verifying multithreaded software with impact
play

Verifying Multithreaded Software with Impact Bj orn Wachter , - PowerPoint PPT Presentation

Jun 15, 2023 •448 likes •1.06k views

Verifying Multithreaded Software with Impact Bj orn Wachter , Daniel Kroening and Jo el Ouaknine University of Oxford Intro Multi-threading C/C++ with POSIX/WIN 32 threads event processing, device drivers, web servers,

  1. Verifying Multithreaded Software with Impact Bj¨ orn Wachter , Daniel Kroening and Jo¨ el Ouaknine University of Oxford

  2. Intro • Multi-threading • C/C++ with POSIX/WIN 32 threads • event processing, device drivers, web servers, databases, ... • coming to embedded systems • Verification Challenges Multi threading WMM SC data variables pointers loops 2 / 20

  3. Intro • Multi-threading • C/C++ with POSIX/WIN 32 threads • event processing, device drivers, web servers, databases, ... • coming to embedded systems • Verification Challenges Multi threading WMM SC data variables pointers loops symbolic reasoning SMT SAT 2 / 20

  4. Intro • Multi-threading • C/C++ with POSIX/WIN 32 threads • event processing, device drivers, web servers, databases, ... • coming to embedded systems • Verification Challenges Multi threading WMM SC data variables pointers loops symbolic reasoning SMT abstraction SAT predicate abstraction Impact algorithm [McMillan 2006] 2 / 20

  5. Intro • Multi-threading • C/C++ with POSIX/WIN 32 threads • event processing, device drivers, web servers, databases, ... • coming to embedded systems • Verification Challenges Multi threading WMM partial orders SC modular reasoning data variables pointers loops symbolic reasoning SMT abstraction SAT predicate abstraction Impact algorithm [McMillan 2006] 2 / 20

  6. Software model checkers CBMC SatAbs Threader ESBMC Kratos Impact SLAM LLBMC Blast UFO CPAChecker Ultimate ARMC Wolverine Magic 3 / 20

  7. Software model checkers multithreading support CBMC SatAbs Threader ESBMC Kratos Impact SLAM LLBMC Blast UFO CPAChecker Ultimate ARMC Wolverine Magic 3 / 20

  8. Software model checkers multithreading support CBMC ? SatAbs Threader ESBMC Kratos Impact SLAM LLBMC Blast UFO CPAChecker Ultimate ARMC Wolverine Magic 3 / 20

  9. Software model checkers multithreading support CBMC Impara SatAbs Threader ESBMC Kratos Impact SLAM LLBMC Blast UFO CPAChecker Ultimate ARMC Wolverine Magic 3 / 20

  10. Software model checkers multithreading support CBMC Impara SatAbs Threader ESBMC Contribution: Kratos • 1st Impact -style analysis for multithreaded software Impact SLAM • Partial-Order Reduction LLBMC Blast UFO • implemented in Impara CPAChecker Ultimate ARMC Wolverine Magic 3 / 20

  11. Outline • Recap: Impact for Sequential Software • Impact for Multithreaded Software • Partial order reduction • Experiments with our tool Impara 4 / 20

  12. Impact algorithm expand UNSAT SAT refine check CEX interpolation • maintain abstract reachability tree • node labels • covering relation ⊲ v ⊲ w implies label ( v ) ⇒ label ( w ) 5 / 20

  13. Impact algorithm complete expand proof � UNSAT SAT refine check CEX interpolation • maintain abstract reachability tree • node labels • covering relation ⊲ v ⊲ w implies label ( v ) ⇒ label ( w ) • complete iff all nodes either • covered • expanded 5 / 20

  14. Classical SLAM example do { lock(); old=new; if(*) { unlock(); new++; } } while (new!=old); 6 / 20

  15. Classical SLAM example L=0 do { [L!=0] lock(); ERR L=1; old=new old=new; if(*) { * [new!=old] unlock(); L=0;new++ new++; } [new==old] } while (new!=old); 6 / 20

  16. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 True [L!=0] True ERR 6 / 20

  17. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 ERR 6 / 20

  18. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 L=1 ERR old=new True L=0 True new++ [new!=old] [new==old] True [L!=0] True ERR True 6 / 20

