Results 1  10
of
46
Static and precise detection of concurrency errors in systems code using SMT solvers
 In CAV
, 2009
"... Abstract. Contextbounded analysis is an attractive approach to verification of concurrent programs. Bounding the number of contexts executed per thread not only reduces the asymptotic complexity, but also the complexity increases gradually from checking a purely sequential program. Lal and Reps [14 ..."
Abstract

Cited by 30 (5 self)
 Add to MetaCart
Abstract. Contextbounded analysis is an attractive approach to verification of concurrent programs. Bounding the number of contexts executed per thread not only reduces the asymptotic complexity, but also the complexity increases gradually from checking a purely sequential program. Lal and Reps [14] provided a method for reducing the contextbounded verification of a concurrent boolean program to the verification of a sequential boolean program, thereby allowing sequential reasoning to be employed for verifying concurrent programs. In this work, we adapt the encoding to work for systems programs written in C with the heap and accompanying lowlevel operations such as pointer arithmetic and casts. Our approach is completely automatic: we use a verification condition generator and SMT solvers, instead of a boolean model checker, in order to avoid manual extraction of boolean programs and false alarms introduced by the abstraction. We demonstrate the use of field slicing for improving the scalability and (in some cases) coverage of our checking. We evaluate our tool STORM on a set of realworld Windows device drivers, and has discovered a bug that could not be detected by extensive application of previous tools. 1
ConSeq: Detecting Concurrency Bugs through Sequential Errors
"... Concurrency bugs are caused by nondeterministic interleavings between shared memory accesses. Their effects propagate through data and control dependences until they cause software to crash, hang, produce incorrect output, etc. The lifecycle of a bug thus consists of three phases: (1) triggering, ( ..."
Abstract

Cited by 18 (6 self)
 Add to MetaCart
Concurrency bugs are caused by nondeterministic interleavings between shared memory accesses. Their effects propagate through data and control dependences until they cause software to crash, hang, produce incorrect output, etc. The lifecycle of a bug thus consists of three phases: (1) triggering, (2) propagation, and (3) failure. Traditional techniques for detecting concurrency bugs mostly focus on phase (1)—i.e., on finding certain structural patterns of interleavings that are common triggers of concurrency bugs, such as data races. This paper explores a consequenceoriented approach to improving the accuracy and coverage of statespace search and bug detection. The proposed approach first statically identifies potential failure sites in a program binary (i.e., it first considers a phase (3) issue). It then uses static slicing to identify critical read instructions that are highly likely to affect potential failure sites through control and data dependences (phase (2)). Finally, it monitors a single (correct) execution of a concurrent program and identifies suspicious interleavings that could cause an incorrect state to arise at a critical read and then lead to a software failure (phase (1)). ConSeq’s backwards approach, (3)→(2)→(1), provides advantages in bugdetection coverage and accuracy but is challenging to carry out. ConSeq makes it feasible by exploiting the empirical observation that phases (2) and (3) usually are short and occur within one thread. Our evaluation on large, realworld C/C++ applications shows that ConSeq detects more bugs than traditional approaches and has a much lower falsepositive rate. D.2.5 [Testing and Debug
DelayBounded Scheduling
"... We provide a new characterization of scheduling nondeterminism by allowing deterministic schedulers to delay their nextscheduled task. In limiting the delays an otherwisedeterministic scheduler is allowed, we discover concurrency bugs efficiently—by exploring few schedules—and robustly—i.e., indep ..."
Abstract

Cited by 17 (8 self)
 Add to MetaCart
We provide a new characterization of scheduling nondeterminism by allowing deterministic schedulers to delay their nextscheduled task. In limiting the delays an otherwisedeterministic scheduler is allowed, we discover concurrency bugs efficiently—by exploring few schedules—and robustly—i.e., independent of the number of tasks, context switches, or buffered events. Our characterization elegantly applies to any systematic exploration (e.g., testing, model checking) of concurrent programs with dynamic taskcreation. Additionally, we show that certain delaying schedulers admit efficient reductions from concurrent to sequential program analysis. Categories and Subject Descriptors D.2.4 [Software Engineering]:
A.: Symbolic Predictive Analysis for Concurrent Programs
 FM 2009. LNCS
, 2009
"... Abstract. Predictive analysis aims at detecting concurrency errors during runtime by monitoring a concrete execution trace of a concurrent program. In recent years, various models based on happensbefore causality relations have been proposed for predictive analysis to improve the interleaving cover ..."
Abstract

