Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]


Post on 20-Dec-2015


TRANSCRIPT

Slide 1: Thread-modular Abstraction Refinement
Tom Henzinger, Ranjit Jhala, Rupak Majumdar [UC Berkeley]; Shaz Qadeer [Microsoft Research]

Slide 2: Introduction
- Model checking software: "little theorems about big programs"; automatic, path-sensitive properties; limited to sequential programs.
- Thread-modular reasoning: efficiently decomposes the checks; requires manual (or divine) intervention.
- TAR (Thread-modular Abstraction Refinement): eliminate the divine using abstraction refinement; safety checking for concurrent programs.

Slide 3: The story so far... analyzing sequential programs (BLAST/SLAM/...)
Iterative abstraction refinement [Kurshan 93]:
  Program -> seed abstraction -> Abstract -> Check: is the model safe?
  YES: SAFE (with explanation).
  NO (trace): is the trace feasible? Feasible: BUG. Infeasible: why infeasible? -> Refine -> Abstract again.

Slide 4: ...and what of concurrent programs?
- Shared memory (multithreaded), message passing.
- Hard to analyze! Interleavings / state explosion.
- One approach: thread-modular analysis. Analyse the threads separately, then compose the analyses [Jones 83, CALVIN (FQS 02), assume-guarantee].

Slide 5: The Problem
Boxes = threads; white denotes shared variables. Safety checking: is an ERROR state reachable?

Slide 6: Thread-modular analysis (take 1): safe

Slide 7: Thread-modular analysis (take 1): safe. If only! Threads are correct in constrained environments.

Slide 8: Second attempt: Summaries
- Summarize each thread's behavior.
- Use/verify the summaries (circular).

Slide 9: Use summaries (Assume): safe

Slide 10: Verify summaries (Guarantee): safe

Slide 11: Thread-modular analysis (take 2): safe

Slide 12: Our Contribution
- Problem with thread-modular reasoning: divining (small) summaries.
- Algorithm TAR: compute/use/verify summaries using iterative abstraction refinement.

Slide 13: An Example: Race Detection
Producer {
  1: while (*) {
  2:   while (flag) {};
  3:   data = newdata();
  4:   flag = true;
     }
}
Consumer {
  1: while (*) {
  2:   while (!flag) {};
  3:   read = data;
  4:   flag = false;
     }
}
Shared variables: data, flag, P, C.
Error states: P ∧ C.
Initial states: ¬P ∧ ¬C (∧ ¬flag).

Slide 14: An Example: Race Detection (same program)
Correctness invariant: Producer ensures P ⇒ ¬flag; Consumer ensures C ⇒ flag.

Slide 15: Summaries (same program)
S_Producer { ¬flag → (flag ∨ ¬flag) ∧ ¬P | ¬flag → ¬flag ∧ P }
S_Consumer { flag → (flag ∨ ¬flag) ∧ ¬C | flag → flag ∧ C }
Summary: a set of (present state, next state) pairs.

Slide 16: Checking Safety [CALVIN]
[use] Sequential program Producer+ (check it with BLAST/SLAM/ESC/...):
Producer+ {
  1: while (*) {
  2:   while (flag) {};
  3:   data = newdata();
  4:   flag = true;
     }
}
while (*) { S_Consumer(); }
-> safe
[verify] Every action of Producer+ is in S_Producer.
Where do the summaries come from?

Slide 17: Abstraction & Reachability
- Abstraction gives a finite state space.
- Conservative: abstraction safe ⇒ system safe.
- Too coarse ⇒ spurious counterexample (Initial ... Error).

Slide 18: Refinement: using spurious error traces.

Slide 19: Refinement: using spurious error traces
- Add information to rule out the spurious trace, e.g. track more variables or predicates.
- Repeat reachability till safe or a real trace is found.

Slide 20: Abstraction & Reachability: using spurious error traces
- Add information to rule out the spurious trace, e.g. track more variables or predicates.
- Repeat reachability till safe or a real trace is found. -> safe

Slide 21: To Summarize: the reachability tree
- Nodes are labeled by abstract states.
- Each parent-child pair gives a (present, next) pair.
- Quantify out the local state (e.g. the program counter).
- Take the pairs where the global state changes.

Slide 22: Tying up the threads
Producer+ (as on slide 16). Refine using spurious error traces. Not yet the reachable set! Summarize.

Slide 23: Refined System: safe. Fixpoint.

Slide 24: Running TAR on Example (same program as slide 13)
Shared variables: data, flag, P, C. Error states: P ∧ C. Initial states: ¬P ∧ ¬C ∧ ¬flag.

Slide 25: Running TAR, round 1
Init: ¬P ∧ ¬C. Error: P ∧ C. Abs: P, C.
Producer reach: ¬P ∧ ¬C; P ∧ ¬C.
Producer summary: ¬P ∧ ¬C → P ∧ ¬C; P ∧ ¬C → ¬P ∧ ¬C.
Consumer reach: ¬P ∧ ¬C; ¬P ∧ C.
Consumer summary: ¬P ∧ ¬C → ¬P ∧ C; ¬P ∧ C → ¬P ∧ ¬C.

Slide 26: Running TAR, round 2 (track flag)
Init: ¬P ∧ ¬C ∧ ¬flag. Error: P ∧ C. Abs: P, C, flag.
Producer reach: ¬P ∧ ¬C ∧ ¬flag; P ∧ ¬C ∧ ¬flag; ¬P ∧ ¬C ∧ flag.
Producer summary (only changes if ¬flag): ¬P ∧ ¬flag → P ∧ ¬flag; ¬P ∧ ¬flag → ¬P ∧ flag; P ∧ ¬flag → ¬P ∧ ¬flag.
Consumer reach: ¬P ∧ ¬C ∧ ¬flag; ¬P ∧ C ∧ flag; ¬C ∧ flag; ¬C ∧ ¬flag.
Consumer summary (only changes if flag): ¬C ∧ flag → C ∧ flag; C ∧ flag → ¬C ∧ flag; ¬C ∧ flag → ¬C ∧ ¬flag.
Fixpoint.

Slide 27: Running TAR, round 2 (continued)
Producer reach: P ∧ ¬C ∧ ¬flag; ¬P
Producer summary: ¬flag → (flag ∨ ¬flag) ∧ ¬P; ¬flag → ¬flag ∧ P.
Consumer reach: ¬P ∧ C ∧ flag; ¬C
Consumer summary: flag → (flag ∨ ¬flag) ∧ ¬C; flag → flag ∧ C.
safe. Fixpoint. SUMMARIES LEARNT!

Slide 28: Bells and Whistles
- Havoc abstractions: track only when the environment changes a variable, not what new value it changes it to. For every global x, an indicator variable for x denotes the states in which the thread writes x; summary: if (indicator for x) then x = *.
- No explicit global variables: sharing via pointers that escape.

Slide 29: Race Detection w/ Pointers
Producer {
  p = &buf;
  while (*) {
    while (p->flag) {};
    p->data = newdata();
    p->flag = true;
    p = p->next;
  }
}
Consumer {
  q = &buf;
  while (*) {
    while (!q->flag) {};
    read = q->data;
    q->flag = false;
    q = q->next;
  }
}

Slide 30: Conclusions
- The moral: TAR can check concurrent software w/o (really) exploring all interleavings.
- The devil: shared memory via pointers; explicating local state (need to track some local state of other threads); approximate counterexample analysis.
- Implemented TAR in BLAST: race checking for drivers (each client is a thread); Linux/Windows drivers, 1-10 Kloc.
- Looking for examples and properties.

Slide 31: BLAST: www.eecs.berkeley.edu/~tah/blast/ (Berkeley Lazy Abstraction Software * Tool)

Slide 32: Use summaries (Assume): safe

Slide 33: Verify summaries (Guarantee): safe
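The compute/use/verify loop of slides 12 through 27, run on the producer/consumer program, as an added Python model. It is not code from the slides or from BLAST; it is a constructed illustration with these assumptions: the abstraction is simply the set of tracked globals (an untracked flag reads nondeterministically and writes to it are dropped); P and C mean "that thread is at line 3"; a thread's summary is the set of (present, next) pairs of tracked global state over its own steps, with the program counter quantified out; both threads are explored against the other's summary from the previous round; and refinement is simplified to "track the next untracked global" instead of analysing the spurious trace. The havoc summaries of slides 27 and 28 are not applied.

```python
"""Thread-modular summary computation for the producer/consumer race example
(constructed example, not the slides' or BLAST's code)."""
from collections import deque

GLOBALS = ("flag", "P", "C")                       # tracked-state order
INIT = {"flag": False, "P": False, "C": False}     # initial states of slide 24

# Each thread: the flag value it waits for at line 2, the global that marks
# its data access at line 3 (assumption: P/C = "at line 3"), and the value it
# writes to flag at line 4.
PRODUCER = {"waits_for": False, "crit": "P", "writes": True}
CONSUMER = {"waits_for": True, "crit": "C", "writes": False}


def abstract(concrete, tracked):
    """Project a concrete valuation of the globals onto the tracked ones."""
    return tuple((v, concrete[v]) for v in GLOBALS if v in tracked)


def read(g, var):
    """Value of var in abstract state g, or None when var is not tracked."""
    return dict(g).get(var)


def write(g, var, value):
    """Abstract assignment; an untracked variable is simply not recorded."""
    return tuple((v, value if v == var else old) for v, old in g)


def thread_steps(spec, pc, g):
    """Own transitions of one thread from (pc, g) as (pc', g') pairs.
    pc 1: while (*)  -> enter the loop body (the exit path cannot cause a race)
    pc 2: spin until flag has the awaited value; untracked flag -> both outcomes
    pc 3: data access: crit := true on entry, false on exit
    pc 4: flag := the thread's value"""
    if pc == 1:
        return [(2, g)]
    if pc == 2:
        v, succ = read(g, "flag"), []
        if v is None or v != spec["waits_for"]:
            succ.append((2, g))
        if v is None or v == spec["waits_for"]:
            succ.append((3, write(g, spec["crit"], True)))
        return succ
    if pc == 3:
        return [(4, write(g, spec["crit"], False))]
    return [(1, write(g, "flag", spec["writes"]))]


def reach(spec, tracked, env_summary):
    """Sequential reachability of one thread with the other thread's summary
    as its environment (slide 16's Producer+). Returns the reachable (pc, g)
    states and this thread's summary: (present, next) pairs of its own steps
    on which the tracked global state changed, pc quantified out (slide 21)."""
    start = (1, abstract(INIT, tracked))
    seen, todo, pairs = {start}, deque([start]), set()

    def visit(state):
        if state not in seen:
            seen.add(state)
            todo.append(state)

    while todo:
        pc, g = todo.popleft()
        for pc2, g2 in thread_steps(spec, pc, g):     # own steps
            if g2 != g:
                pairs.add((g, g2))
            visit((pc2, g2))
        for cur, nxt in env_summary:                  # environment steps
            if cur == g:
                visit((pc, nxt))
    return seen, pairs


def is_error(g):
    return read(g, "P") is True and read(g, "C") is True


def tar_round_robin(tracked):
    """Compute/use/verify summaries to a fixpoint for one abstraction.
    Returns (safe, producer_summary, consumer_summary, rounds)."""
    s_prod, s_cons, rounds = frozenset(), frozenset(), 0
    while True:
        rounds += 1
        reach_p, new_p = reach(PRODUCER, tracked, s_cons)
        reach_c, new_c = reach(CONSUMER, tracked, s_prod)
        new_p, new_c = frozenset(new_p), frozenset(new_c)
        if any(is_error(g) for _, g in reach_p | reach_c):
            return False, new_p, new_c, rounds        # (possibly spurious) error
        if (new_p, new_c) == (s_prod, s_cons):
            return True, s_prod, s_cons, rounds       # summaries stabilised
        s_prod, s_cons = new_p, new_c


def tar():
    """Toy refinement loop: start by tracking only P and C; when the error
    is reached, track one more global (simplification: the slides refine by
    analysing the spurious trace)."""
    tracked = ["P", "C"]
    while True:
        safe, s_prod, s_cons, _ = tar_round_robin(tracked)
        untracked = [v for v in GLOBALS if v not in tracked]
        if safe or not untracked:
            return safe, tuple(tracked), s_prod, s_cons
        tracked.append(untracked[0])


if __name__ == "__main__":
    print("abs {P, C}:", tar_round_robin(("P", "C"))[0])     # False (spurious)
    safe, tracked, sp, sc = tar()
    print("safe:", safe, "tracked:", tracked)
    print("producer summary:", sorted(sp))
    print("consumer summary:", sorted(sc))
```

With only P and C tracked, the round-1 summaries are exactly those of slide 25, and in round 2 the producer reaches P ∧ C through the consumer's summary pair ¬P ∧ ¬C → ¬P ∧ C, the spurious trace that forces flag to be tracked. With flag tracked the summaries stabilise in three rounds and no reachable state satisfies P ∧ C.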
