
## Predicate Abstraction and Refinement for Verifying Multi-Threaded Programs

Citations: 27 (6 self)

### Citations

2289 | Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints
- Cousot, Cousot
- 1977
Citation Context: ...e prove the program safety. Fixpoint abstraction Computing pre-fixpoints of F that satisfy CS1 and CS5 is a difficult task. We automate this computation using the framework of abstract interpretation [7], which uses over-approximation to strike a balance between reasoning precision and efficiency. To implement required over-approximation functions, we will use a collection of abstraction functions ˙αi...

835 | Counterexample-guided abstraction refinement
- Clarke, Grumberg, et al.
- 2000
Citation Context: ...lar proof is found by our tool. 9. Related work The main inspiration for our work draws from the rely-guarantee reasoning method [16, 17] and automatic abstraction refinement approach to verification [4]. The seminal work on rely-guarantee reasoning [16, 17] initially offered an approach to reason about multi-threaded programs by making explicit the interference between threads. Subsequently, rely-gu...

736 | Construction of abstract state graphs with PVS
- Graf, Saïdi
- 1997
Citation Context: ...hat automates rely-guarantee reasoning for verifying safety of multi-threaded programs. Our method relies on an automated discovery of environment transitions using (transition) predicate abstraction [12, 28]. It performs a predicate abstraction-based reachability computation for each thread and interleaves it with the construction of environment transitions that over-approximate the effect of executing t...

531 | Lazy abstraction
- Henzinger, Jhala, et al.
- 2002
Citation Context: ...cull and QRCU examples showing the benefits of modular proofs. As another experiment, we tested some of our smaller examples using two state-of-the-art model checkers for sequential C programs, Blast [14] and ARMC [31]. For each of the tested programs (Fig2-fixed, Fig4-fixed, Dekker, Peterson, and Lamport), we instrumented the program counter as explicit program variables (pc1 and pc2) and obtained a s...

528 | CIL: Intermediate language and tools for analysis and transformation of C programs
- Necula, McPeak, et al.
- 2002
Citation Context: ...should execute concurrently. The input file also contains the description of an initial state and a number of assertions to be proven correct. Our tool uses a frontend based on the CIL infrastructure [25] to translate a C program to its corresponding multi-threaded transition system that is formalized in Section 3. The main compo... function MKTREE input g - relation, either b(u) or false begin 1 2 3 ...

458 | Temporal verification of reactive systems: safety
- Manna, Pnueli
- 1995
Citation Context: ... establish mutual exclusion and mainly deal with global variables (no local computation is included in the critical region). The mutual exclusion property of the naïve version of the Bakery algorithm [22] holds only when assuming assignments are performed atomically. (Our verifier was able to confirm the bug present in the code without such atomicity assumption.) BAKERY [18] is the complete version of...

384 | An axiomatic proof technique for parallel programs
- Owicki, Gries
- 1976
Citation Context: ...rect treatment of all possible thread interleavings by reasoning about the program globally is a prohibitively expensive task, even for small programs. By applying rely-guarantee techniques, see e.g. [17, 26], such global reasoning can be avoided by considering each program thread in isolation, using environment transitions to summarize the effect of executing other threads, and applying them on the threa...

361 | Partial-order methods for the verification of concurrent systems: an approach to the state-explosion problem
- Godefroid
- 1996
Citation Context: ... C programs, and later evolved to handle and reproduce even difficult to find Heisenbugs [24]. Monolithic reasoning can be greatly facilitated by using techniques evolved from partial-order reduction [11], like dynamic partial-order reduction [8] or peephole partial order reduction [34]. Yet another technique to fight state explosion is to factor out redundancy due to thread replication as proposed in...

258 | A new solution of Dijkstra's concurrent programming problem
- Lamport
- 1974
Citation Context: ...on of the Bakery algorithm [22] holds only when assuming assignments are performed atomically. (Our verifier was able to confirm the bug present in the code without such atomicity assumption.) BAKERY [18] is the complete version of the Bakery algorithm, while LAMPORT [19] is an algorithm with an optimized path in the absence of memory contention. QRCU [23] is an algorithm implementing the Read-copy-up...