Cited by 15 (7 self)
 Add to MetaCart
Abstract. Predictive analysis aims at detecting concurrency errors during runtime by monitoring a concrete execution trace of a concurrent program. In recent years, various models based on happensbefore causality relations have been proposed for predictive analysis to improve the interleaving coverage while ensuring the absence of false alarms. However, these models are based on only the observed events, and typically do not utilize source code. Furthermore, the enumerative algorithms they use for verifying safety properties in the predicted execution traces often suffer from the interleaving explosion problem. In this paper, we introduce a new symbolic causal model based on source code and the observed events, and propose a symbolic algorithm to check whether a safety property holds in all feasible permutations of events in the given execution trace. Rather than explicitly enumerating the interleavings, our algorithm conducts the verification using a novel encoding of the causal model and symbolic reasoning with a satisfiability modulo theory (SMT) solver. Our algorithm has a larger interleaving coverage than known causal models in the literature. We also propose a method to symbolically bound the number of context switches allowed in an interleaving, to further improve the scalability of the algorithm. 1
Analyzing Recursive Programs using a Fixedpoint Calculus
"... We show that recursive programs where variables range over finite domains can be effectively and efficiently analyzed by describing the analysis algorithm using a formula in a fixedpoint calculus. In contrast with programming in traditional languages, a fixedpoint calculus serves as a highlevel p ..."
Abstract

Cited by 15 (7 self)
 Add to MetaCart
We show that recursive programs where variables range over finite domains can be effectively and efficiently analyzed by describing the analysis algorithm using a formula in a fixedpoint calculus. In contrast with programming in traditional languages, a fixedpoint calculus serves as a highlevel programming language to easily, correctly, and succinctly describe modelchecking algorithms. While there have been declarative highlevel formalisms that have been proposed earlier for analysis problems (e.g, Datalog), the fixedpoint calculus we propose has the salient feature that it also allows algorithmic aspects to be specified. We exhibit two classes of algorithms of symbolic (BDDbased) algorithms written using this framework — one for checking for errors in sequential recursive Boolean programs, and the other to check for errors reachable within a bounded number of contextswitches in a concurrent recursive Boolean program. Our formalization of these otherwise complex algorithms is extremely simple, and spans just a page of fixedpoint formulae. Moreover, we implement these algorithms in a tool called GETAFIX which expresses algorithms as fixedpoint formulae and evaluates them efficiently using an symbolic fixedpoint solver called MUCKE. The resulting modelchecking tools are surprisingly efficient and are competetive in performance with mature existing tools that have been finetuned for these problems.
Modelchecking Parameterized Concurrent Programs using Linear Interfaces
"... Abstract. We consider the verification of parameterized Boolean programs— abstractions of sharedmemory concurrent programs with an unbounded number of threads. We propose that such programs can be modelchecked by iteratively considering the program under k roundrobin schedules, for increasing valu ..."
Abstract

Cited by 12 (5 self)
 Add to MetaCart
Abstract. We consider the verification of parameterized Boolean programs— abstractions of sharedmemory concurrent programs with an unbounded number of threads. We propose that such programs can be modelchecked by iteratively considering the program under k roundrobin schedules, for increasing values of k, using a novel compositional construct called linear interfaces that summarize the effect of a block of threads in a k round schedule. We also develop a gametheoretic sound technique to show that k rounds of schedule suffice to explore the entire searchspace, which allows us to prove a parameterized program entirely correct. We implement a symbolic modelchecker, and report on experiments verifying parameterized predicate abstractions of Linux device drivers interacting with a kernel to show the efficacy of our technique. 1
Tracebased Symbolic Analysis for Atomicity Violations
 TOOLS AND ALGORITHMS FOR THE CONSTRUCTION AND ANALYSIS OF SYSTEMS
, 2010
"... We propose a symbolic algorithm to accurately predict atomicity violations by analyzing a concrete execution trace of a concurrent program. We use both the execution trace and the program source code to construct a symbolic predictive model, which captures a large set of alternative interleavings of ..."
Abstract

