Results 1  10
of
20
Reducing Concurrent Analysis Under a Context Bound to Sequential Analysis
"... Abstract. This paper addresses the analysis of concurrent programs with shared memory. Such an analysis is undecidable in the presence of multiple procedures. One approach used in recent work obtains decidability by providing only a partial guarantee of correctness: the approach bounds the number of ..."
Abstract

Cited by 72 (12 self)
 Add to MetaCart
Abstract. This paper addresses the analysis of concurrent programs with shared memory. Such an analysis is undecidable in the presence of multiple procedures. One approach used in recent work obtains decidability by providing only a partial guarantee of correctness: the approach bounds the number of context switches allowed in the concurrent program, and aims to prove safety, or find bugs, under the given bound. In this paper, we show how to obtain simple and efficient algorithms for the analysis of concurrent programs with a context bound. We give a general reduction from a concurrent program P, and a given context bound K, to a slightly larger sequential program P K s such that the analysis of P K s can be used to prove properties about P. The reduction introduces symbolic constants and assume statements in P K s. Thus, any sequential analysis that can deal with these two additions can be extended to handle concurrent programs as well, under the context bound. We give instances of the reduction for common program models used in model checking, such as Boolean programs, pushdown systems (PDSs), and symbolic PDSs. 1
Static and precise detection of concurrency errors in systems code using SMT solvers
 In CAV
, 2009
"... Abstract. Contextbounded analysis is an attractive approach to verification of concurrent programs. Bounding the number of contexts executed per thread not only reduces the asymptotic complexity, but also the complexity increases gradually from checking a purely sequential program. Lal and Reps [14 ..."
Abstract

Cited by 36 (7 self)
 Add to MetaCart
(Show Context)
Abstract. Contextbounded analysis is an attractive approach to verification of concurrent programs. Bounding the number of contexts executed per thread not only reduces the asymptotic complexity, but also the complexity increases gradually from checking a purely sequential program. Lal and Reps [14] provided a method for reducing the contextbounded verification of a concurrent boolean program to the verification of a sequential boolean program, thereby allowing sequential reasoning to be employed for verifying concurrent programs. In this work, we adapt the encoding to work for systems programs written in C with the heap and accompanying lowlevel operations such as pointer arithmetic and casts. Our approach is completely automatic: we use a verification condition generator and SMT solvers, instead of a boolean model checker, in order to avoid manual extraction of boolean programs and false alarms introduced by the abstraction. We demonstrate the use of field slicing for improving the scalability and (in some cases) coverage of our checking. We evaluate our tool STORM on a set of realworld Windows device drivers, and has discovered a bug that could not be detected by extensive application of previous tools. 1
Modelchecking Parameterized Concurrent Programs using Linear Interfaces
"... Abstract. We consider the verification of parameterized Boolean programs— abstractions of sharedmemory concurrent programs with an unbounded number of threads. We propose that such programs can be modelchecked by iteratively considering the program under k roundrobin schedules, for increasing valu ..."
Abstract

Cited by 24 (6 self)
 Add to MetaCart
(Show Context)
Abstract. We consider the verification of parameterized Boolean programs— abstractions of sharedmemory concurrent programs with an unbounded number of threads. We propose that such programs can be modelchecked by iteratively considering the program under k roundrobin schedules, for increasing values of k, using a novel compositional construct called linear interfaces that summarize the effect of a block of threads in a k round schedule. We also develop a gametheoretic sound technique to show that k rounds of schedule suffice to explore the entire searchspace, which allows us to prove a parameterized program entirely correct. We implement a symbolic modelchecker, and report on experiments verifying parameterized predicate abstractions of Linux device drivers interacting with a kernel to show the efficacy of our technique. 1
Analyzing Recursive Programs using a Fixedpoint Calculus
"... We show that recursive programs where variables range over finite domains can be effectively and efficiently analyzed by describing the analysis algorithm using a formula in a fixedpoint calculus. In contrast with programming in traditional languages, a fixedpoint calculus serves as a highlevel p ..."
Abstract

