBMC vs CBMC (v4.7)

(on SV-COMP14 SAFE instances)

MU-CSeq

Outline



�Memory unwindings: MU-CSeq

�Experiments

• Conclusions

Conclusions• LR and LMP sequentializations

– complete analysis of concurrent programs up to a given number of context-switches (context-bounded analysis [Qadeer-Rehof, CAV’05]

– unbounded analysis within each context

• Lazy-CSeq and MU-CSeq use additional boundingcriteria– backend tool will bound the computations anyway– this can be exploited to induce simplifications of

the generated formula

• Effective for bug-hunting– many concurrency errors show up within few

context-switches

Lazy-CSeq

• Lightweight sequentialization

– designed to take advantage of modern sequ. BMC tools

– small BMC formulae for small number of rounds

– reduced memory footprint and verification times

• Laziness:

– avoid handling spurious errors typical of eager exploration

– inherit from the backend tool all checks for sequential C:

�array-bounds-check, division-by-zero, pointer- checks, overflow-checks, reachability of error labels and assertion failures, etc.

– no need to handle dynamic memory allocation

MU-CSeq

• Ongoing research

• Preliminary experiments show it is competitive with state-of-the-art model-checkers

• II improves on I on some benchmarks

• III – performs better than both I and II in general and – when it is outperfomed it stays close to the best of

the two

• NEXT: memory unwinding can be used to sequentializemessage-passing programs

– send/receive instead of read/write

Ermenegildo TomascoOmar Inverso Gennaro Parlato

UK

Lazy-CSeq and MU-CSeq joint work with

Bernd Fischer

South Africa

sequentializationtargetedto boundedmodel-checkerssequentialization • alters the original program...

Documents