
A Light-Weight Approach for Verifying Multi-Threaded Programs with CPAchecker (slides)



  1. A Light-Weight Approach for Verifying Multi-Threaded Programs with CPAchecker
     ThreadingCPA
     Dirk Beyer (1), Karlheinz Friedberger (2)
     (1) LMU Munich, Germany; (2) University of Passau, Germany
     Dirk Beyer, Karlheinz Friedberger: ThreadingCPA

  2. Multi-Threaded Programs on the Rise: Why do we need multi-threaded programs? Where do we use them?
     Multi-threaded programs appear everywhere!
     - several threads per CPU core, multi-core CPUs
     - Linux kernel, device drivers
     - internet, web and cloud services, IoT, ...
     SV-COMP: special category for concurrent programs

  3-4. Verifying Multi-Threaded Programs: A Very Old Problem
     Several approaches available:
     - direct analysis of all thread interleavings
     - program sequentialization
     - formula-based encoding of threads
     Combined with some optimization:
     - partial order reduction (ample sets, ...)
     - iteration order for state-space exploration
     - bounded model checking (bounded number of threads, ...)

  5. Multi-Threaded Programs and CPAchecker: What can CPAchecker do?
     Several approaches already available in CPAchecker (all of them are based on the pthreads library):
     - formula-based encoding with predicate analysis → very old orphaned branch
     - sequentialization of the CFA → student's thesis, needs some work
     - ThreadingCPA: handles program locations for multiple threads
       → replaces LocationCPA
       → everything else should work out-of-the-box (really?)

  6-7. Basics: What every developer of CPAchecker already knows
     CFA: control-flow automaton with location nodes (program counter) and edges (statements and assumptions); one CFA per function, all functions connected into the super-graph of the program
     CPA:
     - abstract domain: what does an abstract state look like?
     - transfer relation: how to handle a single edge?
     - merge and stop operator: how are abstract states related?

  8-10. ThreadingCPA ... just another CPA
     LocationCPA: one program location per abstract state
     Basic idea: track many program locations instead of one
     - abstract state: { t1 ↦ l_t1, t2 ↦ l_t2, ... }
     - transfer relation: s → s' via edge g, where s' depends on the edge g:
       1. pthread_create: add a new location for the new thread
       2. pthread_join: remove the exit location of the joined thread
       3. otherwise: just analyze the edge (like LocationCPA, with additional handling of pthread locks)
     - merge and stop operator: based on equality of abstract states (merge-sep and stop-sep)
       → can be combined with other CPAs

  11. Example Program with CFA
     Program (as on the slide, completed with the includes, forward declarations and thread signatures it needs to compile):

         #include <pthread.h>
         #include <assert.h>

         pthread_t id1, id2;
         int i = 1, j = 1;

         void *t1(void *arg);
         void *t2(void *arg);

         int main() {
             pthread_create(&id1, 0, t1, 0);
             pthread_create(&id2, 0, t2, 0);
             pthread_join(id1, 0);
             pthread_join(id2, 0);
             assert(j <= 8);
             return 0;
         }

         void *t1(void *arg) {
             i += j;
             i += j;
             return 0;
         }

         void *t2(void *arg) {
             j += i;
             j += i;
             return 0;
         }

     CFA of main (nodes 0 to 7):
         0 --[pthread_t id1, id2;]--> 1 --[int i=1; j=1]--> 2 --[pthread_create(&id1, 0, t1, 0);]--> 3
           --[pthread_create(&id2, 0, t2, 0);]--> 4 --[pthread_join(id1, 0);]--> 5 --[pthread_join(id2, 0);]--> 6 --[assert(j<=8);]--> 7
     CFA of t1 (nodes A to C):
         A --[i+=j;]--> B --[i+=j;]--> C
     CFA of t2 (nodes X to Z):
         X --[j+=i;]--> Y --[j+=i;]--> Z

  12. Example CFA and ARG
     (Figure: the CFA of slide 11 next to the ARG built by the ThreadingCPA. The abstract states, as far as they can be read from the figure, grouped here by the number of edges executed:)
     main ↦ 0
     main ↦ 1
     main ↦ 2
     main ↦ 3, id1 ↦ A
     main ↦ 3, id1 ↦ B   |   main ↦ 4, id1 ↦ A, id2 ↦ X
     main ↦ 3, id1 ↦ C   |   main ↦ 4, id1 ↦ B, id2 ↦ X   |   main ↦ 4, id1 ↦ A, id2 ↦ Y
     main ↦ 4, id1 ↦ C, id2 ↦ X   |   main ↦ 4, id1 ↦ B, id2 ↦ Y   |   main ↦ 4, id1 ↦ A, id2 ↦ Z
     main ↦ 5, id2 ↦ X   |   main ↦ 4, id1 ↦ C, id2 ↦ Y   |   main ↦ 4, id1 ↦ B, id2 ↦ Z
     main ↦ 5, id2 ↦ Y   |   main ↦ 4, id1 ↦ C, id2 ↦ Z
     main ↦ 5, id2 ↦ Z
     main ↦ 6
     main ↦ 7

  13-15. Verifying Multi-Threaded Programs with CPAchecker: Is the ThreadingCPA compatible with (all) other CPAs?
     Partially!
     - We have to handle several call stacks, one per thread
       → integrate CallstackCPA into ThreadingCPA
     - ValueCPA, BDDCPA, IntervalCPA:
       → track assignments, identify variables as f::x
       → problem: same function called in several threads?
       → solution: avoid colliding function names by cloning each function before the analysis
     - Other CPAs and algorithms: TODO
       → some small changes required (several locations per state)
       → PredicateCPA: block operator matches thread interleavings?
       → more advanced thread management

  16. Optimization for the ThreadingCPA: Is this simple approach efficient?
     Not yet! We need optimization!
     - partial order reduction → implemented in ThreadingCPA
     - bound number of threads → implemented in ThreadingCPA
     - iteration order → implemented as waitlist order, like BFS and DFS
     - partitioning abstract states based on program location → inherit from Partitionable and use PartitionedReachedSet
     - equality for call-stack states with different object identities! CPAchecker does not use equality for call stacks by default!
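
     The exploration described on slides 10, 12 and 16, written out as an added example in Python; this is not CPAchecker code. The CFA of the slide-11 program is hand-written below (node names 0-7, A-C, X-Z as on slide 11), the abstract state is the location map of slide 10 combined with a concrete value map for i and j, and the reached set is keyed by the location map, which is what the partitioning on slide 16 buys. The `por` switch is a deliberately conservative reduction of my own (expand only an edge that touches no shared variable), not CPAchecker's partial order reduction; the `max_threads` bound and the BFS/DFS waitlist order stand in for the other two items on slide 16.

```python
"""ThreadingCPA-style exploration of the slide-11 program (added example)."""
from collections import deque

SHARED = {"i", "j"}  # the globals of the example program


def i_plus_j(e):  # t1: i += j
    return {**e, "i": e["i"] + e["j"]}


def j_plus_i(e):  # t2: j += i
    return {**e, "j": e["j"] + e["i"]}


# Hand-written CFA of the slide-11 program: node -> [(kind, payload, shared_vars, successor)].
# shared_vars lists the shared variables the edge accesses; it drives the reduction below.
CFA = {
    0: [("stmt", None, set(), 1)],                         # pthread_t id1, id2;
    1: [("stmt", lambda e: {"i": 1, "j": 1}, SHARED, 2)],  # int i=1; j=1
    2: [("create", ("id1", "A"), set(), 3)],               # pthread_create(&id1, 0, t1, 0);
    3: [("create", ("id2", "X"), set(), 4)],               # pthread_create(&id2, 0, t2, 0);
    4: [("join", "id1", set(), 5)],                        # pthread_join(id1, 0);
    5: [("join", "id2", set(), 6)],                        # pthread_join(id2, 0);
    6: [("assert", lambda e: e["j"] <= 8, {"j"}, 7)],      # assert(j<=8);
    7: [],                                                 # exit of main
    "A": [("stmt", i_plus_j, SHARED, "B")], "B": [("stmt", i_plus_j, SHARED, "C")], "C": [],
    "X": [("stmt", j_plus_i, SHARED, "Y")], "Y": [("stmt", j_plus_i, SHARED, "Z")], "Z": [],
}
EXIT = {7, "C", "Z"}  # exit locations of main, t1, t2


def freeze(d):
    """Hashable form of a dict, so abstract states can be compared by equality."""
    return tuple(sorted(d.items()))


def enabled_edges(locs):
    """(thread, edge) pairs whose transfer is defined in the location map `locs`."""
    out = []
    for thread, loc in locs.items():
        for edge in CFA[loc]:
            if edge[0] == "join" and locs.get(edge[1]) not in EXIT:
                continue  # pthread_join waits until the joined thread is at its exit
            out.append((thread, edge))
    return out


def successors(state, por):
    """Transfer relation of slide 10; `por` enables a simple partial order reduction."""
    locs, env = dict(state[0]), dict(state[1])
    edges = enabled_edges(locs)
    if por:
        # An edge touching no shared variable commutes with every edge of the other
        # threads, so expanding only that edge loses no reachable shared state
        # (a conservative ample set; not CPAchecker's own POR implementation).
        local = [te for te in edges if not te[1][2]]
        if local:
            edges = local[:1]
    for thread, (kind, payload, _, succ) in edges:
        new_locs, new_env, error = dict(locs), env, False
        if kind == "create":            # 1. add a location for the new thread
            new_locs[payload[0]] = payload[1]
        elif kind == "join":            # 2. remove the exit location of the joined thread
            del new_locs[payload]
        elif kind == "stmt" and payload is not None:  # 3. analyze the edge itself
            new_env = payload(env)
        elif kind == "assert":
            error = not payload(env)
        new_locs[thread] = succ
        yield (freeze(new_locs), freeze(new_env)), error


def explore(order="bfs", por=False, max_threads=3):
    """Build the ARG of slide 12. Returns (reached, errors); `reached` maps each
    location map to the set of value maps seen with it (a partitioned reached set)."""
    init = (freeze({"main": 0}), freeze({}))
    reached = {init[0]: {init[1]}}
    waitlist = deque([init])
    errors = 0
    while waitlist:
        state = waitlist.popleft() if order == "bfs" else waitlist.pop()
        for succ, error in successors(state, por):
            errors += error
            if len(succ[0]) > max_threads:
                continue  # thread bound: states with more threads are not explored
            partition = reached.setdefault(succ[0], set())
            if succ[1] in partition:
                continue  # stop-sep: an equal abstract state is already reached
            partition.add(succ[1])  # merge-sep: never merge, keep states separate
            waitlist.append(succ)
    return reached, errors


def max_j(reached):
    """Largest value of j in any reached state."""
    return max(dict(env).get("j", 0) for envs in reached.values() for env in envs)


if __name__ == "__main__":
    for por in (False, True):
        reached, errors = explore(por=por)
        print(f"por={por}: {len(reached)} location maps, "
              f"{sum(map(len, reached.values()))} states, {errors} assertion violations")
```

     Without the reduction the reached set has exactly the 20 location maps drawn on slide 12; with it, the two states in which t1 runs before the second pthread_create are never expanded, and the assertion j <= 8 is still found to hold with j reaching 8 in both runs. Lowering `max_threads` to 2 silently drops the creation of id2, which is the price of any thread bound.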

  17. Evaluation on the Category "Concurrency", SV-COMP'16: Value Analysis with Optimization Steps
     (Plot: CPU time in seconds, log scale from 1 to 1,000, over the n-th fastest result, 0 to 1,000. Series: plain value analysis; + partitioning; + waitlist order; + POR (opt. VA).)

  18. Evaluation on the Category "Concurrency", SV-COMP'16: Different analyses in CPAchecker
     (Plot: CPU time in seconds, log scale from 1 to 1,000, over the n-th fastest result, 0 to 1,000. Series: BDD analysis; interval analysis; opt. VA.)

  19. Evaluation on the Category "Concurrency", SV-COMP'16: Comparison of CPAchecker with other tools
     (Plot: CPU time in seconds, log scale from 1 to 1,000, over the n-th fastest result, 0 to 1,000. Series: CBMC; VVT; opt. VA.)

  20-21. Further Possibilities: CPAchecker is very flexible
     - Validation witnesses: export counterexamples in GraphML
       → extension of the format: include identifiers for threads
     - Deadlock detection:
       → for the user: just change the specification
       → detail: the strengthening operator allows the ThreadingCPA to inform the AutomatonCPA about a deadlock it found
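
     Deadlock detection on top of a ThreadingCPA-style state, as an added example for slide 21 (not CPAchecker's implementation, and not the witness format). Threads are modelled as straight-line sequences of pthread_mutex_lock / pthread_mutex_unlock calls; the abstract state keeps one program counter per thread plus the owner of every lock, standing in for the pthread-lock handling that slide 10 mentions. The specification, which is the AutomatonCPA's job on the slide, is reduced to a single predicate: a state is a deadlock when some thread has not terminated and no thread has an enabled edge. The two-philosopher programs and the names are constructed for this example (the names are borrowed from slide 22).

```python
"""Deadlock detection over lock-aware thread states (added example)."""


def philosopher(first, second):
    """Constructed thread body: take two forks, eat, put them back."""
    return [("lock", first), ("lock", second), ("unlock", second), ("unlock", first)]


# Constructed inputs: two philosophers sharing two forks. CIRCULAR takes the forks in
# opposite orders (the classic deadlock); ORDERED always takes fork0 before fork1.
CIRCULAR = {"plato": philosopher("fork0", "fork1"), "socrates": philosopher("fork1", "fork0")}
ORDERED = {"plato": philosopher("fork0", "fork1"), "socrates": philosopher("fork0", "fork1")}


def enabled(program, pcs, owners):
    """Threads with an enabled edge: not at their exit, and not waiting for a held lock."""
    out = []
    for thread, pc in pcs.items():
        if pc == len(program[thread]):
            continue  # thread already at its exit location
        op, lock = program[thread][pc]
        if op == "lock" and lock in owners:
            continue  # pthread_mutex_lock on a lock someone holds: edge blocked
        out.append(thread)
    return out


def step(program, pcs, owners, thread):
    """Transfer relation for one lock/unlock edge of `thread`."""
    op, lock = program[thread][pcs[thread]]
    new_owners = dict(owners)
    if op == "lock":
        new_owners[lock] = thread
    else:
        del new_owners[lock]  # unlock releases the lock for the other threads
    new_pcs = dict(pcs)
    new_pcs[thread] += 1
    return new_pcs, new_owners


def is_deadlock(program, pcs, owners):
    """The specification: some thread still runs, but nobody can take an edge."""
    alive = any(pc < len(program[t]) for t, pc in pcs.items())
    return alive and not enabled(program, pcs, owners)


def find_deadlock(program):
    """Explore all interleavings (DFS with stop-sep on equal states);
    return (pcs, owners) of the first deadlocked state, or None."""
    init = (tuple(sorted((t, 0) for t in program)), ())
    seen = {init}
    stack = [init]
    while stack:
        pcs_t, owners_t = stack.pop()
        pcs, owners = dict(pcs_t), dict(owners_t)
        if is_deadlock(program, pcs, owners):
            return pcs, owners
        for thread in enabled(program, pcs, owners):
            npcs, nowners = step(program, pcs, owners, thread)
            state = (tuple(sorted(npcs.items())), tuple(sorted(nowners.items())))
            if state not in seen:
                seen.add(state)
                stack.append(state)
    return None


if __name__ == "__main__":
    print("circular:", find_deadlock(CIRCULAR))  # both hold one fork, wait for the other
    print("ordered: ", find_deadlock(ORDERED))   # None
```

     The only deadlocked state of CIRCULAR is the one where each philosopher holds his first fork and waits for the other one; the returned program counters and lock owners are exactly the information a thread-aware witness would have to carry. ORDERED has no such state.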

  22. Dining Philosophers Problem: Questions before Dinner?
     (Image: Plato, Konfuzius, Socrates, Voltaire and Descartes)
