Results 1  10
of
152
Iterative Context Bounding for Systematic Testing of Multithreaded Programs
, 2007
"... Multithreaded programs are difficult to get right because of unexpected interaction between concurrently executing threads. Traditional testing methods are inadequate for catching subtle concurrency errors which manifest themselves late in the development cycle and postdeployment. Model checking or ..."
Abstract

Cited by 181 (17 self)
 Add to MetaCart
Multithreaded programs are difficult to get right because of unexpected interaction between concurrently executing threads. Traditional testing methods are inadequate for catching subtle concurrency errors which manifest themselves late in the development cycle and postdeployment. Model checking or systematic exploration of program behavior is a promising alternative to traditional testing methods. However, it is difficult to perform systematic search on large programs as the number of possible program behaviors grows exponentially with the program size. Confronted with this stateexplosion problem, traditional model checkers perform iterative depthbounded search. Although effective for messagepassing software, iterative depthbounding is inadequate for multithreaded software. This paper proposes iterative contextbounding, a new search algorithm that systematically explores the executions of a multithreaded program in an order that prioritizes executions with fewer context switches. We distinguish between preempting and nonpreempting context switches, and show that bounding the number of preempting context switches to a small number significantly alleviates the state explosion, without limiting the depth of explored executions. We show both theoretically and empirically that contextbounded search is an effective method for exploring the behaviors of multithreaded programs. We have implemented our algorithm in two model checkers and applied it to a number of realworld multithreaded programs. Our implementation uncovered 9 previously unknown bugs in our benchmarks, each of which was exposed by an execution with at most 2 preempting context switches. Our initial experience with the technique is encouraging and demonstrates that iterative contextbounding is a significant improvement over existing techniques for testing multithreaded programs.
Reducing Concurrent Analysis Under a Context Bound to Sequential Analysis
"... This paper addresses the analysis of concurrent programs with shared memory. Such an analysis is undecidable in the presence of multiple procedures. One approach used in recent work obtains decidability by providing only a partial guarantee of correctness: the approach bounds the number of context ..."
Abstract

Cited by 72 (11 self)
 Add to MetaCart
(Show Context)
This paper addresses the analysis of concurrent programs with shared memory. Such an analysis is undecidable in the presence of multiple procedures. One approach used in recent work obtains decidability by providing only a partial guarantee of correctness: the approach bounds the number of context switches allowed in the concurrent program, and aims to prove safety, or find bugs, under the given bound. In this paper, we show how to obtain simple and efficient algorithms for the analysis of concurrent programs with a context bound. We give a general reduction from a concurrent program P, and a given context bound K, to a slightly larger sequential program P K s such that the analysis of P K s can be used to prove properties about P. The reduction introduces symbolic constants and assume statements in P K s. Thus, any sequential analysis that can deal with these two additions can be extended to handle concurrent programs as well, under the context bound. We give instances of the reduction for common program models used in model checking, such as Boolean programs, pushdown systems (PDSs), and symbolic PDSs.
Regular Symbolic Analysis of Dynamic Networks of Pushdown Processes
, 2005
"... We introduce two abstract models for multithreaded programs based on dynamic networks of pushdown systems. We address the problem of symbolic reachability analysis for these models. More precisely, we consider the problem of computing effective representations of their reachability sets using fini ..."
Abstract

Cited by 59 (20 self)
 Add to MetaCart
We introduce two abstract models for multithreaded programs based on dynamic networks of pushdown systems. We address the problem of symbolic reachability analysis for these models. More precisely, we consider the problem of computing effective representations of their reachability sets using finitestate automata. We show that, while forward reachability sets are not regular in general, backward reachability sets starting from regular sets of configurations are always regular. We provide algorithms for computing backward reachability sets using word/tree automata, and show how these algorithms can be applied for flow analysis of multithreaded programs.
A Survey of Automated Techniques for Formal Software Verification
 TRANSACTIONS ON CAD
, 2008
"... The software in an electronic system is often the greatest concern with respect to quality and design flaws. Formal verification tools can provide a guarantee that a design is free of specific flaws. We survey algorithms that perform automatic, static analysis of software to detect programming erro ..."
Abstract

Cited by 49 (5 self)
 Add to MetaCart
The software in an electronic system is often the greatest concern with respect to quality and design flaws. Formal verification tools can provide a guarantee that a design is free of specific flaws. We survey algorithms that perform automatic, static analysis of software to detect programming errors or prove their absence. The three techniques we consider are static analysis with abstract domains, model checking, and bounded model checking. We provide a short tutorial on the these techniques, highlighting their differences when applied to practical problems. We also survey the tools that are available implementing these techniques, and describe their merits and shortcomings.
A robust class of contextsensitive languages
 In LICS
, 2007
"... We define a new class of languages defined by multistack automata that forms a robust subclass of contextsensitive languages, with decidable emptiness and closure under boolean operations. This class, called multistack visibly pushdown languages (MVPLs), is defined using multistack pushdown auto ..."
Abstract