  19. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 L=1 ERR old=new True L=0 L = 0 new++ [new!=old] [new==old] False [L!=0] True ERR L = 0 6 / 20

  20. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 L=1 ERR old=new True ⊲ L=0 L = 0 new++ [new!=old] [new==old] False [L!=0] True ERR L = 0 L = 0 6 / 20

  21. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 L=1 ERR old=new True ⊲ L=0 L = 0 new++ [new!=old] [new==old] [new!=old] False [L!=0] [L!=0] True ERR L = 0 L = 0 ERR 6 / 20

  22. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new * [new!=old] L=0;new++ [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 L=1 ERR old=new old = new ⊲ L=0 L = 0 old = new new++ [new!=old] [new==old] [new!=old] False False [L!=0] [L!=0] True ERR L = 0 L = 0 False ERR 6 / 20

  23. L=0 [L!=0] • reachable states ⊆ label ERR L=1; old=new • terminates if all nodes * [new!=old] • covered L=0;new++ • or fully expanded [new==old] Abstract Reachability Tree True L=0 False [L!=0] L = 0 L=1 ERR old=new ⊲ old = new ⊲ L=0 L = 0 old = new new++ [new!=old] [new==old] [new!=old] False False [L!=0] [L!=0] True ERR L = 0 L = 0 False ERR 6 / 20

  24. Impact for Multithreaded Software 7 / 20

  25. Naive Impact for Multi-threading • interleave at every step threads 1,2,3 1 2 3 1 2 3 8 / 20

  26. Example int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: assert(x==0) 0 , 0 0 , 1 9 / 20

  27. Example int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: assert(x==0) 0 , 0 0 , 1 ∗ 2 , 0 x=0 3 , 0 assert(x==0) 3 , 1 9 / 20

  28. Example int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: assert(x==0) 0 , 0 0 , 1 ∗ 2 , 0 T rue x=0 3 , 0 x = 0 assert(x==0) 3 , 1 9 / 20

  29. Example int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: assert(x==0) 0 , 0 0 , 1 ∗ 2 , 0 x = 0 x=0 assert(x==0) 3 , 0 x = 0 2 , 1 assert(x==0) 3 , 1 9 / 20

  30. Example int x=0; thread 1 thread 2 0: assert(x==0); 0: if(*) 1: 1: x=1; 2: x=0; 3: assert(x==0) CEX 0 , 0 0 , 1 ∗ ∗ 1 , 0 x=1 2 , 0 2 , 0 x = 0 assert(x==0) x=0 assert(x==0) 2 , 1 3 , 0 x = 0 2 , 1 assert(x==0) 3 , 1 9 / 20

  31. Naive Impact blows up ART from a concrete case study (Peterson’s algorithm) 10 / 20

  32. Partial-Order Reduction [Godefroid’94, Peled’93, Valmari’90] avoid unnecessary interleavings resulting in same state main() thread 1 thread 2 assume(i!=j); v[i]=0; v[j]=0; A : v[i]=1; a : v[j]=-2; pthread_create ( T 1 ); B : v[i]=v[i]+1; b : v[j]=v[j]+1; pthread_create ( T 2 ); C : v[i]=v[j]; c : v[i]=v[i]+1; pthread_join ( T 1 ); pthread_join ( T 2 ); assert(v[j] ≥ 0); A a B a A b C a B b A c A || a and TID ( A ) < TID ( a ) a C b B c A b C c B c C 11 / 20

  33. Partial-Order Reduction [Godefroid’94, Peled’93, Valmari’90] avoid unnecessary interleavings resulting in same state main() thread 1 thread 2 assume(i!=j); v[i]=0; v[j]=0; A : v[i]=1; a : v[j]=-2; pthread_create ( T 1 ); B : v[i]=v[i]+1; b : v[j]=v[j]+1; pthread_create ( T 2 ); C : v[i]=v[j]; c : v[i]=v[i]+1; pthread_join ( T 1 ); pthread_join ( T 2 ); assert(v[j] ≥ 0); A a B a A b C a B b A c A || a and TID ( A ) < TID ( a ) a C b B c A b C c B c C 11 / 20

