Formal Methods in System Design, Volume 39, Issue 1, pp 83–113

Automatic analysis of DMA races using model checking and k-induction

  • Alastair F. Donaldson
  • Daniel Kroening
  • Philipp Rümmer


Modern multicore processors, such as the Cell Broadband Engine, achieve high performance by equipping accelerator cores with small “scratch-pad” memories. The price for increased performance is higher programming complexity – the programmer must manually orchestrate data movement using direct memory access (DMA) operations. Programming using asynchronous DMA operations is error-prone, and DMA races can lead to nondeterministic bugs which are hard to reproduce and fix. We present a method for DMA race analysis in C programs. Our method works by automatically instrumenting a program with assertions modeling the semantics of a memory flow controller. The instrumented program can then be analyzed using state-of-the-art software model checkers. We show that bounded model checking is effective for detecting DMA races in buggy programs. To enable automatic verification of the correctness of instrumented programs, we present a new formulation of k-induction geared towards software, as a proof rule operating on loops. Our techniques are implemented as a tool, Scratch, which we apply to a large set of programs supplied with the IBM Cell SDK, in which we discover a previously unknown bug. Our experimental results indicate that our k-induction method performs extremely well on this problem class. To our knowledge, this marks both the first application of k-induction to software verification, and the first example of software model checking in the context of heterogeneous multicore processors.
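The abstract describes instrumenting a program with assertions that model the memory flow controller (MFC), so that a software model checker can report a DMA race. The block below is an added illustration of that idea and is not code from the paper or from the Scratch tool: it keeps a list of in-flight transfers per local-store region and tag, flags an SPU-side access or a second transfer that overlaps a pending one, and runs a double-buffering loop once correctly and once with a wrong-tag wait. The names dma_get, dma_wait, local_access and run_double_buffer are hypothetical stand-ins for the Cell SDK's mfc_get and tag-wait calls, the buffer sizes are constructed, and the race is counted rather than asserted so the result can be inspected.

```c
/*
 * Added example (not the paper's or Scratch's instrumentation): a concrete
 * model of the MFC bookkeeping that DMA-race assertions need. In the paper the
 * checks below are assertions explored by a model checker over all schedules;
 * here they are executed on two fixed schedules.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PENDING 16
#define CHUNK 64            /* constructed chunk size; any multiple of 16 works */

/* One in-flight transfer: its local-store region [lo, hi) and its tag. */
typedef struct {
    uintptr_t local_lo, local_hi;
    unsigned  tag;          /* Cell MFC tags are 0..31 */
    bool      active;
} pending_t;

static pending_t pending[MAX_PENDING];
static int races_found;     /* stands in for assert(false) in instrumented code */

static bool overlaps(uintptr_t a_lo, uintptr_t a_hi, uintptr_t b_lo, uintptr_t b_hi) {
    return a_lo < b_hi && b_lo < a_hi;
}

/* Count pending transfers whose local region overlaps [lo, hi). */
static int pending_overlaps(uintptr_t lo, uintptr_t hi) {
    int n = 0;
    for (int i = 0; i < MAX_PENDING; i++)
        if (pending[i].active && overlaps(lo, hi, pending[i].local_lo, pending[i].local_hi))
            n++;
    return n;
}

static void model_reset(void) {
    memset(pending, 0, sizeof pending);
    races_found = 0;
}

/* SPU-side read or write of local store: a race if a DMA into that region is
   still in flight, because the MFC may rewrite the bytes at any moment. */
static void local_access(const void *p, size_t len) {
    uintptr_t lo = (uintptr_t)p;
    races_found += pending_overlaps(lo, lo + len);
}

/* Issue an asynchronous transfer into local store (hypothetical stand-in for
   mfc_get). Two in-flight transfers on overlapping regions are also a race. */
static void dma_get(void *local, size_t len, unsigned tag) {
    uintptr_t lo = (uintptr_t)local, hi = lo + len;
    races_found += pending_overlaps(lo, hi);
    for (int i = 0; i < MAX_PENDING; i++)
        if (!pending[i].active) {
            pending[i] = (pending_t){lo, hi, tag, true};
            return;
        }
}

/* Wait for every transfer issued under `tag`; they stop being pending. */
static void dma_wait(unsigned tag) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (pending[i].active && pending[i].tag == tag)
            pending[i].active = false;
}

/* Double-buffered processing of n chunks. The correct loop waits on the tag of
   the buffer it is about to process; the buggy loop waits on the tag of the
   prefetch it just issued, so it reads a buffer whose DMA may still be in flight. */
static int run_double_buffer(int n, bool buggy) {
    static char buf[2][CHUNK];
    model_reset();
    dma_get(buf[0], CHUNK, 0);
    for (int i = 0; i < n; i++) {
        int cur = i & 1, nxt = cur ^ 1;
        if (i + 1 < n)
            dma_get(buf[nxt], CHUNK, (unsigned)nxt);   /* prefetch chunk i+1 */
        dma_wait(buggy ? (unsigned)nxt : (unsigned)cur);
        local_access(buf[cur], CHUNK);                 /* "process" chunk i */
    }
    return races_found;
}

int main(void) {
    printf("correct loop: %d race(s)\n", run_double_buffer(4, false));
    printf("wrong-tag loop: %d race(s)\n", run_double_buffer(4, true));
    return 0;
}
```

Executing the model only shows the race on the schedule that was run; the paper's point is that, once the bookkeeping is expressed as assertions over the program's actual tag and offset expressions, bounded model checking finds a violating schedule automatically and the loop-based k-induction rule can prove that none exists.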


Keywords: Model checking, k-induction, DMA, Multicore programming, Cell BE





Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  • Alastair F. Donaldson (1)
  • Daniel Kroening (1)
  • Philipp Rümmer (2)
  1. Department of Computer Science, University of Oxford, Oxford, UK
  2. Department of Information Technology, Uppsala University, Uppsala, Sweden