Cited by 17 (8 self)
 Add to MetaCart
(Show Context)
We show that recursive programs where variables range over finite domains can be effectively and efficiently analyzed by describing the analysis algorithm using a formula in a fixedpoint calculus. In contrast with programming in traditional languages, a fixedpoint calculus serves as a highlevel programming language to easily, correctly, and succinctly describe modelchecking algorithms. While there have been declarative highlevel formalisms that have been proposed earlier for analysis problems (e.g, Datalog), the fixedpoint calculus we propose has the salient feature that it also allows algorithmic aspects to be specified. We exhibit two classes of algorithms of symbolic (BDDbased) algorithms written using this framework — one for checking for errors in sequential recursive Boolean programs, and the other to check for errors reachable within a bounded number of contextswitches in a concurrent recursive Boolean program. Our formalization of these otherwise complex algorithms is extremely simple, and spans just a page of fixedpoint formulae. Moreover, we implement these algorithms in a tool called GETAFIX which expresses algorithms as fixedpoint formulae and evaluates them efficiently using an symbolic fixedpoint solver called MUCKE. The resulting modelchecking tools are surprisingly efficient and are competetive in performance with mature existing tools that have been finetuned for these problems.
Complexity of Patternbased Verification for Multithreaded Programs
, 2011
"... Patternbased verification checks the correctness of the program executions that follow a given pattern, a regular expression over the alphabet of program transitions of the form w ∗ 1... w ∗ n. For multithreaded programs, the alphabet of the pattern is given by the synchronization operations betwee ..."
Abstract

Cited by 14 (4 self)
 Add to MetaCart
Patternbased verification checks the correctness of the program executions that follow a given pattern, a regular expression over the alphabet of program transitions of the form w ∗ 1... w ∗ n. For multithreaded programs, the alphabet of the pattern is given by the synchronization operations between threads. We study the complexity of patternbased verification for abstracted multithreaded programs in which, as usual in program analysis, conditions have been replaced by nondeterminism (the technique works also for boolean programs). While unrestricted verification is undecidable for abstracted multithreaded programs with recursive procedures and PSPACEcomplete for abstracted multithreaded whileprograms, we show that patternbased verification is NPcomplete for both classes. We then conduct a multiparameter analysis in which we study the complexity in the number of threads, the number of procedures per thread, the size of the procedures, and the size of the pattern. We first show that no algorithm for patternbased verification can be polynomial in the number of threads, procedures per thread, or the size of the pattern (unless P=NP). Then, using recent results about Parikh images of regular languages and semilinear sets, we present an algorithm exponential in the number of threads, procedures per thread, and size of the pattern, but polynomial in the size of the procedures.
Bounded Underapproximations
"... We show a new and constructive proof of the following languagetheoretic result: for every contextfree language L, there is a bounded contextfree language L ′ ⊆ L which has the same Parikh (commutative) image as L. Bounded languages, introduced by Ginsburg and Spanier, are subsets of regular lang ..."
Abstract

Cited by 13 (2 self)
 Add to MetaCart
(Show Context)
We show a new and constructive proof of the following languagetheoretic result: for every contextfree language L, there is a bounded contextfree language L ′ ⊆ L which has the same Parikh (commutative) image as L. Bounded languages, introduced by Ginsburg and Spanier, are subsets of regular languages of the form w ∗ 1w ∗ 2 · · · w ∗ m for some w1,..., wm ∈ Σ ∗. In particular bounded contextfree languages have nice structural and decidability properties. Our proof proceeds in two parts. First, we give a new construction that shows that each context free language L has a subset LN that has the same Parikh image as L and that can be represented as a sequence of substitutions on a linear language. Second, we inductively construct a Parikhequivalent bounded contextfree subset of LN. We show two applications of this result in model checking: to underapproximate the reachable state space of multithreaded procedural programs and to underapproximate the reachable state space of recursive counter programs. The bounded language constructed above provides a decidable underapproximation for the original
A saturation method for collapsible pushdown systems
 In Proc. of ICALP’12, volume 7392 of LNCS
, 2012
"... Abstract. We introduce a natural extension of collapsible pushdown systems called annotated pushdown systems that replaces collapse links with stack annotations. We believe this new model has many advantages. We present a saturation method for global backwards reachability analysis of these models ..."
Abstract