243 | Learning from mistakes: a comprehensive study on real world concurrency bug characteristics
- Lu, Park, et al.
- 2008
Citation Context: ...ing a collection of programs that have intricate correctness proofs for their safety assertions. The first four programs shown in Table 1 are derived from two buggy examples highlighted as figures in [20], together with their fixes from the MOZILLA CVS repository. The property to verify is that two operations performed by different threads are executed in the correct order. The next three examples mod...

241 | A fast mutual exclusion algorithm
- Lamport
- 1987
Citation Context: ... are performed atomically. (Our verifier was able to confirm the bug present in the code without such atomicity assumption.) BAKERY [18] is the complete version of the Bakery algorithm, while LAMPORT [19] is an algorithm with an optimized path in the absence of memory contention. QRCU [23] is an algorithm implementing the Read-copy-update synchronization algorithm. It is an alternative to a readers-wr...

208 | Tentative steps toward a development method for interfering programs
- Jones
- 1983
Citation Context: ...roof rule Figure 5 presents a proof rule REACHENV for compositional verification of program safety. The proof rule is inspired by the existing proof rules for compositional safety reasoning, see e.g. [5, 15, 16, 26]. Our formulation of REACHENV directly leads to a pre-fixpoint characterization, thus, providing a basis for the proof rule automation using abstraction and refinement techniques. REACHENV relies on t...

206 | Specification and design of (parallel) programs
- Jones
- 1983
Citation Context: ...rect treatment of all possible thread interleavings by reasoning about the program globally is a prohibitively expensive task, even for small programs. By applying rely-guarantee techniques, see e.g. [17, 26], such global reasoning can be avoided by considering each program thread in isolation, using environment transitions to summarize the effect of executing other threads, and applying them on the threa...

194 | Dynamic partial-order reduction for model checking software
- Flanagan, Godefroid
- 2005
Citation Context: ...d reproduce even difficult to find Heisenbugs [24]. Monolithic reasoning can be greatly facilitated by using techniques evolved from partial-order reduction [11], like dynamic partial-order reduction [8] or peephole partial order reduction [34]. Yet another technique to fight state explosion is to factor out redundancy due to thread replication as proposed in counter abstraction [27] and implemented ...

145 | Finding and reproducing Heisenbugs in concurrent programs
- Musuvathi, Qadeer, et al.
- 2008
Citation Context: ...context switches. This scheme was initially proposed and implemented in KISS [30], a multi-threaded checker for C programs, and later evolved to handle and reproduce even difficult to find Heisenbugs [24]. Monolithic reasoning can be greatly facilitated by using techniques evolved from partial-order reduction [11], like dynamic partial-order reduction [8] or peephole partial order reduction [34]. Yet ...

130 | KISS: keep it simple and sequential
- Qadeer, Wu
- 2004
Citation Context: .... The property to verify is that two operations performed by different threads are executed in the correct order. The next three examples model the stopping procedure of a Windows NT Bluetooth driver [30]. BLUETOOTH2 contains two threads, one worker thread and another thread to model the stopping procedure of the driver. BLUETOOTH2-FIXED and BLUETOOTH3-FIXED are the fixed versions of the model with tw...

89 | Thread-modular model checking
- Flanagan, Qadeer
- 2003
Citation Context: ...ed-memory programs. Calvin reduces the verification of the multi-threaded program to the verification of several sequential programs with the help of a programmer specified environment assumption. In [9], thread-modular model checking was proposed to infer automatically environment assumptions that propagate only global variable changes to other threads. The algorithm has low complexity, polynomial i...

89 | Race checking by context inference
- Henzinger, Jhala, et al.
- 2004
Citation Context: ...roof rule Figure 5 presents a proof rule REACHENV for compositional verification of program safety. The proof rule is inspired by the existing proof rules for compositional safety reasoning, see e.g. [5, 15, 16, 26]. Our formulation of REACHENV directly leads to a pre-fixpoint characterization, thus, providing a basis for the proof rule automation using abstraction and refinement techniques. REACHENV relies on t...