Cited by 43 (7 self)
 Add to MetaCart
(Show Context)
We define a new class of languages defined by multistack automata that forms a robust subclass of contextsensitive languages, with decidable emptiness and closure under boolean operations. This class, called multistack visibly pushdown languages (MVPLs), is defined using multistack pushdown automata with two restrictions: (a) the pushdown automaton is visible, i.e. the input letter determines the operation on the stacks, and (b) any computation of the machine can be split into�stages, where in each stage, there is at most one stack that is popped. MVPLs are an extension of visibly pushdown languages that captures noncontext free behaviors, and has applications in analyzing abstractions of multithreaded recursive programs, significantly enlarging the search space that can be explored for them. We show that MVPLs are closed under boolean operations, and problems such as emptiness and inclusion are decidable. We characterize MVPLs using monadic secondorder logic over appropriate structures, and exhibit a Parikh theorem for them. 1.
DelayBounded Scheduling
"... We provide a new characterization of scheduling nondeterminism by allowing deterministic schedulers to delay their nextscheduled task. In limiting the delays an otherwisedeterministic scheduler is allowed, we discover concurrency bugs efficiently—by exploring few schedules—and robustly—i.e., indep ..."
Abstract

Cited by 42 (12 self)
 Add to MetaCart
(Show Context)
We provide a new characterization of scheduling nondeterminism by allowing deterministic schedulers to delay their nextscheduled task. In limiting the delays an otherwisedeterministic scheduler is allowed, we discover concurrency bugs efficiently—by exploring few schedules—and robustly—i.e., independent of the number of tasks, context switches, or buffered events. Our characterization elegantly applies to any systematic exploration (e.g., testing, model checking) of concurrent programs with dynamic taskcreation. Additionally, we show that certain delaying schedulers admit efficient reductions from concurrent to sequential program analysis. Categories and Subject Descriptors D.2.4 [Software Engineering]:
Verifying concurrent messagepassing C programs with recursive calls.
, 2005
"... Abstract. We consider the modelchecking problem for C programs with (1) data ranging over very large domains, (2) (recursive) procedure calls, and (3) concurrent parallel components that communicate via synchronizing actions. We model such programs using communicating pushdown systems, and reduce ..."
Abstract

Cited by 41 (16 self)
 Add to MetaCart
(Show Context)
Abstract. We consider the modelchecking problem for C programs with (1) data ranging over very large domains, (2) (recursive) procedure calls, and (3) concurrent parallel components that communicate via synchronizing actions. We model such programs using communicating pushdown systems, and reduce the reachability problem for this model to deciding the emptiness of the intersection of two contextfree languages L 1 and L 2 . We tackle this undecidable problem using a CounterExample Guided Abstraction Refinement (CEGAR) scheme. We implemented our technique in the model checker MAGIC and found a previously unknown bug in a version of a Windows NT Bluetooth driver.
Interprocedural analysis of concurrent programs under a context bound
 In TACAS
, 2007
"... Abstract. Analysis of recursive programs in the presence of concurrency and shared memory is undecidable. In previous work, Qadeer and Rehof [23] showed that contextbounded analysis is decidable for recursive programs under a finitestate abstraction of program data. In this paper, we show that con ..."
Abstract

Cited by 40 (6 self)
 Add to MetaCart
(Show Context)
Abstract. Analysis of recursive programs in the presence of concurrency and shared memory is undecidable. In previous work, Qadeer and Rehof [23] showed that contextbounded analysis is decidable for recursive programs under a finitestate abstraction of program data. In this paper, we show that contextbounded analysis is decidable for certain families of infinitestate abstractions, and also provide a new symbolic algorithm for the finitestate case. 1
Static and precise detection of concurrency errors in systems code using SMT solvers
 In CAV
, 2009
"... Abstract. Contextbounded analysis is an attractive approach to verification of concurrent programs. Bounding the number of contexts executed per thread not only reduces the asymptotic complexity, but also the complexity increases gradually from checking a purely sequential program. Lal and Reps [14 ..."
Abstract

Cited by 37 (8 self)
 Add to MetaCart
(Show Context)
Abstract. Contextbounded analysis is an attractive approach to verification of concurrent programs. Bounding the number of contexts executed per thread not only reduces the asymptotic complexity, but also the complexity increases gradually from checking a purely sequential program. Lal and Reps [14] provided a method for reducing the contextbounded verification of a concurrent boolean program to the verification of a sequential boolean program, thereby allowing sequential reasoning to be employed for verifying concurrent programs. In this work, we adapt the encoding to work for systems programs written in C with the heap and accompanying lowlevel operations such as pointer arithmetic and casts. Our approach is completely automatic: we use a verification condition generator and SMT solvers, instead of a boolean model checker, in order to avoid manual extraction of boolean programs and false alarms introduced by the abstraction. We demonstrate the use of field slicing for improving the scalability and (in some cases) coverage of our checking. We evaluate our tool STORM on a set of realworld Windows device drivers, and has discovered a bug that could not be detected by extensive application of previous tools. 1
Reachability analysis of multithreaded software with asynchronous communication
 In FSTTCS
, 2005
"... Abstract. We introduce asynchronous dynamic pushdown networks (ADPN), a new model for multithreaded programs in which pushdown systems communicate via shared memory. ADPN generalizes both CPS (concurrent pushdown systems) [7] and DPN (dynamic pushdown networks) [5]. We show that ADPN exhibit several ..."
Abstract

Cited by 35 (8 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce asynchronous dynamic pushdown networks (ADPN), a new model for multithreaded programs in which pushdown systems communicate via shared memory. ADPN generalizes both CPS (concurrent pushdown systems) [7] and DPN (dynamic pushdown networks) [5]. We show that ADPN exhibit several advantages as a program model. Since the reachability problem for ADPN is undecidable even in the case without dynamic creation of processes, we address the bounded reachability problem [7], which considers only those computation sequences where the (index of the) thread accessing the shared memory is changed at most a fixed given number of times. We provide efficient algorithms for both forward and backward reachability analysis. The algorithms are based on automata techniques for symbolic representation of sets of configurations. 1