symmetry-aware predicate abstraction for shared-variable concurrent programs alastair donaldson,...
TRANSCRIPT
Symmetry-Aware Predicate Abstraction for Shared-
Variable Concurrent Programs
Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl
Computer Science Department, Oxford University, United Kingdom
Limor Goldberg
15.4.2012
Outline
Introduction Symmetry-Aware Predicate Abstraction Symmetry-Aware Predicate Abstraction
with aliasing Closing the CEGAR Loop Experimental results Conclusion
Introduction
Introduction
Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution
Overview
Enables applying finite- state model checkers to programs written in mainstream languages
The use of predicate abstraction till now
Goal: present an application of PA to shared variable concurrent
software
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
Overview
A symmetry aware predicate abstraction: Consider the replicated structure of a C
program consists of many threads Generate a boolean program
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
Predicate Abstraction
Predicate: A first order atomic formula over variables V
Examples: x+y<z2, x=5
Let Þ be a program and let φ be an ACTL* formula,AP = {P1,….,Pk} ,includes:• Atoms(φ), the set of predicates appearing in φ• Some of the conditions in control statements in
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
Predicate Abstraction
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
The abstract states: {B1,…,Bk}
when each predicate Pj is associated with a boolean variable Bj
The Abstraction mapping h: h(s)=
ˆ 0,1k
S
States label: • A concrete state labeled with all the
predicates it satisfied.
• An abstract states labeled with predicate the corresponding bit is 1 in that state.
Example:
Predicate Abstraction
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
• let be a program with variable x,y and a single transition x:=x+1.
• AP={P1,P2,P3} where:
• P1 = ( x 1 )
• P2 = ( x>y )
• P3 = ( y=2 )
Some of the labels are:• L((0,0)) = L((1,1)) = L((0,1)) = {P1}
• L((0,2)) = L((1,2)) = {P1, P3}
• L((2,0)) = {P2}
Example
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
Example
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
• let be a program with variable x,y and a single transition x:=x+1.
• AP={P1,P2,P3} where: P1 = ( x 1 ) , P2 = ( x>y ) , P3 = ( y=2 )
• S = {s, t} • s(x) = s(y) = 0• t(x) = 1, t(y) = 2
• L(s) = {P1} , L(t) = {P1, P3}
Example
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
• let be a program with variable x,y and a single transition x:=x+1.
• AP={P1,P2,P3} where: P1 = ( x 1 ) , P2 = ( x>y ) , P3 = ( y=2 )
• {0,1}3 .• We define the abstraction mapping h:
• h((0,0)) = h((1,1)) = h((0,1)) = (1,0,0)• h((0,2)) = h((1,2)) = (1,0,1)• h((2,0)) = {P2} = (0,1,0)
Example
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
• let be a program with variable x,y and a single transition x:=x+1.
• AP={P1,P2,P3} where: P1 = ( x 1 ) , P2 = ( x>y ) , P3 = ( y=2 )
• S = {s, t} : s(x) = s(y) = 0 , t(x) = 1, t(y) = 2
• L(s) = {P1} , L(t) = {P1, P3}
• the abstraction mapping h:• h(s) = (1,0,0), h(t) = (1,0,1).
• ( ) = (1,0,0) = L(s) = {P1}
• ( ) = (1,0,1) = L(t) = {P1, P3}
Example
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
1 2 3 1 2 3
1 1 2 2 3 3
1 1 2 2 3 3
ˆ , , , ', ', '
, , ,
, , ', ' ' 1 '
', ' ' ', ' ' ', ' '
R B B B B B B
P x y B P x y B P x y B
x y x y x x y y
P x y B P x y B P x y B
(1,1)
(2,1)
(1,0,0)
(0,1,0)
⇔
• Example:• For (1,0,0) and (0,1,0) :
• They are in iff exist x,y,x’,y’ which satisfied the formula above.
• We can see that (1,1) and (2,1) provide all we need
Uses of predicate abstraction
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
Predicate abstraction introduces as a way of dealing with data state explosion
It turns C programs into finite state boolean programs which can be model checked
Analyzing sequential software: In the SLAM project at Microsoft, using this
approach, was able to discover numerous control-dominated errors in low level operating system code.