79 | ARMC: The logical choice for software model checking with abstraction refinement
- Podelski, Rybalchenko
- 2007
Citation Context: ...nd succeeds in computing modular predicates. 8. Experimental results In this section, we describe a proof-of-concept implementation of our proposed algorithm as an extension of the model checker ARMC [29]. Tool description The verifier we built takes as input a number of functions (written in the C language) representing threads that should execute concurrently. The input file also contains the descri...

61 | Transition predicate abstraction and fair termination
- Podelski, Rybalchenko
- 2005
Citation Context: ...hat automates rely-guarantee reasoning for verifying safety of multi-threaded programs. Our method relies on an automated discovery of environment transitions using (transition) predicate abstraction [12, 28]. It performs a predicate abstraction-based reachability computation for each thread and interleaves it with the construction of environment transitions that over-approximate the effect of executing t...

47 | Thread-modular verification for shared-memory programs
- Flanagan, Freund, et al.
- 2002
Citation Context: ...✓ 11.2s Bluetooth2-fixed 90 No ✓ 3.7s ✓ 0.4s Bluetooth3-fixed 90 No ✓ 135s ✓ 9.7s Scull[6] 451 Yes ✓-Modular 128.5s T/O Dekker[1] 39 No ✓ 11.1s ✓ 6s Peterson[1] 26 No ✓ 4.7s ✓ 3.9s Readers-writer-lock[10] 22 Yes ✓-Modular 0.2s ✓ 0.4s Time varying mutex[10] 29 No ✓ 11.8s ✓ 3.1s Szymanski[32] 43 No ✓ 32s ✓ 8.8s NaïveBakery[22] 22 Yes ✓-Modular 2.5s ✓ 3s Bakery[18] 37 No ✓ 105.4s ✓ 101s Lamport[19] 62 No...

25 | Linux Device Drivers, 3rd Edition. O'Reilly Associates
- Corbet, Rubini, et al.
- 2005
Citation Context: ...orker thread and another thread to model the stopping procedure of the driver. BLUETOOTH2-FIXED and BLUETOOTH3-FIXED are the fixed versions of the model with two and respectively three threads. SCULL [6] is a Linux character device driver that implements access to a global memory area. The property to verify is that read and write operations are performed in critical section. We also include some exa...

22 | A Simple Solution to Lamport's Concurrent Programming Problem with Linear Wait (ICS '88)
- Szymanski
- 1988
Citation Context: ...[6] 451 Yes ✓-Modular 128.5s T/O Dekker[1] 39 No ✓ 11.1s ✓ 6s Peterson[1] 26 No ✓ 4.7s ✓ 3.9s Readers-writer-lock[10] 22 Yes ✓-Modular 0.2s ✓ 0.4s Time varying mutex[10] 29 No ✓ 11.8s ✓ 3.1s Szymanski[32] 43 No ✓ 32s ✓ 8.8s NaïveBakery[22] 22 Yes ✓-Modular 2.5s ✓ 3s Bakery[18] 37 No ✓ 105.4s ✓ 101s Lamport[19] 62 No ✓ 120.8s ✓ 97s QRCU[23] 120 Yes ✓-Modular 34.5s T/O Table 1. "Has a modular proof?" in...

19 | Peephole partial order reduction
- Wang, Yang, et al.
- 2008
Citation Context: ...nbugs [24]. Monolithic reasoning can be greatly facilitated by using techniques evolved from partial-order reduction [11], like dynamic partial-order reduction [8] or peephole partial order reduction [34]. Yet another technique to fight state explosion is to factor out redundancy due to thread replication as proposed in counter abstraction [27] and implemented in the model checker Boom [2, 3]. We view...

18 | Liveness with (0, 1, ∞)-counter abstraction
- Pnueli, Xu, et al.
- 2002
Citation Context: ...l-order reduction [8] or peephole partial order reduction [34]. Yet another technique to fight state explosion is to factor out redundancy due to thread replication as proposed in counter abstraction [27] and implemented in the model checker Boom [2, 3]. We view these techniques as paramount in obtaining practical multi-threaded verifiers, but orthogonal to our proposal for automatic environment infer...

