Results 11  20
of
152
Model checking multithreaded programs with asynchronous atomic methods.
 In Computer Aided Verification,
, 2006
"... ..."
(Show Context)
ContextBounded Analysis of Concurrent Queue Systems ⋆
"... Abstract. We show that the bounded contextswitching reachability problem for concurrent finite systems communicating using unbounded FIFO queues is decidable, where in each context a process reads from only one queue (but is allowed to write onto all other queues). Our result also holds when indivi ..."
Abstract

Cited by 34 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We show that the bounded contextswitching reachability problem for concurrent finite systems communicating using unbounded FIFO queues is decidable, where in each context a process reads from only one queue (but is allowed to write onto all other queues). Our result also holds when individual processes are finitestate recursive programs provided a process dequeues messages only when its local stack is empty. We then proceed to classify architectures that admit a decidable (unbounded context switching) reachability problem, using the decidability of bounded context switching. We show that the precise class of decidable architectures for recursive programs are the forest architectures, while the decidable architectures for nonrecursive programs are those that do not have an undirected cycle. 1
Contextbounded analysis for concurrent programs with dynamic creation of threads.
, 2008
"... Abstract. Contextbounded analysis has been shown to be both efficient and effective at finding bugs in concurrent programs. According to its original definition, contextbounded analysis explores all behaviors of a concurrent program up to some fixed number of context switches between threads. Thi ..."
Abstract

Cited by 28 (8 self)
 Add to MetaCart
(Show Context)
Abstract. Contextbounded analysis has been shown to be both efficient and effective at finding bugs in concurrent programs. According to its original definition, contextbounded analysis explores all behaviors of a concurrent program up to some fixed number of context switches between threads. This definition is inadequate for programs that create threads dynamically because bounding the number of context switches in a computation also bounds the number of threads involved in the computation. In this paper, we propose a more general definition of contextbounded analysis useful for programs with dynamic thread creation. The idea is to bound the number of context switches for each thread instead of bounding the number of switches of all threads. We consider several variants based on this new definition, and we establish decidability and complexity results for the analysis induced by them.
Bounded model checking of concurrent programs
 In ComputerAided Verification (CAV), LNCS 3576
, 2005
"... Abstract. We propose a SATbased bounded verification technique, called TCBMC, for threaded C programs. Our work is based on CBMC, which models sequential C programs in which the number of executions for each loop and the depth of recursion are bounded. The novelty of our approach is in bounding the ..."
Abstract

Cited by 27 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We propose a SATbased bounded verification technique, called TCBMC, for threaded C programs. Our work is based on CBMC, which models sequential C programs in which the number of executions for each loop and the depth of recursion are bounded. The novelty of our approach is in bounding the number of context switches allowed among threads. Thus, we obtain an efficient modeling that can be sent to a SAT solver for property checking. We also suggest a novel technique for modeling mutexes and Pthread conditions in concurrent programs. Using this bounded technique, we can detect bugs that invalidate safety properties. These include races and deadlocks, the detection for which is crucial for concurrent programs. 1
Modelchecking Parameterized Concurrent Programs using Linear Interfaces
"... Abstract. We consider the verification of parameterized Boolean programs— abstractions of sharedmemory concurrent programs with an unbounded number of threads. We propose that such programs can be modelchecked by iteratively considering the program under k roundrobin schedules, for increasing valu ..."
Abstract

Cited by 25 (6 self)
 Add to MetaCart
(Show Context)
Abstract. We consider the verification of parameterized Boolean programs— abstractions of sharedmemory concurrent programs with an unbounded number of threads. We propose that such programs can be modelchecked by iteratively considering the program under k roundrobin schedules, for increasing values of k, using a novel compositional construct called linear interfaces that summarize the effect of a block of threads in a k round schedule. We also develop a gametheoretic sound technique to show that k rounds of schedule suffice to explore the entire searchspace, which allows us to prove a parameterized program entirely correct. We implement a symbolic modelchecker, and report on experiments verifying parameterized predicate abstractions of Linux device drivers interacting with a kernel to show the efficacy of our technique. 1
The Tree Width of Auxiliary Storage
"... We propose a generalization of results on the decidability of emptiness for several restricted classes of sequential and distributed automata with auxiliary storage (stacks, queues) that have recently been proved. Our generalization relies on reducing emptiness of these automata to finitestate grap ..."
Abstract

Cited by 24 (2 self)
 Add to MetaCart
(Show Context)
We propose a generalization of results on the decidability of emptiness for several restricted classes of sequential and distributed automata with auxiliary storage (stacks, queues) that have recently been proved. Our generalization relies on reducing emptiness of these automata to finitestate graph automata (without storage) restricted to monadic secondorder (MSO) definable graphs of bounded treewidth, where the graph structure encodes the mechanism provided by the auxiliary storage. Our results outline a uniform mechanism to derive emptiness algorithms for automata, explaining and simplifying several existing results, as well as proving new decidability results. Categories and Subject Descriptors F.1.1 [Theory of Computation]:
A.: Symbolic Predictive Analysis for Concurrent Programs
 FM 2009. LNCS
, 2009
"... Abstract. Predictive analysis aims at detecting concurrency errors during runtime by monitoring a concrete execution trace of a concurrent program. In recent years, various models based on happensbefore causality relations have been proposed for predictive analysis to improve the interleaving cover ..."
Abstract