Uses of predicate abstraction
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
The bottleneck of PA in shared variable concurrent programs: the exponential dependence of the generate state
apace on the number of running threads.
Solution – exploit symmetry
Uses of predicate abstraction
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
Our goal is a scheme that:
Translate a non-recursive C program with global scope and procedure scope into a Boolean program
The n-thread Boolean program (n), shell soundly overapproximates the n-thread C program (n)
Such an abstraction method called – symmetry aware Permits predicates over arbitrary C programs variables,
local or global.
Uses of predicate abstraction
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
We present program as code fragments that declare shred and local variables.
such code is to be understood as a procedure to be executed by any number of threads
The code can declare shared variables – declared at the global scope (the complete program)
Can declare local variables (within the procedure)
Naïve solution
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
Since the program B is executed by parallel threads its variables have to be partitioned into “shared” and “local” .
The “shared” and “local” attribute of B’s variables depend on the attributes of P’s variables a predicate is formulated over.
Definition:- A local predicate refers solely to a local C program variables- A shared predicate refers solely to a shared C program
variables- A mixed predicate is neither local nor shared.
Naïve solution
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
Definition:- A local predicate refers solely to a local C program variables- A shared predicate refers solely to a shared C program variables- A mixed predicate is neither local nor shared.
Example to mix predicate:let s and l be a shared and local variables
respectively.b is a boolean corresponding to the predicate: s !=
l Thus b is a mix variable
Naïve solution
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
The decision whether a mix predicate should be track in the shared or local space in the Boolean program is non-obvious.
Example: local variable b track the mix predicate s != l
: :
shared int s = 0;local int l = 1;assert s != l;++s;
local bool b = 1;
assert b;b = b ? * : 1 ;
Naïve solution
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
: :
What’s the problem?
Consider the program 2 : we can see that execute this program can lead to an assertion violation.But, the corresponding concurrent Boolean program 2 is correct. 2 is an unsound abstraction for 2
shared int s = 0;local int l = 1;assert s != l;++s;
local bool b = 1;
assert b;b = b ? * : 1 ;
Naïve solution
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
So, we’ll try to track a mix predicate with a shared Boolean variable:
Example: shared variable b tracks the mix predicate s == l
: :
shared int s = 0;shared bool t = 0;local int l = 0;If * then if t then assert s != l;l = s + 1;t = 1;
shared bool b = 1;shared bool t = 0;
If * then if t then assert ! b;b = 0;t = 1;
Naïve solution
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
: :
Still, we have the same problem!
2 is an unsound abstraction for ’2
shared int s = 0;shared bool t = 0;local int l = 0;If * then if t then assert s != l;l = s + 1;t = 1;
shared bool b = 1;shared bool t = 0;
If * then if t then assert ! b;b = 0;t = 1;
Naïve solution
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
The unsoundness can be eliminated by making b local in .
But, an analogous reasoning removes the unsoundness in as abstraction to .
Conclusion: a predicate of the form s == l that genuinely depends on s and l cannot be tracked by a shared or a local variable
The assertion in this program cannotcannot be violated
We can prove that over a set od nonmixed predicates, no invariant is computable that is strong enoughto prove s == l.
Naïve solution
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
0: shared int s = 0;1: shared int r = 0;2: local int l = 0;3: ++r;4: if ( r == 1 ) then5: ++s; ++l;6: assert s == l;7: goto 5
Naïve solution
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
Solution:
• Instantiate the template n times into programs {1, . . ., n}
• Every predicate refers to local variables instantiated n times
Naïve solution - summarize
• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution
Mixed predicate as local Make unsound abstraction
Mixed predicate as shared Make unsound abstraction
Use only shared or local predicate Cannot verify a simple bug-free program
Instantiate the template as the number of threads The program is no longer symmetric – cause state explosion Symmetry oblivious – will not scale beyond a very small
number of threads
Symmetry Aware Predicate Abstraction
Symmetry Aware
Predicate Abstraction
Definitions Mixed predicate and notify all updates Implementing Notify-All updates The predicate abstraction algorithm
Definitions VS : a set of shared variables VL : a set of local variables
Loc() = {v: v occurs in } affects(v, ) = variable v affects must_notify(v, ) = the shared variable v
affects the mixed predicate A predicate i is :
shared iff Loc(i) VS
local iff Loc(i) VL
mixed iff Loc(i)VSand Loc(i)VL
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Let be a program defined over a set of variables V = VS VL
The parallel execution of by n threads is a program defined over VS and n copies of VL .