Cited by 12 (5 self)
 Add to MetaCart
We propose a symbolic algorithm to accurately predict atomicity violations by analyzing a concrete execution trace of a concurrent program. We use both the execution trace and the program source code to construct a symbolic predictive model, which captures a large set of alternative interleavings of the events of the given trace. We use precise symbolic reasoning with a satisfiability modulo theory (SMT) solver to check the feasible interleavings for atomicity violations. Our algorithm differs from the existing methods in that all reported atomicity violations can appear in the actual program execution; and at the same time the feasible interleavings analyzed by our model are significantly more than other predictive models that guarantee the absence of false alarms.
Complexity of Patternbased Verification for Multithreaded Programs
, 2011
"... Patternbased verification checks the correctness of the program executions that follow a given pattern, a regular expression over the alphabet of program transitions of the form w ∗ 1... w ∗ n. For multithreaded programs, the alphabet of the pattern is given by the synchronization operations betwee ..."
Abstract

Cited by 9 (4 self)
 Add to MetaCart
Patternbased verification checks the correctness of the program executions that follow a given pattern, a regular expression over the alphabet of program transitions of the form w ∗ 1... w ∗ n. For multithreaded programs, the alphabet of the pattern is given by the synchronization operations between threads. We study the complexity of patternbased verification for abstracted multithreaded programs in which, as usual in program analysis, conditions have been replaced by nondeterminism (the technique works also for boolean programs). While unrestricted verification is undecidable for abstracted multithreaded programs with recursive procedures and PSPACEcomplete for abstracted multithreaded whileprograms, we show that patternbased verification is NPcomplete for both classes. We then conduct a multiparameter analysis in which we study the complexity in the number of threads, the number of procedures per thread, the size of the procedures, and the size of the pattern. We first show that no algorithm for patternbased verification can be polynomial in the number of threads, procedures per thread, or the size of the pattern (unless P=NP). Then, using recent results about Parikh images of regular languages and semilinear sets, we present an algorithm exponential in the number of threads, procedures per thread, and size of the pattern, but polynomial in the size of the procedures.
On sequentializing concurrent programs
, 2011
"... Abstract. We propose a general framework for compositional underapproximate concurrent program analyses by reduction to sequential program analyses—socalled sequentializations. We notice the existing sequentializations—based on bounding the number of execution contexts, execution rounds, or delays ..."
Abstract

Cited by 8 (6 self)
 Add to MetaCart
Abstract. We propose a general framework for compositional underapproximate concurrent program analyses by reduction to sequential program analyses—socalled sequentializations. We notice the existing sequentializations—based on bounding the number of execution contexts, execution rounds, or delays from a deterministic taskschedule—rely on three key features for scalable concurrent program analyses: (i) reduction to the sequential program model, (ii) compositional reasoning to avoid expensive taskproduct constructions, and (iii) parameterized exploration bounds. To understand how those sequentializations can be unified and generalized, we define a general framework which preserves their key features, and in which those sequentializations are particular instances. We also identify a most general instance which considers more executions, by composing the rounds of different tasks in any order, restricted only by the unavoidable program and taskcreation causality orders. In fact, we show this general instance is fundamentally more powerful by identifying an infinite family of statereachability problems (to states g1, g2,...) which can be answered precisely with a fixed exploration bound, whereas the existing sequentializations require an increasing bound k to reach each gk. Our framework applies to a general class of sharedmemory concurrent programs, with dynamic taskcreation and arbitrary preemption. 1
Global model checking of ordered multipushdown systems
 Schloss Dagstuhl  LeibnizZentrum fuer Informatik
, 2010
"... In this paper, we address the verification problem of ordered multipushdown systems: A multistack extension of pushdown systems that comes with a constraint on stack operations such that a pop can only be performed on the first nonempty stack. First, we show that for an ordered multipushdown syst ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
In this paper, we address the verification problem of ordered multipushdown systems: A multistack extension of pushdown systems that comes with a constraint on stack operations such that a pop can only be performed on the first nonempty stack. First, we show that for an ordered multipushdown system the set of all predecessors of a regular set of configurations is an effectively constructible regular set. Then, we exploit this result to solve the global model checking which consists in computing the set of all configurations of an ordered multipushdown system that satisfy a given wregular property (expressible in lineartime temporal logics or the lineartime µcalculus). As an immediate consequence of this result, we obtain an 2ETIME upper bound for the model checking problem of wregular properties for ordered multipushdown systems (matching its lowerbound).