Cited by 12 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce a natural extension of collapsible pushdown systems called annotated pushdown systems that replaces collapse links with stack annotations. We believe this new model has many advantages. We present a saturation method for global backwards reachability analysis of these models that can also be used to analyse collapsible pushdown systems. Beginning with an automaton representing a set of configurations, we build an automaton accepting all configurations that can reach this set. We also improve upon previous saturation techniques for higherorder pushdown systems by significantly reducing the size of the automaton constructed and simplifying the algorithm and proofs.
Scopebounded Multistack Pushdown Systems: FixedPoint, Sequentialization, and TreeWidth
"... Abstract. Wepresentanovelfixedpointalgorithmtosolvereachability of multistack pushdown systems restricted to runs of boundedscope. The followed approach is compositional, in the sense that the runs of the system are summarized by boundedsize interfaces. Moreover, it is suitable for a direct impl ..."
Abstract

Cited by 12 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Wepresentanovelfixedpointalgorithmtosolvereachability of multistack pushdown systems restricted to runs of boundedscope. The followed approach is compositional, in the sense that the runs of the system are summarized by boundedsize interfaces. Moreover, it is suitable for a direct implementation and can be exploited to prove two new results. We give a sequentialization for this class of systems, i.e., for each such multistack pushdown system we construct an equivalent singlestack pushdown system that faithfully simulates the behaviour of each thread. We prove that the behaviour graphs (multiply nested words) for these systems have bounded threewidth, and thus a number of decidability results can be derived from Courcelle’s theorem. 1
Symbolic counter abstraction for concurrent software
 In CAV, volume 5643 of LNCS
, 2009
"... Abstract. The trend towards multicore computing has made concurrent software an important target of computeraided verification. Unfortunately, Model Checkers for such software suffer tremendously from combinatorial state space explosion. We show how to apply counter abstraction to realworld concu ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
Abstract. The trend towards multicore computing has made concurrent software an important target of computeraided verification. Unfortunately, Model Checkers for such software suffer tremendously from combinatorial state space explosion. We show how to apply counter abstraction to realworld concurrent programs to factor out redundancy due to thread replication. The traditional global state representation as a vector of local states is replaced by a vector of thread counters, one per local state. In practice, straightforward implementations of this idea are unfavorably sensitive to the number of local states. We present a novel symbolic exploration algorithm that avoids this problem by carefully scheduling which counters to track at any moment during the search. Our experiments are carried out on Boolean programs, an abstraction promoted by the Slam project. To our knowledge, this marks the first application of counter abstraction to programs with nontrivial local state spaces, and results in the first scalable Model Checker for concurrent Boolean programs. 1
Sequentializing parameterized programs
, 2010
"... We exhibit assertionpreserving (reachability preserving) transformations from parameterized concurrent sharedmemory programs, under a kround scheduling of processes, to sequential programs. The salient feature of the sequential program is that it tracks the local variables of only one thread at ..."
Abstract

Cited by 9 (6 self)
 Add to MetaCart
(Show Context)
We exhibit assertionpreserving (reachability preserving) transformations from parameterized concurrent sharedmemory programs, under a kround scheduling of processes, to sequential programs. The salient feature of the sequential program is that it tracks the local variables of only one thread at any point, and uses only O(k) copies of shared variables (it does not use extra counters, not even one counter to keep track of the number of threads). Sequentialization is achieved using the concept of a linear interface that captures the effect an unbounded block of processes have on the shared state in a kround schedule. Linear interfaces in fact serve as summaries for parallel processes, and the sequentialization compiles these linear interfaces to procedural summaries in the sequential program. Our transformation utilizes linear interfaces to sequentialize the program, and to ensure the sequential program explores only reachable states and preserves local invariants.