• No aliasing • Assignment to v cannot modify another variable
but v• An expression depends only on the variables
occurring in it
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Mix predicates and
Notify-All updatesLet E = {1, … , m} be a set of predicates over .
{b1, … , bm} is the Boolean variables in program .
bi tracks over predicate i .
We partition the boolean variables:bi is shared if i is shared.
otherwise, bi is local.
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Mix predicates and
Notify-All updatesWe have noticed that mixed predicate are tracked in local variables
Why?
Declaring bi shared would lose information,
declaring it local doesn’t – though, it is insufficient to guarantee a sound abstraction. This is a problem we can solve!
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Mix predicates and
Notify-All updates Each statement in is translated into a
corresponding statement in
Handling assignments:consider an assignment to variable v in and a
Boolean variable b of with associated predicate :- First we check affects (v, )
- if it evaluates to false – b does not change- otherwise, code needs to be generated to update b.
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Mix predicates and
Notify-All updatesWe need to consider three different update of b:
1. Shared update - v and are both shared :
we generate code to update b according to the
(*)standard sequential predicate abstraction rule.
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Mix predicates and
Notify-All updates
2. Local update - v is local and is local or mixed:
the value of b changes only for the active thread.
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Mix predicates and
Notify-All updates
3. Notify-All update - v is shared and is mixed:
the mixed predicate is tracked by local variable b.1. We generate code to update b locally (like in previous cases)2. We notify all passive threads about the modification of shared
variable v (and they will update their local copy of b)
this formula evaluates to true exactly when its necessary to notify
passive threads of an update to v
• Definitions• Mixed predicate• Notify All implementation• The algorithm
_ , , S Lmust notif y v aff ects v v V Loc V
Weakest precondition
For a statement st and a predicate WP(st , ) is the weakest predicate whose truth before s
entails the truth of after st terminates.
For example: WP (x=x+1 , x<5) = (x<4)
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Weakest preconditionStatement st occurs between program points p and p’. is a predicate in E with corresponding boolean b.
it is safe to assign b:=true between p and p’ if the boolean variable , b’ , corresponding to WP(st, ) is true at point p.
But , what happened if WP(st, ) isn’t in E ?
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Weakest preconditionExample:
E = {(x<5) , (x=2) }we have seen that WP(x=x+1,x<5) = x<4but x<4 is not in E.
In that case we need to strengthen the WP to an expression over the predicated in E.
(x = 2) (x<4)if (x=2) is true before x:=x+1, then x<5 is true afterwards
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Weakest preconditionExample:
E = {(x<5) , (x=2) }we have seen that WP(x=x+1,x<5) = x<4but x<4 is not in E.
In that case we need to strengthen the WP to an expression over the predicated in E.
(x = 2) (x<4)if (x=2) is true before x:=x+1, then x<5 is true afterwards
(WP(st, )) the strengthens of WP.
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Weakest precondition(*) sequential predicate abstraction:
Given a set E = {1, … , m} of predicates tracked by variable {b1, … , bm} , assignment statement st is translated into the following code, for each i {1,…,m}:
if (WP(st, i)) then bi = 1
else if (WP(st,i)) then bi = 0
else bi = *
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Weakest preconditionFor example: : (l<10) tracked by b,
E={} , st: (++l)
( WP(st, ) ) = ( l < 9 ) = false( WP(st, ) ) = ( l 9) = l 10 =
So, according to the previous formula:b = ( b ? * : 0 )
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Weakest precondition
In general, the formula is often abbreviated using the assignment:
bi = choose (( WP(st, i) ) , ( WP(st, i) ) )
Where choose (x,y) return 1 if x evaluates to true, 0 if x y evaluates to true * otherwise
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Implementing Notify-All
updates
If must_notify( v, ) evaluated to true tracked in by a local boolean , b.
