Results 1 - 10
of
34
Scalable shape analysis for systems code
- In CAV
, 2008
"... Abstract. Pointer safety faults in device drivers are one of the leading causes of crashes in operating systems code. In principle, shape analysis tools can be used to prove the absence of this type of error. In practice, however, shape analysis is not used due to the unacceptable mixture of scalabi ..."
Abstract
-
Cited by 120 (14 self)
- Add to MetaCart
(Show Context)
Abstract. Pointer safety faults in device drivers are one of the leading causes of crashes in operating systems code. In principle, shape analysis tools can be used to prove the absence of this type of error. In practice, however, shape analysis is not used due to the unacceptable mixture of scalability and precision provided by existing tools. In this paper we report on a new join operation ⊔ † for the separation domain which aggressively abstracts information for scalability yet does not lead to false error reports. ⊔ † is a critical piece of a new shape analysis tool that provides an acceptable mixture of scalability and precision for industrial application. Experiments on whole Windows and Linux device drivers (firewire, pcidriver, cdrom, md, etc.) represent the first working application of shape analysis to verification of whole industrial programs. 1
Shape-value abstraction for verifying linearizability
, 2008
"... Abstract. This paper presents a novel abstraction for heap-allocated data structures that keeps track of both their shape and their contents. By combining this abstraction with thread-local analysis and relyguarantee reasoning, we can verify a collection of fine-grained blocking and non-blocking con ..."
Abstract
-
Cited by 31 (3 self)
- Add to MetaCart
(Show Context)
Abstract. This paper presents a novel abstraction for heap-allocated data structures that keeps track of both their shape and their contents. By combining this abstraction with thread-local analysis and relyguarantee reasoning, we can verify a collection of fine-grained blocking and non-blocking concurrent algorithms for an arbitrary (unbounded) number of threads. We prove that these algorithms are linearizable, namely equivalent (modulo termination) to their sequential counterparts. 1
Automatically proving linearizability
- In CAV
, 2010
"... Abstract. This paper presents a practical automatic verification procedure for proving linearizability (i.e., atomicity and functional correctness) of concurrent data structure implementations. The procedure employs a novel instrumentation to verify logically pure executions, and is evaluated on a n ..."
Abstract
-
Cited by 22 (2 self)
- Add to MetaCart
(Show Context)
Abstract. This paper presents a practical automatic verification procedure for proving linearizability (i.e., atomicity and functional correctness) of concurrent data structure implementations. The procedure employs a novel instrumentation to verify logically pure executions, and is evaluated on a number of standard concurrent stack, queue and set algorithms. 1
Experience with Model Checking Linearizability
"... Non-blocking concurrent algorithms offer significant performance advantages, but are very difficult to construct and verify. In this paper, we describe our experience in using SPIN to check linearizability of non-blocking concurrent data-structure algorithms that manipulate dynamically allocated mem ..."
Abstract
-
Cited by 19 (3 self)
- Add to MetaCart
(Show Context)
Non-blocking concurrent algorithms offer significant performance advantages, but are very difficult to construct and verify. In this paper, we describe our experience in using SPIN to check linearizability of non-blocking concurrent data-structure algorithms that manipulate dynamically allocated memory. In particular, this is the first work that describes a method for checking linearizability with non-fixed linearization points. 1
Model Checking Linearizability via Refinement
, 2009
"... Abstract. Linearizability is an important correctness criterion for implementations of concurrent objects. Automatic checking of linearizability is challenging because it requires checking that 1) all executions of concurrent operations be serializable, and 2) the serialized executions be correct wi ..."
Abstract
-
Cited by 15 (5 self)
- Add to MetaCart
(Show Context)
Abstract. Linearizability is an important correctness criterion for implementations of concurrent objects. Automatic checking of linearizability is challenging because it requires checking that 1) all executions of concurrent operations be serializable, and 2) the serialized executions be correct with respect to the sequential semantics. This paper describes a new method to automatically check linearizability based on refinement relations from abstract specifications to concrete implementations. Our method avoids the often difficult task of determining linearization points in implementations, but can also take advantage of linearization points if they are given. The method exploits model checking of finite state systems specified as concurrent processes with shared variables. Partial order reduction is used to effectively reduce the search space. The approach is built into a toolset that supports a rich set of concurrent operators. The tool has been used to automatically check a variety of implementations of concurrent objects, including the first algorithms for the mailbox problem and scalable NonZero indicators. Our system was able to find all known and injected bugs in these implementations. 1
A.: Inductive data flow graphs
- In: POPL
, 2013
"... The correctness of a sequential program can be shown by the anno-tation of its control flow graph with inductive assertions. We pro-pose inductive data flow graphs, data flow graphs with incorpo-rated inductive assertions, as the basis of an approach to verifying concurrent programs. An inductive da ..."