  34. Partial-Order Reduction [Godefroid’94, Peled’93, Valmari’90] avoid unnecessary interleavings resulting in same state main() thread 1 thread 2 assume(i!=j); v[i]=0; v[j]=0; A : v[i]=1; a : v[j]=-2; pthread_create ( T 1 ); B : v[i]=v[i]+1; b : v[j]=v[j]+1; pthread_create ( T 2 ); C : v[i]=v[j]; c : v[i]=v[i]+1; pthread_join ( T 1 ); pthread_join ( T 2 ); assert(v[j] ≥ 0); consecutive independent actions only occur in the order of increasing thread ids, e.g., Aa but not aA A a B a A b C a B b A c A || a and TID ( A ) < TID ( a ) B || b and TID ( B ) < TID ( b ) a C b B c A A || b and TID ( A ) < TID ( b ) b C c B c C 11 / 20

  35. Partial-Order Reduction [Godefroid’94, Peled’93, Valmari’90] avoid unnecessary interleavings resulting in same state main() thread 1 thread 2 assume(i!=j); v[i]=0; v[j]=0; A : v[i]=1; a : v[j]=-2; pthread_create ( T 1 ); B : v[i]=v[i]+1; b : v[j]=v[j]+1; pthread_create ( T 2 ); C : v[i]=v[j]; c : v[i]=v[i]+1; pthread_join ( T 1 ); pthread_join ( T 2 ); assert(v[j] ≥ 0); consecutive independent actions only occur in the order of increasing thread ids, e.g., Aa but not aA A a B a A b C a B b A c A || a and TID ( A ) < TID ( a ) B || b and TID ( B ) < TID ( b ) a C b B c A A || b and TID ( A ) < TID ( b ) b C c B c C 11 / 20

  36. Algorithm: POR+Impact (First Attempt) • POR restricts expansion 1: procedure Expand ♦ ( v ) 2: for T ∈ T with ¬ Skip ♦ ( v, T ) do 3: Expand-thread ( T, v ) 12 / 20

Recommend

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm

1 Conventionally, software testing has aimed at verifying functionality but the testing paradigm has changed for software services. Developing a full-featured and functioning software service is necessary; however service real time availability

606 views • 19 slides
Multithreaded Geant4: Semi-Automatic Transformation into Scalable Thread-Parallel Software Xin

Multithreaded Geant4: Semi-Automatic Transformation into Scalable Thread-Parallel Software Xin

Multithreaded Geant4: Semi-Automatic Transformation into Scalable Thread-Parallel Software Xin Dong 1 , Gene Cooperman 1 , and John Apostolakis 2 1 College of Computer Science, Northeastern University, Boston, MA 02115, USA { xindong,gene }

584 views • 12 slides
Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to Fault Injection Attacks Jakub Breier, Dirmanto Jap, and Shivam Bhasin Presenter: Wei He Physical Analysis and Cryptographic Engineering Nanyang

525 views • 26 slides
Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

1.2k views • 72 slides
SE350: Operating Systems Lecture 5: Multithreaded Kernels Outline Use cases for multithreaded

SE350: Operating Systems Lecture 5: Multithreaded Kernels Outline Use cases for multithreaded

SE350: Operating Systems Lecture 5: Multithreaded Kernels Outline Use cases for multithreaded programs Kernel vs. user-mode threads Concurrencys problems Recall: Why Processes &amp; Threads? Go Goals ls: Mu Multiprogramming

549 views • 39 slides
Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman

Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman

Detecting Erroneous Assumptions when verifying software using SMT solvers David R. Cok Eastman Kodak Company Research Laboratories 14 July 2008 AFM 08 (Note: E-version distributed at CAV is the preliminary, not final version) Context

455 views • 44 slides
Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov

Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov

Reducing Time and Efforts When Verifying Large Software Systems with Klever Ilia Zakharov Ivannikov Institute For System Programming of RAS ilja.zakharov@ispras.ru Klever Verification Framework Intended for finding bugs in large software

546 views • 32 slides
On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262

On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262

On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262 Compliance in Simulink Lukas Murer, Torben Stolte Tanja Hebecker, Michael Lipaczewski Uwe Mhrstdt, Frank Ortmeier Motivation Functional safety