Predicate abstracting an assignment of the form v = is implemented using two assignments.
(1) b = choose (( WP(st, ) ) , ( WP(st, ) ) )(2) [b] = choose (( WP(st, []) ) , ( WP(st, ]) ) )
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Implementing Notify-All
updates
[b] stands for the copy of local variable b owned by some passive thread
Similarly, [] stands for the expression defining predicate , but with every local variable occurring in the expression replaced by the copy owned by the passive thread
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Implementing Notify-All
updates(1) b = choose (( WP(st, ) ) , ( WP(st, ) ) )(2) [b] = choose (( WP(st, []) ) , ( WP(st, ]) ) )
Example:
Statement: (s = l) shared and local variable
Mixed predicate, : (s == l)
The code generated for this is:b = true[b] = choose (( WP(s=l, s==[l]) ) , ( WP(s=l, (s==[l]) ) ))
[b] = choose ((l==[l]) , ( WP(s=l, (l==[l]) ) ))
• Definitions• Mixed predicate• Notify All implementation• The algorithm
The Algorithm
• Definitions• Mixed predicate• Notify All implementation• The algorithm
𝒢 (𝜙 )=¬ℱ (¬ (𝜙 ))
The Algorithm
• Definitions• Mixed predicate• Notify All implementation• The algorithm
Indexes of all the predicate that that effected by v
The Algorithm
• Definitions• Mixed predicate• Notify All implementation• The algorithm
When v is shared, indexes of mixed predicate s.t the corresponding boolean predicate is local and needs to be updated separately
Symmetry Aware Predicate Abstraction
with Aliasing
Symmetry Aware
Predicate Abstraction with
Aliasing
Assumptions Definitions The algorithm
Assumptions We don’t consider programs where a shared pointer
variable, or pointer variable local to thread i, can point to a variable local to thread j (when i j).
When p is a local variable of type int*, and predicate :(*p ==1), is local if p can never point to a shared variable, otherwise, is classed as mixed.
We have a black box pointer alias analysis for concurrent programs. For a program over variable v, it yields the relation d VxV for each program location d.
• Assumptions• Definitions• The algorithm
Definitions For v,w V, if vdw then v doesn’t point to w at d. loc(,d) = the set of variables that it may be necessary to
access in order to evaluate expression in point d. loc(z, d) = for a constant value z loc(v, d) = {v} loc(&v, d) = loc v, d) = {v} {loc( w,d) | v d w}
Loc() = loc(,d) targets(x,d) = the set of variables that may be modified by
writing to l-value x at program point d. targets(v, d) = {v} targets(*v, d) = {w V | v d w}
• Assumptions• Definitions• The algorithm
Predicate Abstraction
Algorithm with Aliasing We define predicate to be shared local or mixed with
respect to alias information with the new definition of Loc.
Without pointers we defined affects(v, ) = (v Loc() ) indicate that updating v may affect the truth of .
with pointers this definition is not sufficient.the truth of may be affected by assigning to l-value x
if some variable that depends on points to x.
Now: affects(x, , d) = (target(x,d) loc(, d) )
• Assumptions• Definitions• The algorithm
must_notify Again, we need to determine whether an update affects
the truth of a predicate only for the threads executing the update, or for all threads.
We need to define must_notify like we did without aliasing.
• Assumptions• Definitions• The algorithm
must_notify – first try
The previous definition (without aliasing) was:
So, we can try to adapt it to this situation with the new definitions:
_ , , S Lmust notif y v aff ects v v V Loc V
_ , , , ,
arg , S L
must notif y x d aff ects x d
t ets x d V Loc V
• Assumptions• Definitions• The algorithm
must_notify – first trySuppose we have the following variables:
• shared s, t• local l• local pointer p
s.t : p d t and p d l
• : ( s < l )
Consider an assignment to *p at point d:The only shared variable that can be modified is t, and the truth of doesn’t depend on it.