16 | Local proofs for global safety properties
- Cohen, Namjoshi
- 2009
Citation Context: ...roof rule Figure 5 presents a proof rule REACHENV for compositional verification of program safety. The proof rule is inspired by the existing proof rules for compositional safety reasoning, see e.g. [5, 15, 16, 26]. Our formulation of REACHENV directly leads to a pre-fixpoint characterization, thus, providing a basis for the proof rule automation using abstraction and refinement techniques. REACHENV relies on t...

15 | Automatic discovery of mutual exclusion algorithms
- Bar-David, Taubenfeld
- 2003
Citation Context: ...ig4-fixed[20] 168 Yes ✓-Modular 1.5s ✓ 11.1s Bluetooth2[30] 90 No ✓ 29.1s ✓ 11.2s Bluetooth2-fixed 90 No ✓ 3.7s ✓ 0.4s Bluetooth3-fixed 90 No ✓ 135s ✓ 9.7s Scull[6] 451 Yes ✓-Modular 128.5s T/O Dekker[1] 39 No ✓ 11.1s ✓ 6s Peterson[1] 26 No ✓ 4.7s ✓ 3.9s Readers-writer-lock[10] 22 Yes ✓-Modular 0.2s ✓ 0.4s Time varying mutex[10] 29 No ✓ 11.8s ✓ 3.1s Szymanski[32] 43 No ✓ 32s ✓ 8.8s NaïveBakery[22] 22...

11 | Thread-modular verification is Cartesian abstract interpretation
- Malkis, Podelski, et al.
- 2006
Citation Context: ...mplexity, polynomial in the number of threads, but is incomplete and fails to discover environment assumptions that refer to the local states of a thread. Thread-modular verification is formalized by [21] in the framework of abstract interpretation as Cartesian product of sets of states. The method of [15] uses a richer abstraction scheme that computes contextual thread reachability, where the context...

11 | Using Promela and Spin to verify parallel algorithms. LWN.net, weekly edition
- McKenney
- 2007
Citation Context: ...de without such atomicity assumption.) BAKERY [18] is the complete version of the Bakery algorithm, while LAMPORT [19] is an algorithm with an optimized path in the absence of memory contention. QRCU [23] is an algorithm implementing the Read-copy-update synchronization algorithm. It is an alternative to a readers-writer lock having wait-free read operations. Performance of our tool To explain our exp...

4 | Taking Boolean program model checking one step further
- Basler, Hague, et al.
- 2010
Citation Context: ... reduction [34]. Yet another technique to fight state explosion is to factor out redundancy due to thread replication as proposed in counter abstraction [27] and implemented in the model checker Boom [2, 3]. We view these techniques as paramount in obtaining practical multi-threaded verifiers, but orthogonal to our proposal for automatic environment inference. Acknowledgments The first author was suppor...

2 | Non-monotonic refinement of control abstraction for concurrent programs
- Gupta, Popeea, et al.
- 2010
Citation Context: ...d versions of the abstract states m2 and n2 is disjoint from the error states of the program. We check if the conjunction of the clauses in HC1 is satisfiable using a SAT-based algorithm presented in [13]. (Section 7 presents an algorithm for solving Horn clauses over linear inequalities.) We obtain the following satisfying assignment SOL that maps each unknown predicate to an assertion of the program...

1 | The ARMC tool. Available from http://www7.in.tum.de/~rybal/armc
- Rybalchenko
Citation Context: ... examples showing the benefits of modular proofs. As another experiment, we tested some of our smaller examples using two state-of-the-art model checkers for sequential C programs, Blast [14] and ARMC [31]. For each of the tested programs (Fig2-fixed, Fig4-fixed, Dekker, Peterson, and Lamport), we instrumented the program counter as explicit program variables (pc1 and pc2) and obtained a sequential mod...