Verifying Concurrent Message-Passing C Programs with Recursive Calls

  • S. Chaki
  • E. Clarke
  • N. Kidd
  • T. Reps
  • T. Touili
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3920)

Abstract

We consider the model-checking problem for C programs with (1) data ranging over very large domains, (2) (recursive) procedure calls, and (3) concurrent parallel components that communicate via synchronizing actions. We model such programs using communicating pushdown systems, and reduce the reachability problem for this model to deciding the emptiness of the intersection of two context-free languages L1 and L2. We tackle this undecidable problem using a CounterExample Guided Abstraction Refinement (CEGAR) scheme. We implemented our technique in the model checker MAGIC and found a previously unknown bug in a version of a Windows NT Bluetooth driver.
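As an added illustration (not code from the paper or from MAGIC), the reduction described above carried through on a constructed pair of components: each component's sequences of synchronizing actions form a context-free language, a target state pair is jointly reachable iff the two languages intersect, and a bounded search can produce a witness trace but never refute reachability, which is why an undecidable problem like this needs an abstraction-refinement scheme. All state, action and component names (p*, q*, call, ret, done) are constructed for this example.

```python
from collections import deque

# Each component is a pushdown system: rules[(state, top_of_stack)] is a list of
# (sync_action, next_state, symbols_to_push); sync_action None is an internal step.
# Names (p*, q*, 'call', 'ret', 'done') are constructed for this example.

def sync_words(rules, start, target, max_len, max_depth=8):
    """Synchronization traces of at most max_len actions from (start, '$') to target.
    Bounding trace length and stack depth makes the search finite: it can find a
    witness, but it can never prove that none exists (the problem is undecidable)."""
    found, seen = set(), set()
    queue = deque([(start, ('$',), ())])
    while queue:
        state, stack, word = queue.popleft()
        if state == target:
            found.add(word)
        if (state, stack, word) in seen:
            continue
        seen.add((state, stack, word))
        for action, nstate, push in rules.get((state, stack[0]), []):
            nword = word + (action,) if action else word
            nstack = tuple(push) + stack[1:]
            if nstack and len(nword) <= max_len and len(nstack) <= max_depth:
                queue.append((nstate, nstack, nword))
    return found

def joint_witness(c1, c2, max_len=8):
    """Shortest trace in L1 & L2 reaching both targets, or None if none exists
    within the bound.  Each component is (rules, start_state, target_state)."""
    common = sync_words(*c1, max_len) & sync_words(*c2, max_len)
    return min(common, key=len) if common else None

# Client: recursive procedure, one 'call' per frame pushed, one 'ret' per frame
# popped, then 'done'.  Trace language call^n ret^n done (n >= 1): context-free.
CLIENT = ({('p0', '$'): [('call', 'p0', ['F', '$'])],
           ('p0', 'F'): [('call', 'p0', ['F', 'F']), (None, 'p1', ['F'])],
           ('p1', 'F'): [('ret', 'p1', [])],
           ('p1', '$'): [('done', 'p2', ['$'])]}, 'p0', 'p2')

# Server that accepts exactly as many returns as calls before 'done'.
SERVER = ({('q0', '$'): [('call', 'q0', ['C', '$'])],
           ('q0', 'C'): [('call', 'q0', ['C', 'C']), (None, 'q1', ['C'])],
           ('q1', 'C'): [('ret', 'q1', [])],
           ('q1', '$'): [('done', 'q3', ['$'])]}, 'q0', 'q3')

# Server with an off-by-one: it waits for one extra 'ret' before accepting 'done',
# so its language is call^n ret^(n+1) done and the intersection with CLIENT is empty.
SERVER_OFF_BY_ONE = ({**SERVER[0], ('q1', '$'): [('ret', 'q2', ['$'])],
                      ('q2', '$'): [('done', 'q3', ['$'])]}, 'q0', 'q3')
```

`joint_witness(CLIENT, SERVER)` returns the trace `('call', 'ret', 'done')`, while `joint_witness(CLIENT, SERVER_OFF_BY_ONE)` returns `None`, which only says no witness exists up to the bound, not that the pair is unreachable.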


Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • S. Chaki (1)
  • E. Clarke (1)
  • N. Kidd (2)
  • T. Reps (2)
  • T. Touili (3)

  1. Carnegie Mellon University, Pittsburgh, USA
  2. University of Wisconsin, Madison, USA
  3. LIAFA, CNRS & University of Paris 7, Paris, France