Concurrent Program Verification with Lazy Sequentialization and Interval Analysis

  • Truc L. Nguyen
  • Bernd Fischer
  • Salvatore La Torre
  • Gennaro Parlato
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10299)

Abstract

Lazy sequentialization has proven to be one of the most effective techniques for concurrent program verification. The Lazy-CSeq sequentialization tool performs a “lazy” code-to-code translation from a concurrent program into an equivalent non-deterministic sequential program, i.e., one that preserves the valuations of the program variables along its executions. The resulting program is then analyzed with sequential bounded model checking tools. However, the size of the individual states still limits further scaling. We therefore use abstract interpretation to minimize the representation of the concurrent program’s (shared global and thread-local) state variables. More specifically, we run the Frama-C abstract interpretation tool over the programs constructed by Lazy-CSeq to compute overapproximating intervals for all (original) state variables, and then exploit CBMC’s bitvector support to reduce the number of bits required to represent them in the sequentialized program. We have implemented this approach in the latest release of Lazy-CSeq and demonstrate its effectiveness; in particular, we show that it leads to large performance gains on very hard verification problems.
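The step from overapproximating intervals to reduced bitvector widths, as an added illustration that is not Lazy-CSeq, Frama-C or CBMC code: the intervals are constructed by hand in the shape a value analysis would report, the original C types are assumed to be 32-bit `int`, and the emitted `__CPROVER_bitvector[N]` declarations assume that CBMC type as the reduction mechanism (the paper's exact encoding is not on this page). A variable whose interval is unbounded (top) keeps its original width, since the analysis gives no sound reason to shrink it.

```python
"""Map interval bounds from a value analysis to minimal bitvector widths."""
from dataclasses import dataclass
from typing import Optional, Tuple

Interval = Optional[Tuple[int, int]]   # None stands for "top": no bound known


@dataclass
class Var:
    name: str
    orig_bits: int        # width of the original C type (assumed: 32-bit int)
    interval: Interval    # constructed result of the interval analysis


def min_width(iv: Interval, orig_bits: int) -> int:
    """Smallest unsigned or two's-complement width holding every value in iv."""
    if iv is None:                    # top: keep the original width
        return orig_bits
    lo, hi = iv
    if lo > hi:
        raise ValueError("empty interval")
    if lo >= 0:                       # unsigned encoding suffices
        bits = max(1, hi.bit_length())
    else:                             # signed: room for both lo and hi
        bits = max((-lo - 1).bit_length(), hi.bit_length()) + 1
    return min(bits, orig_bits)       # never widen beyond the original type


def declaration(v: Var) -> str:
    """C declaration with the reduced width (assumed CBMC bitvector syntax)."""
    bits = min_width(v.interval, v.orig_bits)
    if bits == v.orig_bits:
        return f"int {v.name};"       # nothing gained; keep the original type
    sign = "unsigned" if v.interval[0] >= 0 else "signed"
    return f"{sign} __CPROVER_bitvector[{bits}] {v.name};"


def total_bits(vars_) -> Tuple[int, int]:
    """Total state bits before and after the reduction."""
    before = sum(v.orig_bits for v in vars_)
    after = sum(min_width(v.interval, v.orig_bits) for v in vars_)
    return before, after


# Constructed sample state: shared counter, thread id, lock flag, signed delta,
# and one value the analysis could not bound.
STATE = [
    Var("counter", 32, (0, 1000)),    # loop bound known -> 10 bits
    Var("tid", 32, (0, 3)),           # four threads -> 2 bits
    Var("locked", 32, (0, 1)),        # boolean flag -> 1 bit
    Var("delta", 32, (-128, 127)),    # signed range -> 8 bits
    Var("input", 32, None),           # top: keep all 32 bits
]

if __name__ == "__main__":
    for v in STATE:
        print(declaration(v))
    print("state bits before/after:", total_bits(STATE))
```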

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Truc L. Nguyen (1)
  • Bernd Fischer (2)
  • Salvatore La Torre (3)
  • Gennaro Parlato (1)
  1. Electronics and Computer Science, University of Southampton, Southampton, UK
  2. Division of Computer Science, Stellenbosch University, Stellenbosch, South Africa
  3. Dipartimento di Informatica, Università degli Studi di Salerno, Fisciano, Italy