• Assumptions• Definitions• The algorithm
must_notify – second trySecond Try
Meaning: is mixed and , and exists variable v that may changed as a results of writing to x at point d, and one must access v to evaluate .
The predicate abstraction algorithm can now be adapted to handle pointers
_ , , arg , S
L
must notif y x d t ets x d V Loc
Loc V
• Assumptions• Definitions• The algorithm
The Algorithm
• Assumptions• Definitions• The algorithm
The CEGAR loop
The CEGAR Loop
Reminder Adept CEGAR loop to handle concurrency
Remainder
Th is not spuriouscheck spuriouscounterexample
Th
stop
Mh |=
generatecounterexample Th
Mh |=
model check
Mh
generate initialabstraction
M and
refinement
This spurious
• Remainder• CEGAR loop with concurrency
Remainder
Th is not spuriouscheck spuriouscounterexample
Th
stop
Mh |=
generatecounterexample Th
Mh |=
model check
Mh
generate initialabstraction
M and
refinement
This spurious
• Remainder• CEGAR loop with concurrency
Remainder
Th is not spuriouscheck spuriouscounterexample
Th
stop
Mh |=
generatecounterexample Th
Mh |=
model check
Mh
generate initialabstraction
M and
refinement
This spurious
• Remainder• CEGAR loop with concurrency
Remainder
Th is not spuriouscheck spuriouscounterexample
Th
stop
Mh |=
generatecounterexample Th
Mh |=
model check
Mh
generate initialabstraction
M and
refinement
This spurious
• Remainder• CEGAR loop with concurrency
spurious
counterexample
x1
x2
y1
y2
X Y
Considering the counterexample Y X Y :This path exists only in the abstract model
• Remainder• CEGAR loop with concurrency
Remainder
Th is not spuriouscheck spuriouscounterexample
Th
stop
Mh |=
generatecounterexample Th
Mh |=
model check
Mh
generate initialabstraction
M and
refinement
This spurious
• Remainder• CEGAR loop with concurrency
Remainder
Th is not spuriouscheck spuriouscounterexample
Th
stop
Mh |=
generatecounterexample Th
Mh |=
model check
Mh
generate initialabstraction
M and
refinement
This spurious
• Remainder• CEGAR loop with concurrency
Adept CEGAR loop
to handle concurrency
Model checking boolean broadcast program
Simulation
Refinement
• Remainder• CEGAR loop with concurrency
Model checking
boolean broadcast program
We can no longer use existing concurrent Boolean program model checkers such as Boom (*).
A prototype extension of Boom which called B-Boom can overcome the problem that the new syntax and semantics for broadcasts created.
B-Boom extends the capabilities of Boom to support broadcast operations.
• Remainder• CEGAR loop with concurrency
Simulation
The existing SATABS simulator: extracts the control flow from the trace Mapped it back to the original C program Translate it into a propositional formula
The error is spurious exactly if the formula is unsatisfiable
For concurrent case the control flow information of an abstract trace includes which thread executes actively in each steps.
An extended version of the SATABS create a trace over a replicated C program which can be checked using SAT
• Remainder• CEGAR loop with concurrency
Refinement
The implementation performs refinement by extracting new predicates from counterexample via WP calculations.
• Remainder• CEGAR loop with concurrency
Experimental results
Experimental results
Symmetry-aware vs. Symmetry oblivious
Sound abstraction vs. unsound abstraction
Symmetry aware
vs.
Symmetry oblivious
Reminder:
SOPA: an n-thread symmetric concurrent program expanded so that variables for all threads are
explicitly duplicated and n copies of all non-shared predicate are generated.
Sound Abs
vs.
Unsound Abs
Reminder:
we saw Unsound Abstraction in the two naïve solutions to the mixed predicate problem.