589 views • 21 slides
CPALockator Thread-Modular Approach with Transition Abstraction for Analysis of Multithreaded

CPALockator Thread-Modular Approach with Transition Abstraction for Analysis of Multithreaded

CPALockator Thread-Modular Approach with Transition Abstraction for Analysis of Multithreaded Software Pavel Andrianov, andrianov@ispras.ru Motivation Linux module drivers/net/irda/w83977af_ir.ko: 10 000 LOC static void

598 views • 25 slides
Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
Finding Errors in Multithreaded GUI Applications Sai Zhang University of Washington Joint work

Finding Errors in Multithreaded GUI Applications Sai Zhang University of Washington Joint work

Finding Errors in Multithreaded GUI Applications Sai Zhang University of Washington Joint work with: Hao Lu, Michael D. Ernst GUIs are everywhere in modern software 2 Multithreading in GUI applications UI thread A GUI Application UI event

680 views • 36 slides
The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides
SuperMatrix: A Multithreaded Runtime Scheduling System for Algorithms-by-Blocks Ernie Chan, Field

SuperMatrix: A Multithreaded Runtime Scheduling System for Algorithms-by-Blocks Ernie Chan, Field

SuperMatrix: A Multithreaded Runtime Scheduling System for Algorithms-by-Blocks Ernie Chan, Field G. Van Zee, Robert van de Geijn, Paolo Bientinesi, Enrique S. Quintana-Ort and Gregorio Quintana-Ort Software Engineering Seminar Luc Humair

525 views • 50 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory &amp; Coq

verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory &amp; Coq

verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory &amp; Coq 20152016 Radboud University Nijmegen June 16, 2016 0 SHA and VST SHA = Secure Hash Algorithm VST = Verified Software

740 views • 69 slides
Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi, Keijo Heljanko The Problem

Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi, Keijo Heljanko The Problem

Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi, Keijo Heljanko The Problem How to automatically test the local state reachability in multithreaded programs E.g., find assertion violations,

484 views • 23 slides
1 Concurrent Systems Distributed Systems Typically: Typically: Multithreaded or

1 Concurrent Systems Distributed Systems Typically: Typically: Multithreaded or

Today Chair of Software Engineering Complex Systems Software Engineering What is it? Prof. Dr. Bertrand Meyer Examples Dr. Manuel Oriol Technologies involved Dr. Bernd Schoeller Dynamically Evolvable Systems What is it?

375 views • 10 slides
Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers Dining Philosophers Peter Welch and Neil Brown Peter Welch and Neil Brown School of Computing, University of Kent, UK School of Computing,

675 views • 44 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
A Model-driven Methodology for Generating and Verifying CSP-based Java Code no 1 ul N.N. Alborodo

A Model-driven Methodology for Generating and Verifying CSP-based Java Code no 1 ul N.N. Alborodo

A Model-driven Methodology for Generating and Verifying CSP-based Java Code no 1 ul N.N. Alborodo 2 Julio Mari Ra 1 Universidad Polit 2 IMDEA Software Institute ecnica de Madrid Babel research group raul.alborodo@imdea.org

758 views • 45 slides
Trace-driven Simulation of Multithreaded Applications Alejandro Rico, Alejandro Duran, Felipe

Trace-driven Simulation of Multithreaded Applications Alejandro Rico, Alejandro Duran, Felipe

Trace-driven Simulation of Multithreaded Applications Alejandro Rico, Alejandro Duran, Felipe Cabarcas Yoav Etsion, Alex Ramirez and Mateo Valero Multithreaded applications and trace-driven simulation Most computer architecture research

599 views • 25 slides
Verifying Trigonometric Identities A trigonometric identity is simply an identity involving

Verifying Trigonometric Identities A trigonometric identity is simply an identity involving

Verifying Trigonometric Identities A trigonometric identity is simply an identity involving trigonometric functions. We learn to verify and spend time verifying trigonometric identities because the practice we get verifying trigonometric

661 views • 46 slides
Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of Cambridge (Joint with Giampaolo Bella and Fabio Massacci) Plan of Talk The SET Protocol Defining the Formal Models Verifying the

570 views • 24 slides

More recommend