Cited by 23 (9 self)
 Add to MetaCart
(Show Context)
Abstract. Predictive analysis aims at detecting concurrency errors during runtime by monitoring a concrete execution trace of a concurrent program. In recent years, various models based on happensbefore causality relations have been proposed for predictive analysis to improve the interleaving coverage while ensuring the absence of false alarms. However, these models are based on only the observed events, and typically do not utilize source code. Furthermore, the enumerative algorithms they use for verifying safety properties in the predicted execution traces often suffer from the interleaving explosion problem. In this paper, we introduce a new symbolic causal model based on source code and the observed events, and propose a symbolic algorithm to check whether a safety property holds in all feasible permutations of events in the given execution trace. Rather than explicitly enumerating the interleavings, our algorithm conducts the verification using a novel encoding of the causal model and symbolic reasoning with a satisfiability modulo theory (SMT) solver. Our algorithm has a larger interleaving coverage than known causal models in the literature. We also propose a method to symbolically bound the number of context switches allowed in an interleaving, to further improve the scalability of the algorithm. 1
Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination
"... Proofcarrying code (PCC) is a general framework that can, in principle, verify safety properties of arbitrary machinelanguage programs. Existing PCC systems and typed assembly languages, however, can only handle sequential programs. This severely limits their applicability since many realworld sy ..."
Abstract

Cited by 22 (8 self)
 Add to MetaCart
Proofcarrying code (PCC) is a general framework that can, in principle, verify safety properties of arbitrary machinelanguage programs. Existing PCC systems and typed assembly languages, however, can only handle sequential programs. This severely limits their applicability since many realworld systems use some form of concurrency in their core software. Recently Yu and Shao proposed a logicbased "type" system for verifying concurrent assembly programs. Their thread model, however, is rather restrictive in that no threads can be created or terminated dynamically and no sharing of code is allowed between threads. In this paper, we present a new formal framework for verifying general multithreaded assembly code with unbounded dynamic thread creation and termination as well as sharing of code between threads. We adapt and generalize the relyguarantee methodology to the assembly level and show how to specify the semantics of thread "fork" with argument passing. In particular, we allow threads to have different assumptions and guarantees at different stages of their lifetime so they can coexist with the dynamically changing thread environment. Our work provides a foundation for certifying realistic multithreaded programs and makes an important advance toward generating proofcarrying concurrent code.
Symbolic model checking for asynchronous boolean programs
 in SPIN
, 2005
"... Abstract. Software model checking problems generally contain two different types of nondeterminism: 1) nondeterministically chosen values; 2) the choice of interleaving among threads. Most modern software model checkers can handle only one source of nondeterminism efficiently, but not both. This ..."
Abstract

Cited by 21 (7 self)
 Add to MetaCart
(Show Context)
Abstract. Software model checking problems generally contain two different types of nondeterminism: 1) nondeterministically chosen values; 2) the choice of interleaving among threads. Most modern software model checkers can handle only one source of nondeterminism efficiently, but not both. This paper describes a SATbased model checker for asynchronous Boolean programs that handles both sources effectively. We address the first type of nondeterminism with a form of symbolic execution and fixpoint detection. We address the second source of nondeterminism using a symbolic and dynamic partialorder reduction, which is implemented inside the SATsolver’s casesplitting algorithm. The preliminary experimental results show that the new algorithm outperforms the existing software model checkers on large benchmarks. 1
Symbolic contextbounded analysis of multithreaded Java programs
 In Intl. SPIN Workshop on Model Checking Software
, 2008
"... Abstract. The reachability problem is undecidable for programs with both recursive procedures and multiple threads communicating through shared memory. Attempts to overcome this problem have been the focus of much recent research. One approach is to use contextbounded reachability, i.e. to consider ..."
Abstract

Cited by 21 (2 self)
 Add to MetaCart
(Show Context)
Abstract. The reachability problem is undecidable for programs with both recursive procedures and multiple threads communicating through shared memory. Attempts to overcome this problem have been the focus of much recent research. One approach is to use contextbounded reachability, i.e. to consider only those runs in which the active thread changes at most k times, where k is fixed. However, to the best of our knowledge, contextbounded reachability has not been implemented in any tool so far, primarily because its worstcase runtime is prohibitively high, i.e. O(n k), where n is the size of the shared memory. Moreover, existing algorithms for contextbounded reachability do not admit a meaningful symbolic implementation (e.g., using BDDs) to reduce the runtime in practice. In this paper, we propose an improvement that overcomes this problem. We have implemented our approach in the tool jMoped and report on experiments. 1