Abstract
-
Cited by 12 (3 self)
- Add to MetaCart
The correctness of a sequential program can be shown by the anno-tation of its control flow graph with inductive assertions. We pro-pose inductive data flow graphs, data flow graphs with incorpo-rated inductive assertions, as the basis of an approach to verifying concurrent programs. An inductive data flow graph accounts for a set of dependencies between program actions in interleaved thread executions, and therefore stands as a representation for the set of concurrent program traces which give rise to these dependencies. The approach first constructs an inductive data flow graph and then checks whether all program traces are represented. The size of the inductive data flow graph is polynomial in the number of data de-pendencies (in a sense that can be made formal); it does not grow exponentially in the number of threads unless the data dependen-cies do. The approach shifts the burden of the exponential explosion towards the check whether all program traces are represented, i.e., to a combinatorial problem (over finite graphs).
Verifying Linearizability with Hindsight
, 2010
"... We present a proof of safety and linearizability of a highlyconcurrent optimistic set algorithm. The key step in our proof is the Hindsight Lemma, which allows a thread to infer the existence of a global state in which its operation can be linearized based on limited local atomic observations about ..."
Abstract
-
Cited by 11 (0 self)
- Add to MetaCart
We present a proof of safety and linearizability of a highlyconcurrent optimistic set algorithm. The key step in our proof is the Hindsight Lemma, which allows a thread to infer the existence of a global state in which its operation can be linearized based on limited local atomic observations about the shared state. The Hindsight Lemma allows us to avoid one of the most complex and non-intuitive steps in reasoning about highly concurrent algorithms: considering the linearization point of an operation to be in a different thread than the one executing it. The Hindsight Lemma assumes that the algorithm maintains certain simple invariants which are resilient to interference, and which can themselves be verified using purely thread-local proofs. As a consequence, the lemma allows us to unlock a perhaps-surprising intuition: a high degree of interference makes non-trivial highlyconcurrent algorithms in some cases much easier to verify than less concurrent ones.
RGSep Action Inference
"... Abstract. We present an automatic verification procedure based on RGSep that is suitable for reasoning about fine-grained concurrent heapmanipulating programs. The procedure computes a set of RGSep actions overapproximating the interference that each thread causes to its concurrent environment. Thes ..."
Abstract
-
Cited by 9 (3 self)
- Add to MetaCart
(Show Context)
Abstract. We present an automatic verification procedure based on RGSep that is suitable for reasoning about fine-grained concurrent heapmanipulating programs. The procedure computes a set of RGSep actions overapproximating the interference that each thread causes to its concurrent environment. These inferred actions allow us to verify safety, liveness, and functional correctness properties of a collection of practical concurrent algorithms from the literature. 1
Z.: Verification of parameterized concurrent programs by modular reasoning about data and control
- In: POPL’12
, 2012
"... In this paper, we consider the problem of verifying thread-state properties of multithreaded programs in which the number of ac-tive threads cannot be statically bounded. Our approach is based on decomposing the task into two modules, where one reasons about data and the other reasons about control. ..."
Abstract
-
Cited by 8 (4 self)
- Add to MetaCart
(Show Context)
In this paper, we consider the problem of verifying thread-state properties of multithreaded programs in which the number of ac-tive threads cannot be statically bounded. Our approach is based on decomposing the task into two modules, where one reasons about data and the other reasons about control. The data module computes thread-state invariants (e.g., linear constraints over global variables and local variables of one thread) using the thread interference in-formation computed by the control module. The control module computes a representation of thread interference, as an incremen-tally constructed data flow graph, using the data invariants provided by the data module. These invariants are used to rule out patterns of thread interference that can not occur in a real program execu-tion. The two modules are incorporated into a feedback loop, so that the abstractions of data and interference are iteratively coars-
Shape Analysis of Low-level C with Overlapping Structures
"... Abstract. Device drivers often keep data in multiple data structures simultaneously while embedding list or tree related records into the records containing the actual data; this results in overlapping structures. Shape analyses have traditionally relied on a graph-based representation of memory whe ..."
Abstract
-
Cited by 6 (0 self)
- Add to MetaCart
(Show Context)
Abstract. Device drivers often keep data in multiple data structures simultaneously while embedding list or tree related records into the records containing the actual data; this results in overlapping structures. Shape analyses have traditionally relied on a graph-based representation of memory where a node corresponds to a whole record and edges to pointers. As this is ill-suited for encoding overlapping structures, we propose and formally relate two refined memory models. We demonstrate the appropriateness of these models by implementing shape analyses based on them within the TVLA framework. The implementation is exemplified using code extracted from cache managing kernel modules. 1
